Security configuration requirements for z/OSMF
Using z/OSMF requires sufficient authority in z/OS®. Specifically, on the z/OS system to be managed, the resources to be accessed on behalf of z/OSMF users (data sets, operator commands, and so on). These resources are secured through the security management product at your installation, such as Resource Access Control Facility (RACF®). z/OSMF provides sample jobs and the information in this document to assist your security administrator. Your security administrator can use the sample jobs to create the groups, user IDs, and resource profiles for your z/OSMF configuration. Subsequently, these z/OSMF constructs require more permissions to a number of existing groups, user IDs, and resources on your system.
This appendix describes the security configuration requirements for z/OSMF. Included are the resource authorizations that are created when your installation runs the IZUSEC job for the core functions, and the IZUxxSEC jobs for the optional plug-ins. Also listed are the resource authorizations that your installation must define outside of the configuration process.
- Class activations that z/OSMF requires
- SAF profile prefix for z/OSMF resources
- User IDs that z/OSMF creates during configuration
- Security groups that z/OSMF creates during configuration
- Resource authorizations for the z/OSMF core functions
- Resource authorizations for hardware compression
- Resource authorizations for hardware cryptography
- Resource authorizations for Common Information Model
- Resource authorizations for Capacity Provisioning Manager
- Resource authorizations for common event adapter (CEA)
- Resource authorizations for the z/OS console services REST interface
- Resource authorizations for the z/OS data set and file REST interface
- Resource authorizations for the z/OS jobs REST interface
- Resource authorizations for Workload Management
- Resource authorizations for the Capacity Provisioning plug-in
- Resource authorizations for the Configuration Assistant plug-in
- Resource authorizations for the Incident Log plug-in
- Resource authorizations for the ISPF plug-in
- Resource authorizations for the Resource Monitoring plug-in
- Resource authorizations for the Software Deployment plug-in
- Resource authorizations for the Workload Management plug-in.
Class activations that z/OSMF requires
| Class | Purpose | RACF commands for activating |
|---|---|---|
| ACCTNUM | Controls access to the account number used for the procedure for the z/OS data set and file REST interface services, as described in Updating your system for the z/OS data set and file REST interface. | |
| APPL | Controls access to the z/OSMF application domain. This access is required by:
|
|
| EJBROLE | Controls the user’s ability to connect to the z/OSMF core functions and tasks. z/OSMF defines a resource name for each core function and task. | |
| FACILITY | Controls the user’s access to profiles when the user takes some action. This access is required by the z/OSMF started task user ID (IZUSVR, by default). Examples include the profiles that are used to control privileges in the z/OS UNIX environment. | |
| SERVAUTH | Controls the user’s ability to use CEA TSO/E address space services.
In z/OSMF, this access is required by:
|
|
| SERVER | Allows the z/OSMF started task user ID to request services from z/OS system components, such as the system authorization facility (SAF), workload management (WLM), and SVCDUMP services. | |
| STARTED | Assigns an identity to the z/OSMF started task during the processing of an MVS™ START command. By default, the started task runs under the IZUSVR user ID. | |
| TSOPROC | Controls access to the procedure for the z/OS data set and file REST interface services, as described in Updating your system for the z/OS data set and file REST interface. | |
| ZMFAPLA | Controls the user’s ability to use the z/OSMF core functions and tasks. z/OSMF defines a resource name for each core function and
task.
|
|
| ZMFCLOUD | Allows the user to use the z/OSMF core functions and tasks that are
related to Cloud Provisioning. z/OSMF defines a resource name for each core function and task for
Cloud Provisioning. For more information, see Preparing to use Cloud Provisioning. The ZMFCLOUD class requires the RACLIST option. |
|
If your installation uses a security management product other than RACF, ask your security administrator to create equivalent commands for your security product.
SAF profile prefix for z/OSMF resources
During the configuration process, your security administrator runs the IZUxxSEC jobs to secure z/OSMF resources. In these jobs, your installation specifies a system authorization facility (SAF) profile prefix to be used for naming z/OSMF resources. The SAF prefix is prepended to the names of z/OSMF resource profiles, and is used in some of the RACF commands that are contained in the IZUxxSEC jobs.
In the examples in this document, the SAF prefix is shown as <SAF-prefix>. By default, the SAF prefix is IZUDFLT. If your installation selects to use a different value, substitute the value in the examples.
User IDs that z/OSMF creates during configuration
| User ID | Purpose | Default UID | Created by |
|---|---|---|---|
| IZUGUEST | User ID for performing unauthenticated work, such as guest user access to the Welcome page. | 9011 | IZUSEC job |
| IZUSVR | User ID for the z/OSMF started tasks, which are named IZUANG1 and IZUSVR1, by default. | 9010 | IZUSEC job |
Table 2 shows the IBM default values. Your security administrator can specify different user IDs in place of the default user IDs in the IZUSEC job.
Security groups that z/OSMF creates during configuration
The IZUSEC job creates a base set of security groups for your z/OSMF configuration. These groups are necessary for giving users the proper level of access to z/OSMF and z/OS system resources.
Your security team might determine that existing group names would be appropriate for this product. If so, you can use your existing group names in place of the supplied z/OSMF default group names. For example, you might already have a group aligned with administrators; if so, you could use that group, instead of the z/OSMF default group for administrators, IZUADMIN.
Table 3 lists the groups that the IZUSEC job creates. The group names can change, based on the values you provide during the configuration process. Table 3 shows the IBM® default values.
| Group | Purpose | Default group ID (GID) | Created by |
|---|---|---|---|
| IZUADMIN | Security group for the z/OSMF administrator role. Any user IDs connected to this group are considered to be z/OSMF administrators. | 9003 | IZUSEC job |
| IZUUSER | Security group for the z/OSMF user role. | 9004 | IZUSEC job |
| IZUSECAD | Security group for the z/OS security administrator role in z/OSMF. | 9006 | IZUSEC job |
| IZUUNGRP | Security group for the z/OSMF unauthenticated user ID. | 9012 | IZUSEC job |
Resource authorizations for the z/OSMF core functions
Table 4 describes the access requirements for the z/OSMF core functions. The IZUSEC job includes sample RACF commands for creating these authorizations on your system. These values can change, based on the values you provide during the configuration process. Table 4 shows the IBM default values.
| Resource class | Resource name | Who needs access? | Type of access required | Why |
|---|---|---|---|---|
| ACCTNUM | IZUACCT | IZUADMIN IZUUSER | READ | Allows callers to access the account number that is used for the procedure for the z/OS data set and file REST interface services, as described in Updating your system for the z/OS data set and file REST interface. |
| APPL | <SAF-prefix> | IZUSVR |
READ | Allow access to the z/OSMF
application domain.
|
| CERT | DefaultzOSMFCert.<SAF-prefix> | Owned by the IZUSVR user ID | N/A | Needed for secure communications between the browser and the z/OSMF server. |
| CERT | zOSMFCA | N/A | N/A | Certificate authority; needed for secure communications between the browser and the z/OSMF server. |
| CSFSERV | CSF* profiles | IZUSVR | READ | z/OS Integrated Cryptographic Service Facility (ICSF) callable services. If your installation uses hardware cryptography with ICSF, you must permit the z/OSMF server user ID to these services, as described in Resource authorizations for hardware cryptography. |
| EJBROLE | <SAF-prefix>.IzuManagementFacility.izuUsers | IZUADMIN |
READ | Allow a user to log on to z/OSMF and view the Welcome page. |
| EJBROLE | <SAF-prefix>.IzuManagementFacilityHelpApp.izuUsers | IZUADMIN |
READ | Allow a user to connect to the z/OSMF online help system. |
| EJBROLE | <SAF-prefix>.IzuManagementFacilityWorkflow.izuUsers | IZUADMIN |
READ | Allow a user to connect to the Workflows task. |
| EJBROLE | <SAF-prefix>.IzuManagementFacilityRestJobs.izuUsers | IZUADMIN |
READ | Allow a user to connect to the z/OS jobs REST interface. |
| EJBROLE | <SAF-prefix>.IzuManagementFacilityImportUtility.izuUsers | IZUADMIN |
READ | Allow a user to use the Import Manager task to import plug-ins, event types, event handlers, and links into z/OSMF. |
| FACILITY | BBG.SYNC.<SAF-prefix> | IZUSVR | CONTROL | Allow the z/OSMF server to synchronize any RunAs identity with the OS identity. |
| FACILITY | BPX.CONSOLE | IZUSVR | READ | Allow the user to filter z/OS UNIX messages. Specifically, this setting suppresses the BPXM023I message prefix from any write-to-operator (WTO) messages that z/OSMF writes to the console. |
| FACILITY | IRR.DIGTCERT.LIST | IZUSVR | READ | Allow the started task user ID to retrieve the status of the certificate. |
| FACILITY | IRR.DIGTCERT.LISTRING | IZUSVR | READ | Allow the started task user ID to list and get the certificate keyring. |
 FACILITY  |
IRR.RUSERMAP |
IZUSVR |
READ |
Allow the started task user ID to use the R_usermap
service. This authorization is required for the z/OSMF notification function. The z/OSMF server uses
the R_usermap service to determine the application user identity associated with
a RACF user ID, or to determine the RACF user ID associated with an application user identity or
digital certificate. |
| KEYRING | IZUKeyring.<SAF-prefix> | IZUSVR | N/A | Needed for secure communications. |
| SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUADMIN |
READ | Allow the HTTP client applications on your z/OS system to start and manage TSO/E address spaces. |
| SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUSVR |
READ | Allow the z/OSMF server to start and manage TSO/E address space services. |
| SERVER | BBG.ANGEL | IZUSVR | READ | Allow the z/OSMF server to access the angel process. |
| SERVER | BBG.AUTHMOD.BBGZSAFM | IZUSVR | READ | Allow the z/OSMF server to access the SAF authorized registry. |
| SERVER | BBG.AUTHMOD.BBGZSAFM.SAFCRED | IZUSVR | READ | Allow the z/OSMF server to access the SAF authorization services. |
| SERVER | BBG.AUTHMOD.BBGZSAFM.ZOSWLM | IZUSVR | READ | Allow the z/OSMF server to access the WLM services. |
| SERVER | BBG.AUTHMOD.BBGZSAFM.TXRRS | IZUSVR | READ | Allow the z/OSMF server to access the transaction services. |
| SERVER | BBG.AUTHMOD.BBGZSAFM.ZOSDUMP | IZUSVR | READ | Allow the z/OSMF server to access the SVC dump services. |
| SERVER | BBG.SECCLASS.ZMFAPLA | IZUSVR | READ | Allow the z/OSMF server to authorize checks for the ZMFAPLA class. |
| SERVER | BBG.SECPFX.<SAF-prefix> | IZUSVR | READ | Allow the z/OSMF server to make authentication calls against the APPL-ID. |
| STARTED | IZUSVR1.jobname | IZUADMIN | N/A | Define the started task for the z/OSMF angel process. |
| STARTED | IZUANG1.jobname | IZUADMIN | N/A | Define the started task for the z/OSMF server process. |
| TSOPROC | IZUFPROC | IZUADMIN IZUUSER | READ | Allows callers to access the procedure for the z/OS data set and file REST interface services, as described in Updating your system for the z/OS data set and file REST interface. |
| ZMFAPLA | <SAF-prefix>.ZOSMF | IZUADMIN |
READ | Designates the user as a z/OSMF user, rather
than a guest user. This authorization is the minimum requirement for
allowing a user to do more than log in to z/OSMF and view the
Welcome page. Without this authorization, the logged-in user is treated
as an authenticated guest. Use the other ZMFAPLA resource names that follow in this table to create specific controls for each core function and task. See Table Notes® 1 and 2. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.ADMINTASKS.APPLINKING | IZUADMIN | READ | Allow a user to access the Application Linking Manager task. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.ADMINTASKS.IMPORTMANAGER | IZUADMIN | READ | Allow a user to access the Import Manager task. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.ADMINTASKS.LINKSTASK | IZUADMIN | READ | Allow a user to access the Links task. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.ADMINTASKS.LOGGER | IZUADMIN | READ | Allow a user to manage the settings that control the behavior and content of the z/OSMF logs. This capability is used only in service situations. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.ADMINTASKS.UI_LOG _MANAGEMENT | IZUADMIN | READ | Allow a user to manage the settings that control the behavior of the user interface (UI) portion of z/OSMF logging. This capability is used only in service situations. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.ADMINTASKS.USAGESTATISTICS | IZUADMIN | READ | Allow a user to collect usage statistics about z/OSMF. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.linkName | IZUADMIN IZUUSER | READ | Allow a user to view an installation-specified
link. See Table Notes 3 and 4. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.SHOPZSERIES | IZUADMIN |
READ | Allow a user to view the ShopzSeries web site link. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.SUPPORT_FOR_Z_OS | IZUADMIN IZUUSER | READ | Allow a user to view the Support for z/OS web site link. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.SYSTEM_Z_REDBOOKS | IZUADMIN |
READ | Allow a user to view the IBM Redbooks® web site link. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.WSC_FLASHES _TECHDOCS | IZUADMIN |
READ | Allow a user to view the WSC Flashes and Techdocs web site link. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.Z_OS_BASICS _INFORMATION_CENTER | IZUADMIN |
READ | Allow a user to view the z/OS Basic Skills Information Center web site link. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.Z_OS_HOME_PAGE | IZUADMIN |
READ | Allow a user to view the z/OS Home Page web site link. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.LINK.Z_OS_INTERNET_LIBRARY | IZUADMIN |
READ | Allow a user to view the z/OS Library web site link. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.NOTIFICATION.MODIFY | IZUADMIN IZUUSER | READ | Allow a user to compose a notification. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.NOTIFICATION.SETTINGS | IZUADMIN IZUUSER | READ | Allow a user to define an mail account for receiving notifications from z/OSMF. This action is performed through the Notification Settings task of z/OSMF. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.NOTIFICATION.SETTINGS.ADMIN | IZUADMIN | READ | Allow a user to manage the z/OSMF notification settings for mobile devices, push services, and SMTP server properties. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.SETTINGS.FTP_SERVERS | IZUADMIN |
READ | Allow a user to access the FTP Servers task. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.SETTINGS.FTP_SERVERS.VIEW | IZUADMIN |
READ | Allow a user to access the FTP Servers task View function. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.SETTINGS.FTP_SERVERS.MODIFY | IZUADMIN | READ | Allow a user to access the z/OSMF Task Settings task Modify function. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.SETTINGS.SYSTEMS | IZUADMIN IZUUSER | READ | Allow a user to access the Systems task. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.SETTINGS.SYSTEMS.VIEW | IZUADMIN |
READ | Allow a user to access the Systems task View function. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.SETTINGS.SYSTEMS.MODIFY | IZUADMIN | READ | Allow a user to access the z/OSMF Task Settings task Modify function. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.WORKFLOW.ADMIN | IZUADMIN | READ | Allow a user to change the assigned owner of a workflow. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.WORKFLOW.WORKFLOWS | IZUADMIN |
READ | Allow a user to access the z/OSMF Workflows task. See Table Note 5. |
- User authorizations to functions, tasks, and links are controlled through the system authorization facility (SAF) profile prefix. By default, the SAF prefix is IZUDFLT.
- Users require READ access to at least the profile <SAF-prefix>.ZOSMF to do work in z/OSMF. Without this authorization, the user is treated as an authenticated guest, that is, able to log in to z/OSMF and display the Welcome page, but not able to access the z/OSMF functions and tasks.
- In a default z/OSMF configuration, all users are granted authority to all links through a wildcarded profile: <SAF-prefix>.ZOSMF.LINK.* *
- You must provide a SAF resource name prefix for any links that you add to z/OSMF. You can control access to specific links by
specifying a unique resource name for the link, for example, by including the link name as part of
the resource name. For example: IZUDFLT.ZOSMF.LINK.mylink
For information about defining links to z/OSMF, see Adding links to z/OSMF.
- A user with access to the Workflows task can access any of the workflows that are displayed in the Workflows task. By default, the z/OSMF defined security groups IZUADMIN, IZUSECAD, and IZUUSER have access to the Workflows task.
- If your installation uses hardware cryptography with z/OS Integrated Cryptographic Service Facility (ICSF), be aware that services such as CSFRNGL, CSFDSV, CSFOWH, CSFIQF, and others, might be protected through profiles that are established in your security product. In some cases, z/OSMF uses these services; therefore, you must permit the z/OSMF started task user ID to these profiles. For more information, see Resource authorizations for hardware cryptography.
- All z/OSMF users must have a TSO segment defined in your installation’s security database. Failure to have a TSO segment causes some z/OSMF functions not to work.
Resource authorizations for hardware compression
XAT1 IZUSVRU IZUSVR1 RACF ACCESS violation for IZUSVRU:
(READ,NONE) on FACILITY FPZ.ACCELERATOR.COMPRESSION You can ignore the message.
Table 5 shows which permissions must be granted to the z/OSMF server user ID. Commands for the creating the permissions are included in commented sections in the IZUSEC job. To have the commands issued when the job runs, uncomment the sections.
| Resource class | Resource name | Who needs access? | Type of access required | Why |
|---|---|---|---|---|
| FACILITY | FPZ.ACCELERATOR. COMPRESSION | IZUSVR | READ | Enable the z/OSMF server to run with hardware compression. |
Resource authorizations for hardware cryptography
If your installation uses hardware cryptography with z/OS Integrated Cryptographic Service Facility (ICSF), the z/OSMF server requires access to the ICSF callable services. Table 6 shows which permissions must be granted to the z/OSMF server user ID. Commands for the creating the permissions are included in commented sections in the IZUSEC job. To have the commands issued when the job runs, uncomment the sections.
| Resource class | Resource name | Who needs access? | Type of access required | Why |
|---|---|---|---|---|
| CSFSERV | CSFIQF | IZUSVR | READ | ICSF query facility callable service. |
| CSFSERV | CSFENC | IZUSVR | READ | Encipher callable service. |
| CSFSERV | CSFCVE | IZUSVR | READ | Cryptographic variable encipher callable service. |
| CSFSERV | CSFDEC | IZUSVR | READ | Decipher callable service. |
| CSFSERV | CSFSAE | IZUSVR | READ | Symmetric algorithm encipher callable service. |
| CSFSERV | CSFSAD | IZUSVR | READ | Symmetric algorithm decipher callable service. |
| CSFSERV | CSFOWH | IZUSVR | READ | One-way hash generate callable service. |
| CSFSERV | CSFRNG | IZUSVR | READ | Random number generate callable service. |
| CSFSERV | CSFRNGL | IZUSVR | READ | Random number generate long callable service. |
| CSFSERV | CSFPKG | IZUSVR | READ | PKA key generate callable service. |
| CSFSERV | CSFDSG | IZUSVR | READ | Digital signature generate service. |
| CSFSERV | CSFDSV | IZUSVR | READ | Digital signature verify callable service. |
| CSFSERV | CSFPKT | IZUSVR | READ | PKA key generate callable service. |
| CSFSERV | CSFRKL | IZUSVR | READ | Retained key list callable service. |
| CSFSERV | CSFPKX | IZUSVR | READ | PKA Public Key Extract callable service. |
| CSFSERV | CSFPKE | IZUSVR | READ | PKA encrypt callable service. |
| CSFSERV | CSFPKD | IZUSVR | READ | PKA decrypt callable service. |
| CSFSERV | CSFPKI | IZUSVR | READ | PKA key import callable service. |
| CSFSERV | CSFCKM | IZUSVR | READ | Multiple clear key import callable service. |
| CSFSERV | CSFKGN | IZUSVR | READ | Multiple clear key import callable service. |
| CSFSERV | CSFEDH | IZUSVR | READ | ECC Diffie-Hellman callable service. |
Resource authorizations for Common Information Model
If your z/OSMF configuration includes tasks that use the Common Information Model (CIM) server on the host z/OS system, users of the plug-ins require the proper level of access to CIM server resources.
- Capacity Provisioning
- Incident Log
- Workload Management
- The asynchronous job notifications function of z/OSMF, which is described in Configuring your system for asynchronous job notifications.
CIM includes the CFZSEC job to help you create these authorizations. See the chapter on CIM server quick setup and verification in z/OS Common Information Model User's Guide. IBM supplies the CFZSEC job in SYS1.SAMPLIB. If your installation does not plan to run the CFZSEC job, ensure that z/OSMF users, and, if configuring the Workload Management plug-in, the z/OSMF server user ID, have UPDATE access to the CIMSERV profile in the WBEM class. If necessary, refresh the WBEM class.
For more information about CIM authorization requirements, see Reviewing your CIM server setup.
| Group | Purpose | Default group ID (GID) | Created by |
|---|---|---|---|
| CFZADMGP | Security group for the CIM administrator role. | 9502 | Member CFZSEC in SYS1.SAMPLIB. |
| CFZUSRGP | Security group for the CIM user role. This group grants a user access to all resources that are managed through CIM. Depending on how granular you want to control user access to CIM, your installation might have created additional groups to allow access to only a subset of resources managed through CIM. | 9503 | Member CFZSEC in SYS1.SAMPLIB. |
With the IZUAUTH job, your security administrator can supply the names of the CIM groups, based on your selection of optional plug-ins. These values include the names of the CIM administrators group (by default, CFZADMGP) and the CIM users group (by default, CFZUSRGP). The IZUAUTH job contains commands for connecting users to the groups and thus, depend on the groups to exist.
Resource authorizations for Capacity Provisioning Manager
If your z/OSMF configuration includes the Capacity Provisioning plug-in, users of the plug-in must be defined and authorized for all resources accessed by the Provisioning Manager. IBM provides the CPOSEC1 and CPOSEC2 jobs in SYS1.SAMPLIB to help you create these authorizations when you set up a Capacity Provisioning domain. For more information, see the topic on setting up a Capacity Provisioning domain in z/OS MVS Capacity Provisioning User's Guide.
| Provisioning Manager setting | Default value |
|---|---|
| Domain name | DOMAIN1 |
| Started task procedure name | CPOSERV |
| High-level qualifier for runtime data set | CPO |
| Provisioning Manager user | CPOSRV |
With the IZUCPSEC job, your security administrator can supply the names of the security groups that your installation has created for authorizing users to the Provisioning Manager on your system. The IZUAUTH job contains commands for connecting users to the groups and thus, depend on the groups to exist.
| Group | Purpose | Default group ID (GID) | Created by |
|---|---|---|---|
| CPOCTRL | Security group for users of the Capacity Provisioning task Edit function. | None; your installation must specify a GID for this group. | Member CPOSEC1 in SYS1.SAMPLIB. |
| CPOQUERY | Security group for users of the Capacity Provisioning task View function. | None; your installation must specify a GID for this group. | Member CPOSEC1 in SYS1.SAMPLIB. |
Resource authorizations for common event adapter (CEA)
If your z/OSMF configuration includes tasks that use the common event adapter (CEA) component on the z/OS host system, users of the plug-ins require the proper level of access to CEA resources. IBM provides the CEASEC job in SYS1.SAMPLIB to help you create these authorizations.
- Incident Log
- ISPF
CEA has security profiles in the SERVAUTH class for protecting different portions of its processing. When you run the IZUILSEC job, you permit the z/OSMF groups to the CEA resources.
For more information, see the topic on customizing for CEA in z/OS Planning for Installation.
Resource authorizations for the z/OS console services REST interface
- READ access to the MVS.MCSOPER.consolename resource in the OPERCMDS class, where consolename is the name of the EMCS console that is used to issue the command
- READ access to the CONSOLE resource in the TSOAUTH class.
- READ access to resource account in class ACCTNUM, where account is the value specified in the COMMON_TSO ACCT option in parmlib
- READ access to resource CEA.CEATSO.TSOREQUEST in class SERVAUTH
- READ access to resource proc in class TSOPROC, where proc is the value specified with the COMMON_TSO PROC option in parmlib.
Also, the z/OSMF started task user ID, which is IZUSVR by default, requires READ access to resource CEA.CEATSO.TSOREQUEST in class SERVAUTH.
To control the parameters that z/OS console services use when creating a TSO address space as the host for an EMCS console, use parmlib option COMMON_TSO ACCT(IZUACCT) REGION(50000) PROC(IZUFPROC). Configure this setting before z/OS console services are to be used. Otherwise, default values are used with z/OS console services.
Table 10 summarizes the security requirements for the z/OS console services REST interface.
| Resource class | Resource name | Who needs access? | Type of access required | Why |
|---|---|---|---|---|
| ACCTNUM | IZUACCT | Users of the z/OS console services REST interface. | READ | Allow the user to access the account number for the procedure for the z/OS console services, as described in Updating your system for the z/OS data set and file REST interface. |
| OPERCMDS | MVS.MCSOPER.consolename | Users of the z/OS console services REST interface. | READ | Allow the user to operate the specified extended MCS console. |
| SERVAUTH | CEA.CEATSO.TSOREQUEST | Users of the z/OS console services REST interface. | READ | Allow the user to access the CEA TSO/E address space services. This setting allows HTTP client applications on your z/OS system to start and manage TSO/E address spaces. |
| SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUSVR | READ | Allows the z/OSMF server to access the CEA TSO/E address space services. This setting allows the z/OSMF server to start and manage TSO/E address space services. |
| TSOAUTH | CONSOLE | Users of the z/OS console services REST interface. | READ | Allow the user to issue the TSO/E CONSOLE command to activate the extended MCS console. |
| TSOPROC | IZUFPROC | IZUADMIN IZUUSER | READ | Allow the user to access the procedure for the z/OS console services, as described in Updating your system for the z/OS data set and file REST interface. |
Resource authorizations for the z/OS data set and file REST interface
The z/OS data set and file REST interface requires access to local resources on your z/OS system. Table 11 describes the security requirements for the z/OS data set and file REST interface.
For information about the z/OS data set and file REST interface services, see IBM z/OS Management Facility Programming Guide.
| Resource class | Resource name | Who needs access? | Type of access required | Why |
|---|---|---|---|---|
| ACCTNUM | IZUACCT | IZUADMIN IZUUSER | READ | Allows callers to access the account number that is used for the procedure for the z/OS data set and file REST interface services, as described in Updating your system for the z/OS data set and file REST interface. |
| SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUADMIN IZUUSER | READ | Allows callers to access the CEA TSO/E address space services. This setting allows HTTP client applications on your z/OS system to start and manage TSO/E address spaces. |
| SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUSVR | READ | Allows the z/OSMF server to access the CEA TSO/E address space services. This setting allows the z/OSMF server to start and manage TSO/E address space services. |
| TSOPROC | IZUFPROC | IZUADMIN IZUUSER | READ | Allows callers to access the procedure for the z/OS data set and file REST interface services, as described in Updating your system for the z/OS data set and file REST interface. |
Resource authorizations for the z/OS jobs REST interface
The z/OS jobs REST interface requires access to local resources on your z/OS system. Table 12 describes the security requirements for the z/OS jobs REST interface. These authorizations allow the CIM server to interact with the common event adapter (CEA) component. CIM includes the CFZSEC job to help you create these authorizations.
| Resource class | Resource name | Who needs access? | Type of access required | Why |
|---|---|---|---|---|
| SERVAUTH | CEA.CONNECT | CFZSRV | READ | If your installation uses the z/OS jobs REST interface, this setting is needed for interactions with the common event adapter (CEA) component. |
| SERVAUTH | CEA.SUBSCRIBE.* | CFZSRV | READ | If your installation uses the z/OS jobs REST interface, this setting allows HTTP client applications on your z/OS system to receive asynchronous job notifications. |
| SERVAUTH | CEA.SUBSCRIBE.ENF_0078* | CFZSRV | READ | If your installation uses the z/OS jobs REST interface, this setting allows HTTP client applications on your z/OS system to receive asynchronous job notifications. |
| Operation | JESJOBS resource | Access required |
|---|---|---|
| Hold a job | HOLD.nodename.userid.jobname | UPDATE |
| Release a job | RELEASE.nodename.userid.jobname | UPDATE |
| Change the job class | MODIFY.nodename.userid.jobname | UPDATE |
| Cancel a job | CANCEL.nodename.userid.jobname | ALTER |
| Delete a job (cancel a job and purge its output) | CANCEL.nodename.userid.jobname | ALTER |
For information about the z/OS jobs REST interface services, see IBM z/OS Management Facility Programming Guide. For information about JESJOBS class, see z/OS Security Server RACF Security Administrator's Guide.
If run asynchronously, the z/OS jobs REST interface services also require that the caller’s user ID be authorized to the CIM server and permitted to the JES2-JES3Jobs CIM provider. CIM includes jobs (CFZSEC and CFZRCUST) to help you configure the CIM server, including security authorizations and file system customization. For information, see the chapter on CIM server quick setup and verification in z/OS Common Information Model User's Guide. IBM supplies the CFZSEC job in SYS1.SAMPLIB.
Resource authorizations for Workload Management
If your z/OSMF configuration includes the Workload Management plug-in, users require the proper level of access to workload management (WLM) resources on your system. This access allow a user to view or update the WLM policies.
With the IZUWMSEC job, your security administrator can supply the name of the WLM security group that your installation uses for authorizing users to the z/OS Workload Management component on your system. The IZUAUTH job contains commands for connecting users to the group and thus, depend on the groups to exist.
| Group | Purpose | Default group ID (GID) | Created by |
|---|---|---|---|
| WLMGRP | Security group for users of the Workload Management task. | 9600 | ADDGROUP command or an equivalent security command for creating user groups. |
Resource authorizations for the Capacity Provisioning plug-in
The Capacity Provisioning plug-in requires access to local resources on your z/OS system. Table 15 describes the security requirements for the Capacity Provisioning plug-in. The IZUCPSEC job includes sample RACF commands for creating these authorizations.
| Resource class | Resource name | Who needs access? | Type of access required | Why |
|---|---|---|---|---|
| EJBROLE | <SAF-prefix>.IzuManagementFacilityCapacityProvisioning.izuUsers | IZUADMIN |
READ | Allow a user to connect to the Capacity Provisioning task. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_ PROVISIONING.EDIT | IZUADMIN | READ | Allow a user to display and access the Capacity Provisioning task Edit function. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_ PROVISIONING.EDIT.DOMAIN | IZUADMIN | READ | Allow a user to use the Capacity Provisioning task Edit function to edit a Capacity Provisioning domain. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_ PROVISIONING.EDIT.POLICY | IZUADMIN | READ | Allow a user to use the Capacity Provisioning task Edit function to edit a Capacity Provisioning policy. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.CAPACITY_PROVISIONING.CAPACITY_ PROVISIONING.VIEW | IZUADMIN |
READ | Allow a user to access the Capacity Provisioning task View function. |
- The Capacity Provisioning plug-in requires the CIM server; thus, you must also create the authorizations described in Resource authorizations for Common Information Model.
- Users of the Capacity Provisioning plug-in must be authorized for resources that are accessed by the Provisioning Manager. IBM provides the CPOSEC1 and CPOSEC2 jobs in SYS1.SAMPLIB to help you create these authorizations. For more information, see the topic on setting up a Capacity Provisioning domain in z/OS MVS Capacity Provisioning User's Guide.
Resource authorizations for the Configuration Assistant plug-in
The Configuration Assistant plug-in requires access to local resources on your z/OS system. Table 16 describes the security requirements for theConfiguration Assistant plug-in. The IZUCASEC job includes sample RACF commands for creating these authorizations.
| Resource class | Resource name | Who needs access? | Type of access required | Why |
|---|---|---|---|---|
| EJBROLE | <SAF-prefix>.IzuConfigurationAssistant.izuUsers | IZUADMIN |
READ | Allow a user to connect to the Configuration Assistant task. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.CONFIGURATION_ ASSISTANT.CONFIGURATION_ASSISTANT | IZUUSER | READ | Allow a user to access the Configuration Assistant task. |
Resource authorizations for the Incident Log plug-in
The Incident Log plug-in requires access to local resources on your z/OS system. Table 17 describes the security requirements for the Incident Log plug-in. The IZUILSEC job includes sample RACF commands for creating these authorizations.
| Resource class | Resource name | Who needs access? | Type of access required | Why |
|---|---|---|---|---|
| ALIAS | CEA | N/A | N/A | If your installation has a user catalog set-up instead of using the master catalog, you may need to define CEA alias to the user catalog. |
| DATASET | CEA.* | IZUADMIN |
ALTER | Allow the user to create data sets using the CEA high level qualifier (HLQ). |
| DATASET | your_master_catalog | IZUADMIN |
UPDATE | If your installation has master catalog setup, you might need to permit a user to the master catalog data set class. |
| EJBROLE | <SAF-prefix>.IzuManagementFacilityIncidentLog.izuUsers | IZUADMIN |
READ | Allow a user to connect to the Incident Log task. |
| JESSPOOL | your_system_name.+MASTER+.SYSLOG.*.* | CEA | READ | If your installation is using the system log (SYSLOG) as the source for diagnostic log snapshots, the CEA user ID requires READ access to the JESSPOOL class. This authorization allows the JES subsystem to access SYSLOG on behalf of the common event adapter (CEA) component. |
| SERVAUTH | CEA.CEADOCONSOLECMD | IZUADMIN |
READ | Allow the calling program to issue operator commands to accomplish its function. |
| SERVAUTH | CEA.CEADOCMD | IZUADMIN |
READ | Allow a user to cancel the FTP job. |
| SERVAUTH | CEA.CEAGETPS | IZUADMIN |
READ | Allow a user to obtain information about the FTP job. |
| SERVAUTH | CEA.CEAPDWB.CEACHECKSTATUS | IZUADMIN |
READ | Allow a user to check status and return incident information. |
| SERVAUTH | CEA.CEAPDWB.CEADELETEINCIDENT | IZUADMIN |
READ | Allow a user to delete selected incidents, including the dumps, all diagnostic snapshot files and the corresponding sysplex dump directory entry. |
| SERVAUTH | CEA.CEAPDWB.CEAGETINCIDENT | IZUADMIN |
READ | Allow a user to obtain data associated with a specific incident. |
| SERVAUTH | CEA.CEAPDWB.CEAGETINCIDENTCOLLECTION | IZUADMIN |
READ | Allow a user to obtain collection of incident data for all incidents matching a filter. |
| SERVAUTH | CEA.CEAPDWB.CEAPREPAREINCIDENT | IZUADMIN |
READ | Allow a user to prepare data for FTP (locate and compress/terse). |
| SERVAUTH | CEA.CEAPDWB.CEASETINCIDENTINFO | IZUADMIN |
READ | Allow a user to set information associated with the incident, such as the Notes field. |
| SERVAUTH | CEA.CEAPDWB.CEASETPROBLEMTRACKINGNUMBER | IZUADMIN |
READ | Allow a user to set a problem ID, such as a PMR number, or problem management tracking ID. |
| SERVAUTH | CEA.CEAPDWB.CEAUNSUPPRESSDUMP | IZUADMIN |
READ | Allow user to allow a dump that has been marked for suppression through DAE to be taken. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.INCIDENT_LOG.INCIDENT_LOG | IZUADMIN |
READ | Allow a user to access the Incident Log task. |
- The Incident Log plug-in requires the CIM server; thus, you must also create the authorizations described in Resource authorizations for Common Information Model.
- Users of the Incident Log plug-in must be authorized for resources that are accessed by the common event adapter (CEA) component of z/OS. IBM provides the CEASEC job in SYS1.SAMPLIB to help you create these authorizations. See Resource authorizations for common event adapter (CEA).
Resource authorizations for the ISPF plug-in
The ISPF plug-in requires access to local resources on your z/OS system. Table 18 describes the security requirements for the ISPF plug-in. The IZUISSEC job includes sample RACF commands for creating these authorizations.
| Resource class | Resource name | Who needs access? | Type of access required | Why |
|---|---|---|---|---|
| EJBROLE | <SAF-prefix>.IzuManagementFacilityISPF.izuUsers | IZUADMIN |
READ | Allow a user to connect to the ISPF task. |
| SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUADMIN |
READ | Allow a user to access the CEATSOREQUEST API so that the user’s session can be managed through the ISPF task. |
| SERVAUTH | CEA.CEATSO.TSOREQUEST | IZUSVR |
READ | Allow the z/OSMF server to access the CEATSOREQUEST API. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.ISPF.ISPF | IZUADMIN |
READ | Allow a user to access the ISPF task. |
Resource authorizations for the Resource Monitoring plug-in
The Resource Monitoring plug-in requires access to local resources on your z/OS system. Table 19 describes the security requirements for the Resource Monitoring plug-in. The generated REXX exec program, izuconfig1.cfg.rexx, includes sample RACF commands for creating these authorizations.
| Resource class | Resource name | Who needs access? | Type of access required | Why |
|---|---|---|---|---|
| EJBROLE | <SAF-prefix>.IzuManagementFacilityResourceMonitoring.izuUsers | IZUADMIN IZUUSER | READ | Allow a user to connect to the Resource Monitoring and System Status tasks. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.RESOURCE_MONITORING.PERFDESKS | IZUADMIN IZUUSER | READ | Allow a user to access the Resource Monitoring task. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.RESOURCE_MONITORING.OVERVIEW | IZUADMIN IZUUSER | READ | Allow a user to access the System Status task. |
Resource authorizations for the Software Deployment plug-in
The Software Deployment plug-in requires access to local resources on your z/OS system. Table 20 describes the security requirements for the plug-in. The IZUDMSEC job includes sample RACF commands for creating these authorizations.
| Resource class | Resource name | Who needs access? | Type of access required | Why |
|---|---|---|---|---|
| EJBROLE | <SAF-prefix>.IzuManagementFacilitySoftwareDeployment.izuUsers | IZUADMIN |
READ | Allow a user to connect to the Deployment task. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_ MANAGEMENT | IZUADMIN |
READ | Allow a user to access the Deployment task. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.SOFTWARE_
DEPLOYMENT.DATA.objectType.objectSuffix For information about possible values for objectType and objectSuffix, see Creating access controls for the Software Management task. |
IZUADMIN |
CONTROL | Allow a user to access the Deployment task objects. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.SOFTWARE_DEPLOYMENT.SOFTWARE_ MANAGEMENT.PRODUCT _INFO_FILE.RETRIEVE | IZUADMIN | READ | Allow a user to access the Deployment task Product Information File Retrieve function. |
Resource authorizations for the Workload Management plug-in
The Workload Management plug-in requires access to local resources on your z/OS system. Table 21 describes the security requirements for the plug-in. The IZUWMSEC job includes sample RACF commands for creating these authorizations.
| Resource class | Resource name | Who needs access? | Type of access required | Why |
|---|---|---|---|---|
| EJBROLE | <SAF-prefix>.IzuManagementFacilityWorkloadManagement.izuUsers | IZUADMIN |
READ | Allow a user to connect to the Workload Management task. |
| FACILITY | MVSADMIN.WLM.POLICY | IZUSVR | READ | Allow the z/OSMF server to access the WLM policies. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_ MANAGEMENT.VIEW | IZUADMIN |
READ | Allow a user to access the Workload Management View function. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_ MANAGEMENT.MODIFY | IZUADMIN | READ | Allow a user to access the Workload Management Modify function. |
| ZMFAPLA | <SAF-prefix>.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_ MANAGEMENT.INSTALL | IZUADMIN | READ | Allow a user to access the Workload Management Install function. |