Setting up security for the z/OSMF plug-ins

The authorization of users to z/OSMF functions (tasks and links) is based on traditional z/OS security controls, such as user IDs and groups, and SAF resource profiles. This topic describes the actions for setting up security for the z/OSMF tasks and links.

To perform work in z/OSMF, a user requires a valid user ID on the z/OS® host system and authorization to one or more z/OSMF tasks on that system. Your security administrator authorizes users to z/OSMF resources through your security management product, such as RACF. After the required plug-ins are added to your system and the associated security controls are established, a user can begin using z/OSMF to perform system management tasks.

IZUxxSEC jobs in SYS1.SAMPLIB

IBM provides a set of jobs in SYS1.SAMPLIB that contain RACF commands to help you set up these security controls. Each job represents a set of security profiles to be defined, based on the specific z/OSMF functions to be protected.

Each of the following IZUxxSEC jobs is associated with a z/OSMF plug-in:
IZUCASEC: Network Configuration Assistant
IZUCPSEC: Capacity Provisioning
IZUDMSEC: Software Deployment
IZUGCSEC: z/OS Operator Consoles
IZUILSEC: Incident Log
IZUISSEC: ISPF
IZUPRSEC: IBM Cloud Provisioning and Management for z/OS
IZURMSEC: Resource Monitoring
IZUSPSEC: Sysplex Management
IZUWMSEC: Workload Management
IZUNASEC: IBM z/OS Encryption Readiness Technology (zERT) Network Analyzer

Depending on which plug-ins you choose to enable, review the associated IZUxxSEC job to determine which security commands should be run for your installation.

SYS1.SAMPLIB also includes the IZUAUTH job, which your security administrator can use for authorizing user IDs to the z/OSMF plug-ins. Specifically, the job contains a number of CONNECT statements for connecting user IDs to the z/OSMF security groups.

Though the z/OS Operator Consoles task is a core function of z/OSMF, your security administrator must grant users access to it. IBM provides job IZUGCSEC in SYS1.SAMPLIB to assist you with performing these updates. The job contains RACF commands for creating the required security authorizations. For more information, see Security setup for the z/OS Operator Consoles task.