Local user access control to TCP/IP resources using SAF
You can use System Authorization Facility (SAF) to control which z/OS® users can access specific TCP/IP resources, which protects against unauthorized user access to these resources.
You define SAF resource profiles in the SERVAUTH class to control access to the TCP/IP resources. After you define a SAF resource profile, a local user can access the associated TCP/IP resource if their user ID has at least READ access to the resource.
z/OS Communication Server programs call SAF to determine which users have access to protected resources. The user's credentials, a resource name, and a requested level of access (READ, UPDATE, and so on) are provided to SAF. SAF has three defined return codes:
- 0
- Permit
- 4
- No decision
- 8
- Deny
The following situations can result in a no-decision return code from SAF:
- The security server is not available.
- The resource class is not active.
- The named resource does not have a profile defined in the class.
When SAF returns a no-decision return code, the resource manager
decides whether to allow access. The No SAF decision column in Table 1 indicates the action that the resource
manager takes for each resource.
Table 1 summarizes the SERVAUTH resource
names that are used by TCP/IP.
| Function | Description | No SAF decision | SERVAUTH resource name |
|---|---|---|---|
| LOGSTR in any SAF logging (SMF type 80 records for RACF®) | |||
| Broadcast access control | Provides ability to control whether an application is permitted to set the SO_BROADCAST socket option needed to send broadcast datagrams | Permit | EZB.SOCKOPT.sysname.tcpname.SO_BROADCAST |
| TCPIP SOCKOPT ACCESS CHECK | |||
| CIM provider access control | Provides ability to restrict access to CIM data | Deny | EZB.CIMPROV.sysname.tcpname |
| TCPIP CIM PROVIDER CHECK | |||
| DCAS server access control | Controls ability to access DCAS server based on SAF user ID associated with TLS-authenticated X.509 client certificate | Permit | EZA.DCAS.cvtsysname |
|
DCAS SAFCERT CHECK FOR USER certuser or TCPIP EZACDRAU AUTH CHECK FOR EZA.DCAS.cvtsysname |
|||
| Fast Response Cache Accelerator (FRCA) Access Control | Provides ability of user to create FRCA cache (FRCA used by web servers for caching static web pages in the stack) | Deny, see result 1 | EZB.FRCAACCESS.sysname.tcpname |
| TCPIP FRCA ACCESS CHECK | |||
| FTP server access control | Controls ability to access FTP server based on SAF user ID used to log in | Permit | EZB.FTP.sysname.ftpdaemonname.PORTxxxxx |
| (none) | |||
| FTP SITE command control | Provides ability to restrict usage of SITE DUMP and DEBUG commands (commands generate large amount of output) | Permit | EZB.FTP.sysname.ftpdaemonname.SITE.DUMP
EZB.FTP.sysname.ftpdaemonname.SITE.DEBUG |
| (none) | |||
| FTP z/OS UNIX file system access control | Provides ability to generally restrict FTP user access to the z/OS UNIX file system | Permit | EZB.FTP.sysname.ftpdaemonname.ACCESS.HFS |
| (none) | |||
| ipsec command access control | Provides ability to control ipsec command usage | Deny | EZB.IPSECCMD.sysname.tcpname.command_type
EZB.IPSECCMD.sysname.DMD_GLOBAL.command_type |
|
TCPIP EZACDRAU AUTH CHECK FOR EZB.IPSECCMD.sysname.tcpname.command_type or TCPIP EZACDRAU AUTH CHECK FOR EZB.IPSECCMD.sysname.DMD_GLOBAL.command_type |
|||
| IPSec network management interface (NMI) access control for control requests (local) | Controls whether a user can issue NMI control requests to the local IKE daemon to manage IP filtering and IPSec function (for example, activate and deactivate requests) pertaining to a local TCP/IP stack | Deny | EZB.NETMGMT.sysname.tcpname.IPSEC.CONTROL |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.NETMGMT.sysname.tcpname.IPSEC.CONTROL | |||
| IPSec NMI access control for display requests (local) | Controls whether a user can issue NMI monitoring requests to the local IKE daemon to retrieve IP filtering and IPSec monitoring data pertaining to a local TCP/IP stack | Deny | EZB.NETMGMT.sysname.tcpname.IPSEC.DISPLAY |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.NETMGMT.sysname.tcpname.IPSEC.DISPLAY | |||
| IPSec NMI and ipsec command access control | Controls whether a user can issue:
|
Deny | EZB.NETMGMT.sysname.sysname.IKED.DISPLAY |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.NETMGMT.sysname.sysname.IKED.DISPLAY | |||
| IPSec NMI and ipsec command access control for control requests (remote) | Controls whether a user can issue:
|
Deny | EZB.NETMGMT.sysname.clientname.IPSEC.CONTROL |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.NETMGMT.sysname.clientname.IPSEC.CONTROL | |||
| IPSec NMI and ipsec command access control for display requests (remote) | Controls whether a user can issue:
|
Deny | EZB.NETMGMT.sysname.clientname.IPSEC.DISPLAY |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.NETMGMT.sysname.clientname.IPSEC.DISPLAY | |||
| IPv6 Advanced Socket API access control | Provides ability to control whether an application is permitted
to set IPv6 advanced socket API options: IPv6_NEXTHOP IPv6_TCLASS IPv6_RTHDR IPV6_HOPOPTS IPV6_DSPOPTS IPV6_RTHDRDSTOPT IPV6_PKTINFO IPV6_HOPLIMIT |
Deny, see result 2 | EZB.SOCKOPT.sysname.tcpname.IPV6_NEXTHOP
EZB.SOCKOPT.sysname.tcpname.IPV6_TCLASS EZB.SOCKOPT.sysname.tcpname.IPV6_RTHDR EZB.SOCKOPT.sysname.tcpname.IPV6_HOPOPTS EZB.SOCKOPT.sysname.tcpname.IPV6_DSTOPTS EZB.SOCKOPT.sysname.tcpname.IPV6_RTHDRDSTOPTS EZB.SOCKOPT.sysname.tcpname.IPV6_PKTINFO EZB.SOCKOPT.sysname.tcpname.IPV6_HOPLIMIT |
| TCPIP SOCKOPT ACCESS CHECK | |||
| Netstat command access control | Provides ability to restrict Netstat usage | Permit, see result 3 | EZB.NETSTAT.sysname.tcpname.netstat_option |
| TCPIP EZACDNET AUTH CHECK FOR EZB.NETSTAT.sysname.tcpname.netstat_option | |||
| Network security services (NSS) NMI and command access control | Controls whether a user can issue:
|
Deny | EZB.NETMGMT.sysname.sysname.NSS.DISPLAY |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.NETMGMT.sysname.sysname.NSS.DISPLAY | |||
| NSS server access control | Controls whether an NSS IPSec client can register with the NSS server for the NSS IPSec certificate service | Deny | EZB.NSS.sysname.clientname.IPSEC.CERT |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.NSS.sysname.clientname.IPSEC.CERT | |||
| NSS server access control | Controls whether an NSS IPSec client can register with the NSS server for the NSS IPSec remote management service | Deny | EZB.NSS.sysname.clientname.IPSEC.NETMGMT |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.NSS.sysname.clientname.IPSEC.NETMGMT | |||
| NSS server access control | Controls whether an NSS XMLAppliance client can register with the NSS server for the XMLAppliance SAFAccess service. | Deny | EZB.NSS.sysname.clientname.XMLAPPLIANCE.SAFACCESS |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.NSS.sysname.clientname.XMLAPPLIANCE.SAFACCESS | |||
| NSS server access control | Controls whether an NSS XMLAppliance client can register with the NSS server for the XMLAppliance certificate service. | Deny | EZB.NSS.sysname.clientname.XMLAPPLIANCE.CERT |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.NSS.sysname.clientname.XMLAPPLIANCE.CERT | |||
| NSS server access control | Controls whether an NSS XMLAppliance client can register with the NSS server for the XMLAppliance private key service. | Deny | EZB.NSS.sysname.clientname.XMLAPPLIANCE.PRIVKEY |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.NSS.sysname.clientname.XMLAPPLIANCE.PRIVKEY | |||
| NSS server certificate access control | Controls whether an NSS client can access a CERTAUTH certificate on the key ring of the NSS server | Deny | EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH | |||
| NSS server certificate access control | Controls whether an NSS client can access a PERSONAL or SITE certificate on the key ring of the NSS server | Deny | EZB.NSSCERT.sysname.mappedlabelname.HOST |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.NSSCERT.sysname.mappedlabelname.HOST | |||
| NSS server private key access control | Controls whether an NSS XMLAppliance client can access the private key for a certificate on the key ring of the NSS server | Deny | EZB.NSSCERT.sysname.mappedlabelname.PRIVKEY |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.NSSCERT.sysname.mappedlabelname.PRIVKEY | |||
| OSM access control | Controls ability to access the intranode management network using OSM interfaces | Deny | EZB.OSM.sysname.tcpname |
| TCPIP OSM ACCESS CHECK | |||
| Partner information ioctl access control | Controls whether an application can use the SIOCGPARTNERINFO ioctl to obtain partner security credentials within a sysplex or subplex over a trusted TCP connection | Deny | EZB.IOCTL.sysname.tcpprocname.PARTNERINFO |
| SIOCGPARTNERINFO | |||
| Policy Agent command control | Provides ability to restrict pasearch command, IKE daemon, policy clients, and nslapm2 usage by type | Deny | EZB.PAGENT.sysname.image.ptype |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.PAGENT.sysname.image.ptype | |||
| Real-time application-controlled TCP/IP trace NMI access control - Open request | Controls whether an application can invoke the NMI to open a trace; intended for network management applications | Deny | EZB.TRCCTL.sysname.tcpname.OPEN |
| TCPIP NETWORK MANAGEMENT | |||
| Real-time application-controlled TCP/IP trace NMI access control - Set filters | Controls whether an application can invoke the NMI to set filters for packet trace; intended for network management applications | Deny | EZB.TRCCTL.sysname.tcpname.PKTTRACE |
| TCPIP NETWORK MANAGEMENT | |||
| Real-time application-controlled TCP/IP trace NMI access control - Set filters | Controls whether an application can request IPSec cleartext data on a packet trace filter | Deny | EZB.TRCSEC.sysname.tcpname.IPSEC |
| TCPIP NETWORK MANAGEMENT | |||
| Real-time application-controlled TCP/IP trace NMI access control - Set filters | Controls whether an application can invoke the NMI to set filters for data trace; intended for network management applications | Deny | EZB.TRCCTL.sysname.tcpname.DATTRACE |
| TCPIP NETWORK MANAGEMENT | |||
| Real-time application-controlled TCP/IP trace NMI access control - Set filters | Controls whether an application can request AT-TLS cleartext data on a data trace filter | Deny | EZB.TRCSEC.sysname.tcpname.ATTLS |
| TCPIP NETWORK MANAGEMENT | |||
| Real-time OSAENTA information service access control | Provides ability to restrict access to select real-time OSAENTA packet trace records accessible using the OSAENTA information service; intended for network management applications | Deny, see result 4 | EZB.NETMGMT.sysname.tcpname.SYSTCPOT |
| TCPIP NETWORK MANAGEMENT | |||
| Real-time SMF information service access control | Provides ability to restrict access to select real-time SMF records accessible using the SMF information service; intended for network management applications | Deny, see result 4 | EZB.NETMGMT.sysname.tcpname.SYSTCPSM |
| TCPIP NETWORK MANAGEMENT | |||
| Real-time TCP connection information service access control | Provides ability to restrict access to the TCP connection information using TCP connection information service; intended for network management applications | Deny, see result 4 | EZB.NETMGMT.sysname.tcpname.SYSTCPCN |
| TCPIP NETWORK MANAGEMENT | |||
| Real-time TCP/IP packet trace service access control | Provides ability to restrict access to select real-time packet trace records accessible using the TCP/IP packet trace service; intended for network management applications | Deny, see result 4 | EZB.NETMGMT.sysname.tcpname.SYSTCPDA |
| TCPIP NETWORK MANAGEMENT | |||
| Real-time zERT connection detail service access control | Provides ability to restrict access to z/OS Encryption Readiness Technology information using the zERT connection detail service; intended for network management applications | Deny, see result 4 | EZB.NETMGMT.sysname.tcpname.SYSTCPER |
| TCPIP NETWORK MANAGEMENT | |||
| Real-time zERT summary service access control | Provides ability to restrict access to z/OS Encryption Readiness Technology information using the zERT summary service; intended for network management applications | Deny, see result 4 | EZB.NETMGMT.sysname.tcpname.SYSTCPES |
| TCPIP NETWORK MANAGEMENT | |||
| rpcbind access control | Provides ability to control whether an applications is permitted to register and unregister its port with rpcbind. | Deny | EZB.RPCBIND.sysname.rpcbindname.REGISTRY |
| (none) | |||
| SNMP agent control | Provides control over usage of SNMP subagents that connect to the SNMP agent by using a TCP connection | Permit | EZB.SNMPAGENT.sysname.tcpname |
| TCPIP EZACDRAU AUTH CHECK FOR EZB.SNMPAGENT.sysname.tcpname | |||
| TCP/IP local port access control | Controls user ability to bind to a non-ephemeral TCP or UDP port | Deny | EZB.PORTACCESS.sysname.tcpname.port_safname |
| TCPIP PORT ACCESS CHECK PORT portnum | |||
| TCP/IP netaccess access control | Controls local user inbound and outbound access to network resources, and local user access to local IP address when explicitly binding to local interface (or using job-specific or destination-specific source IP addresses) | Deny | EZB.NETACCESS.sysname.tcpname.zonename |
| TCPIP NETWORK ACCESS CHECK ipaddress | |||
| TCP/IP stack access control | Controls user ability to open a socket and get host name or host ID | Permit | EZB.STACKACCESS.sysname.tcpname |
| TCPIP STACK ACCESS CHECK | |||
| TCP/IP stack initialization access control | Controls ability of applications to open a socket before AT-TLS policy is loaded into the TCP/IP stack | Deny | EZB.INITSTACK.sysname.tcpname |
| TCPIP INIT STACK ACCESS CHECK | |||
| TN3270E Telnet server access control | Controls ability to access TN3270E Telnet server based on SAF user ID associated with TLS-authenticated X.509 client certificate | Deny | EZB.TN3270.sysname.tn3270name.PORTxxxxx |
| TN3270 SAFCERT CHECK FOR USER userid PORT portnum ON tn3270name | |||
| VIPARANGE access control for any VIPA range (bind) | Controls whether an application can create a DVIPA by binding to a DVIPA that is specified by any VIPARANGE statement | Permit | EZB.BINDDVIPARANGE.sysname.tcpname |
| TCPIP BINDDVIPA ACCESS CHECK | |||
| VIPARANGE access control for any VIPA range (MODDVIPA and ioctl) | Provides access control for all VIPARANGE statements, and
controls whether a user or application can perform the following tasks:
|
Deny, see result 5 | EZB.MODDVIPA.sysname.tcpname |
| TCPIP MODDVIPA or SIOCSVIPA(6) ACCESS CHECK | |||
| VIPARANGE access control for a specific VIPA range (bind) | Controls whether an application can create an application-specific DVIPA, by binding to a DVIPA that is specified by a VIPARANGE statement that includes the SAF parameter with the same value for resname. | Deny | EZB.BINDDVIPARANGE.sysname.tcpname.resname |
| TCPIP BINDDVIPA SAF ACCESS CHECK | |||
| VIPARANGE access control for a specific VIPA range (MODDVIPA and ioctl) | Provides access control for a specific VIPARANGE statement that
includes the SAF parameter with the same value for resname, and controls
whether a user or application can perform the following tasks:
|
Deny | EZB.MODDVIPA.sysname.tcpname.resname |
| TCPIP MODDVIPA or SIOCSVIPA(6) SAF ACCESS CHECK | |||
|
Results:
|
|||