Setting up security for the z/OSMF plug-ins
The authorization of users to z/OSMF functions (tasks and links) is based on traditional z/OS security controls, such as user IDs and groups, and SAF resource profiles. This topic describes the actions for setting up security for the z/OSMF tasks and links.
To perform work in z/OSMF, a user requires a valid user ID on the z/OS® host system and authorization to one or more z/OSMF tasks on that system. Your security administrator authorizes users to z/OSMF resources through your security management product, such as RACF. After the required plug-ins are added to your system and the associated security controls are established, a user can begin using z/OSMF to perform system management tasks.
IZUxxSEC jobs in SYS1.SAMPLIB
IBM provides a set of jobs in SYS1.SAMPLIB that contain RACF commands to help you set up security for the plug-ins. Each job represents a set of security profiles to be defined, based on the specific z/OSMF functions to be protected.
- IZUCASEC: Network Configuration Assistant
- IZUCPSEC: Capacity Provisioning
- IZUDMSEC: Software Deployment
- IZUGCSEC: z/OS Operator Consoles
- IZUILSEC: Incident Log
- IZUISSEC: ISPF
- IZUPRSEC: IBM Cloud Provisioning and Management for z/OS
- IZURMSEC: Resource Monitoring
- IZUSPSEC: Sysplex Management
- IZUWMSEC: Workload Management
- IZUNASEC: IBM z/OS Encryption Readiness Technology (zERT) Network Analyzer
Depending on which plug-ins you choose to enable, review the associated IZUxxSEC job to determine which security commands should be run for your installation.
SYS1.SAMPLIB also includes the IZUAUTH job, which your security administrator can use for authorizing user IDs to the z/OSMF plug-ins. Specifically, the job contains a number of CONNECT statements for connecting user IDs to the z/OSMF security groups.
Though the z/OS Operator Consoles task is a core function of z/OSMF, your security administrator must grant users access to it. IBM provides job IZUGCSEC in SYS1.SAMPLIB to assist you with performing these updates. The job contains RACF commands for creating the required security authorizations. For more information, see Security setup for the z/OS Operator Consoles task.