Security Configuration Assistant task

You can use the Security Configuration Assistant task to verify that security is configured properly for the z/OSMF host system and its users. You can check the authorizations for z/OSMF itself, including the nucleus, core and optional services, and advanced configuration options. You can also check the security setup for other products on your system for which you have security descriptor files.

If you are a security administrator, you can fix missing authorizations for failed validations. In the Security Configuration Assistant task, you can verify the following areas of the security configuration on your system:
z/OSMF
Each of the following areas of z/OSMF security configuration is presented in a report format:
  • Security Configuration Assistant task
  • z/OSMF nucleus
  • z/OSMF services
  • z/OSMF advanced configuration options
Imported products
You can check the security configuration for external products on your z/OS system. This option requires that you obtain and install a security descriptor file from the product vendor. For more information, see Imported Products view.

To get started with the Security Configuration Assistant task, click the Security Configuration Assistant icon on the z/OSMF desktop.

Key features

The Security Configuration Assistant task:
  • Displays the security setup details in a graphical user interface (GUI).
  • Performs security checks on your setup and provides the results in an easy-to-read table format.
  • Lets you fix missing authorizations for failed validations.

As you progress through the security checks, you can rerun the Security Configuration Assistant to refresh the results.

Understanding the Security Configuration Assistant layout

The Security Configuration Assistant provides a visual framework for examining particular areas of your security configuration. The Security Configuration Assistant layout consists of tabbed sections and tabular reports that can be expanded or compressed, as needed. This framework provides a comprehensive perspective on your security setup.

With the addition of one or more security descriptor files, you can expand the coverage of the Security Configuration Assistant to include other products on your system. To do so, you require the product security descriptor file, which is typically provided by the product vendor.

Figure 1 depicts the layout of the Security Configuration Assistant interface, when it is used to inspect the z/OSMF security configuration.

Figure 1. Security Configuration Assistant interface layout. The figure shows the layout and significant areas of the Security Configuration Assistant user interface, when it is used to inspect the z/OSMF security configuration.
The following areas of the Security Configuration Assistant are highlighted in Figure 1:
  1. User ID or group ID for which security validation will be performed. Specify either a z/OS user ID or a RACF group ID. If you specify a group ID, the Security Configuration Assistant checks the RACF profiles that are defined to the group. Also, in the row of each validated security resource, an icon indicates whether the result is for a user ID or group ID.
  2. Select the verification view: z/OSMF or an external product. By default, the z/OSMF view is selected. To verify an external product, click the Imported Products view. To run the Security Configuration Assistant for an external product, you must first import the product security descriptor file into the Security Configuration Assistant. Typically, this file is provided by the product vendor.
  3. Click Validate all to run all possible validation checks for the specified user ID or group ID. This action refreshes the Security Configuration Assistant display to show the updated validation results.
  4. When it is used to inspect the z/OSMF security configuration, the Security Configuration Assistant organizes the validation results for the selected user or group into a set of tabbed areas: Security Configuration Assistant, Nucleus, Services, and Advanced Configuration. Click the tab for the area that you want to explore. When it is used to inspect the security configuration for an external product, the Security Configuration Assistant displays the validation results in a scrollable page with expandable areas.
  5. You can filter the display to show the enabled z/OSMF services only. This option is available only for the Services tab.
  6. To filter the display for the currently selected area to a particular type of validation result, select one or more of the following filters:
    Failed
      Shows only the failed authorizations.
    Manual
      Shows only the authorizations that must be created manually by your security administrator.
    Unknown
      Shows only the authorizations that cannot be checked by the Security Configuration Assistant.
  7. Detailed view of each resource that requires user authorization.
    If you selected the z/OSMF view, you can view the authorizations for a selected area of z/OSMF security, as follows:
    • In the Security Configuration Assistant tab, you can check the user's authorizations for the Security Configuration Assistant. To view the individual SAF resources that require user authorization, select and expand z/OSMF Security Configuration Assistant. The required authorizations are provided in the secondary tabbed area Automated.
    • In the Nucleus tab, you can check the user's authorizations to the z/OSMF base functions or nucleus. To view the individual SAF resources that require user authorization, select and expand z/OSMF Nucleus. The required authorizations are organized into the secondary tabbed areas Automated and Manual.
    • In the Services tab, you can check the user's authorizations to the z/OSMF services. To view the individual SAF resources that require user authorization, select and expand the service name. The required authorizations are provided in the secondary tabbed area Automated. To further limit the view to just the services that are enabled on the host system, select the option Show enabled services only.
    • In the Advanced Configuration tab, you can view details about the security structures that are needed for a multi-system or multi-sysplex environment. For example, this area shows the status for authorizations that are needed for establishing an auto-started server on your system.

    If you selected the Imported Products view, you can view the authorizations for one or more external products. To do so, you must first import the product security descriptor file into the Security Configuration Assistant. In the Imported Products tab, import the security descriptor file by using the Import action. Then, select and expand the product name to view the authorizations for the product.

  8. The validation status for the selected view is summarized in a bar chart (in Figure 1, the Services view is shown). Counts of each type of validation check are summarized in the bar chart. From left to right, the statistics are shown for the automated, configurable, and manual security setup steps.
    The following status values are possible:
    Passed
      Authorization that was created correctly.
    Failed
      Authorization that is missing or in error. Correcting such errors requires you to determine why the automated security was not performed.
    Unknown
      Authorization that cannot be checked by the Security Configuration Assistant. Check with your security administrator to determine whether this authorization was created on your system.
    Manual
      Authorization that must be created manually by your security administrator.

    A status of Unknown means that the Security Configuration Assistant cannot verify that the authorization is created. In such cases, your security administrator must verify that the authorization is created.

  9. Status of the validation checks for each authorization type: Automated, Configurable, and Manual. For information about resource profile names that include variable text, see Configurable resource names.
  10. Click the validate icon or select Action > Validate to run or repeat the validation checks for the selected resource. You might use this action iteratively as you resolve any authorization issues that are indicated by the Security Configuration Assistant.

    If a resource profile returns with a status value of Failed after validation, select Action > Review & Fix to correct the authorization issue. The Command tab displays the commands that are set to be run to define the specified resource profile and permit required access. Confirm the commands by clicking Submit.

Working with the Security Configuration Assistant task in multiple browsers or browser tabs concurrently might cause data inconsistencies. Work in only one session at a time. If any data inconsistencies occur, reopen the task.