Security and the System Authorization Facility (SAF)

If a SAF-compliant security package is installed on the z/OS® system on which zDMF is installed, you must make the appropriate modifications to the security package for zDMF to execute properly. Specifically, you should check profiles and/or command tables.

zDMF provides security by allowing you to validate authorization through the z/OS SAF interface. As a result, you can use any of the following SAF-compliant security products to ensure proper user authorization:

  • RACF®
  • CA-ACF2
  • CA-Top Secret
    Note: The zDMF Server requires SAF ALTER authorization for both the source and the target data sets, and for the catalogs containing source and target data set entries. In addition, authorization to the DASDVOL resource name may be required, as described in SAF authorizations, if your site's security policies currently use the DASDVOL resource name.

    Target data sets should be protected from all user access from the time they are allocated until the completion of the migration. It is recommended to select unique Target data set HLQs and to restrict access to these HLQs to the zDMF server to ensure that the Target data sets are not intentionally or unintentionally accessed or deleted during migration processing.

    Limiting access to the zDMF authorized library in order to prevent unauthorized use of the zDMF system may be accomplished through security packages. The user who applies the zDMF license with the GZDSOPT1 batch job must have UPDATE authority for the library pointed to by the GZDKEY DD statement. If you do not have UPDATE authority to the zDMF database, you can only perform some Manage Group functions in Option 1 of the TSO Monitor. For example, you cannot promote a group if you do not have UPDATE authority—the TSO Monitor will detect your lack of authorization, and will inform you of which commands you are able to issue. Refer to zDMF TSO Monitor - Option 1: Manage Groups and Security options.
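The authorizations described above, expressed as RACF commands (an added example, not taken from the zDMF documentation). All names are assumptions: ZDMFSRV is the user ID of the zDMF server, ZDMFTGT a unique target HLQ, PROD.PAYROLL the source data sets, UCAT.PROD and UCAT.ZDMFTGT the catalogs, ZDMF.GZDKEY.LIB the library on the GZDKEY DD, and LICADM the user who runs GZDSOPT1. It also assumes that enhanced generic naming (EGN) is active and that generic profiles for the source data sets, the catalogs and the key library already exist.

```racf
/* Unique target HLQ: define it as a group so it can own profiles   */
ADDGROUP ZDMFTGT SUPGROUP(SYS1) OWNER(SYS1)

/* Target data sets: no default access, from allocation onward      */
ADDSD  'ZDMFTGT.**' UACC(NONE) OWNER(ZDMFTGT)

/* Only the zDMF server gets ALTER on the target data sets          */
PERMIT 'ZDMFTGT.**' ID(ZDMFSRV) ACCESS(ALTER)

/* ALTER on the source data sets being migrated                     */
PERMIT 'PROD.PAYROLL.**' ID(ZDMFSRV) ACCESS(ALTER)

/* ALTER on the catalogs holding the source and target entries      */
PERMIT 'UCAT.PROD'    GENERIC ID(ZDMFSRV) ACCESS(ALTER)
PERMIT 'UCAT.ZDMFTGT' GENERIC ID(ZDMFSRV) ACCESS(ALTER)

/* License library (GZDKEY DD): UPDATE for the user running GZDSOPT1 */
PERMIT 'ZDMF.GZDKEY.LIB' GENERIC ID(LICADM) ACCESS(UPDATE)

/* Activate the changed generic profiles                            */
SETROPTS GENERIC(DATASET) REFRESH

/* Verify: the access list should show only ZDMFSRV with ALTER      */
LISTDSD DATASET('ZDMFTGT.**') AUTHUSER
```

Review the LISTDSD output before allocating any target data sets: an entry other than the server ID, or a UACC other than NONE, means the target data sets are reachable by other users during the migration.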

    Important: The security product you select must be compatible with RACF release 1.9 or higher.

    The following commands should be added to the CA-ACF2 Restricted Commands List; for more information on this topic, refer to the CA-ACF2 Systems Programmer Guide:

    Table 1. CA-ACF2 Restricted Commands List
    GZDCKRA    GZDMON     GZDXBRL
    GZDHMSG    GZDMONM    GZDXMAIN
    GZDID      GZDOPT     GZDXSYS
    GZDLVL     GZDPORT
    GZDMKEY    GZDPSET

    The zDMF Monitor uses the “RACROUTE REQUEST=AUTH,STATUS=ACCESS” macro. ACF2 users may experience S047 abends in module ACF9C000 if GZDCKRA is not authorized to issue this macro. The following SAFDEF example can be used as a guideline in providing the Monitor with access to security definitions:

    SAFDEF.GZD ID(GZDCKRA)
    FUNCRET(4)
    FUNCRSN(0)
    MODE(GLOBAL)
    NOAPFCHK
    PROGRAM(GZDCKRA)
    RACROUTE(REQUEST=AUTH)
    RB(GZDCKRA)
    RETCODE(4)

    For more information about this topic, refer to the CA-ACF2 Administrator Guide.