
How do I secure the z/OSMF ZMFAPLA resource?


Article ID: 17871


Updated On:

Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

In z/OSMF, the authorization of users to resources (tasks and links) is based on SAF resource validations for traditional z/OS security controls, such as user IDs and groups.

Environment

Release: ACF2..001AO-15-ACF2
Component:

Resolution

The ACF2 control statements to secure the z/OSMF resources are as follows:

 

ACF                           
SET CONTROL(GSO)                                                              
CHANGE INFODIR TYPES(R-RZMF) ADD                                              
F ACF2,REFRESH(INFODIR)                                                       
 
SET RESOURCE(ZMF)                                                      
RECKEY BBNBASE ADD(BBNBASE.ZOSMF.- USER(IZUUSER) -       
SERVICE(READ) ALLOW)                                                   
RECKEY BBNBASE ADD(BBNBASE.ZOSMF.- USER(ZOSMFGRP) -      
SERVICE(READ) ALLOW)                                                   
RECKEY BBNBASE ADD(BBNBASE.ZOSMF.LINK.- USER(IZUUSER) -  
SERVICE(READ) ALLOW)                                                   
RECKEY BBNBASE ADD(BBNBASE.ZOSMF.LINK.- USER(ZOSMFGRP) - 
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.SEND.IBM.FEEDBACK USER(IZUUSER) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.SEND.IBM.FEEDBACK USER(IZUADMIN) -
SERVICE(READ) ALLOW)
*
* Or, if logonids IZUUSER and IZUADMIN belong to a system's group (ACF2 ROLE),
* for example, logonid IZUUSER belongs to ROLE SYSROLU and
*              logonid IZUADMIN belongs to ROLE SYSROLA:
* RECKEY IZUDFLT ADD(ZOSMF.SEND.IBM.FEEDBACK ROLE(SYSROLU) -
* SERVICE(READ) ALLOW)
* RECKEY IZUDFLT ADD(ZOSMF.SEND.IBM.FEEDBACK ROLE(SYSROLA) -
* SERVICE(READ) ALLOW)
F ACF2,REBUILD(ZMF)
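
An added example, not part of the original article or of any vendor tooling: a Python pre-check for a statement batch like the one above. It joins lines continued with a trailing ` -` (as distinct from the `-` mask in `BBNBASE.ZOSMF.-`), skips `*` comment lines, lists who is granted what, and flags a batch whose INFODIR or REBUILD type differs from the SET RESOURCE type. The function names, and the reading of `R-RZMF` as `R-R` plus the type code, are assumptions.

```python
import re
# Constructed sample: a subset of the article's statements, embedded to run offline.
SAMPLE = """\
CHANGE INFODIR TYPES(R-RZMF) ADD
SET RESOURCE(ZMF)
RECKEY BBNBASE ADD(BBNBASE.ZOSMF.- USER(IZUUSER) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.SEND.IBM.FEEDBACK USER(IZUADMIN) -
SERVICE(READ) ALLOW)
* RECKEY IZUDFLT ADD(ZOSMF.SEND.IBM.FEEDBACK ROLE(SYSROLA) -
* SERVICE(READ) ALLOW)
F ACF2,REBUILD(ZMF)
"""

ENTRY = re.compile(r"RECKEY\s+(\S+)\s+ADD\(\s*(\S+)\s+(USER|ROLE|UID)\((\S+?)\)\s+"
                   r"SERVICE\(([^)]*)\)\s+(ALLOW|LOG|PREVENT)\s*\)$")

def logical_statements(text):
    """Skip '*' comment lines; join lines continued with a trailing ' -'."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if re.search(r"\s-$", line):   # continuation dash, not the mask dash in ZOSMF.-
            buf += line[:-1].rstrip() + " "
        else:
            out.append(buf + line)
            buf = ""
    return out + ([buf.strip()] if buf else [])

def audit(text):
    """Return (grants, problems) for one batch of statements."""
    grants, problems, seen = [], [], {}
    for st in logical_statements(text):
        for name, pat in (("set", r"SET\s+RESOURCE\((\w+)\)"),
                          ("infodir", r"INFODIR\s+TYPES\(R-R(\w+)\)"),  # assumed R-R<type>
                          ("rebuild", r"REBUILD\((\w+)\)")):
            if m := re.search(pat, st):
                seen[name] = m.group(1)
        if st.startswith("RECKEY"):
            m = ENTRY.match(st)
            if m:   # (key, entry, principal kind, principal, service, action)
                grants.append(m.groups())
            else:
                problems.append("unparsed rule entry: " + st)
    problems += [f"{n} type {seen.get(n)} != SET RESOURCE type {seen.get('set')}"
                 for n in ("infodir", "rebuild") if seen.get(n) != seen.get("set")]
    return grants, problems
```

`audit()` reports the key and rule entry exactly as written and does not evaluate ACF2 mask matching.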