In z/OSMF, the authorization of users to resources (tasks and links) is based on SAF resource validations for traditional z/OS security controls, such as user IDs and groups.
The ACF2 control statements to secure the z/OSMF resources are as follows:
ACF
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RZMF) ADD
F ACF2,REFRESH(INFODIR)
SET RESOURCE(ZMF)
RECKEY BBNBASE ADD(BBNBASE.ZOSMF.- USER(IZUUSER) -
SERVICE(READ) ALLOW)
RECKEY BBNBASE ADD(BBNBASE.ZOSMF.- USER(ZOSMFGRP) -
SERVICE(READ) ALLOW)
RECKEY BBNBASE ADD(BBNBASE.ZOSMF.LINK.- USER(IZUUSER) -
SERVICE(READ) ALLOW)
RECKEY BBNBASE ADD(BBNBASE.ZOSMF.LINK.- USER(ZOSMFGRP) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.SEND.IBM.FEEDBACK USER(IZUUSER) -
SERVICE(READ) ALLOW)
RECKEY IZUDFLT ADD(ZOSMF.SEND.IBM.FEEDBACK USER(IZUADMIN) -
SERVICE(READ) ALLOW)
*
* Or, if logonids IZUUSER and IZUADMIN belong to a system group (ACF2 ROLE).
* For example, logonid IZUUSER belongs to ROLE SYSROLU and
* logonid IZUADMIN belongs to ROLE SYSROLA:
* RECKEY IZUDFLT ADD(ZOSMF.SEND.IBM.FEEDBACK ROLE(SYSROLU) -
* SERVICE(READ) ALLOW)
* RECKEY IZUDFLT ADD(ZOSMF.SEND.IBM.FEEDBACK ROLE(SYSROLA) -
* SERVICE(READ) ALLOW)
F ACF2,REBUILD(ZMF)
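
To review statements like these before they are applied, the Python script below (an added example, not part of the original page or of any vendor tooling) joins continuation lines, skips `*` comment lines, and lists each grant, marking keys that end in the `-` mask. The sample input is constructed from the statements on this page; treating a trailing ` -` as a continuation and a key ending in `-` as a mask are assumptions based on how the statements are written here, and `parse_rules` and `masked_grants` are hypothetical helper names.

```python
import re

# Constructed sample, copied in the style of the statements on this page.
SAMPLE = """\
RECKEY IZUDFLT ADD(ZOSMF.SEND.IBM.FEEDBACK USER(IZUUSER) -
SERVICE(READ) ALLOW)
* RECKEY IZUDFLT ADD(ZOSMF.SEND.IBM.FEEDBACK ROLE(SYSROLU) -
* SERVICE(READ) ALLOW)
RECKEY BBNBASE ADD(BBNBASE.ZOSMF.LINK.- USER(ZOSMFGRP) -
SERVICE(READ) ALLOW)
F ACF2,REBUILD(ZMF)
"""

RULE = re.compile(
    r"RECKEY\s+(?P<reckey>\S+)\s+ADD\(\s*(?P<key>\S+)\s+"
    r"(?P<kind>USER|ROLE)\((?P<who>[^)]+)\)\s+"
    r"SERVICE\((?P<service>[^)]+)\)\s+(?P<action>\w+)\s*\)"
)

def logical_lines(text):
    """Drop '*' comment lines and join lines that end in ' -' (assumed continuation)."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if re.search(r"\s-$", line):          # trailing hyphen: statement continues
            pending += line[:-1].rstrip() + " "
            continue
        out.append(pending + line)
        pending = ""
    if pending:                               # dangling continuation at end of input
        out.append(pending.strip())
    return out

def parse_rules(text):
    """Return one dict per RECKEY ... ADD(...) entry; other commands are ignored."""
    rules = []
    for line in logical_lines(text):
        m = RULE.search(line)
        if m:
            rule = m.groupdict()
            rule["masked"] = rule["key"].endswith("-")  # key ends in the '-' mask
            rules.append(rule)
    return rules

def masked_grants(rules):
    """Entries whose key is masked, i.e. the grants with the widest reach to review."""
    return [(r["kind"], r["who"], r["reckey"], r["key"]) for r in rules if r["masked"]]

if __name__ == "__main__":
    for r in parse_rules(SAMPLE):
        print(r)
    print("masked:", masked_grants(parse_rules(SAMPLE)))
```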