Managing security for links in z/OSMF

In z/OSMF, a link in the z/OSMF navigation area is treated as a resource. Your installation should determine whether access to a particular link is to be limited to certain users or be unrestricted. This topic describes the security considerations for managing links in z/OSMF.

Managing a link in z/OSMF involves the following steps:

Defining the link to z/OSMF through the Links task
Controlling access to the link through the ZMFAPLA resource class profile.

The z/OSMF configuration process defines a generic resource profile for links and permits groups to it. Specifically, links in z/OSMF are protected under the generic resource profile: <SAF-prefix>.ZOSMF.LINK.** where <SAF-prefix> is the SAF profile prefix that was defined for your configuration (IZUDFLT by default). z/OSMF permits the groups for z/OSMF users (IZUUSER) and z/OSMF administrators (IZUADMIN) to this profile. As a result, these users will be able to see all of the links in the navigation tree. z/OSMF does not, by default, permit the z/OS security administrator role to the ZOSMF.LINK** profile.

For more information about the Links task, see the online help.

Defining a link as a protected resource

Depending on your installation's security procedures, a link might require further protection through a discrete profile. When planning for new links, it is recommended that the z/OSMF Administrator work with the security administrator to determine whether a new link requires protection through a discrete profile.

In the Links task, the z/OSMF Administrator defines a link by specifying a name for the link and its URL. The Links task also includes a text entry window that requires the z/OSMF Administrator to further qualify the link resource name with a SAF resource name, which can be used if a discrete profile is required for the link. If so, the z/OSMF Administrator can provide this fully-qualified resource name to the security administrator to use to create the user authorizations for the link.

As an example, Figure 1 shows the RACF commands that a security administrator can use to define a discrete profile for a new link (the z/OS Basics Information Center web site) and permit a group (IZUUSER) to that link.

Figure 1. Example: Defining a link resource name and permitting a group to it

RDEFINE ZMFAPLA (IZUDFLT.ZOSMF.LINK.Z_OS_BASICS_INFORMATION_CENTER) UACC(NONE) 
PERMIT IZUDFLT.ZOSMF.LINK.Z_OS_BASICS_INFORMATION_CENTER CLASS(ZMFAPLA) ID(IZUUSER) ACC(READ)

If you change a link SAF resource name through the Links task, ensure that the new link resource name is adequately protected through a ZMFAPLA resource profile definition. You might need to create a new profile to properly secure the link.

Deleting an existing link will potentially require that your security administrator delete the discrete profile, if one is used to secure access to the link.