Security concepts in z/OSMF

As with other z/OS products and subsystems, security in z/OSMF is based on the concepts of user authentication and user authorization. User authentication occurs when a user attempts to log in to a system and the system's security management function examines the user's permission to do so. For z/OSMF, authentication occurs when the user attempts to log in to z/OSMF through a web browser. To log in, the user displays the z/OSMF Welcome page in the browser and enters a z/OS user ID and password in the appropriate input fields. The login request is verified by the z/OS host system's security management product (for example, RACF) through the SAF interface. This processing ensures that the user ID is known to the z/OS system and that the password is valid.

Besides the ability to authenticate, a would-be z/OSMF user requires:
  • The ability to log in to TSO/E. That is, a TSO segment must be defined for the user ID in the installation's security management product. This authority allows z/OSMF to make use of TSO/E services on behalf of the user.
  • Authorization to one or more z/OSMF resources (tasks and links), which is necessary before the user can do useful work in z/OSMF (Figure 1).
Figure 1. User authorizations in z/OSMF

Establishing security in z/OSMF will require the help of your security administrator. This person is responsible for ensuring that users and resources are defined in accordance with the security policies in use at your installation. This work includes running security commands to protect z/OSMF resources (tasks) and authorizing users to these resources.

Help with setting up security

To help with setting up security, z/OSMF includes sample jobs with RACF commands for your installation. The jobs are provided as members in data set SIZUJCL, which is created when you install z/OSMF using SMP/E. Your security administrator can edit and run the sample jobs to secure various resources on the z/OS system. It is assumed that your security administrator has a user ID with the RACF SPECIAL attribute. Also, your security administrator can use the IZUAUTH job in SIZUJCL to create user authorizations for the optional plug-ins. If your installation uses a security management product other than RACF, your security administrator can refer to the SIZUJCL jobs for examples when creating equivalent commands for the security management product on your system.

z/OSMF also includes options for managing the access of guest users, that is, users who enter z/OSMF without authorization to tasks. Depending on how a guest user enters z/OSMF, the user is considered either authenticated or non-authenticated. A non-authenticated guest is a user who has displayed the Welcome page, but has not logged in. An authenticated guest has logged in, but has not been granted authority to z/OSMF tasks.

z/OSMF does not support multilevel security

If the z/OSMF server is running in a multilevel secure (MLS) z/OS system, some z/OSMF functions might fail to work properly. The failures can occur because z/OSMF does not assign a SECLABEL to its started task address space. As a result, the functions that use inter-address space communication might fail because of a SECLABEL mismatch. For example, a failure can occur in the ISPF task because it starts a TSO address space with the SECLABEL of the current z/OSMF user. Other z/OSMF functions that might fail include the z/OS® data set and file REST interface and the TSO/E address space services.