IBM Support

PI56621: NEW FUNCTION - z/OSMF Workflows Security.

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as new function.

Error description

  • Z/OSMF Workflows Security.

Local fix

  • N/A

Problem summary

  • ****************************************************************
* USERS AFFECTED: All users of IBM z/OSMF Workflows task,      *
*                 Version 2 Release 1 and Version 2 Release 2. *
****************************************************************
* PROBLEM DESCRIPTION: This APAR provides new functions        *
*                      in z/OSMF Version 2 Release 1 and       *
*                      Version 2 Release 2.                    *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
This APAR provides new functions in z/OSMF Version 2 Release 1
and Version 2 Release 2.

1. Access type is a new security control for workflows, which is
used to control what the user is permitted to see and modify in
various sections of the workflow. The access type is specified
by the workflow owner at workflow creation time.

The valid values for access type are summarized, as follows:

(1) Public:  Workflow information and step information can be
viewed by all users.

(2) Restricted: Workflow information and step information is
restricted to a subset of users-the workflow owner, step owners,
and step assignees. Other users cannot access this information.

(3) Private:  Workflow information is restricted to a subset of
users, and is further limited among these users.  Workflow
information is accessible to the workflow owner. The steps
information is accessible to the step owner and step assignees
for the particular step. Other users cannot access this
information.

2. When you specify an access type for a workflow, you control
user access to workflow notes and step notes. A workflow with a
public access type imposes no restrictions on who can view the
workflow notes and step notes. A workflow with a restricted or
private access type is more secure, and requires the user to be
a workflow owner, step owner, or step assignee to view or modify
notes. The notes data structure is changed from text box to a
table.

The effects of access type on user access to notes is described,
as follows:

(1) Public:  The workflow notes and step notes can be viewed by
all z/OSMF users. Only the workflow owner, step owners and step
assignees can modify the workflow notes.

(2) Restricted:  The workflow notes and step notes can be viewed
only by the workflow owner, step owners, and step assignees.
Only the workflow owner can modify workflow notes. The workflow
owner, step owner, or step assignees can view all of the step
notes.

(3) Private: The workflow owner can view all workflow notes and
step notes. Only the workflow owner can modify workflow notes.
The step notes can be viewed only by the step owner or step
assignees for the particular step.

3. A user having read access level on profile
IZUDFLT.ZOSMF.WORKFLOW.ADMIN can change the owner of any
workflow instances, even if they are not the owner of the
current workflow instance. Usually a user can be connected to
z/OSMF administrator security group in order to get the
permission.

4. Enhancements are made to the z/OSMF workflow services API, as
follows:

The following services are updated in support of the access
type:
Create workflow
Get workflow properties
List workflows

Problem conclusion

  • 



Temporary fix


    

  • 



Comments


    

  • -------------  ENHANCEMENTS  -------------
1. Access type is a new security control for workflows, which is
used to control what the user is permitted to see and modify in
various sections of the workflow. The access type is specified
by the workflow owner at workflow creation time.

The valid values for access type are summarized, as follows:

(1) Public:  Workflow information and step information can be
viewed by all users.

(2) Restricted: Workflow information and step information is
restricted to a subset of users-the workflow owner, step owners,
and step assignees. Other users cannot access this information.

(3) Private:  Workflow information is restricted to a subset of
users, and is further limited among these users.  Workflow
information is accessible to the workflow owner. The steps
information is accessible to the step owner and step assignees
for the particular step. Other users cannot access this
information.

2. When you specify an access type for a workflow, you control
user access to workflow notes and step notes. A workflow with a
public access type imposes no restrictions on who can view the
workflow notes and step notes. A workflow with a restricted or
private access type is more secure, and requires the user to be
a workflow owner, step owner, or step assignee to view or modify
notes. The notes data structure is changed from text box to a
table.

The effects of access type on user access to notes is described,
as follows:

(1) Public:  The workflow notes and step notes can be viewed by
all z/OSMF users. Only the workflow owner, step owners and step
assignees can modify the workflow notes.

(2) Restricted:  The workflow notes and step notes can be viewed
only by the workflow owner, step owners, and step assignees.
Only the workflow owner can modify workflow notes. The workflow
owner, step owner, or step assignees can view all of the step
notes.

(3) Private: The workflow owner can view all workflow notes and
step notes. Only the workflow owner can modify workflow notes.
The step notes can be viewed only by the step owner or step
assignees for the particular step.

3. A user having read access level on profile
IZUDFLT.ZOSMF.WORKFLOW.ADMIN can change the owner of any
workflow instances, even if they are not the owner of the
current workflow instance. Usually a user can be connected to
z/OSMF administrator security group in order to get the
permission.

With this APAR, workflow notes and step notes are changed to use
a new internal data format that is not compatible with the
previous format. Therefore, it is recommended that you save any
notes that you want to retain before you apply the PTF for this
APAR.

4. Enhancements are made to the z/OSMF workflow services API, as
follows:

The following services are updated in support of the access
type:
Create workflow
Get workflow properties
List workflows

-------- -----  DOCUMENTS UPDATES ------------------------------
The z/OSMF Programming Guide will be changed on March 25, 2016,
as follows:

In Chapter 1, the following services are updated in support
of the workflow access type:
Create workflow
Get workflow properties
List workflows

-------------  MESSAGE UPDATES  -------------------------------
The following messages have been added:
IZUWF0017W IZUWF0266I IZUWF00267I IZUWF0270W IZUWF0271E
IZUWF0272E IZUWF0280E IZUWF0281E IZUWF0282E IZUWF0283E
IZUWF0284E IZUWF0285E IZUWF0287E IZUWF5013W

    



APAR Information




    

  • APAR number
    PI56621
    • 

  • Reported component name
    Z/OSMF WORFKLOW
    • 

  • Reported component ID
    5655S2807
    • 

  • Reported release
    227
    • 

  • Status
    CLOSED  UR1
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    YesSpecatt / New Function / Xsystem
    • 

  • Submitted date
    2016-02-04
    • 

  • Closed date
    2016-03-15
    • 

  • Last modified date
    2016-04-05
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
PI56641 UI35926 UI35927
    

    • 



Modules/Macros


    

  • IZUWFAAA IZUWFBAA IZUWFBAB IZUWFBAC IZUWFBAD
IZUWFBAE IZUWFBAF IZUWFBAG IZUWFBAH IZUWFBAI IZUWFBAJ IZUWFBAK
IZUWFBAL IZUWFBAM IZUWFBAN IZUWFBAO IZUWFCAA IZUWFCAB IZUWFDAA
IZUWFDAB IZUWFDAC

    




Publications Referenced


SA32106600SC27842000   





Fix information


    

  • Fixed component name
    Z/OSMF WORFKLOW
    • 

  • Fixed component ID
    5655S2807
    • 



Applicable component levels


    

  • R217  PSY  UI35926
       UP16/03/18  P  F603
    • 

  • R227  PSY  UI35927
       UP16/03/18  P  F603
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":null,"label":null},"Product":{"code":"SG19O","label":"APARs - MVS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"227","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"227","Edition":"","Line of Business":{"code":"","label":""}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            05 April 2016
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback