Jay, I would agree that the whole thing should be done, and IBM has made it much easier now with their security setup tool that is in ZOSMF where you can test and see each function for access based on a particular user. At my shop, we are foraging into ZOWE, which uses ZOSMF for authentication purposes. ZOWE is getting more and more intertwined with such things as VSCODE extensions used in DEVOPS, DB2 Unified Management Server, and others. Of course, there is Serverpac there now, Policy Agent config tool, etc. So now we have a lowest level profile that gives minimal access in ZOSMF, and then most other things are locked down to my team. We are working towards creating a few RACF GROUPS that we can lump users into with similar role requirements instead of a bunch of one-off permits.
_______________________________
Dave Jousma
Vice President | Director, Technology Engineering
Fifth Third Bank | 1830 East Paris Ave, SE | Grand Rapids, MI 49546

From: IBM Mainframe Discussion List <[email protected]> on behalf of Jay Maynard <[email protected]>
Date: Wednesday, November 5, 2025 at 9:50 AM
To: [email protected] <[email protected]>
Subject: z/OSMF philosophy: access to everything?

We have had a philosophical question about z/OSMF come up at our shop. We have Sirius contracted to do our system maintenance.

Our approach to z/OSMF has been to enable and give access to modules as need arises, making sure to limit access to functions people need to do their jobs. This has always been considered good security practice.

We're now getting told that "z/OSMF should not be done piecemeal", and that IBM and vendors are counting on it all to be there and enabled and keep processes supported for years to come, and that this should be done for all systems in our configuration.

Who's right? What's the z/OSMF philosophy? Should we just turn on the world and give access to all of it or none, no in between?

--
Jay Maynard

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
