Hi Jay,

There are two different points here, the enabling of z/OSMF and its functions, and giving access to those functions.
It is important to enable the z/OSMF functions because they provide the REST APIs which are used by other things like Ansible automation and Zowe.

While it's true the sample security setup has just a couple groups (namely IZUADMIN and IZUUSER), this is just an example and does not need to be followed, nor is it a recommendation that every user have the same access. Each z/OSMF plugin can be authorized independently, allowing fine-grained separation of duties. The practice you've been following to tailor access based on need is certainly what the recommendation should be.

There may be some specific functions where wide access could be useful, for example the File and Dataset REST services would be needed for anyone using Zowe. This shouldn't be generalized to include the other services, in particular things like software management and z/OSMF settings.

I hope this helps explain why you'd be hearing that the plugins should be enabled, which is good advice. You're spot on questioning giving wide access to the plugins. Tailored access is the way to go.

David Shackelford
[email protected]
z/OSMF Architecture

On Wed, 5 Nov 2025 08:50:10 -0600, Jay Maynard <[email protected]> wrote:

>We have had a philosophical question about z/OSMF come up at our shop. We
>have Sirius contracted to do our system maintenance. Our approach to z/OSMF
>has been to enable and give access to modules as need arises, making sure
>to limit access to functions people need to do their jobs. This has always
>been considered good security practice.
>
>We're now getting told that "z/OSMF should not be done piecemeal", and that
>IBM and vendors are counting on it all to be there and enabled and keep
>processes supported for years to come, and that this should be done for all
>systems in our configuration.
>
>Who's right? What's the z/OSMF philosophy? Should we just turn on the world
>and give access to all of it or none, no in between?
>--
>Jay Maynard
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to [email protected] with the message: INFO IBM-MAIN
