David, thank you very much for the clear explanation! I've forwarded it internally and hope it will settle the argument.

Jay

On Thu, Nov 6, 2025 at 8:37 AM David Shackelford <[email protected]> wrote:

> Hi Jay,
>
> There are two different points here, the enabling of z/OSMF and its functions, and giving access to those functions.
>
> It is important to enable the z/OSMF functions because they provide the REST APIs which are used by other things like Ansible automation and Zowe. While it's true the sample security setup has just a couple groups (namely IZUADMIN and IZUUSER) this is just an example and does not need to be followed, nor is it a recommendation that every user have the same access.
>
> Each z/OSMF plugin can be authorized independently, allowing fine-grained separation of duties. The practice you've been following to tailor access based on need is certainly what the recommendation should be. There may be some specific functions where wide access could be useful, for example the File and Dataset REST services would be needed for anyone using Zowe. This shouldn't be generalized to include the other services, in particular things like software management and z/OSMF settings.
>
> I hope this helps explain why you'd be hearing that the plugins should be enabled, which is good advice. You're spot on questioning giving wide access to the plugins. Tailored access is the way to go.
>
> David Shackelford
> [email protected]
> z/OSMF Architecture
>
> On Wed, 5 Nov 2025 08:50:10 -0600, Jay Maynard <[email protected]> wrote:
>
> > We have had a philosophical question about z/OSMF come up at our shop. We have Sirius contracted to do our system maintenance. Our approach to z/OSMF has been to enable and give access to modules as need arises, making sure to limit access to functions people need to do their jobs. This has always been considered good security practice.
> >
> > We're now getting told that "z/OSMF should not be done piecemeal", and that IBM and vendors are counting on it all to be there and enabled and keep processes supported for years to come, and that this should be done for all systems in our configuration.
> >
> > Who's right? What's the z/OSMF philosophy? Should we just turn on the world and give access to all of it or none, no in between?
> > --
> > Jay Maynard
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to [email protected] with the message: INFO IBM-MAIN

--
Jay Maynard
