Rex, There are many RACF profiles for z/OSMF in ZMFAPLA. My guess is the last one.
Jerry IZUDFLT.ZOSMF.WORKFLOW.ADMIN IZUDFLT.ZOSMF.WORKFLOW.EDITOR IZUDFLT.ZOSMF.WORKFLOW.RUNASUSER IZUDFLT.ZOSMF.WORKFLOW.SIGNER IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.ENWRP IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.INSTALL IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.MODIFY IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.VIEW -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Pommier, Rex Sent: Thursday, May 7, 2026 1:31 PM To: [email protected] Subject: [EXTERNAL] zOSMF security question Hey all, I have a question that's bugging me with z/OSMF security. Background is I have a development manager who wants to access z/OSMF for front-ending ISPF. I created a new z/OSMF group with limited access. I was able to successfully remove the group from accessing software management and some of the other z/OSMF functions. However I also want to remove them from being able to access workflows. I found the profile IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS in the ZMFAPLA class and verified their group isn't in the access list and it has a UACC of none but they can still get into that item. I specifically added the group to the access list with access level of NONE but they can still get in. I did the SETROPTS refresh of the ZMFAPLA class. Any idea what I'm missing? TIA Rex ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
