Rex, Looks like you have things covered. One other thing to check and that is the 'default' z/OSMF groups. See if the UserID is connect to any of these groups:
Here are the default ones: IZUACCT z/OSMF ACCTNUM IZUADMIN z/OSMF Admin Group IZUFPROC z/OSMF TSO procedure IZUSECAD z/OSMF Security Admin Group IZUUNGRP z/OSMF Undefined User Group IZUUSER z/OSMF User Group The last thing that comes to mind, is to make sure you refreshed the GENERIC and RACLIST for the profile. If that doesn't resolve it, then here is the list of SYS1.SAMPLIB member and their function. It might help. IZUNUSEC z/OSMF Nucleus basic IZUNFSEC z/OSMF Notifications IZURFSEC z/OSMF data set and file REST IZURJSEC z/OSMF Jobs REST IZUSWSEC z/OSMF Support Swagger Document IZUTSSEC z/OSMF TSO/E address space IZUTLSEC z/OSMF AT-TLS security IZUICSEC z/OSMF hardware crypto (ICSF) IZUAUTH z/OSMF authorize user IZUASSEC z/OSMF AUTOSTART function IZUSKSEC z/OSMF key ring and certificate IZUAISEC z/OSMF AI Control Interface IZUATSEC z/OSMF Administrator tasks IZUCASEC z/OSMF Network Configuration Assistant IZUCPSEC z/OSMF Capacity Provisioning IZUDCSEC z/OSMF Discover CPC IZUDMSEC z/OSMF Software Management IZUGCSEC z/OSMF Oerator Consoles IZUILSEC z/OSMF Incident Log IZUISSEC z/OSMF ISPF IZUMSSEC z/OSMF Management Services Catalog IZUNASEC z/OSMF zERT Network Analyzer IZUPMSEC z/OSMF Parmlib Management IZUPRSEC z/OSMF Cloud Provisioning IZURHSEC z/OSMF RTD(Runtime Diagnostics) IZURMSEC z/OSMF Resource Monitoring IZUSASEC z/OSMF Security Configuration Assistant IZUSEC z/OSMF default security IZUSGSEC z/OSMF Storage Management IZUSPSEC z/OSMF Sysplex Management task IZUSTSEC z/OSMF settings IZUSVSEC z/OSMF System Variables Service IZUWFSEC zOSMF Workflows IZUWMSEC z/OSMF Workload Management -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Pommier, Rex Sent: Thursday, May 7, 2026 2:01 PM To: [email protected] Subject: [EXTERNAL] Re: zOSMF security question Thanks, Jerry. Here's what I have for those profiles - imbedded - and I also have a backstop of IZUDFLT.** with UACC NONE and nobody in the user list. -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Edgington, Jerry Sent: Thursday, May 7, 2026 12:36 PM To: [email protected] Subject: [EXTERNAL] Re: zOSMF security question Rex, There are many RACF profiles for z/OSMF in ZMFAPLA. My guess is the last one. Jerry IZUDFLT.ZOSMF.WORKFLOW.ADMIN group not on access list IZUDFLT.ZOSMF.WORKFLOW.EDITOR group not on access list IZUDFLT.ZOSMF.WORKFLOW.RUNASUSER profile not defined IZUDFLT.ZOSMF.WORKFLOW.SIGNER profile not defined IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS group not on access list IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.ENWRP profile not defined IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.INSTALL group not on access list IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.MODIFY group not on access list IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.VIEW group not on access list -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Pommier, Rex Sent: Thursday, May 7, 2026 1:31 PM To: [email protected] Subject: [EXTERNAL] zOSMF security question Hey all, I have a question that's bugging me with z/OSMF security. Background is I have a development manager who wants to access z/OSMF for front-ending ISPF. I created a new z/OSMF group with limited access. I was able to successfully remove the group from accessing software management and some of the other z/OSMF functions. However I also want to remove them from being able to access workflows. I found the profile IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS in the ZMFAPLA class and verified their group isn't in the access list and it has a UACC of none but they can still get into that item. I specifically added the group to the access list with access level of NONE but they can still get in. I did the SETROPTS refresh of the ZMFAPLA class. Any idea what I'm missing? TIA Rex ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
