Sorry about the formatting
This one

IZUDFLT.IzuManagementFacilityWorkflow.izuUsers | Allow the user to connect to the Workflows task. | EJBROLE | IZUUSER IZUADMIN IZUSECAD | READ

_______________________________
Dave Jousma
Vice President | Director, Platform Engineering
Fifth Third Bank | 1830 East Paris Ave, SE | Grand Rapids, MI 49546

From: IBM Mainframe Discussion List <[email protected]> on behalf of Jousma, David <[email protected]>
Date: Thursday, May 7, 2026 at 3:20 PM
To: [email protected] <[email protected]>
Subject: Re: zOSMF security question

You might run the zOSMF security config assistant. You can plug in the ID you want to test, and it will tell you if access is there or not. The rules that pop up are mostly what you said, but the 4th one down isn’t on your list.

Resources for z/OSMF Workflows | Description | Class | Who needs the access | Required Access | Validated ID | Validation Result | Action
IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS | Allow the user to access the Workflows task. | ZMFAPLA | IZUUSER IZUADMIN | READ | | |
IZUDFLT.ZOSMF.WORKFLOW.ADMIN | Permit definitions for the Workflow administrator role. | ZMFAPLA | IZUADMIN | READ | | |
IZUDFLT.ZOSMF.WORKFLOW.EDITOR | Allow user to access the Workflow Editor task. | ZMFAPLA | IZUUSER IZUADMIN | READ | | |
IZUDFLT.IzuManagementFacilityWorkflow.izuUsers | Allow the user to connect to the Workflows task. | EJBROLE | IZUUSER IZUADMIN IZUSECAD | READ | | |
IZUDFLT.ZOSMF.WORKFLOW.RUNASUSER | Permit definitions for the Workflow RunAsUser role. | ZMFAPLA | IZUUSER | READ | | |
IZUDFLT.ZOSMF.WORKFLOW.SIGNER | Permit definitions for the Workflow Signer role. | ZMFAPLA | IZUADMIN | READ | | |

_______________________________
Dave Jousma
Vice President | Director, Platform Engineering
Fifth Third Bank | 1830 East Paris Ave, SE | Grand Rapids, MI 49546

From: IBM Mainframe Discussion List <[email protected]> on behalf of Pommier, Rex <[email protected]>
Date: Thursday, May 7, 2026 at 2:02 PM
To: [email protected] <[email protected]>
Subject: Re: zOSMF security question

Thanks, Jerry. Here's what I have for those profiles - imbedded - and I also have a backstop of IZUDFLT.** with UACC NONE and nobody in the user list.

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Edgington, Jerry
Sent: Thursday, May 7, 2026 12:36 PM
To: [email protected]
Subject: [EXTERNAL] Re: zOSMF security question

Rex,

There are many RACF profiles for z/OSMF in ZMFAPLA. My guess is the last one.

Jerry

IZUDFLT.ZOSMF.WORKFLOW.ADMIN                                        group not on access list
IZUDFLT.ZOSMF.WORKFLOW.EDITOR                                       group not on access list
IZUDFLT.ZOSMF.WORKFLOW.RUNASUSER                                    profile not defined
IZUDFLT.ZOSMF.WORKFLOW.SIGNER                                       profile not defined
IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS                                    group not on access list
IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.ENWRP         profile not defined
IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.INSTALL       group not on access list
IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.MODIFY        group not on access list
IZUDFLT.ZOSMF.WORKLOAD_MANAGEMENT.WORKLOAD_MANAGEMENT.VIEW          group not on access list

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Pommier, Rex
Sent: Thursday, May 7, 2026 1:31 PM
To: [email protected]
Subject: [EXTERNAL] zOSMF security question

Hey all,

I have a question that's bugging me with z/OSMF security. Background is I have a development manager who wants to access z/OSMF for front-ending ISPF. I created a new z/OSMF group with limited access. I was able to successfully remove the group from accessing software management and some of the other z/OSMF functions. However I also want to remove them from being able to access workflows. I found the profile IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS in the ZMFAPLA class and verified their group isn't in the access list and it has a UACC of none but they can still get into that item. I specifically added the group to the access list with access level of NONE but they can still get in. I did the SETROPTS refresh of the ZMFAPLA class. Any idea what I'm missing?

TIA

Rex

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN

This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.
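The cross-check discussed in the thread, as an added example that is not part of any message above: it parses the six assistant rows quoted in the thread and reports which required resources are missing from the list of profiles that was reviewed. That the reviewed profiles were all checked in ZMFAPLA is an assumption taken from the discussion; the function names are hypothetical.

```python
import re

# Rows as they appear, flattened, in the reply quoting the security
# configuration assistant (text copied from the thread).
ASSISTANT_ROWS = """\
IZUDFLT.ZOSMF.WORKFLOW.WORKFLOWS Allow the user to access the Workflows task. ZMFAPLA IZUUSER IZUADMIN READ
IZUDFLT.ZOSMF.WORKFLOW.ADMIN Permit definitions for the Workflow administrator role. ZMFAPLA IZUADMIN READ
IZUDFLT.ZOSMF.WORKFLOW.EDITOR Allow user to access the Workflow Editor task. ZMFAPLA IZUUSER IZUADMIN READ
IZUDFLT.IzuManagementFacilityWorkflow.izuUsers Allow the user to connect to the Workflows task. EJBROLE IZUUSER IZUADMIN IZUSECAD READ
IZUDFLT.ZOSMF.WORKFLOW.RUNASUSER Permit definitions for the Workflow RunAsUser role. ZMFAPLA IZUUSER READ
IZUDFLT.ZOSMF.WORKFLOW.SIGNER Permit definitions for the Workflow Signer role. ZMFAPLA IZUADMIN READ
"""

# WORKFLOW profiles annotated in the earlier reply; class is an assumption.
REVIEWED = {("ZMFAPLA", "IZUDFLT.ZOSMF.WORKFLOW." + s)
            for s in ("ADMIN", "EDITOR", "RUNASUSER", "SIGNER", "WORKFLOWS")}

# resource, free-text description, class, one or more IZU* groups, access level
ROW = re.compile(r"^(?P<resource>\S+)\s+(?P<desc>.+?)\s+(?P<cls>[A-Z]+)\s+"
                 r"(?P<groups>(?:IZU[A-Z]+\s+)+)(?P<access>[A-Z]+)$")

def parse_rows(text):
    """Split each flattened row back into its columns."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append({"class": m["cls"], "resource": m["resource"],
                     "groups": m["groups"].split(), "access": m["access"]})
    return rows

def unreviewed(rows, reviewed):
    """Required resources whose (class, profile) pair was never checked."""
    return [r for r in rows if (r["class"], r["resource"]) not in reviewed]

def classes_in_scope(rows):
    """Every SAF class that holds a profile the task depends on."""
    return sorted({r["class"] for r in rows})

if __name__ == "__main__":
    rows = parse_rows(ASSISTANT_ROWS)
    for r in unreviewed(rows, REVIEWED):
        print("not reviewed:", r["class"], r["resource"], r["groups"])
    print("classes in scope:", classes_in_scope(rows))
```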
