Lionel, that is exactly our problem too! The security aspect is so over the top that it seems damn near impossible. We too are a CA-TSS shop. Also, for clarity, the security that the actual STC needs is straightforward. It's configuring the user security I am talking about.

I've advocated with the IBM'ers responsible for development to see if they could provide an easier mechanism. What I want here at our shop is to set up role-based profiles, something like the following, that layer on additional privileges based on need:

- minimal access you get with IZUGUEST - options ok to see without being logged on
- general authenticated user
- app developers, those that might make "cloud" requests
- DBA - DB2 staff
- SYSPROG - my team
- ZOSMF Administrators - subset of my team

Then adding additional users would be a breeze. But we aren't even to this point yet. Compounding the issue is that ZOSMF required zOS components that we hadn't previously configured and turned on, like PFA, CIM, etc. That's our own fault, but it just adds to the load of configuring.

_________________________________________________________________
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
[email protected]
1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H
p 616.653.8429
f 616.653.2717

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Dyck, Lionel B. (TRA)
Sent: Friday, February 02, 2018 10:16 AM
To: [email protected]
Subject: Re: [EXTERNAL] Re: zOSMF - remove plug-in

The challenge is implementing the security rules so that this happens. We've been "fighting" for months to get the rules cleaned up, as when zOSMF was implemented 2+ years ago the rules were not implemented properly, so we are deleting and starting over.

I'm not a security person and we use CA Top Secret instead of RACF, but I can say that the rules look both overly cumbersome and completely convoluted.

--------------------------------------------------------------------------
Lionel B. Dyck <sdg><
Mainframe Systems Programmer - TRA

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Kurt Quackenbush
Sent: Friday, February 02, 2018 9:11 AM
To: [email protected]
Subject: [EXTERNAL] Re: zOSMF - remove plug-in

On 2/1/2018 3:30 PM, Jousma, David wrote:
> The way I understand it, the option in the left side bar does not show up, if
> you are not allowed to use it. However, I have not proven that out.

That is correct, if a user is not authorized to a particular z/OSMF task, then that task is not displayed in the navigation pane for that user.

Kurt Quackenbush -- IBM, SMP/E Development

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
