Lionel, that is exactly our problem too! The security aspect is so over the 
top that it seems damn near impossible. We too are a CA-TSS shop. Also, for 
clarity, the security that the actual STC needs is straightforward. It's 
configuring the user security I am talking about.

I've advocated with the IBM'ers responsible for development to see if they 
could provide an easier mechanism. What I want here at our shop is to set up 
role-based profiles, something like the following, that layer on additional 
privileges based on need:

- minimal access you get with IZUGUEST - options ok to see without being logged 
on
- general authenticated user - app developers, those that might make "cloud" 
requests
- DBA - DB2 staff
- SYSPROG - my team
- ZOSMF Administrators - subset of my team

Then adding additional users would be a breeze.  But we aren’t even to this 
point yet.

Compounding the issue is that ZOSMF required zOS components that we hadn’t 
previously configured and turned on, like PFA, CIM, etc. That’s our own fault, 
but just adds to the load of configuring.
_________________________________________________________________
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Dyck, Lionel B. (TRA)
Sent: Friday, February 02, 2018 10:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: zOSMF - remove plug-in

**CAUTION EXTERNAL EMAIL**

**DO NOT open attachments or click on links from unknown senders or unexpected 
emails**

The challenge is implementing the security rules so that this happens. We've 
been "fighting" for months to get the rules cleaned up, as when zOSMF was 
implemented 2+ years ago the rules were not implemented properly, so we are 
deleting and starting over. I'm not a security person and we use CA Top Secret 
instead of RACF, but I can say that the rules look both overly cumbersome and 
completely convoluted.

--------------------------------------------------------------------------
Lionel B. Dyck <sdg><
Mainframe Systems Programmer - TRA


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Kurt Quackenbush
Sent: Friday, February 02, 2018 9:11 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: zOSMF - remove plug-in

On 2/1/2018 3:30 PM, Jousma, David wrote:
> The way I understand it, the option in the left side bar does not show up if 
> you are not allowed to use it.  However, I have not proven that out.

That is correct: if a user is not authorized to a particular z/OSMF task, then 
that task is not displayed in the navigation pane for that user.

Kurt Quackenbush -- IBM, SMP/E Development

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
