SDSF provides users with the ability to securely monitor and control their z/OS® systems. The information SDSF displays includes batch job output, UNIX System Services (USS) processes, started tasks, TSO user IDs, system configuration, printers, and other z/OS resources and components. With the deprecation of ISFPARMS security support for SDSF, SAF with an external security manager (ESM, RACF for example) is the only supported security method starting with z/OS V2R5. Every action a user can perform on each SDSF panel is protected by a SAF profile, most of them in the SDSF class and a few in other classes, and there are more than 400 of them. As SDSF continues to add new features, new profiles will be added as well.
As a security administrator, you might want to know which profiles have already been defined and how a specific user or group of users is authorized to them. IBM publishes the full list of profiles required for SDSF at https://www.ibm.com/docs/en/zos/2.5.0?topic=guide-racf-classes-profiles-that-protect-sdsf Printed on A4 paper, the list runs to 35 pages, and validating every profile by hand takes hours to days. Generic profiles simplify the job, but you still won't get it done in minutes unless you use the latest enhancement SDSF has made together with the z/OSMF Security Configuration Assistant (SCA).
The enhancement is delivered in SDSF APAR PH53477 and z/OSMF APAR PH48846. Once both APARs are installed, open the SCA task from the z/OSMF Desktop interface. Go to the "Imported Products" panel and click the "Import" button on the right. In the popup dialog, enter /usr/lpp/sdsf/sca and press Enter. SCA lists all the SDSF security definition JSON files shipped in PH53477. Then click the "Load" button.
SDSF Panel Access has the largest number of profiles, so I'll use it as the example. SCA lists every profile that needs to be checked for panel access.
You cannot validate these profiles directly, because you first have to tell SCA how the profiles are defined on your system. Each profile has one to three variables awaiting your input. Click the Action button of a profile; in the popup dialog, enter the value of the variable.
Many profiles share the same variable, so you don't need to enter the value for each one individually. Enable the option "Apply this value to all the resource names that contain same variables", and SCA assigns the value to all the other profiles in this SDSF category for you.
Now enter the user ID whose access you want to validate and click the Validate button; the whole validation completes in seconds. When you apply a new SDSF APAR that ships an updated JSON, you only need to close and reopen the SCA task; the updated JSON is loaded automatically, without restarting z/OSMF. Isn't that easy?
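To make the variable-substitution and validation steps concrete, here is an added Python example (not SCA, SDSF or RACF code, and not from the original post) that emulates the check offline: it applies one value of the subsystem variable to every panel-access template, finds the RACF profile that covers each resulting resource name, and reports the user's access. The resource names follow the documented SDSF panel-access profiles, but the <jesx> variable notation, the sample profiles and access lists, and the simplified generic-matching and access-list rules are this example's own assumptions.

```python
"""Offline emulation of the SCA-style check for SDSF panel access: fill the
variables in each profile template, find the RACF profile covering the
resource name, and report the user's access. Added example, not SCA or RACF
code; matching and access rules are a simplified RACF model (assumption)."""
import re
from dataclasses import dataclass, field

# Panel-access profiles in the SDSF class as templates. The names follow the
# SDSF panel profiles IBM documents; <jesx> is this example's own notation,
# not SCA's (assumption).
PANEL_TEMPLATES = {
    "DA":   "ISFCMD.DSP.ACTIVE.<jesx>",
    "I":    "ISFCMD.DSP.INPUT.<jesx>",
    "ST":   "ISFCMD.DSP.STATUS.<jesx>",
    "LOG":  "ISFCMD.ODSP.SYSLOG.<jesx>",
    "ULOG": "ISFCMD.ODSP.ULOG.<jesx>",
    "INIT": "ISFCMD.ODSP.INITIATOR.<jesx>",
}
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

@dataclass
class Profile:
    """A defined RACF profile: name (possibly generic), UACC and access list."""
    name: str
    uacc: str = "NONE"
    permits: dict = field(default_factory=dict)  # user or group -> access

def substitute(template, values):
    """Apply one set of variable values to a template. The same mapping is
    applied to every template, which is what SCA's 'apply this value to all
    the resource names' option does. A missing variable raises."""
    def repl(m):
        if m.group(1) not in values:
            raise KeyError(f"no value supplied for variable <{m.group(1)}>")
        return values[m.group(1)]
    return re.sub(r"<([A-Za-z0-9_]+)>", repl, template).upper()

def _qual_regex(qualifier):
    """One qualifier: % is one character, * zero or more, never a period."""
    return "".join(r"[^.]" if c == "%" else r"[^.]*" if c == "*" else re.escape(c)
                   for c in qualifier)

def generic_match(profile_quals, name_quals):
    """Simplified RACF generic matching (assumption): '**' as a qualifier
    matches zero or more qualifiers, '*' as a qualifier matches exactly one,
    and generic characters inside a qualifier stay inside that qualifier."""
    if not profile_quals:
        return not name_quals
    head, rest = profile_quals[0], profile_quals[1:]
    if head == "**":
        return any(generic_match(rest, name_quals[i:])
                   for i in range(len(name_quals) + 1))
    if not name_quals:
        return False
    if head == "*":
        return generic_match(rest, name_quals[1:])
    return (re.fullmatch(_qual_regex(head), name_quals[0]) is not None
            and generic_match(rest, name_quals[1:]))

def specificity(profile_name):
    """Rank so the most specific matching profile wins (heuristic):
    discrete > generic chars inside a qualifier > '*' > '**'."""
    def score(q):
        return 0 if q == "**" else 1 if q == "*" else 2 if set(q) & {"*", "%"} else 3
    return tuple(score(q) for q in profile_name.split("."))

def covering_profile(resource, profiles):
    matches = [p for p in profiles
               if generic_match(p.name.split("."), resource.split("."))]
    return max(matches, key=lambda p: specificity(p.name)) if matches else None

def access_for(user, groups, resource, profiles):
    """Return (access, profile name). A user entry on the access list wins
    over group entries, which win over UACC (simplified RACF order); a
    resource that no profile covers is reported, not guessed."""
    prof = covering_profile(resource, profiles)
    if prof is None:
        return ("NOT COVERED", None)
    if user in prof.permits:
        return (prof.permits[user], prof.name)
    group_access = [prof.permits[g] for g in groups if g in prof.permits]
    if group_access:
        return (max(group_access, key=ACCESS_ORDER.index), prof.name)
    return (prof.uacc, prof.name)

def validate_panels(user, groups, values, profiles, templates=PANEL_TEMPLATES):
    """One variable assignment, every panel in the category."""
    return {panel: access_for(user, groups, substitute(t, values), profiles)
            for panel, t in templates.items()}

# Constructed sample definitions, not taken from any real system.
SAMPLE_PROFILES = [
    Profile("ISFCMD.DSP.**", permits={"SDSFOPER": "READ"}),
    Profile("ISFCMD.DSP.ACTIVE.*", permits={"SDSFOPER": "READ", "USER01": "NONE"}),
    Profile("ISFCMD.ODSP.SYSLOG.**", uacc="READ"),
    Profile("ISFCMD.ODSP.ULOG.JES2", permits={"SDSFOPER": "READ"}),
]

if __name__ == "__main__":
    report = validate_panels("USER01", ["SDSFOPER"], {"jesx": "JES2"}, SAMPLE_PROFILES)
    for panel, (access, prof) in report.items():
        print(f"{panel:5} {access:12} via {prof}")
```

The two results worth noticing are DA, where an explicit NONE for the user on the more specific ISFCMD.DSP.ACTIVE.* profile overrides the READ the group gets from ISFCMD.DSP.**, and INIT, which no sample profile covers and is therefore reported as NOT COVERED instead of being assumed allowed or denied. On a real system the authoritative answer is what RACF returns, which is why SCA checks against the live ESM rather than a model like this one.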
If you are an application developer and your application also uses SAF profiles to protect user access, why not start writing a security definition JSON for your product? Many products have already delivered their JSONs, including DFSMS and SDSF. It will save the security administrators of your application plenty of time!
Learn more about Security Configuration Assistant here.
Disclaimer:
1. This document represents the views of the author rather than IBM.
2. The recommended solutions are not guaranteed; please contact the author at lilzhi@cn.ibm.com rather than IBM service with any questions.