zERT | Best practices: Sorting out the different z/OS user IDs involved with the zERT Network Analyzer
Fri April 03, 2020 02:46 AM
With z/OS Encryption Readiness Technology (zERT), you are now able to discover and analyze the status of the network cryptographic protection of your z/OS TCP and Enterprise Extender workloads. If you have adopted zERT, you might already be familiar with IBM zERT Network Analyzer which makes it easy for you to query and analyze the data that zERT provides.
Based on some recent discussions we've had, there seems to be some confusion over the different z/OS user IDs involved with the zERT Network Analyzer, and which SAF permissions each one requires. This blog entry will hopefully clear up that confusion.
There are three different types of z/OS user IDs involved with the zERT Network Analyzer.
z/OSMF server’s user ID
This is the z/OSMF started task user ID (the user ID under which z/OSMF and the zERT Network Analyzer plug-in execute). When the network analyzer imports SMF data from SMF dump data sets, it is running under the z/OSMF user ID. Because of this, the network analyzer requires the z/OSMF user ID to have one permission beyond those required by z/OSMF itself.
The z/OSMF user ID must have READ access to the SMF dump data sets from which the network analyzer imports zERT SMF records.
zERT Network Analyzer end-user user IDs
These are the user IDs that log into the zERT Network Analyzer plug-in to use the functions of the network analyzer.
Any user ID that needs to log into the zERT Network Analyzer plug-in must have the appropriate SAF permission to access the plug-in.
The zERT Network Analyzer end-user user IDs must have proper access to a couple of different SAF resources. See the IZUNASEC sample in "setting up security for the z/OSMF plug-ins" for details on how to permit this access via SAF group IZUZNA.
It is also important to note that when a network analyzer user exports the results of a network analyzer query, the export operation is performed under the logged-in user's user ID instead of the z/OSMF user ID. This way, the zERT Network Analyzer ensures that export files written to the z/OS Unix file system will be written according to the logged-in user's z/OS Unix credentials.
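The two SAF grants described so far, sketched as an added REXX exec (not part of the original post and not the IZUNASEC sample). It assumes RACF is the SAF security product and that group IZUZNA has already been defined; IZUSVR, the data set profile name and the end-user ID are placeholder values to replace with your own.

```rexx
/* REXX - added example; assumes RACF is the SAF security product      */
/* All three values below are placeholders, not taken from the post    */
zosmf_id = 'IZUSVR'             /* z/OSMF started task user ID (assumed) */
smf_prof = "'SMFDUMP.ZERT.**'"  /* hypothetical profile for SMF dump data sets */
zna_user = 'NETSEC1'            /* hypothetical network analyzer end user */

Address TSO

/* 1. z/OSMF server's user ID: READ, and no higher, on the dump data sets */
"PERMIT" smf_prof "ID("zosmf_id") ACCESS(READ)"
if rc <> 0 then call fail 'PERMIT'

/* 2. End user: plug-in access comes from membership in group IZUZNA */
"CONNECT ("zna_user") GROUP(IZUZNA)"
if rc <> 0 then call fail 'CONNECT'

/* 3. Make the changed generic data set profile effective */
"SETROPTS GENERIC(DATASET) REFRESH"
if rc <> 0 then call fail 'SETROPTS'

/* 4. Review the result: the access list should show the z/OSMF user   */
/*    ID with READ only, and the group should list the intended users  */
"LISTDSD DATASET("smf_prof") AUTHUSER"
"LISTGRP IZUZNA"
exit 0

fail:
  say arg(1) 'failed, rc='rc
  exit 8
```

Because exports run under the logged-in user's ID, the z/OSMF user ID needs no extra z/OS UNIX file permissions for them; review the end users' own file system access instead.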
zERT Network Analyzer database user ID
This is a separate, dedicated user ID that the zERT Network Analyzer uses to connect to the Db2 for z/OS database. All the zERT Network Analyzer database operations are executed under this user ID, including queries, insertions, and deletions. This user ID is configured on the zERT Network Analyzer Database Settings panel and must have the appropriate set of permissions to perform the database operations that the network analyzer requires.
Create a separate, dedicated user ID for this purpose.
Required Db2 privileges:
Before you start
the zERT Network Analyzer
MUST provide t
to ensure proper operation
various network analyzer
INSERT, SELECT, UPDATE, DELETE privileges for the following tables (or to the tables upon which these names are defined as ALIASes, depending on how your DBA chooses to set up the zERT Network Analyzer database):
About the authors
Chris Meyer is the network security architect for z/OS and an IBM senior technical staff member.
Joshua Bennetone is the lead developer for the zERT Network Analyzer.
Copyright 2019 IBM Z and LinuxONE Community. All rights reserved.