IBM z/OSMF

IBM z/OSMF

IBM z/OSMF

The IBM z/OS Management Facility framework improves programmer productivity by using simplified, streamlined and automated tasks. This easier-to-use functionality reduces both programmer training time and the learning curve.

 View Only

Security Provisioning using zOSMF

By ZHI LI posted Tue February 28, 2023 10:09 PM

  

Security Configuration Assistant (SCA) is a great tool to validate z/OSMF security. Security administrators might be wondering if it’s possible to get the security problems fixed directly in the SCA task. Now this has come true.

You might already be aware of leveraging SCA task to perform security checks. SCA is now enhanced to fix missing authorizations, and it is quite easy and secure! It is easy because you just need to click “Review&Fix” button to start an error fix process. The whole fixing process will only take you a few clicks. It is secure because unless you have the permission to run the fixing commands in 3270, nothing would be changed without security authorization.

Here are the steps to get a general security problem fixed in SCA.

On the z/OSMF SCA page, if a resource profile returns with a status value of Failed after validation, select Action > Review & Fix to correct the authorization issue.

You can fix the failed validation one by one or fix all the failed ones in a component at once.

Then you get a Command tab which displays the commands that are set to be run to define the specified resource profile and permit required access. Confirm the commands by clicking Submit.

Only the z/OS security administrator, for example, the SPECIAL user for RACF, can submit and fix eventually.

This great capability is also available for programming interface. It would be helpful to provision required security when deploying dev-ops environments.

This new REST service allows you to focus on security requirements that could be organized by product or function, instead of the need to understand complex command syntax and differences among various security products.

The security requirements can be specified directly in the HTTP request body or in a separate USS file. For either way, the format of requirements is in JSON which is easy to understand and code. Here is an example

{

  "resourceItems": [

    {

      "resourceProfile": "IZUDFLT.ZOSMF.CONFIGURATION.SECURITY_ASSISTANT",

      "resourceClass": "ZMFAPLA",

      "access": "READ"

    }

  ]

}

If the security requirements are described in the HTTP request body, post request should be sent to z/OSMF in below format

POST /zosmf/config/security/v1/provision?userid=<userid>

If the security requirements are described in a standalone USS file, post request will be like

POST /zosmf/config/security/v1/provision/descriptor?userid=<user-id>

And the HTTP request body should be replaced with the path of that USS file, for example:

{

  "path": "/tmp/example.json"

}

The SCA Provisioning REST APIs accept the above security requirements and then automatically validates if the target user or group (specified by <userid>) has access to the specified security requirements. If not, the API provision required security for you automatically and then returns results in HTTP response body like below:

{

  "resourceItems": [

    {

      "resourceProfile": "IZUDFLT.ZOSMF.CONFIGURATION.SECURITY_ASSISTANT",

      "resourceClass": "ZMFAPLA",

      "access": "READ",

      "actionObjectId": "zosmft1",

      "status": "passed",

      "action": "provision",

      "validatedId": "zosmft1"

    }

  ]

}

"provision" status means the described security requirement has been provisioned by this API calling.

Disclaimer: This document intends to represent the views of the author rather than IBM. Please contact the author lilzhi@cn.ibm.com instead of IBM service for any questions.

0 comments
6 views

Permalink

https://community.ibm.com/community/user/blogs/zhi-li1/2023/02/28/security-provisioning-using-zosmf