Assigning security permissions to users
Assign the Zowe user IDs (ZWESVUSR and ZWESIUSR) and the ZWEADMIN security group the permissions they need to perform specific tasks. In addition, every TSO user ID that logs on to Zowe and uses Zowe services that depend on z/OSMF needs permission to access those z/OSMF services.
Overview of user categories and roles
Specific user IDs with sufficient permissions are required to run or access Zowe. Your organization's security administrator is responsible for defining the following user IDs and assigning their permissions during Zowe z/OS component configuration.
The following user IDs run Zowe:
- ZWESVUSR
  This is the started task ID of the Zowe runtime user, which runs most of the Zowe core components. To work with USS, this user ID must have a valid OMVS segment. For more information about OMVS segments, see the article The OMVS segment in user profiles in the IBM documentation. For detailed information about which permissions are required to run Zowe core services as well as specific individual components, see the Security Permissions Reference Table in this article.
- ZWESIUSR
  This user runs the cross memory server (ZIS). It is the started task ID under which the PROCLIB member ZWESISTC, which launches the cross memory server (ZIS), runs. This started task ID must also have a valid OMVS segment.
The security administrator also assigns permissions to the security group ZWEADMIN. ZWEADMIN is a group consisting of ZWESVUSR and ZWESIUSR. This group must have a valid OMVS segment.
Additionally, the security administrator assigns permissions to individual Zowe users. If z/OSMF is used for authentication and for serving REST APIs to Zowe CLI and Zowe Explorer users, the TSO user ID of each end user must belong to one or both of the groups IZUUSER or IZUADMIN.
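The definitions described above, carried through for RACF as an added example (these are not the page's or the Zowe project's own commands; ZWESECUR generates equivalent ones from its template). It assumes RACF is the ESM, that UID/GID values 990-992 are unused on the system, that the started task names are ZWESISTC (named on this page) and ZWESLSTC for the main server (an assumption), and that JSMITH is a hypothetical end-user ID. The LISTUSER/LISTGRP/RLIST commands at the end are the checks a practitioner runs to confirm the OMVS segments and started-task assignments actually took effect:

```tso
/* Added RACF example (not Zowe's ZWESECUR text). GID/UID values, the */
/* main-server STC name ZWESLSTC and the user ID JSMITH are assumptions. */

/* Group that both Zowe started-task users belong to; needs an OMVS GID */
ADDGROUP ZWEADMIN OMVS(GID(990)) DATA('ZOWE ADMINISTRATORS')

/* Protected (NOPASSWORD) started-task users, each with an OMVS segment */
ADDUSER ZWESVUSR NOPASSWORD DFLTGRP(ZWEADMIN) NAME('ZOWE SERVER') +
   OMVS(UID(991) HOME(/tmp) PROGRAM(/bin/sh))
ADDUSER ZWESIUSR NOPASSWORD DFLTGRP(ZWEADMIN) NAME('ZOWE ZIS SERVER') +
   OMVS(UID(992) HOME(/tmp) PROGRAM(/bin/sh))

/* Tie each started task to its user so STCs do not run as a default ID */
RDEFINE STARTED ZWESLSTC.* UACC(NONE) +
   STDATA(USER(ZWESVUSR) GROUP(ZWEADMIN) TRUSTED(NO))
RDEFINE STARTED ZWESISTC.* UACC(NONE) +
   STDATA(USER(ZWESIUSR) GROUP(ZWEADMIN) TRUSTED(NO))
SETROPTS RACLIST(STARTED) REFRESH

/* End user who will reach Zowe through z/OSMF (assumed ID JSMITH) */
CONNECT JSMITH GROUP(IZUUSER)

/* Checks: each must show an OMVS segment (UID/GID, HOME, PROGRAM);     */
/* "NO OMVS INFORMATION" means the segment is missing and USS will fail */
LISTUSER ZWESVUSR OMVS NORACF
LISTUSER ZWESIUSR OMVS NORACF
LISTGRP  ZWEADMIN OMVS NORACF
/* Confirm the STC-to-user mapping before starting the tasks */
RLIST STARTED ZWESLSTC.* STDATA
RLIST STARTED ZWESISTC.* STDATA
```

TRUSTED(NO) is deliberate: a trusted started task bypasses most resource checks, which would make the permissions in the reference table moot. From the USS shell, `id ZWESVUSR` is a quick second check that the OMVS segment resolves to a UID.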
Security Permissions Reference Table
The following reference table describes which permissions are required for the user ID ZWESVUSR to run Zowe core services and specific individual components.
If you already successfully ran the ZWESECUR JCL, either separately or by running the zwe init security command, you do not need to perform the steps described in this section. The TSO commands to create the user IDs and groups are executed by the JCL sections of ZWESECUR. For more information about the zwe init security command, see zwe init security.
Feature of a Zowe server-side component | Resource class | Resource name | Type of access required | Reason | Actions
---|---|---|---|---|---
Core | FACILITY | BPX.JOBNAME | READ | Allows z/OS address spaces for UNIX processes to be renamed for ease of identification. | Permits the Zowe main server to set the job name. Run the command that applies to your ESM (RACF, ACF2, or Top Secret).
API Mediation Layer certificate mapping | FACILITY | IRR.RUSERMAP | READ | Optional. Allows Zowe to map an X.509 client certificate to a z/OS identity. | Permits the Zowe main server to use the client certificate mapping service. Run the command that applies to your ESM (RACF, ACF2, or Top Secret).
API Mediation Layer identity mapping | FACILITY | IRR.IDIDMAP.QUERY | READ | Optional. Allows Zowe to map a distributed identity to a z/OS identity. | Permits the Zowe main server to use the distributed identity mapping service. Run the command that applies to your ESM (RACF or ACF2).
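The three FACILITY permissions in the table, written out per ESM as an added example (not the page's own command text and not a copy of ZWESECUR). Assumptions: the profiles are not yet defined at your site (if they are, skip the RDEFINE and only PERMIT, otherwise you may reset an existing profile's settings); the ACF2 site uses roles, so the rule grants to ROLE(ZWEADMIN), the group both Zowe users belong to (replace with a UID mask if roles are not in use); and for Top Secret the IBMFAC resource prefix is already owned by a department. The table lists no Top Secret action for IRR.IDIDMAP.QUERY, so none is shown here:

```tso
/* Added example, not Zowe's ZWESECUR JCL. Adjust to your site's ESM.   */

/* ---------- RACF ---------- */
/* UACC(NONE): nobody but the explicitly permitted ID gets access       */
RDEFINE FACILITY BPX.JOBNAME UACC(NONE)
PERMIT BPX.JOBNAME CLASS(FACILITY) ID(ZWESVUSR) ACCESS(READ)
/* Optional: client certificate to z/OS identity mapping                */
RDEFINE FACILITY IRR.RUSERMAP UACC(NONE)
PERMIT IRR.RUSERMAP CLASS(FACILITY) ID(ZWESVUSR) ACCESS(READ)
/* Optional: distributed identity to z/OS identity mapping              */
RDEFINE FACILITY IRR.IDIDMAP.QUERY UACC(NONE)
PERMIT IRR.IDIDMAP.QUERY CLASS(FACILITY) ID(ZWESVUSR) ACCESS(READ)
/* Nothing takes effect until the in-storage profiles are refreshed     */
SETROPTS RACLIST(FACILITY) REFRESH
/* Check: the access list should show ZWESVUSR with READ and UACC NONE  */
RLIST FACILITY BPX.JOBNAME AUTHUSER
RLIST FACILITY IRR.RUSERMAP AUTHUSER
RLIST FACILITY IRR.IDIDMAP.QUERY AUTHUSER

/* ---------- ACF2 (subcommands entered under the ACF command) -------- */
/* FACILITY class resources are type FAC; the key is the first qualifier */
SET RESOURCE(FAC)
RECKEY BPX ADD(JOBNAME SERVICE(READ) ROLE(ZWEADMIN) ALLOW)
RECKEY IRR ADD(RUSERMAP SERVICE(READ) ROLE(ZWEADMIN) ALLOW)
RECKEY IRR ADD(IDIDMAP.QUERY SERVICE(READ) ROLE(ZWEADMIN) ALLOW)
/* Operator (console) command, not TSO: rebuild the resident FAC rules  */
F ACF2,REBUILD(FAC)

/* ---------- Top Secret ---------- */
TSS PERMIT(ZWESVUSR) IBMFAC(BPX.JOBNAME) ACCESS(READ)
TSS PERMIT(ZWESVUSR) IBMFAC(IRR.RUSERMAP) ACCESS(READ)
/* Check: list every ACID permitted to the resource                     */
TSS WHOHAS IBMFAC(BPX.JOBNAME)
TSS WHOHAS IBMFAC(IRR.RUSERMAP)
```

The verification commands matter more than they look: a PERMIT that succeeded against a profile that was never RACLISTed, or an ACF2 rule added without the REBUILD, leaves the server failing with an authorization error at startup even though the commands returned cleanly.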