Skip to main content
Version: v2.18.x

Assigning security permissions to users

Assigning security permissions to users

Assign users (ZWESVUSR and ZWESIUSR) and the ZWEADMIN security group permissions required to perform specific tasks. Each TSO user ID that logs on to Zowe and uses Zowe services that use z/OSMF requires permission to access these z/OSMF services.

Required roles: security administrator

Overview of user categories and roles

Specific user IDs with sufficient permissions are required to run or access Zowe. Your organization's security administrator is responsible to assign the following user IDs during Zowe z/OS component configuration.

The following user IDs run Zowe:

  • ZWESVUSR
    This is the started task ID of the Zowe runtime user who runs most of the Zowe core components. To work with USS, this user ID must have a valid OMVS segment. For more information about OMVS segments, see the article The OMVS segment in user profiles in the IBM documentation. For detailed information about which permissions are required to run Zowe core services as well as specific individual components, see the Security Permissions Reference Table in this article.
  • ZWESIUSR
    This user runs the cross memory server (ZIS). This is a started task ID used to run the PROCLIB ZWESISTC that launches the cross memory server (ZIS). This started task ID must have a valid OMVS segment.

The security administrator also assigns permissions to the security group ZWEADMIN. ZWEADMIN is a group consisting of ZWESVUSR and ZWESIUSR. This group must have a valid OMVS segment.

Additionally, the security administrator assigns permissions to individual Zowe users. If z/OSMF is used for authentication and serving REST APIs for Zowe CLI and Zowe Explorer users, the TSO user ID for end users must belong to one or both of the groups IZUUSER or IZUADMIN.

Security Permissions Reference Table

The following reference table describes which permissions are required for the user ID ZWESVUSR to run Zowe core services and specific individual components.

If you already successfully ran the ZWESECUR JCL either separately or by running the zwe init security command, you do not need to perform the steps described in this section. The TSO commands to create the user IDs and groups are executed during the JCL sections of ZWESECUR. For more information about the zwe init security command, see zwe init security.

Feature of a Zowe server-side componentResource classResource nameType of access requiredReasonActions
CoreFACILITYBPX.JOBNAMEREADAllow z/OS address spaces for unix processes to be renamed for ease of identification.This parameter permits the Zowe main server to set the job name. Run the command that applies to your ESM.
RACF
ACF2
Top Secret
API Mediation Layer certificate mappingFACILITYIRR.RUSERMAPREADOptional Allow Zowe to map an X.509 client certificate to a z/OS identity.This parameter permits the Zowe main server to use the client certificate mapping service. Run the command that applies to your ESM.
RACF
ACF2
Top Secret
API Mediation Layer identity mappingFACILITYIRR.IDIDMAP.QUERYREADOptional Allow Zowe to map a distributed identity to a z/OS identity.This parameter permits the Zowe main server to use distributed identity mapping service. Run the command that applies to your ESM.
RACF
ACF2
Top Secret
API Mediation Layer SMF recordsFACILITYIRR.RAUDITXREADOptional Allow API Mediation Layer to issue SMF 83 records about activity of Personal Access Tokens. For more information about configuring MFA, see Multi-Factor Authentication (MFA)This parameter permits the Zowe main server to cut SMF records. Run the command that applies to your ESM.
RACF
ACF2
Top Secret
ZSS (required for API ML certificate and identity mapping)FACILITYBPX.SERVER + BPX.DAEMONUPDATEAllow Zowe to run code on behalf of the API requester's TSO user ID. For more information, see Security Environment Switching.This parameter permits the Zowe main server to create a user's security environment. Run the command that applies to your ESM.
RACF
ACF2
Top Secret
ZSS (required for API ML certificate and identity mapping)APPLOMVSAPPLREADAllow Zowe to run code on behalf of the API requester's TSO user ID. This permission is also required from a requester's TSO user. You can skip this requirement when the resource OMVSAPPL in the APPL class is not defined. For more information, see Security Environment Switching.This parameter permits the Zowe main server to run the code on behalf of the user. Run the command that applies to your ESM.
RACF
ACF2
Top Secret
ZSSFACILITYIRR.RADMIN.LISTUSERREADAllow Zowe to obtain information about OMVS segment of the user profile using LISTUSER TSO command.This parameter permits the Zowe main server to obtain information about OMVS segment of the user profile. Run the command that applies to your ESM.
• RACF
• ACF2
• Top Secret
ZSSCSFSERVMultipleREADGenerate symmetric keys using ICSF that is used by Zowe Desktop cookies.The list of IDs to enable include CSF1TRD , CSF1TRC , CSF1SKE , CSF1SKD. The full list of IDs is described in the z/OS Cryptographic Services user guide for your z/OS release level: 2.2, 2.3, 2.4 and 2.5.
Cross memory server (ZIS)FACILITYZWES.ISREADAllow Zowe ZWESLSTC processes to access the Zowe ZIS cross memory server.This parameter permits the Zowe main server to use ZIS cross memory server. Run the command that applies to your ESM.
RACF
ACF2
Top Secret

Granting users permission to access z/OSMF

Each TSO user ID that logs on to Zowe and uses Zowe services that use z/OSMF requires permission to access these z/OSMF services. It is necessary that every user ID be added to the group with the appropriate z/OSMF privileges, IZUUSER or IZUADMIN (default).

Required role: security administrator

This step is not included in the provided Zowe JCL because it must be done for every TSO user ID who wants to access Zowe's z/OS services. The list of those user IDs will typically be the operators, administrators, developers, or anyone else in the z/OS environment who is logging in to Zowe.

note

You can skip this section if you use Zowe without z/OSMF. Zowe can operate without z/OSMF but services that use z/OSMF REST APIs will not be available, specifically the USS, MVS, and JES Explorers and the Zowe Command Line Interface files, jobs, workflows, tso, and console groups.

To grant permissions to the user ID to access z/OSMF, issue the command(s) that corresponds to your ESM.

  • If you use RACF, issue the following command:

    CONNECT (userid) GROUP(IZUUSER)
  • If you use ACF2, issue the following commands:

    ACFNRULE TYPE(TGR) KEY(IZUUSER) ADD(UID(<uid string of user>) ALLOW)
    F ACF2,REBUILD(TGR)
  • If you use Top Secret, issue the following commands:

    TSS ADD(userid)  PROFILE(IZUUSER)
    TSS ADD(userid) GROUP(IZUUSRGP)

Next step

After you complete assigning security permissions, the next step is to configure certificates.