Version: v2.13.x LTS

Addressing security requirements

Roles required: security administrator

Configuring the server-side components involves configuring various system security settings. Your organization may require your security administrator to complete the steps that configure Zowe security. If you are a system administrator or system programmer, consult your security administrator before you start the installation process.


This article addresses configuring Zowe security during the Zowe z/OS components installation process, and does not address security configuration to extend Zowe. For more information about security configuration to extend Zowe, see the following articles:

Tasks performed by your security administrator

To configure Zowe security, your organization's security administrator is required to perform various tasks. Some of the tasks apply to general Zowe configuration, while other tasks are required during installation if you plan to use specific Zowe components or features.

The following required configuration tasks are performed by your organization's security administrator during the post-installation configuration:

If your Zowe server-side installation includes the features listed in the following table, consult your security administrator to perform the associated security tasks after installation:

| Feature of a Zowe server-side component | Configuration Task |
| --- | --- |
| If using Top Secret as your security manager. Note: No specific configuration is necessary for security managers other than Top Secret. | Configuring multi-user address space (for TSS only) |
| High Availability | Configuring ZWESLSTC to run Zowe high availability instances under ZWESVUSR user ID |
| z/OSMF authentication or onboarding of z/OSMF service | Granting users permission to access z/OSMF |
| ZSS component enabled (required for API ML certificate and identity mapping) | Configuring an ICSF cryptographic services environment; Configuring security environment switching |
| API Mediation Layer certificate mapping | Configuring main Zowe server to use client certificate identity mapping |
| API Mediation Layer identity mapping | Configuring main Zowe server to use distributed identity mapping |
| API Mediation Layer Identity Tokens (IDT) | Configuring signed SAF Identity tokens (IDT) |
| Cross memory server (ZIS) | Configuring the cross memory server for SAF; Configuring cross memory server load module; Configuring cross-memory server SAF configuration |

Assign security permissions to users

As a security administrator, assign the ZWESVUSR and ZWESIUSR users and the ZWEADMIN security group the permissions required to perform specific tasks.

For more information about assigning these permissions, see Assigning security permissions to users.