z/OSMF Software Management ability to hide Software Instances

However, how is learning the existence of a CSI through z/OSMF Software Management different from learning the existence of a cataloged CSI data set using ISPF option 3.4? Is ISPF option 3.4 (Data set list) also a security exposure?

^^If this is sarcasm, it's not appreciated. We realize that everything seen through Software Management can indeed be found in ISPF 3.4 and that RACF will protect assets. What we're pointing out is that a potential threat would have to know naming schemes and explicitly search to find this information, versus logon to z/OSMF and have it handed to them on a silver platter, and if security lets them, view into all the defined datasets associated to it, the FMID's, etc, etc. Making this association to ISPF 3.4 is comparing apples to oranges. This gui lets them click into instances that finds out much more information, quicker, and easier that ISPF 3.4. We're trying to make a point of why let the user's see instances that they don't or shouldn't have access to? Why make the user filter through 100's of instances that don't pertain to them, and let z/OSMF config and/or security calls just not show what they don't already have access to anyways?

We'll attempt to use the filter and categories options to see how this works for us, but as more and more users adopt this, it could get very clunky to filter through tons and tons of instances that a user doesn't care about and shouldn't know about, or easily be able to obtain this information from the defined instances. We would hope, and turned in this RFE for a more robust security and/or config options for Software Management.

Thank you for the feedback. We are hoping you can provide some clarification regarding the perceived security vulnerability. It is true on the Software Instance list page of Software Management a user may learn the existence of many CSI data sets. However, how is learning the existence of a CSI through z/OSMF Software Management different from learning the existence of a cataloged CSI data set using ISPF option 3.4? Is ISPF option 3.4 (Data set list) also a security exposure?

As for "hiding" certain software instances from view on the list page, the Filter capability available on all z/OSMF table columns is exactly intended to allow a user to determine which software instances should be displayed and which should be hidden. The display can be filtered using any column value, such as the CSI, the userid that added the software instance, or any number of Categories you might define. In fact, Categories in Software Management are a powerful mechanism to help you organize and filter software instances. Consider defining category values that identify software SRELs, vendor, geography, software life cycle, business unit, etc. For example, consider categories such as Db2, IMS, z/OS, IBM, Broadcom, East Coast, Bloomington, Test, Production, Accounts Receivable, etc. No matter the specified value, a user can Filter the display to include or hide software instances based on Category.

We hope the Filter capability is sufficient to shrink the number of software instances in a display to a list of those most interesting to a particular user. If this is not sufficient, please let us know specifically how it can be improved. Thank you.