Z​/OS UNIX System Services; USS Security Engineer

Role Overview

The USS Security Engineer is responsible for securing and administering z/OS UNIX System Services (USS) environments on the mainframe. This role focuses on enforcing least privilege, protecting privileged access, and ensuring alignment between UNIX permissions, ESM controls (RACF/TSS), and enterprise security standards. The engineer will partner closely with Enterprise Z security architect, system programmers, middleware teams, and audit/compliance stakeholders to maintain a secure and compliant USS platform.

• Administer and manage USS identities, including UIDs, GIDs, OMVS segments, and service/shared IDs based on policy.
• Enforce naming standards, ownership traceability, and lifecycle controls for USS users and services.
• Manage and audit POSIX permissions, ownership, and execution rights across critical USS file systems.
• Control and monitor privileged access, including UID(0), setuid/setgid programs, and elevated authorities.
• Administer USS related ESM controls (RACF/TSS), including UNIXPRIV, FACILITY resources, and STARTED task identities.
• Secure USS configuration files, shell environments, PATH settings, and file system mount options.
• Monitor USS security events, logs, and audit records.
• Support production issues, security incidents, and access related investigations.
• Develop and maintain USS security standards, procedures, and documentation.

• Bachelor's degree and 5+ years of experience with mainframe and z/OS UNIX System Services.
• Strong hands‑on experience securing USS environments.
• Proven experience administering RACF or equivalent ESM for USS.
• Solid understanding of:
  • UIDs, GIDs, OMVS segments, and service IDs
  • POSIX permissions, ownership, and execution controls
  • USS related security controls, including:
    • UNIXPRIV class
    • FACILITY class resources impacting OMVS
    • STARTED task identities for USS services
  • Working knowledge of zFS/HFS file systems, mount options, and USS SMF/audit logging.
• Strong understanding of least privilege and separation of duties principles.

• Experience with PKI, digital certificates, Kerberos, SSL/TLS, SSH, or OpenSSL.
• Exposure to systems programming concepts (e.g., SMP/E, SYS1 datasets, Assembler).
• Understanding of mainframe networking concepts.
• Experience supporting or securing middleware technologies (e.g., MQ).

Expected base pay rates for the role will be between $95,000 and $135,000 per year at the commencement of employment. Base pay is determined on an individualized basis and is only part of the total compensation package, which may also include commission earnings, incentive compensation, discretionary bonuses, other short and long‑term incentive packages, and other Morgan Stanley sponsored benefit programs.

Morgan Stanley is an equal opportunity employer committed to building and maintaining a workforce that is diverse in experience and background. Our recruiting efforts reflect our strong commitment to a culture of inclusion, where individuals are hired, developed, and advanced based on their skills and talents. For more information, please visit: