Matan,

You should be aware of a few things ....

1. System Consoles are exempt from OPERCMDS security if they do not log on. This was to ensure that MVS consoles would continue to use native console authorities even when OPERCMDS is active.

2. Started Tasks are never exempt from OPERCMDS security - or any other security when they run "undefined". They have whatever authority any batch job would have - that is, whatever UACC allows.

3. It is always in your best interest to define ALL started tasks to RACF properly. Those listed in the IBM manuals as "TRUSTED" should be defined as trusted to RACF. At z/OS 1.11 (this has not changed in a while) the following Started Tasks should be trusted:

   CATALOG
   DUMPSRV
   IEEVMPCR
   IOSAS
   IXGLOGR
   JES2 (or JES3)
   JESXCF
   LLA
   NFS
   RACF
   RMF
   RMFGAT
   SMF
   TCPIP
   VLF
   VTAM
   XCFAS

   Optional candidates for the TRUSTED attribute include the following:

   APSWPROA, APSWPROB, APSWPROC, APSWPROM, or APSWPROT
   DFHSM
   DFS
   GPMSERVE
   OMVSKERN
   SMSVSAM

4. Anytime you see an ICH408I message with JOB( ) and STEP( ) - it is a violation that is occurring where the caller has not provided a RACF UserID and is running undefined. In the case of cross-memory checks (as most of the OPERCMDS checks are), JOB and STEP reflect the address space where the violation is occurring - NOT where it came from. So the violation occurred in LLA's address space but may not have been caused by LLA. It is issues like this which necessitate having few if not zero undefined users in your system. If the users run "undefined" you will not be able to determine what is causing the problem - you will only be able to determine which resource is involved.

5. RACF related questions are best asked on the RACF-L.

Hayim
_____________________________________
Hayim Sokolsky, CISSP
Mainframe Security Architect
DTCC Corporate Information Security
18301 Bermuda Green Dr, MS 1-CIS
Tampa FL 33647-1760
Tel. (813) 470-2177

Matan Cohen <matancohen...@gmail.com>
Sent by: IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu>
2010.02.23 08:22
Please respond to: IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu>
To: IBM-MAIN@bama.ua.edu
cc:
Subject: Re: TSO reconnect (ikjefln2) reject by RACF

Yes, but if I define the LLA as a started task to RACF, I'm afraid this will cause other security problems for LLA.

On Tue, Feb 23, 2010 at 1:42 PM, Elardus Engelbrecht <elardus.engelbre...@sita.co.za> wrote:

> matan cohen wrote:
>
> >trying to reconnect was unsuccessful because of RACF, I got the next message:
>
> >ICH408I JOB(MSTJCL00) STEP(LLA ) MVS.VARY.NET CL(OPERCMDS)
> > INSUFFICIENT ACCESS AUTHORITY
> > ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE )
>
> >should I define the LLA as a started task?
>
> You need to create a STARTED class profile for LLA. Started Tasks not
> properly defined to RACF will have JOB instead of USER in the ICH408I
> message.
>
> Then you can give access to LLA where needed in class OPERCMDS.
>
> HTH!
>
> Groete / Greetings
> Elardus Engelbrecht
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
best regards,
matan cohen
MF System Administrator.
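
The reading of ICH408I given in point 4 of the message above, as an added example that is not part of the original thread: a small Python parser that separates the JOB()/STEP() form (caller running undefined) from the USER() form. The USER/GROUP/NAME sample message and all function names are constructed for illustration; the trusted-task list is copied from point 3.

```python
import re

# Started tasks the message above says should be TRUSTED (z/OS 1.11 list).
TRUSTED_STCS = {"CATALOG", "DUMPSRV", "IEEVMPCR", "IOSAS", "IXGLOGR", "JES2",
                "JES3", "JESXCF", "LLA", "NFS", "RACF", "RMF", "RMFGAT", "SMF",
                "TCPIP", "VLF", "VTAM", "XCFAS"}

FIELD = re.compile(
    r"\b(USER|GROUP|JOB|STEP|CL|ACCESS INTENT|ACCESS ALLOWED)\(([^)]*)\)")
RESOURCE = re.compile(r"(\S+)\s+CL\(")

# The ICH408I message quoted in the thread.
THREAD_MSG = """ICH408I JOB(MSTJCL00) STEP(LLA ) MVS.VARY.NET CL(OPERCMDS)
 INSUFFICIENT ACCESS AUTHORITY
 ACCESS INTENT(UPDATE ) ACCESS ALLOWED(NONE )"""

# Constructed sample: the same denial from a caller that has a RACF user ID.
DEFINED_MSG = """ICH408I USER(OPER1   ) GROUP(SYS1    ) NAME(SAMPLE OPERATOR     )
 MVS.VARY.NET CL(OPERCMDS)
 INSUFFICIENT ACCESS AUTHORITY
 ACCESS INTENT(UPDATE ) ACCESS ALLOWED(READ   )"""


def parse_ich408i(text):
    """Return the fields of one ICH408I message as a dict, or None."""
    if "ICH408I" not in text:
        return None
    rec = {key: value.strip() for key, value in FIELD.findall(text)}
    match = RESOURCE.search(text)
    rec["RESOURCE"] = match.group(1) if match else None
    # JOB()/STEP() in place of USER() means the caller had no RACF user ID.
    rec["undefined"] = "USER" not in rec and "JOB" in rec
    return rec


def triage(rec):
    """Summarize a parsed violation the way the message above reads it."""
    if not rec["undefined"]:
        return f"user {rec['USER']} denied {rec['ACCESS INTENT']} on {rec['RESOURCE']}"
    note = (f"undefined caller on {rec['RESOURCE']}; check ran in address space "
            f"{rec.get('STEP')} (job {rec['JOB']}), which may not be the originator")
    if rec.get("STEP") in TRUSTED_STCS:
        note += f"; {rec['STEP']} is on the TRUSTED list, so define it in STARTED"
    return note


if __name__ == "__main__":
    for msg in (THREAD_MSG, DEFINED_MSG):
        print(triage(parse_ich408i(msg)))
```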