Matan,

You should be aware of a few things ....

1. System Consoles are exempt from OPERCMDS security if they do not log 
on. This was to ensure that MVS consoles would continue to use native 
console authorities even when OPERCMDS is active.

2. Started Tasks are never exempt from OPERCMDS security - or any other 
security when they run "undefined". They have whatever authority any batch 
job would have - that is, whatever UACC allows.

3. It is always in your best interest to define ALL started tasks to RACF 
properly. Those listed in the IBM manuals as "TRUSTED" should be defined 
as trusted to RACF. At z/OS 1.11 (this has not changed in a while) the 
following Started Tasks should be trusted:

CATALOG DUMPSRV IEEVMPCR IOSAS IXGLOGR JES2 (or JES3) JESXCF 
LLA NFS RACF RMF RMFGAT SMF TCPIP VLF VTAM XCFAS

Optional candidates for the TRUSTED attribute include the following: 

APSWPROA, APSWPROB, APSWPROC, APSWPROM, or APSWPROT 
DFHSM DFS GPMSERVE OMVSKERN SMSVSAM 


4. Anytime you see an ICH408I message with JOB( ) and STEP( ) - it is a 
violation that is occurring where the caller has not provided a RACF 
UserID and is running undefined. In the case of cross-memory checks (as 
most of the OPERCMDS checks are), JOB and STEP reflect the address space 
where the violation is occurring - NOT where it came from. So the 
violation occurred in LLA's address space but may not have been caused by 
LLA. It is issues like this which necessitate having few if not zero 
undefined users in your system. If the users run "undefined" you will not 
be able to determine what is causing the problem - you will only be able 
to determine which resource is involved.


5. RACF related questions are best asked on the RACF-L.


Hayim
_____________________________________
Hayim Sokolsky, CISSP
    Mainframe Security Architect
    DTCC Corporate Information Security
    18301 Bermuda Green Dr, MS 1-CIS
    Tampa FL 33647-1760

    Tel. (813) 470-2177
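An added example (my own, not code from the thread or from IBM/RACF) that applies Hayim's point 4 to SYSLOG text: it groups multi-line ICH408I messages into records and flags the JOB/STEP form as an undefined caller, whose JOB/STEP names the address space where the cross-memory check ran rather than the originator. The sample log is constructed; only its first record reproduces the message quoted in the thread, and the OPER01/OPERS user is invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample SYSLOG extract: record 1 is the thread's message, record 2 is invented.
SAMPLE_LOG = """\
ICH408I JOB(MSTJCL00) STEP(LLA     ) MVS.VARY.NET CL(OPERCMDS)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )
ICH408I USER(OPER01  ) GROUP(OPERS   ) NAME(SAMPLE OPERATOR     )
  MVS.VARY.NET CL(OPERCMDS)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
"""

HEADER = re.compile(r"ICH408I\s+(USER|JOB)\((\S*)\s*\)\s+(GROUP|STEP)\((\S*)\s*\)(.*)")
RESOURCE = re.compile(r"(\S+)\s+CL\((\S+)\)")
ACCESS = re.compile(r"ACCESS INTENT\((\S+)\s*\)\s+ACCESS ALLOWED\((\S+)\s*\)")

@dataclass
class Ich408i:
    ident: str                  # "USER=x/GROUP=y" or "JOB=x/STEP=y"
    undefined: bool             # JOB/STEP form: the caller supplied no RACF user ID
    resource: Optional[str] = None
    class_name: Optional[str] = None
    intent: Optional[str] = None
    allowed: Optional[str] = None

def parse_ich408i(text: str) -> List[Ich408i]:
    records: List[Ich408i] = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            kind, a, kind2, b, rest = m.groups()
            records.append(Ich408i(f"{kind}={a}/{kind2}={b}", undefined=(kind == "JOB")))
            line = rest                      # the resource may share the header line
        if not records:
            continue                         # ignore text before the first message
        rec = records[-1]
        r = RESOURCE.search(line)
        if r and rec.resource is None:
            rec.resource, rec.class_name = r.group(1), r.group(2)
        acc = ACCESS.search(line)
        if acc:
            rec.intent, rec.allowed = acc.group(1), acc.group(2)
    return records

def triage(rec: Ich408i) -> str:
    if rec.undefined:   # JOB/STEP is where the check ran, not necessarily who issued the command
        return f"{rec.ident}: undefined caller on {rec.class_name} {rec.resource}; define the STC to RACF"
    return f"{rec.ident}: defined user on {rec.class_name} {rec.resource}; review OPERCMDS permits"
```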



Matan Cohen <matancohen...@gmail.com> 
Sent by: IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu>
2010.02.23 08:22
Please respond to
IBM Mainframe Discussion List <IBM-MAIN@bama.ua.edu>

To: IBM-MAIN@bama.ua.edu
cc:
Subject: Re: TSO reconnect (ikjefln2) reject by RACF

Yes, but if I define LLA as a started task to RACF, I'm afraid
this will cause LLA other security problems.


On Tue, Feb 23, 2010 at 1:42 PM, Elardus Engelbrecht <
elardus.engelbre...@sita.co.za> wrote:

> matan cohen wrote:
>
> >trying to reconnect was unsuccessful because of RACF, I got the next
> >message:
>
> >ICH408I JOB(MSTJCL00) STEP(LLA     ) MVS.VARY.NET CL(OPERCMDS)
> >  INSUFFICIENT ACCESS AUTHORITY
> >  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )
>
> >should i define the lla as started task?
>
> You need to create a STARTED class profile for LLA. Started Tasks not
> properly defined to RACF will have JOB instead of USER in the ICH408I
> message.
>
> Then you can give access to LLA where needed in class OPERCMDS.
>
> HTH!
>
> Groete / Greetings
> Elardus Engelbrecht
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
>
-- 
best regards,
matan cohen
MF System Administrator.
