Hi,
If I understand correctly APF data sets cannot be migrated on the system
where they are APF authorized. If you have an asymmetrical
configuration in a Sysplex with shared DASD you can have data sets that
are infrequently used and APF authorized only a test system migrated on
another LPAR where DFHSM migration runs. This could also occur in the
same scenario with command migration on the other LPAR. We worked
through this scenario with RACF Level-2 when we saw data sets flagged V
instead of M in RACF_SENSITIVE_RESOURCES. APAR OA15290 corrected the
display in the check.
The CSV_APF_EXISTS and RACF_SENSITIVE_RESOURCES checks have been very
useful to us!
This has allowed us to close real integrity exposures identified by
RACF_SENSITIVE_RESOURCES and to tightly police the APF list. We
discover typos or miscommunication between groups making requests and
the z/OS team right away.
I would like to see the checking done by CSV_APF_EXISTS removed from
RACF_SENSITIVE_RESOURCES. The biggest problem with
RACF_SENSITIVE_RESOURCES is that it surfaces too many different problems
in once check where some are much more urgent than others. I imagine
some customers would like to see CA ship checks ACF_SENSITIVE_RESOURCES
and TOP_SECRET_SENSITIVE_RESOURCES for their customers!
I think the Health Checker for z/OS as delivered combined with the way
IBM continues to enhance it, developing and shipping meaningful checks
is one of the most useful and beneficial features implemented in base
z/OS in years. We had for so long not had a framework for exceptions
that could be known to be available. Now we have a good framework with
great content provided by IBM and the ability to add our own in as well
as integrate checks from third party vendors.
Best Regards,
Sam Knutson, GEICO
System z Performance and Availability Management
mailto:[EMAIL PROTECTED]
(office) 301.986.3574
"Think big, act bold, start simple, grow fast..."
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Peter Relson
Sent: Tuesday, October 23, 2007 9:00 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Healthcheck (IBMCSV,CSV_APF_EXISTS)
I had not responded yet because I have not yet been able to get the
complete answer. But it seems that something needs to be said in the
meantime.
When we had developed the check, we had conferred with the HSM folks and
were told that they did not allow APF data sets to be migrated.
If that proves to be incorrect, then we will change the check not to
flag
that case as an exception.
If that is correct, however, and your scenario was that the data set was
migrated and then subsequently added to the APF list, then an exception
is
reasonable.
Was Barbara saying that other mechanisms than HSM were used to migrate
data
sets? If so, then we can consider some sort of "rules" parameter. .
Peter Relson
z/OS Core Technology Design
====================
This email/fax message is for the sole use of the intended
recipient(s) and may contain confidential and privileged information.
Any unauthorized review, use, disclosure or distribution of this
email/fax is prohibited. If you are not the intended recipient, please
destroy all paper and electronic copies of the original message.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
