Mark, I'm surprised it didn't work. Did you code a CUSTOM(proplist) parameter in _all_ your GROUP statements that points to the PROPLIST NAME(proplist) statement with the PROPERTY parameter? And did you refresh the ISFPARMS in all the SDSF servers?
Regards, Bob Robert S. Hansel 35 years of RACF Experience Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel www.twitter.com/RSH_RACF www.rshconsulting.com -----Original Message----- Date: Tue, 24 May 2022 15:02:50 +0000 From: "Steely.Mark" <steely.m...@aaa-texas.com> Subject: Re: SDSF & TSS (RACF) Thanks for the link for the output violations - it doesn't appear to work for TSS (Top Secret). -----Original Message----- From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Robert S. Hansel (RSH) Sent: Tuesday, May 24, 2022 8:16 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: SDSF & TSS (RACF) ATTENTION: This e-mail came from an external source. Do not open attachments or click on links from unknown or unexpected emails. Hi Mark, When a user attempts to select a job, SDSF does an authorization check for each individual SYSOUT DDNAME associated with the job and can generate multiple violations like this. To address this issue, see article " Avoiding Output Browse Violation Messages in SDSF" in the July 2008 issue of our RACF Tips newsletter. https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.rshconsulting.com%2Fracftips%2FRSH_Consulting__RACF_Tips__July_2008.pdf&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C09fc8b5679ff48b440c108da3d87b17c%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637889950261872224%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ReJ7GWolmeh4hc2MkFDbyahA0i5EVDrdN7qsfXgAKW4%3D&reserved=0 Regards, Bob Robert S. Hansel 35 years of RACF Experience Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.linkedin.com%2Fin%2Froberthansel&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C09fc8b5679ff48b440c108da3d87b17c%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637889950261872224%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=U7odhzAml3JLOoHEPMB0H%2BugsJ0Rls0Z%2Fpk8Ht9KnPc%3D&reserved=0 https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.twitter.com%2FRSH_RACF&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C09fc8b5679ff48b440c108da3d87b17c%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637889950261872224%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=E8kbU8IAtv56Y%2BoiaQn%2BRuFS0IfJ6YswSdVy12zWCUo%3D&reserved=0 https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.rshconsulting.com%2F&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C09fc8b5679ff48b440c108da3d87b17c%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637889950261872224%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2BF%2BtoZaedniGmSARZrgDspVsvtLk624fxaEllI4har0%3D&reserved=0 -----Original Message----- Date: Mon, 23 May 2022 20:55:48 +0000 From: "Steely.Mark" <steely.m...@aaa-texas.com> Subject: SDSF & TSS (RACF) I am trying to convert our SDSF from using ISFPARMS to TSS for security. I need some direction on how to provide security for reports. Currently I am trying to use JESSPOOL to control access. The customer is allowed to view all currently active and held output jobs but may only look at certain JOBS & REPORTS. During testing I have this occurring: The customer is trying to view this job (which the customer is not authorized) COMMAND INPUT ===> PREFIX=* DEST=(ALL) OWNER=* SYSNAME= NP DDNAME StepName ProcStep DSID Owner C Dest JESMSGLG JES2 2 TS0242 R LOCAL JESJCL JES2 3 TS0242 R LOCAL JESYSMSG JES2 4 TS0242 R LOCAL The above is displayed when I put a ? in the Held output screen. This is just to show you the report has 3 different reports. Then the customer goes back to the screen which shows the job name: SDSF HELD OUTPUT DISPLAY ALL CLASSES LINES 55 LINE 1 COMMAND INPUT ===> PREFIX=B1* DEST=(ALL) OWNER=* SORT=JOBNAME/A SYSNAME= NP JOBNAME JobID Owner Prty C ODisp Dest B100042B JOB09087 TS0242 144 R HOLD LOCAL Then select the job and receives the following messages: TSS7257E Unauthorized Access Level for JESSPOOL <ACSCM.TS0242.A200042B.JOB09143.D0000002.JESM> TSS7257E Unauthorized Access Level for JESSPOOL <ACSCM.TS0242.A200042B.JOB09143.D0000003.JESJ> TSS7257E Unauthorized Access Level for JESSPOOL <ACSCM.TS0242.A200042B.JOB09143.D0000004.JESY> TSS7141E Use of Accessor ID Suspended TSS7191E Job/Session Cancelled - Excessive Violations TSS7192E Session Locked - Excessive Violations: Signoff CS0042 LOGGED OFF TSO AT 14:57:54 ON MAY 23, 2022 IKJ56453I SESSION CANCELLED ****** I would hate to think someone would accidently try to look at an output they are not authorized to view and get their ID suspended. Maybe I am going at this all wrong. Is there a different way I should be doing this? Any help would be appreciated. We are currently at z/OS v2.4. Thank You ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
