Hi Mark, The option prevents all the violations when you 's' select the entire job. It won't help when you select the job with ? and then select individual SYSOUTs. For the latter, it is WAD.
Regards, Bob Robert S. Hansel 35 years of RACF Experience Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel www.twitter.com/RSH_RACF www.rshconsulting.com -----Original Message----- From: Steely.Mark [mailto:steely.m...@aaa-texas.com] Sent: Wednesday, May 25, 2022 12:04 PM To: IBM Mainframe Discussion List Cc: Robert S. Hansel (RSH) Subject: RE: SDSF & TSS (RACF) Importance: High Thanks for the update - yes I did forget the custom parameter. It may work for what I need. When I select the complete report it comes back as unauthorized. If I expand the report with a ? and select a report it still get the violation and after several attempt it suspend the ID. Is there anything for that ? Thank You -----Original Message----- From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Robert S. Hansel (RSH) Sent: Wednesday, May 25, 2022 5:53 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: FW: SDSF & TSS (RACF) ATTENTION: This e-mail came from an external source. Do not open attachments or click on links from unknown or unexpected emails. Mark, I'm surprised it didn't work. Did you code a CUSTOM(proplist) parameter in _all_ your GROUP statements that points to the PROPLIST NAME(proplist) statement with the PROPERTY parameter? And did you refresh the ISFPARMS in all the SDSF servers? Regards, Bob Robert S. Hansel 35 years of RACF Experience Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.linkedin.com%2Fin%2Froberthanse l&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149 048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoi V2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=2p%2FVhwtS2wmMiwR5fCqnKzxRS25XLKssI wHQysYGDRo%3D&reserved=0 https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.twitter.com%2FRSH_RACF&data =05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c 2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLC JBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=qHDXl9r%2Byff2po89gcCtFs3DsZD%2B5%2Bwv3OSmmgn sek0%3D&reserved=0 https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.rshconsulting.com%2F&data=0 5%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2d d97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJB TiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ZyxHROF4eUWuXPXBbIR8Rls0H8o6qizNf9Ve6E7RWuA%3D& amp;reserved=0 -----Original Message----- Date: Tue, 24 May 2022 15:02:50 +0000 From: "Steely.Mark" <steely.m...@aaa-texas.com> Subject: Re: SDSF & TSS (RACF) Thanks for the link for the output violations - it doesn't appear to work for TSS (Top Secret). -----Original Message----- From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Robert S. Hansel (RSH) Sent: Tuesday, May 24, 2022 8:16 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: SDSF & TSS (RACF) ATTENTION: This e-mail came from an external source. Do not open attachments or click on links from unknown or unexpected emails. Hi Mark, When a user attempts to select a job, SDSF does an authorization check for each individual SYSOUT DDNAME associated with the job and can generate multiple violations like this. To address this issue, see article " Avoiding Output Browse Violation Messages in SDSF" in the July 2008 issue of our RACF Tips newsletter. https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.rshconsulting.com%2Fracftips%2 FRSH_Consulting__RACF_Tips__July_2008.pdf&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca 2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7C TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&s data=Ri6qk0FquenWot%2B7NtNwp4PQXBlpbgSzxcwFsX8E0UQ%3D&reserved=0 Regards, Bob Robert S. Hansel 35 years of RACF Experience Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.linkedin.com%2Fin%2Froberthanse l&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149 048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoi V2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=2p%2FVhwtS2wmMiwR5fCqnKzxRS25XLKssI wHQysYGDRo%3D&reserved=0 https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.twitter.com%2FRSH_RACF&data =05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c 2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLC JBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=qHDXl9r%2Byff2po89gcCtFs3DsZD%2B5%2Bwv3OSmmgn sek0%3D&reserved=0 https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.rshconsulting.com%2F&data=0 5%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2d d97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJB TiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ZyxHROF4eUWuXPXBbIR8Rls0H8o6qizNf9Ve6E7RWuA%3D& amp;reserved=0 -----Original Message----- Date: Mon, 23 May 2022 20:55:48 +0000 From: "Steely.Mark" <steely.m...@aaa-texas.com> Subject: SDSF & TSS (RACF) I am trying to convert our SDSF from using ISFPARMS to TSS for security. I need some direction on how to provide security for reports. Currently I am trying to use JESSPOOL to control access. The customer is allowed to view all currently active and held output jobs but may only look at certain JOBS & REPORTS. During testing I have this occurring: The customer is trying to view this job (which the customer is not authorized) COMMAND INPUT ===> PREFIX=* DEST=(ALL) OWNER=* SYSNAME= NP DDNAME StepName ProcStep DSID Owner C Dest JESMSGLG JES2 2 TS0242 R LOCAL JESJCL JES2 3 TS0242 R LOCAL JESYSMSG JES2 4 TS0242 R LOCAL The above is displayed when I put a ? in the Held output screen. This is just to show you the report has 3 different reports. Then the customer goes back to the screen which shows the job name: SDSF HELD OUTPUT DISPLAY ALL CLASSES LINES 55 LINE 1 COMMAND INPUT ===> PREFIX=B1* DEST=(ALL) OWNER=* SORT=JOBNAME/A SYSNAME= NP JOBNAME JobID Owner Prty C ODisp Dest B100042B JOB09087 TS0242 144 R HOLD LOCAL Then select the job and receives the following messages: TSS7257E Unauthorized Access Level for JESSPOOL <ACSCM.TS0242.A200042B.JOB09143.D0000002.JESM> TSS7257E Unauthorized Access Level for JESSPOOL <ACSCM.TS0242.A200042B.JOB09143.D0000003.JESJ> TSS7257E Unauthorized Access Level for JESSPOOL <ACSCM.TS0242.A200042B.JOB09143.D0000004.JESY> TSS7141E Use of Accessor ID Suspended TSS7191E Job/Session Cancelled - Excessive Violations TSS7192E Session Locked - Excessive Violations: Signoff CS0042 LOGGED OFF TSO AT 14:57:54 ON MAY 23, 2022 IKJ56453I SESSION CANCELLED ****** I would hate to think someone would accidently try to look at an output they are not authorized to view and get their ID suspended. Maybe I am going at this all wrong. Is there a different way I should be doing this? Any help would be appreciated. We are currently at z/OS v2.4. Thank You ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
