Agreed, can you fwd the slide deck?

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Rob 
Scott
Sent: Tuesday, February 7, 2023 3:52 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question

EXTERNAL EMAIL: Do not click links or open attachments unless you know the 
content is safe.


Note that there is no jobname qualifier on the JES2.CANCEL.BAT profile. This is 
why SDSF has the extra JESSPOOL profile check that goes beyond vanilla JES2 
cancel command security.

This extra check is ONLY performed inside SDSF and is made before we build the 
operator command text.

Coincidentally I gave a presentation at virtual GSE today entitled "SDSF 
Security - How does it work under z/OS 2.5?" and the sequence of SAF checks is 
described with a few examples.

If you want, I can forward you the slide deck.

Rob Scott
Rocket Software

________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Shaffer, Terri <0000017d5f778222-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, February 7, 2023 6:10:11 PM
To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU>
Subject: Re: RACF - SDSF question

Okay, so not sure I really understand the way this works?

Under JESSPOOL, checks nodeid.userid.jobname.jobid, so I could add my CICS 
jobname like C30TCI* here? Is this the SDSF command like C, P etc?

Or under OPERCMDS I have

JES2.CANCEL.BAT.C30TCI* (G)
JES2.CANCEL.BAT.** (G)

And now.

MVS.CANCEL.BAT.C30TCI*.* (G)
MVS.CANCEL.** (G)

Where does the granularity take place, for certain jobs??

I want the users to be able to cancel some batch jobs and everything they 
submitted, but not CICS, DB2 or other system things.

Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Rob 
Scott
Sent: Tuesday, February 7, 2023 9:54 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question

Note that one of the "value add" functions of SDSF is that it can check for 
ALTER access to the JESSPOOL profile for the owner and jobname for destructive 
actions like "C" and "P".

Does not stop them using freeform "slash" to issue the raw operator command, 
but removes the convenience of the action character.

Rob Scott
Rocket Software

From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Roger W Suhr
Sent: 07 February 2023 14:22
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF - SDSF question

Hi Ms. Terri,

The OPERCMDS JES2.CANCEL.** profiles protect the JES2 ($C...) cancel command.
I believe you also need to use the OPERCMDS MVS.CANCEL.STC.mbrname.id profile 
to protect the MVS CANCEL command.

So in your case, that would be something like this: (if you're running CICS as an 
STC!)
MVS.CANCEL.STC.C30TCI* (G)
MVS.CANCEL.STC.** (G)


Roger W. Suhr

suhr...@gmail.com

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Shaffer, Terri
Sent: Tuesday, February 7, 2023 8:32
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: RACF - SDSF question

Hi,
I know there is a RACF group, but hopefully this is simple and I am just 
missing something I have done 100 times over with no issues.

We run our CICS regions as batch jobs, and I just found out that a user, instead 
of issuing a CEMT PERF SHUT command, is canceling it.

Which then causes 100 VSAM messages on startup with all the verifies, and if 
something goes wrong they call me...

So I tried to stop this habit, I know they are putting a C beside the CICS and 
a $CJ(xxxxx) command

So I have 2 rules in RACF under OPERCMDS

JES2.CANCEL.BAT.C30TCI* (G)
JES2.CANCEL.BAT.** (G)

If I restrict the BAT.** then they can't cancel even their own batch jobs, so I 
always thought more specific is looked at first?

One of my previous co-workers implemented SDSF-RACF rules converted from 
ISFPARMS.

Lastly, I understand this doesn't stop them from canceling any other jobs, but 
since this is a development shop we allow more access than most.

But I don't want users canceling a CICS or DB2 etc.

Any ideas how they are getting the access and not stopped with the more 
specific rule??


Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com

________________________________
 This email message and any attachments may contain confidential, proprietary 
or non-public information. The information is intended solely for the 
designated recipient(s). If an addressing or transmission error has misdirected 
this email, please notify the sender immediately and destroy this email. Any 
review, dissemination, use or reliance upon this information by unintended 
recipients is prohibited. Any opinions expressed in this email are those of the 
author personally.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN


================================
Rocket Software, Inc. and subsidiaries ■ 77 Fourth Avenue, Waltham MA 02451 ■ 
Main Office Toll Free Number: +1 855.577.4323
Contact Customer Support: https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport
Unsubscribe from Marketing Messages/Manage Your Subscription Preferences - 
http://www.rocketsoftware.com/manage-your-email-preferences
Privacy Policy - http://www.rocketsoftware.com/company/legal/privacy-policy
================================

This communication and any attachments may contain confidential information of 
Rocket Software, Inc. All unauthorized use, disclosure or distribution is 
prohibited. If you are not the intended recipient, please notify Rocket 
Software immediately and destroy all copies of this communication. Thank you.
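
Added example, not part of the thread or of any participant's message: a simplified Python model of RACF generic matching for general resource classes, illustrating Rob Scott's note that the JES2 cancel resource has no jobname qualifier while the JESSPOOL name SDSF checks does. The JESSPOOL profile `*.*.C30TCI*.*` and the node, user, job and STC identifiers are constructed for illustration; RACFVARS (`&`) and the ranking of several matching profiles are not modelled.

```python
import re

def profile_regex(profile):
    """Compile a generic profile (%, *, **) to a regex. Simplified model (assumption).

    Each qualifier is matched together with its leading dot, so resource
    names are tested as "." + name.
    """
    quals = profile.upper().split(".")
    last = len(quals) - 1
    parts = []
    for i, q in enumerate(quals):
        if q == "**":                       # zero or more whole qualifiers
            parts.append(r"(?:\.[^.]+)*")
            continue
        if q == "*":                        # any one qualifier
            body = r"[^.]+"
            if i == last:                   # as last qualifier: one or more
                body += r"(?:\.[^.]+)*"
        else:
            star = q.endswith("*")
            stem = q[:-1] if star else q
            body = "".join("[^.]" if c == "%" else re.escape(c) for c in stem)
            if star:
                body += r"[^.]*"            # rest of this qualifier
                if i == last:               # trailing *: may span qualifiers too
                    body += r"(?:\.[^.]+)*"
        parts.append(r"\." + body)
    return re.compile("".join(parts) + r"\Z")

def matching_profiles(resource, profiles):
    """Return every profile in `profiles` that covers `resource`."""
    name = "." + resource.upper()
    return [p for p in profiles if profile_regex(p).match(name)]

# OPERCMDS profiles quoted in the thread.
OPERCMDS_JES2 = ["JES2.CANCEL.BAT.C30TCI*", "JES2.CANCEL.BAT.**"]
OPERCMDS_MVS = ["MVS.CANCEL.STC.C30TCI*", "MVS.CANCEL.STC.**"]
# Hypothetical JESSPOOL profile keyed on jobname (nodeid.userid.jobname.jobid).
JESSPOOL = ["*.*.C30TCI*.*"]

if __name__ == "__main__":
    # JES2 cancel resource has no jobname, so the C30TCI* profile never applies.
    print(matching_profiles("JES2.CANCEL.BAT", OPERCMDS_JES2))
    # MVS.CANCEL.STC.mbrname.id carries the name (constructed STC name and id).
    print(matching_profiles("MVS.CANCEL.STC.C30TCI01.C30TCI01", OPERCMDS_MVS))
    # JESSPOOL names carry the jobname (constructed jobs).
    print(matching_profiles("NODE1.USERA.C30TCI01.JOB01234", JESSPOOL))
    print(matching_profiles("NODE1.USERA.PAYROLL1.JOB01235", JESSPOOL))
```
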
