Hello great Lizette, thanks for the reply :) We are using z/OS 1.12 and SDSF=HQX7770. We are also using ACF2.
Operator authority is not a problem, team specific access is; The problem is that some prod jobs have a NOTIFY of, let's say, NOTIFY=ABCD001 and we have a GPLEN(4) on isfparms, so all users that start with ABCD would have access over that job. The jobname itself doesn’t start with ABCD. Also, users have access to all jobs that start with the 4 first characters of their userid, and I couldn't find an easy way to do that though JESSPOOL that would not include defining tons of SAF profiles (one for each prefix). Any insight? Thanks! Leo -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Lizette Koehler Sent: Monday, August 19, 2013 10:30 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: SDSF ISFPARMs to SAF security What version of z/OS and/or SDSF? Which SAF are you going to? RACF, TSS, ACF2 The section on Security to SAF in SDSF manual SDSF Operation and Customization SA22-7670 should be helpful You can give operators access to jobs, output groups, or SYSIN/SYSOUT data sets for a particular destination, without authorizing the operators to those jobs, output groups, or SYSIN/SYSOUT data sets through the JESSPOOL class. This destination operator authority is the equivalent of specifying DEST for CMDAUTH and ADEST for DSPAUTH in ISFPARMS. This is also used for authorizing destinations as described in “Destination names” on page 182. To provide destination operator authority you: 1. Give the user READ authority to the ISFOPER.DEST.jesx profile in the SDSF class. This identifies a user as a destination operator for the SDSF session. 2. Give the user authorization for the profiles that protect destinations for jobs, Lizette -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Leonardo Vaz Sent: Monday, August 19, 2013 1:18 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: SDSF ISFPARMs to SAF security Hello list, We are willing to migrate from ISFPARM to SAF for our SDSF security, the thing that is preventing us is that there is no direct replacement for NOTIFY or GROUP in the CMDAUTH and DSPAUTH parameters. Any of you had a problem with this and could manage a workaround? Regards, Leonardo Vaz ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
