Vince, OS/390? IBM's final release of OS/390 occurred nearly 15 years ago, and IBM support for that release ended over a decade ago. Did you really mean OS/390? Or are you asking about how to provision (and presumably, hopefully de-provision) new users to access both TSO/E (my guess for "OS/390") and z/OS UNIX System Services (my guess for "z/OS")?
I share Shmuel's concern that we could use more information to offer you a more informed, more helpful answer. Otherwise we're just guessing, a lot. Here are some details that would be helpful:

1. Which operating system(s), and which release(s)?

2. Which security subsystem(s) are you using? Examples: IBM z/OS Security Server (with RACF), CA ACF2, CA TopSecret.

3. Which operating system services (at which release levels)? Examples: TSO/E, z/OS UNIX System Services, CICS Transaction Server for z/OS, DB2 for z/OS, IBM HTTP Server for z/OS, FTP/FTPS, OpenSSH, IPSec, IBM Directory Server for z/OS (LDAP)....

4. What privileges do you want a new user to have?

5. May we assume you also need the ability to de-provision users correctly and completely?

6. How do you want the provisioning and de-provisioning to be accessible? For example, do you want users themselves to be able to initiate provisioning requests through a Web page? Does that need two-factor authentication (e.g., sending a 6-digit code to the user's registered mobile number via SMS for the user to then provide back to the provisioning system)? Do you want an automation or scheduling tool to manage execution of the provisioning/de-provisioning steps? Which tool(s)? Is there an approval process of some kind that needs to be supported? Does anybody need to get notified when a user is provisioned or de-provisioned? What is the required form of notification? An e-mail, for example, or something else?

7. Do the provisioning and de-provisioning tasks need to record their activities in some particular log(s), for audit and other reasons? What log(s)?

8. Do the provisioning and de-provisioning tasks need to be coordinated with other systems and services? As one example, if the user is de-provisioned, should their VPN access also be revoked? As another example, do you have to obtain the user's ID from a preexisting directory (or validate it, to avoid issuing a duplicate ID, for example)? As yet another example, does something external need the ability to de-provision a user -- for example, if malware is detected, or if the user's mobile device is stolen, does that other security system need the ability to trigger de-provisioning?

9. As part of provisioning, is there a requirement to provide the user with a particular set of default programs and/or data? As part of de-provisioning, is there a requirement to save and archive that de-provisioned user's programs, data, and/or logs?

10. What security credentials do you want the new user to have? Do you want to generate and issue a TLS/SSL client certificate for RACF client certificate authentication, for example? Do you want to enforce longer passphrases (greater than 8 characters) rather than shorter passwords? Do you want to retrieve some external data of some kind in order to set the initial passphrase?

11. Do you want to enforce other policies? For example, do you want to suspend or de-provision a new user if the new user doesn't "claim" his/her ID within a particular deadline? Do you want to de-provision user accounts that have not seen recent activity? Do you want to notify users of impending de-provisioning before it occurs? How?

12. Do you need to support self-service password reset requests? Through a Web page, for example?

That's a reasonably good list for now. :-)

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com
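An added, constructed example (not from the post, and not IBM's own sample) of what the simplest answer to questions 2, 9, 10 and 11 looks like when the security subsystem is RACF and the services are TSO/E plus z/OS UNIX: one batch job that provisions a user, and the reverse sequence that de-provisions it. Every name in it is a placeholder (NEWUSR1, DEPT01, the ACCT1 account number, the ISPFPROC logon procedure, UID 5001, the /u/newusr1 home directory, the /archive path), and it assumes the submitting ID holds RACF SPECIAL or group-SPECIAL authority and a UID of 0 for the z/OS UNIX steps.

```jcl
//RACFPROV JOB (ACCT),'PROVISION USER',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*-----------------------------------------------------------------
//* CONSTRUCTED EXAMPLE: PROVISION NEWUSR1 FOR TSO/E AND Z/OS UNIX,
//* THEN THE MATCHING DE-PROVISIONING STEPS. NEWUSR1, DEPT01, ACCT1,
//* ISPFPROC, UID 5001, /U/NEWUSR1 AND /ARCHIVE ARE PLACEHOLDERS.
//*-----------------------------------------------------------------
//* STEP 1: DEFINE THE USER WITH TSO AND OMVS SEGMENTS. ADDUSER
//* MARKS THE INITIAL PASSPHRASE EXPIRED, SO THE USER MUST CHANGE IT
//* AT FIRST LOGON (THE "CLAIM" EVENT FROM QUESTION 11). EVERY RACF
//* COMMAND HERE IS RECORDED IN SMF TYPE 80 WHEN COMMAND AUDITING IS
//* ACTIVE, WHICH ANSWERS THE AUDIT TRAIL PART OF QUESTION 7.
//ADDUSR   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDUSER NEWUSR1 NAME('NEW USER') OWNER(DEPT01) DFLTGRP(DEPT01) +
     PHRASE('replace with a generated initial passphrase') +
     TSO(ACCTNUM(ACCT1) PROC(ISPFPROC) SIZE(4096)) +
     OMVS(UID(5001) HOME('/u/newusr1') PROGRAM('/bin/sh'))
  PERMIT ACCT1    CLASS(ACCTNUM) ID(NEWUSR1) ACCESS(READ)
  PERMIT ISPFPROC CLASS(TSOPROC) ID(NEWUSR1) ACCESS(READ)
  ADDSD 'NEWUSR1.**' OWNER(NEWUSR1) UACC(NONE)
  SETROPTS RACLIST(ACCTNUM TSOPROC) REFRESH
/*
//* STEP 2: CREATE THE HOME DIRECTORY, OWNED BY THE NEW ID AND
//* READABLE BY NOBODY ELSE (DEFAULT DATA FOR QUESTION 9 WOULD BE
//* COPIED IN HERE). STDPARM RECORDS ARE CONCATENATED INTO ONE
//* COMMAND LINE, HENCE THE TRAILING SEMICOLONS.
//MKHOME   EXEC PGM=BPXBATCH
//STDPARM  DD *
SH mkdir -p /u/newusr1;
chown NEWUSR1 /u/newusr1;
chmod 700 /u/newusr1
/*
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//*-----------------------------------------------------------------
//* DE-PROVISIONING (NORMALLY A SEPARATE JOB RUN LATER): REVOKE
//* FIRST SO THE ID CANNOT LOG ON WHILE ITS DATA IS ARCHIVED, THEN
//* REMOVE EVERY PROFILE AND PERMISSION THAT REFERENCES THE USER,
//* AND ONLY THEN DELETE IT. DELUSER FAILS WHILE THE USER STILL
//* OWNS DATA SET PROFILES, WHICH IS WHY DELDSD COMES FIRST.
//*-----------------------------------------------------------------
//REVOKE   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTUSER NEWUSR1 REVOKE
/*
//* ARCHIVE THE HOME DIRECTORY (QUESTION 9) AND REMOVE IT ONLY IF
//* THE ARCHIVE SUCCEEDED.
//ARCHIVE  EXEC PGM=BPXBATCH
//STDPARM  DD *
SH pax -wf /archive/newusr1.pax /u/newusr1 && rm -r /u/newusr1
/*
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//DELUSR   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  PERMIT ACCT1    CLASS(ACCTNUM) ID(NEWUSR1) DELETE
  PERMIT ISPFPROC CLASS(TSOPROC) ID(NEWUSR1) DELETE
  DELDSD 'NEWUSR1.**'
  DELUSER NEWUSR1
  SETROPTS RACLIST(ACCTNUM TSOPROC) REFRESH
/*
```

Two notes on the design. The ADDUSER/DELUSER pair above only covers the permissions this job itself granted; a real de-provisioning run should first execute the RACF remove-ID utility (IRRRID00) against the ID so that access-list entries on profiles created by others are found and deleted as well, otherwise the "completely" in question 5 is not met. The inactivity policy from question 11 is not per-user: SETROPTS INACTIVE(n) revokes any ID unused for n days system-wide, and the SETROPTS RACLIST REFRESH lines only matter if those classes are RACLISTed at your installation.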