Further update. Imported SDSF plugin. With support from new SDSFAUX task, we can do lots of sweet things. Once SAF is setup properly, the new 'authorized commands' can be run also in regular TSO SDSF:
APF LNK LPA PAG PARM SYS Very cool. . . . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-302-7535 Office robin...@sce.com -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Jesse 1 Robinson Sent: Monday, April 18, 2016 4:34 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Setting up z/OSMF under 2.1 Update. I now have the z/OSMF server up and running with PARMLIB member IZUPRMxx. Have not tried any plugins except ISPF, which works well so far. An interesting wrinkle with ISPF. I you want to use it from z/OSMF at the same time you're logged in via TSO, you have to include an option I did not even know about: ISPF/PDF SHRPROF The default is EXCLPROF, which causes exclusive enqueue on the profile. The doc says this can be made 'permanent' by specifying PROFILE_SHARING in the ISPF Configuration Table. We've had multi-system ISPF support for years by allocating a unique ISPPROF dataset on each sharing system. But in the case of z/OSMF, you're logging on the same system as your TSO session, so you need SHRPROF. For the record, I got an enqueue conflict on the ISPLOG dataset, but that's more noise than trouble. This is all pretty cool. As promised, the z/OSMF server with Liberty profile initializes very quickly. 14.47.09 Start the server. 14.48.12 "CWWKF0011I: The server zosmfServer is ready to run a smarter planet." . . . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-302-7535 Office robin...@sce.com -----Original Message----- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Elardus Engelbrecht Sent: Monday, April 18, 2016 12:06 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: (External):Re: Setting up z/OSMF under 2.1 Jesse 1 Robinson wrote: >In particular I'm getting a RACF error starting the second z/OSMF task >IZUSVR1. I can't help with z/OSMF even while we're now on 2.1, but that is on my radar screen for future exploitation... >I get this: >ICH408I USER(IZUSVR ) GROUP(IZUADMIN) NAME(ZOSMF STARTED TASK U) > /var/zosmf/configuration/configuration_planned.cfg > CL(DIRACC ) FID(C2E2F3F0F0F605710000000000020001) > INSUFFICIENT AUTHORITY TO OPEN > ACCESS INTENT(-W-) ACCESS ALLOWED(OTHER ---) > EFFECTIVE UID(0000900700) EFFECTIVE GID(0000900698) Bob Young gave you a great reply! Thanks Bob! You can do this command too to see what accesses are defined for this file: ls -l /var/zosmf/configuration/configuration_planned.cfg And also issue ls -l for each of the directories from the top down to the last folder. You need to check all accesses for all folders and files and see to what group(s) that id IZUSVR is connected to. >IIRC DIRACC is phantom error because there is no such class. Something is >defined wrong. This is one of the classes which you can't define a profile. You use DIRACC amongst other classes to do auditing on OMVS. >The ZFS containing /var/zosmf/ is 'SPP.IZU.ZFS', covered by RACF profile >'SPP.IZU.ZFS*'. Group IZUADMIN has ALTER access to this profile. Dataset profile covering that dataset does NOT cover the OMVS files INSIDE that dataset. ALTER to dataset means nothing for the OMVS contents *inside* that dataset. >I'm a total bumbler when it comes to USS authorization. What else do I need to >look at? You're not alone. RACF-L and IBM-MAIN are full of such posts were RACF and OMVS are confused simply because the message is prefixed by ICH408. >P.S. cannot post to RACF-L because the confirmation email for my current >sce.com userid gets blocked by corporate policy (Sender field is blank as if >spam). Use the web page interface (of course, your company better not block that too) to post your messages. This is what I use for all the discussion lists. Simply because I want to keep my Inbox 'clean' and to bypass any e-mail limits. Groete / Greetings Elardus Engelbrecht ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
