On Wednesday, 03/09/2011 at 11:29 EST, "Vogtmann, Wallace B" <wvogt...@tcfbank.com> wrote:

> We're new to zVM. Have the system operational with standard IBM supplied
> User/Guest definitions. For example, we've implemented RACF, DIRMAINT,
> & PERF TK (soon Omegamon XE).
>
> Our security folks don't really like us logging in as MAINT, TCPMAINT,
> RACMAINT, etc. to do our changes - can't really tell who is doing what.
> Plus it's hard to have good/secure passwords when you need to have multiple
> real users log in to multiple guests, etc.
>
> Are there any examples of what would be good definitions for (1) standard
> system programmer guest accounts and (2) standard service machines? What
> RIGHTS and ACCESS definitions should be standard? We only plan on running
> Linux guests and standard IBM/3rd party tools, so just need a few
> Users/Guests that have the appropriate access for SysProg support, etc.
>
> Basically, we have the system in and operational, but NOW how should we
> REALLY have it set up to run/manage it securely and effectively. Any RedBooks?
> I've looked, but don't see any that fit the bill.
Wally, look at the z/VM 6.1 RACF Security Administrator's Guide (even if you're running 5.4) and read "Defining Shared IDs" in Chapter 4. That book is your new best friend.

As the book recommends, remove the shared ID's password (ALTUSER ... NOPASSWORD NOPHRASE). That ensures that the user can't be revoked due to invalid password attempts (like when you forget to use the BY operand!).

Those without an ESM should set the directory password of those shared IDs to "LBYONLY" and use the LOGONBY directory statement to authorize shared access.

Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
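The following is an added illustration of the two approaches Alan describes, not text from the thread or from the IBM manual he cites: a constructed user directory entry for a shared ID on a system without an ESM, and the equivalent RACF/VM command sequence. The personal user IDs WALLY and SYSPRG2, the storage sizes and the privilege classes are made up; the LOGONBY.userid profile in the SURROGAT class is the standard RACF/VM mechanism that authorizes the BY operand, which the reply refers to but does not spell out.

```text
* ---- Without an ESM: USER DIRECT entry for the shared ID MAINT ----
* (constructed example; comment lines in the directory start with "*")
* The password field is LBYONLY, so "LOGON MAINT" with a password is
* refused; only "LOGON MAINT BY WALLY" (authenticated with WALLY's own
* password) is accepted, and the console/accounting records carry WALLY.
USER MAINT LBYONLY 128M 1000M ABCDEG
 LOGONBY WALLY SYSPRG2
* (remaining statements of the IBM-supplied MAINT entry stay as shipped)

* ---- With RACF/VM as the ESM: same goal, issued from an authorized CMS
*      session with the RAC command (constructed example) ----
* Take the password and passphrase away from the shared ID. A user with no
* password cannot be revoked by a run of bad logon attempts, which is what
* happens when someone forgets the BY operand and types a password instead.
RAC ALTUSER MAINT NOPASSWORD NOPHRASE
* Under an ESM the BY operand is authorized by a SURROGAT profile named
* LOGONBY.<shared-id>, not by the directory LOGONBY statement. Default
* access is NONE; each administrator is permitted individually, so the
* RACF audit trail shows who used MAINT.
RAC SETROPTS CLASSACT(SURROGAT)
RAC RDEFINE SURROGAT LOGONBY.MAINT UACC(NONE)
RAC PERMIT LOGONBY.MAINT CLASS(SURROGAT) ID(WALLY) ACCESS(READ)
RAC PERMIT LOGONBY.MAINT CLASS(SURROGAT) ID(SYSPRG2) ACCESS(READ)
```

Either way the effect is the same: every system programmer authenticates with a personal ID and password, the shared ID itself has no usable password to share or guess, and the logon records answer the "who is doing what" question the security team raised. Repeat the same pattern for TCPMAINT, RACMAINT and any other shared service ID that people log on to interactively.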