Re: RACF Resource Classes

2011-02-19 Thread Robert S. Hansel (RSH)
Dennis,

Add CA Endevor, releases earlier than R12, to Sam's list of potential
TEMPDSN problem products. See article "TEMPDSN and CA-Endevor" in the April
2009 issue of our RSH RACF Tips Newsletter, a copy of which is available via
the following URL:

http://www.rshconsulting.com/racfres.htm

One reason for activating the TAPEVOL class would be to implement
restrictions on the use of Bypass Label Processing (BLP) using the FACILITY
class profile ICHBLP when your tape management system is IBM's DFSMSrmm.
However, if you activate tape protection using PARMLIB DEVSUPxx parameter
TAPEAUTHDSN, it isn't necessary to activate TAPEVOL to enable use of the
ICHBLP profile.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-
2011 RACF Training
> Audit for Results   - Boston - APR 12-14
> Intro & Basic Admin - Boston - MAY 10-12
Visit our website for registration & details
-

-Original Message-
Date: Fri, 18 Feb 2011 20:25:12 +
From: "Givens, Dennis W."
Subject: RACF Resource Classes

I am working on the resolution of exceptions produced by the recently
activated Health Checker feature on a z/OS 1.10 system.
Specifically the following 2 checks:

  CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
  Check Severity: Medium
  IRRH229E The class TAPEVOL is not active.
  Explanation: The class is not active. IBM recommends that the security
  administrator at your installation activate this class and define in it
  the profiles to properly protect your system.

  CHECK(IBMRACF,RACF_TEMPDSN_ACTIVE)
  Check Severity: Medium
  IRRH229E The class TEMPDSN is not active.
  Explanation: The class is not active. IBM recommends that the security
  administrator at your installation activate this class and define in it
  the profiles to properly protect your system.

I am contemplating activating both of these resource classes but have no
immediate plans for using them in any profiles.
My concern is that the activation of these classes will in itself cause me
problems. Any experiences or insight would be much appreciated.

Signed A Novice RACF Administrator

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: RACF Resource Classes

2011-02-21 Thread Robert S. Hansel (RSH)
Tom,

CA-1's FORRES and FORNORES and the equivalent STGADMIN.EDG profiles for RMM
govern the use of DD statement parameter EXPDT=98000. Use of BLP is
controlled by FACILITY class resource ICHBLP with RMM and CA@APE class
resources BLPRES and BLPNORES with CA-1.

Dennis,

Very few installations fully implement the TAPEVOL class. By fully
implement, I mean define a TAPEVOL profile for every tape with a TVTOC (Tape
Volume Table of Contents) that lists every dataset on the tape by its full
44-character dsname so that RACF verifies the user is properly specifying
the dsname when accessing a dataset on the tape. Most installations rely on
their tape management system to verify the proper dsname is used. While the
RACF TVTOC dsname validation check is somewhat more secure than the one done
by the tape management system, few installations are willing to incur the
overhead of maintaining and processing TAPEVOL profiles for this added level
of protection.

On the other hand, many installations do activate the TAPEVOL class just to
enable use of FACILITY class profile ICHBLP. They don't bother to create
TAPEVOL profiles. Others activate TAPEVOL in conjunction with using HSM's
SETSYS TAPESECURITY(RACF or RACFINCLUDE) to have HSM automatically create
and maintain TAPEVOL profiles to guard its own tapes.

All this assumes PARMLIB DEVSUPxx TAPEAUTHDSN=NO is in effect; otherwise,
the TAPEVOL profiles are essentially ignored.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com


-Original Message-
Date: Sun, 20 Feb 2011 19:58:48 -0500
From: Pinnacle
Subject: Re: RACF Resource Classes

- Original Message -
From: "Givens, Dennis W." 
Newsgroups: bit.listserv.ibm-main
Sent: Friday, February 18, 2011 3:25 PM
Subject: RACF Resource Classes


>I am working on the resolution of exceptions produced by the recently
>activated Health Checker feature on a z/OS 1.10 system.
> Specifically the following 2 checks:
>
>  CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
>  Check Severity: Medium
>  IRRH229E The class TAPEVOL is not active.
>  Explanation: The class is not active. IBM recommends that the security
>  administrator at your installation activate this class and define in it
>  the profiles to properly protect your system.
>

Dennis,

I've implemented both RMM and CA-1 in many different shops and I've never
implemented TAPEVOL.  It's extremely difficult to administer, and better
controls are available.  Not sure why Bob Hansel and Russ Witt say you need
it for ICHBLP with RMM.  RMM added STGADMIN.EDG profiles to handle BLP tapes
that mirror the FORRES and FORNORES controls of CA-1, and that's all I've
ever needed to implement for BLP under RMM.  I don't know about the new
TAPEAUTHDSN control that they reference, I have no experience with it.

Regards,
Tom Conley



Re: RACF Resource Classes

2011-02-21 Thread Robert S. Hansel (RSH)
Russ,

I tend to agree with you on this. If this particular Health Checker check
were to first confirm that PARMLIB DEVSUPxx TAPEAUTHDSN is set to NO, then
it makes sense to raise activation of TAPEVOL as an issue. However, the
verbiage should probably mention TAPEAUTHDSN as an alternative. I don't know
whether the check does or doesn't look at this parameter. Perhaps the check
author can shed light on this.

In general, I too think DEVSUPxx is the better way to go, but I wouldn't
rule out the use of TAPEVOL universally. An installation with tapes that are
not defined to its tape management system could optionally use TAPEVOL
profiles to guard them. If they set TAPEAUTHDSN to YES, the TAPEVOL checks
are nullified.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com


-Original Message-
Date: Sat, 19 Feb 2011 09:09:15 -0600
From: Russell Witt
Subject: Re: RACF Resource Classes

That is the part I don't understand. With the new DEVSUPxx parameters, why
even use TAPEVOL and/or TAPEDSN as RACF options? They perform a similar
function and do it better (in my opinion). So, why a HealthCheck to make
sure that the old (obsolete?) TAPEVOL class is active?

And if you are attempting to control BLP; then it really depends on your
tape management system. With RMM, yes you would need this. But with both CA
TLMS and CA 1; they have better BLP protection available within them.

Russell Witt
CA 1 L2 Support Manager

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Robert S. Hansel (RSH)
Sent: Saturday, February 19, 2011 6:05 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: RACF Resource Classes



Re: RACF Resource Classes

2011-02-22 Thread Robert S. Hansel (RSH)
Tom,

If you do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES,
and if you do not also define profile ICHBLP to the FACILITY class, then
RACF is not guarding the use of BLP and anyone can use BLP with RMM.
Granted, you can limit the use of BLP to specific job classes using JESPARMS
JOBCLASS parameter BLP=NO (this is still true even when ICHBLP is fully
functional), but RACF isn't involved in enforcing this limitation.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com


-Original Message-
Date: Mon, 21 Feb 2011 09:22:30 -0500
From: Pinnacle
Subject: Re: RACF Resource Classes

- Original Message -----
From: "Robert S. Hansel , RSH" 
Newsgroups: bit.listserv.ibm-main
Sent: Monday, February 21, 2011 6:18 AM
Subject: Re: RACF Resource Classes


> Tom,
>
> CA-1's FORRES and FORNORES and the equivalent STGADMIN.EDG profiles for
> RMM
> govern the use of DD statement parameter EXPDT=98000. Use of BLP is
> controlled by FACILITY class resource ICHBLP with RMM and CA@APE class
> resources BLPRES and BLPNORES with CA-1.
>

Bob,

I've never enabled TAPEVOL with RMM, and I've never had a problem using BLP
with RMM.  What am I missing?

Thanks,
Tom



Re: RACF Resource Classes

2011-02-24 Thread Robert S. Hansel (RSH)
Shmuel,

If you do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES,
no authorization check will be made to FACILITY class resource ICHBLP, and
therefore, any associated profile is meaningless.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com


-Original Message-
Date: Tue, 22 Feb 2011 07:05:54 -0500
From: "Shmuel Metz (Seymour J.)"
Subject: Re: RACF Resource Classes

On 02/22/2011 at 05:56 AM, "Robert S. Hansel (RSH)" said:

>If you do not activate either the TAPEVOL class or DEVSUPxx
>TAPEAUTHDSN=YES, and if you do not also define profile ICHBLP to the
>FACILITY class, then RACF is not guarding the use of BLP and anyone
>can use BLP with RMM.

I believe that the point at issue is what happens if you define ICHBLP
in the FACILITY class but do not activate either the TAPEVOL class or
DEVSUPxx TAPEAUTHDSN=YES.

--
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see <http://patriot.net/~shmuel/resume/brief.html>
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: RACF Resource Classes

2011-02-24 Thread Robert S. Hansel (RSH)
Elardus,

Setting BLP to YES or NO on a JES2 JOBCLASS statement merely determines
whether you can or cannot use BLP in jobs submitted via that particular
class. Many installations reserve one or two JOBCLASSes for BLP use and some
limit who can use these classes via exits.

Note: If you have DITTO or File Manager and it is running APF-authorized,
and you have READ access to FACILITY class resource DITTO.TAPE.BLP or
FILEM.TAPE.BLP respectively, you can submit BLP jobs using these utilities
in any JOBCLASS. It overrides JOBCLASS BLP=NO.

The authorization check for FACILITY class resource ICHBLP is made in
addition to JES, DITTO, or FILEM allowing the use of BLP.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com


-Original Message-
Date: Wed, 23 Feb 2011 07:12:08 -0600
From: Elardus Engelbrecht
Subject: Re: RACF Resource Classes

Shmuel Metz (Seymour J.) wrote:
>I believe that the point at issue is what happens if you define ICHBLP in
>the FACILITY class but do not activate either the TAPEVOL class or DEVSUPxx
>TAPEAUTHDSN=YES.

Robert S. Hansel (RSH) wrote:
>>If you do not activate either the TAPEVOL class or DEVSUPxx
>>TAPEAUTHDSN=YES, and if you do not also define profile ICHBLP to the
>>FACILITY class, then RACF is not guarding the use of BLP and anyone
>>can use BLP with RMM.

What about this JES2 init statement with above combination(s)?

 JOBCLASS(?),BLP=YES(or NO)

What will happen when BLP is YES or when it is NO?

Just curious, because I can't test it for a while.

Groete / Greetings
Elardus Engelbrecht



Re: SDSF SAF how allow overtype for output CLASS and DESTN

2011-02-26 Thread Robert S. Hansel (RSH)
John,

Here is a note regarding these fields in the SDSF manual that may have a
bearing on this.

"SDSF uses the subsystem interface (SSI) when you overtype the C (JES output
class) or DEST (JES print destination name) on the JDS panel. You can change
the class or destination without releasing the output. In order to release
output when the JESSPOOL class is enabled, the user must have ALTER
authority to the JESSPOOL resource. This authority is implied for the
JESSPOOL resources created by the user."

Is the JESSPOOL class active? If yes, do these users have sufficient access
to the JESSPOOL resources protecting the output?

Is this problem preventing the Application Programmers from overtyping these
fields on their own output, or only on output created by other users? If it
affects their own output, there was an APAR that may be related - PM23076:
CUSTOMERS UNABLE TO ACCESS SPOOL FILES. ERRORS AFTER APPLYING UK58854 -OR-
ALSO RECEIVES MSGICH408I RACF AUTHORITY ERRORS -
http://www-01.ibm.com/support/docview.wss?uid=isg1PM23076

If the JESSPOOL class is inactive, here is a thought. It so happens that
beginning in z/OS 1.11, when accessing SYSLOG via SDSF, an authorization
check is made by JES in the JESSPOOL class to resource
"nodeid.+MASTER+.SYSLOG.SYSTEM.sysid". If the JESSPOOL class isn't active,
access is denied. To bypass the need for JESSPOOL to be active, a new SDSF
ISFPARMs PROPERTY Security.Syslog.UseSAFRecvr was created that could be set
to TRUE to allow access anyway. In your case, if the JESSPOOL class is
inactive, perhaps something like this is occurring relative to the
overtypeable fields. Bear in mind this is strictly a guess; I can't find
anything in the manuals or any APARs that suggest this would occur.

In either case, your Sysprog and OPS groups probably have Destination
Operator authority, which bypasses JESSPOOL checks. This would explain why
they aren't experiencing any issues.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com


-Original Message-
Date: Fri, 25 Feb 2011 17:32:08 -0800
From: John Mattson
Subject: SDSF SAF how allow overtype for output CLASS and DESTN

Just got z/OS 1.11 implemented (huzzah), and noticed that after my SAF
conversion most everything works right except the Applications programmers
cannot overtype the output Class and DESTN fields on the output screen.
Sysprog and OPS group get overtype as before the upgrade.  Been comparing
the groups both for RACF class settings and PARMLIB(ISFPRM00) member
settings, but I have not found the thing to make it work for my
programmers.  Even resorted to RTFM, and while I know it must be in these,
no luck so far.  Anybody help with the magic word?



Re: z/OS 1.12 & DITTO/ESA for MVS Release 3 - PTF level: INAFLV2

2011-03-27 Thread Robert S. Hansel (RSH)
Richard,

DITTO.DISK.FULLPACK and DITTO.OTHER.ALL are the full names of these
resources. With the '.*' on the end of the two related profiles, the
profiles would only match a resource whose name had one or more additional
qualifiers, and so they would never match these two resources. Delete these
two profiles and recreate them without the '.*' on the end.

When checking authority to resource DITTO.DISK.FULLPACK, even though it is
not covered by profile DITTO.DISK.FULLPACK.*, one would expect it to be
covered by DITTO.DISK.*. However, the Installation and Customization Guide
suggests that DITTO is looking specifically for profile DITTO.DISK.FULLPACK
when checking authorization.

Have you always had these same profiles, and did they work before? If yes,
then perhaps profile DITTO.DISK.* has been covering resource
DITTO.DISK.FULLPACK. In that case, I suggest you confirm DITTO is running
authorized. The Guide lists several steps to perform to confirm
authorization.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com



-Original Message-
Date: Sat, 26 Mar 2011 18:32:45 -0700
From: Richard Pinion
Subject: Re: z/OS 1.12 & DITTO/ESA for MVS Release 3 - PTF level: INAFLV2

Ditto is running authorized.

Here is the RACF info.

DITTO.DISK.FULLPACK.* (G)
DITTO.DISK.* (G)
DITTO.OAM.* (G)
DITTO.OTHER.ALL.* (G)
DITTO.TAPE.* (G)
DITTO.VSAM.* (G)

CLASS      NAME
-----      ----
FACILITY   DITTO.DISK.FULLPACK.* (G)

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SYS1       READ              ALTER        NO

INSTALLATION DATA

CLASS      NAME
-----      ----
FACILITY   DITTO.DISK.* (G)

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SYS1       NONE              ALTER        NO


Richard, Vickie, and Randy Pinion

--- r.skoru...@bremultibank.com.pl wrote:

From: "R.S." 
To: IBM-MAIN@bama.ua.edu
Subject: Re: z/OS 1.12 & DITTO/ESA for MVS Release 3 - PTF level: INAFLV2
Date: Sun, 27 Mar 2011 03:14:31 +0200

Richard Pinion pisze:
> Anyone running DITTO/ESA for MVS Release 3 - PTF level: INAFLV2 under
> z/OS 1.12?  I keep receiving message "No access authority" under the DB -
> Disk Browse utility.  We have the RACF Facility Class DITTO profiles
> defined.   But we are still getting the error.  Any ideas?

Idea1: insufficient authority
Idea2: wrong profiles

More data required:
List your profiles and your authority.
Does DITTO run APF-authorized?
--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

District Court for the Capital City of Warsaw,
XII Commercial Division of the National Court Register,
company register number KRS 025237
NIP (tax ID): 526-021-50-88
As of 16.07.2010 the share capital of BRE Bank SA (fully paid up)
amounts to PLN 168,248,328.


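To see why the trailing ".*" in Richard's listing leaves DITTO.DISK.FULLPACK uncovered, here is an added worked example (my own Python model, not code from this thread, from IBM or from DITTO) of RACF general-resource generic matching: % matches exactly one character, * inside a qualifier matches zero or more characters, * as a whole qualifier in the middle matches one qualifier, * as the final qualifier matches one or more qualifiers, and ** matches zero or more qualifiers. The two profile lists are the six FACILITY profiles from Richard's post and the same set with the two discrete names Bob asked for. The "most specific profile wins" ordering is a simplification of RACF's real character-by-character comparison, as the comments say, and the model is for general resource classes such as FACILITY; the DATASET class has its own rules for a trailing *.

```python
import re

GENERIC_CHARS = set("*%")


def is_generic(profile: str) -> bool:
    """A general-resource profile is generic when its name contains * or %."""
    return any(c in GENERIC_CHARS for c in profile)


def _qualifier_regex(qualifier: str) -> str:
    # Within a qualifier: % = exactly one character, * = zero or more
    # characters; neither may match the period that separates qualifiers.
    return "".join(
        "[^.]" if c == "%" else "[^.]*" if c == "*" else re.escape(c)
        for c in qualifier
    )


def profile_to_regex(profile: str) -> "re.Pattern[str]":
    """Translate a RACF general-resource profile name into an anchored regex."""
    quals = profile.split(".")
    parts = []
    for i, q in enumerate(quals):
        last = i == len(quals) - 1
        if q == "**":
            # Zero or more whole qualifiers; this piece absorbs its own periods.
            if i == 0:
                parts.append(".*" if last else r"(?:[^.]+\.)*")
            else:
                parts.append(r"(?:\.[^.]+)*")
            continue
        # A leading ** has already consumed the period before this qualifier.
        sep = "" if i == 0 or (i == 1 and quals[0] == "**") else r"\."
        if q == "*":
            # Whole-qualifier *: exactly one qualifier in the middle of the
            # name, but ONE OR MORE qualifiers when it is the final qualifier.
            # This is why DITTO.DISK.FULLPACK.* never covers DITTO.DISK.FULLPACK.
            body = r"[^.]+(?:\.[^.]+)*" if last else r"[^.]+"
        else:
            body = _qualifier_regex(q)
        parts.append(sep + body)
    return re.compile("^" + "".join(parts) + "$")


def matches(resource: str, profile: str) -> bool:
    """True when the profile (discrete or generic) covers the resource name."""
    return profile_to_regex(profile).match(resource) is not None


def _literal_prefix_len(profile: str) -> int:
    for i, c in enumerate(profile):
        if c in GENERIC_CHARS:
            return i
    return len(profile)


def matching_profiles(resource: str, profiles) -> list:
    """Every profile covering the resource, most specific first.

    A discrete profile always wins. Among generics this ranks by the number
    of leading literal characters, which is an ASSUMPTION that simplifies
    RACF's real character-by-character ordering (where % also outranks *,
    which outranks **).
    """
    hits = [p for p in profiles if matches(resource, p)]
    return sorted(hits, key=lambda p: (is_generic(p), -_literal_prefix_len(p), p))


def best_profile(resource: str, profiles):
    """The profile RACF would use for the access check, or None if uncovered."""
    hits = matching_profiles(resource, profiles)
    return hits[0] if hits else None


# The six FACILITY profiles from Richard's listing, all ending in ".*".
RICHARD_PROFILES = [
    "DITTO.DISK.FULLPACK.*", "DITTO.DISK.*", "DITTO.OAM.*",
    "DITTO.OTHER.ALL.*", "DITTO.TAPE.*", "DITTO.VSAM.*",
]
# The same set after Bob's fix: discrete profiles for the two full names.
FIXED_PROFILES = [
    "DITTO.DISK.FULLPACK", "DITTO.DISK.*", "DITTO.OAM.*",
    "DITTO.OTHER.ALL", "DITTO.TAPE.*", "DITTO.VSAM.*",
]

if __name__ == "__main__":
    for res in ("DITTO.DISK.FULLPACK", "DITTO.OTHER.ALL", "DITTO.DISK.FULLPACK.X"):
        print(f"{res:24} before: {str(best_profile(res, RICHARD_PROFILES)):22}"
              f" after: {best_profile(res, FIXED_PROFILES)}")
```

Run stand-alone, it shows that with Richard's profiles DITTO.DISK.FULLPACK falls through to DITTO.DISK.* (UACC NONE in his listing) and DITTO.OTHER.ALL is covered by no profile at all, while both names hit their own discrete profile after the fix. DITTO.DISK.FULLPACK.* only ever matches names with at least one further qualifier.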

Re: RACF Protection for Initiators - JES2

2010-01-19 Thread Robert S. Hansel (RSH)
Penny,

The following somewhat dated manual has sample code for JES Exit 6 that
should do what you want.

GG66-3218 - RACF Security Administrator's Quick Reference

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
www.rshconsulting.com
617-969-8211

-Original Message-
Date: Mon, 18 Jan 2010 03:36:10 -0600
From: Penny Kay
Subject: Re: RACF Protection for Initiators - JES2

Historically at our site we checked the job card in Exit 2, which had
time specifications in the accounting field, and then added time and class
according to those specifications.
Finally, we are moving from z/OS 1.6 to 1.8 and have to either recode
Exit 2 to include and add Exit 52, or better yet use some dynamic mechanism
to restrict job classes in the job cards.
The ideal solution which we hope to implement is to stop using time
within the JOBCLASS JES2 parameter definition, allowing unlimited resources
which WLM will then control by userid, time of day, etc.
However, we still must restrict the user from overriding the definitions
within WLM by defining the class in the job card.
Which brings us to your solution of checking JCTJCLAS in Exit 6 against
home-grown RACF FACILITY or JOBCLASS profiles. Amazing solution. We can't
find the right pointer in the CBT tapes; would you direct us please? Thanks.



Re: JES2 Rmt and Security Issue

2010-02-10 Thread Robert S. Hansel (RSH)
Does the LPAR where it is failing share its RACF database with the LPARs
where it is working?

Regards, Bob

-
Robert S. Hansel   | 2010 RACF Training (January - July)
Lead RACF Specialist   | > Audit for Results   - Boston - MAY 4-6
RSH Consulting, Inc.   | > Intro & Basic Admin - Boston - MAY 25-27
www.rshconsulting.com  | > Securing z/OS Unix  - WebEx  - JUL 13-15
617-969-8211   | Visit our website for registration & details
-

-Original Message-
Date: Tue, 9 Feb 2010 16:42:27 +0200
From: מתן כהן
Subject: Re: JES2 Rmt and Security Issue

the procedure is processing the command through a REXX calling this cmd
REXX:

/* REXX - issue an MVS command through an extended MCS console      */
/* and display the solicited responses returned for CART 'CMD1'     */
ARG CCMD
PROF MSGID
/* NAME = 'AUTOCMD'  * USERID()   */
NAME = AUTOCMD
"CONSPROF SOLDISP(NO) SOLNUM(400)"
"CONSOLE ACTIVATE NAME("NAME")"
"CONSOLE SYSCMD("CCMD") CART('CMD1')"
CMD_RC = GETMSG('LINE.','SOL','CMD1',,2)
"CONSOLE DEACTIVATE"
IF LINE.0 > 0 THEN
   DO I = 1 TO LINE.0 ; SAY LINE.I ; END

All of this works fine in other LPARs.



Re: JES2 Rmt and Security Issue

2010-02-11 Thread Robert S. Hansel (RSH)
Even though they are 'quite the same', they may not be 'exactly the same',
and I suspect the problem is due to some difference.

Is AUTOCMD defined as a RACF USERID on both systems?
Does AUTOCMD have an OPERPARM segment and is it the same on both systems?
Does IBMUSER have an OPERPARM segment and is it the same on both systems?
Is the class OPERCMDS active _and_ RACLISTed on both systems?
Every time you make a change to an OPERCMDS profile, are you executing the
command:
  SETROPTS RACLIST(OPERCMDS) REFRESH
What results do you get from the following command on both systems?
  SEARCH CLASS(OPERCMDS) MASK(MVS.MCSOPER)
What results do you get from the following command on both systems?
  RLIST GLOBAL OPERCMDS

Regards, Bob


-Original Message-
Date: Wed, 10 Feb 2010 17:05:54 +0200
From: מתן כהן
Subject: Re: JES2 Rmt and Security Issue

no , but the database are quite the same.

2010/2/10 Robert S. Hansel (RSH) 

> Does the LPAR where it is failing share its RACF database with the LPARs
> where it is working?
>
> Regards, Bob



RMM and STGADMIN.EDG Resources

2009-06-23 Thread Robert S. Hansel (RSH)
Mike Wood,

We have been taking a careful look at RACF protection for RMM resources,
specifically those protected by FACILITY class resources prefixed with
STGADMIN.EDG. Based on our review of the z/OS 1.10 manuals and limited
observed access activity, we've come to the following understanding as to
how it works. We are hoping you can confirm or correct our interpretation of
its functionality.

1) If a user has CONTROL access to STGADMIN.EDG.MASTER, the user
automatically has CONTROL access to all of the following resources (and no
others). Access permission to STGADMIN.EDG.MASTER is checked first, and if
CONTROL has been granted, no further access checking is performed for these
specific functions.

STGADMIN.EDG.ACTIONS.action
STGADMIN.EDG.AV.status.volser
STGADMIN.EDG.CMOVE.location.destination
STGADMIN.EDG.CRLSE.action
STGADMIN.EDG.DV.SCRATCH.volser
STGADMIN.EDG.INIT
STGADMIN.EDG.LIST
STGADMIN.EDG.MOVES.location.destination
STGADMIN.EDG.MASTER
STGADMIN.EDG.OWNER.userid
STGADMIN.EDG.RELEASE

2) If a user has less than CONTROL access to STGADMIN.EDG.MASTER and
attempts to access one of the resources listed above for which there is _no_
protecting RACF profile, the manuals seem to suggest RMM looks again at the
user's level of access permission to STGADMIN.EDG.MASTER to decide whether
to grant access. For instance, if a user attempts to perform a function
governed by resource STGADMIN.EDG.ACTIONS.RETURN which would ordinarily
require UPDATE permission and there is no RACF profile covering this
resource, RMM will see if the user has UPDATE access to STGADMIN.EDG.MASTER
and will allow the action if the user has this permission. Conversely, if
the user only had READ access to STGADMIN.EDG.MASTER, the user wouldn't be
allowed to perform the function.

3) Contrary to 2) above, if the user attempts to use CHANGEVOLUME on a
volume the user does _not_ own, and the corresponding resource
STGADMIN.EDG.OWNER.userid is _not_ defined to RACF, access is denied. UPDATE
to STGADMIN.EDG.MASTER alone is insufficient.

4) If STGADMIN.EDG.LISTCONTROL is protected by a profile, the profile
governs access. If not, the user requires CONTROL access to
STGADMIN.EDG.MASTER to use it.

5) If the user attempts to use the FORCE operand and has UPDATE access to
STGADMIN.EDG.FORCE, the user also needs CONTROL access to
STGADMIN.EDG.MASTER to perform the function.

6) What is meant by "Based on STGADMIN.EDG.MASTER access." for access level
of NONE to resource STGADMIN.EDG.OWNER.userid as stated in the DFSMSrmm
Implementation and Customization Guide?

Thank you for your time in helping us better understand RMM.

Regards, Bob

-
Robert S. Hansel   | 2009 RACF Training
Lead RACF Specialist   | > Intro & Basic Admin - Boston - SEPT 22-24
RSH Consulting, Inc.   | > Audit for Results   - Boston - NOV 3-5
www.rshconsulting.com  | Visit our website for registration & details
617-969-8211   |
-



Re: RACF AUDITOR authority and OMVS segment

2009-07-07 Thread Robert S. Hansel (RSH)
Lucymarie,

Does this user have System-level AUDITOR authority or Group-level AUDITOR
authority? If you execute an LU command on her ID and "AUDITOR" appears in
the first couple of lines associated with ATTRIBUTES, she has System-level
AUDITOR and should be able to execute the command. If instead you see
"AUDITOR" associated with CONNECT ATTRIBUTES in one or more of her group
connections, she only has Group-level authority and will not be allowed to
examine segments unless she is given FIELD class profile permissions. To
allow her to examine OMVS segment information, you might need to define a
profile like USER.OMVS.* in the FIELD class and give her READ access. You'll
first need to review any other profiles you may have defined in the FIELD
class to determine what is appropriate. Bear in mind that this would enable
her to list the OMVS segments of all users, not just those within her
otherwise limited scope of groups.

BTW, if you happen to know Juanita Dean, Jenny Kwok, or Cindy Skeim on the
security staff, please give them my regards.

Regards, Bob



-Original Message-
Date: Mon, 6 Jul 2009 20:41:23 -0500
From: Lucymarie Ruth
Subject: RACF AUDITOR authority and OMVS segment

Hi.  The "z/OS V1R10.0 RACF Security Server RACF Administrator's
Guide" says that "The user who has the AUDITOR attribute can list all
of the profile information that is available to the SPECIAL user, as well
as information that is available to auditors."  In table 40 in the same
manual,  it says that a userid with AUDITOR authority can also specify
all operands of the RACF LISTUSER command.

However, one of our users with AUDITOR authority received a
message that she did not have authority to view an OMVS segment when
issuing this:

LU  user-id  NORACF OMVS


Is this a bug, a feature, or just an anomaly that needs to be explained?

Anyone else noticed this?


Lucymarie Ruth,  Safeway,  Inc.



Re: moving RACF profiles to a new system

2009-08-13 Thread Robert S. Hansel (RSH)
Jim,

If the new system has fewer profiles, one option might be to add the
profiles in the new database to the existing database, make an IRRUT200 copy
of the latter, and port the copy over to the new system. Regardless of how
and in what direction you copy the profiles, you'll need to consider the
effect the copied dataset and general resource profiles will have on the
system to which they are being added (e.g., undercutting existing
permissions, protecting resources that were previously unprotected). For
other considerations, see our presentation on merging RACF databases
available at:

http://www.rshconsulting.com/racfres.htm

Regards, Bob



-Original Message-
Date: Wed, 12 Aug 2009 10:54:11 +0100
From: Jim McAlpine
Subject: moving RACF profiles to a new system

I need to take our existing RACF profiles across to a new z/OS system which
has an existing RACF database and somehow merge them into the new system.
Is there a way to accomplish this.  I can't simply replace the RACF database
on the new system with my existing one because it contains profiles which
are required for the new system.

Jim McAlpine

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: SMS activation - RACF AUDIT

2009-08-14 Thread Robert S. Hansel (RSH)
Jennifer,

Unfortunately, it is WAD. The ISMF programs do not use the FACILITY class
STGADMIN profiles for governing user authority. To control ISMF, you either
have to restrict access to the ISMF program library or restrict access to the
ISMF programs using PROGRAM class profiles. Some organizations choose to
only protect program DGTFPF05 which allows you to switch to 'Storage
Administrator Mode', but this is not a rigorous control measure since the
mode is actually governed by a bit in your ISPF profile that acts as a
switch.

For more information, see our presentation titled "RACF and Storage
Administration" available through our website at url:

http://www.rshconsulting.com/racfres.htm

Regards, Bob

-
Robert S. Hansel   | 2009 RACF Training
Lead RACF Specialist   | > Intro & Basic Admin - Boston - SEPT 22-24
RSH Consulting, Inc.   | > Audit for Results   - Boston - NOV 3-5
www.rshconsulting.com  | Visit our website for registration & details
617-969-8211   |
-

-Original Message-
Date:Thu, 13 Aug 2009 05:18:52 -0500
From:Jennifer Currell 
Subject: Re: SMS activation - RACF AUDIT

Hi there
Thanks for the tip. It looks like it is the other way around. If you
activate via
ISMF then it doesn't get logged into RACF type 80. But if I issue SETSMS
SCDS
(dsname) it does get picked up. I think I will raise a question with IBM.

Thanks

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: IDC3009I RC=110

2009-08-19 Thread Robert S. Hansel (RSH)
Scott,

Is it possible that in the interim since you did the last process either
PROTECTALL was activated for the first time or a prior profile (e.g.
PAGE.**) existed that was deleted?

Regards - Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
www.rshconsulting.com
617-969-8211 

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf
Of Scott Rowe
Sent: Tuesday, August 18, 2009 2:12 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: IDC3009I RC=110

I understand all that, yet the fact remains that this process worked before,
when there was no PAGE.** profile defined.  I guess this is not a big deal
now, I was just trying to understand what had changed.

>>> John Laubenheimer  8/18/2009 2:46 PM >>>
Also, check the SETROPTS for the PROTECTALL option.  If you had a PAGE.* 
profile, which only covered the 2nd level, the PAGE.A.another_level is NOT 
protected, and RACF (actually DFSMS) would fail any access to the dataset.  
When you created PAGE.**, you then covered any number of levels after 
PAGE., and RACF/DFSMS would then allow access.

And, as previously stated (I think), when you rename a RACF protected 
dataset, the dataset name that it is renamed to must also be protected.  
(Level of protection doesn't really matter ... just covered by a profile.)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: Security

2009-09-27 Thread Robert S. Hansel (RSH)
Mike,

If you have RACF as your z/OS security product, I suggest you investigate
the use of the SERVAUTH class.

Regards, Bob

-
Robert S. Hansel   | 2009 RACF Training
Lead RACF Specialist   | > Intro & Basic Admin - Boston - SEPT 22-24
RSH Consulting, Inc.   | > Audit for Results   - Boston - NOV 3-5
www.rshconsulting.com  | Visit our website for registration & details
617-969-8211   |
-


-Original Message-
Date:Fri, 25 Sep 2009 15:26:37 -0500
From:"Ward, Mike S" 
Subject: Security

Hello all, I have a question. Without using a firewall or access lists
on a router or switch, how would one keep specific IP addresses from
connecting to the OSA's? Or is there no protection there?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: Multiple jobs/same name

2009-10-06 Thread Robert S. Hansel (RSH)
John & Tony,

John, you could use JESJOBS to restrict the batch use of non-PROTECTED IDs.
If the user does not have READ access to a profile such as the one below,
the user would not be permitted to submit jobs having USER=OTHERID with
either the password or SURROGAT authority:

JESJOBS SUBMIT.*.*.OTHERID

Use of these profiles would enable you to avoid having to code a submit
exit.

Tony, you might not be able to logon even with the password. If trying to
enter TSO, the ID would need a UADS entry or a TSO segment with access to
TSO resources. If trying to enter FTP, the ID would need an OMVS segment
with uid and be connected to a group with a gid. (BTW, this is an area where
FACILITY BPX.DEFAULT.USER can open exposures.)


This has been an interesting thread. I tend to fall into the camp of
preferring job naming conventions for jobs submitted by the job scheduler
primarily to identify the corresponding application and owner and thus help
production control and security ensure the correct batch ID is being
assigned to each job, which can also be enforced with job scheduler exits.
Several of my consulting engagements have involved straightening out batch
ID assignments and access authority, and the lack of naming conventions
makes this a much more difficult task.


Regards, Bob

-
Robert S. Hansel   | 2009 RACF Training
Lead RACF Specialist   |
RSH Consulting, Inc.   | > Audit for Results   - Boston - NOV 3-5
www.rshconsulting.com  |
617-969-8211   | Visit our website for registration & details
-

-Original Message-
Date:Mon, 5 Oct 2009 15:08:18 -0500
From:"Tony B." 
Subject: Re: Multiple jobs/same name

If I knew the password I'd simply log on myself and submit.

From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf
Of McKown, John
Sent: Monday, October 05, 2009 2:47 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Multiple jobs/same name

> -Original Message-
> From: IBM Mainframe Discussion List
> [mailto:ibm-m...@bama.ua.edu] On Behalf Of Rick Fochtman
> Sent: Monday, October 05, 2009 2:33 PM
> To: IBM-MAIN@bama.ua.edu
> Subject: Re: Multiple jobs/same name

> But you still need to prevent testers from submitting jobs with a
> production USERID. We used a TSO exit to remove USER/PASSWORD parms
> from the JOB statement. Got a better idea?
>
> Please remember: much of what I describe was developed before RACF was
> able to filter job submission.
>
> Rick
>

Use a PROTECTED id in RACF and SURROGAT authority to allow the scheduler's
RACF id to submit jobs with the specified ID(s). PROTECTED says that you
cannot use USER= & PASSWORD= on the job card to assign the RACF id. RACF
will simply not allow it. The attempt fails with a RACF error. SURROGAT says
that the scheduler can specify USER= without PASSWORD= to run a job with the
specified (authorized) RACF id. This is what we do with CA-7 scheduling.

Of course, you still need the submit exit for non-PROTECTED ids which a
person may know the password to. And it is easy to bypass:

//MYIDA JOB
//SUBMIT EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN DD DUMMY
//SYSUT2 DD SYSOUT=(*,INTRDR)
//SYSUT1 DD DISP=SHR,DSN=some.pds(member)

some.pds(member):

//OTHERID JOB USER=otherid,PASSWORD=password
//* THE REST OF THE JOB
//* ...
//

--
John McKown
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell john.mck...@healthmarkets.com *
www.HealthMarkets.com
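Both this thread and the IDC3009I thread above turn on how RACF generic names match: John Laubenheimer's point that PAGE.* covers only one qualifier after PAGE while PAGE.** covers any number of them, and Bob's JESJOBS profile SUBMIT.*.*.OTHERID, which must cover SUBMIT.node.jobname.OTHERID and nothing else. The Python below is an added example, not code from the list or from any RACF component. It implements the matching rules as I understand them with enhanced generic naming active (% matches one character, * matches zero or more characters within a qualifier or one whole qualifier, ** matches zero or more qualifiers) and RACF's most-specific-profile ordering (a literal character beats %, which beats *, which beats **); it ignores the VOLSER part of a discrete profile, and the profile and resource names used in the calls are constructed.

```python
from typing import Iterable, List, Optional

# Specificity rank RACF uses when several generic profiles match a name:
# a literal character beats %, which beats *, which beats **.
_RANK = {"%": 1, "*": 2, "**": 3}


def _qualifier_matches(pattern: str, qualifier: str) -> bool:
    """Match one qualifier: '%' is any single character, '*' is zero or
    more characters within the qualifier, anything else is literal."""
    if not pattern:
        return qualifier == ""
    head, rest = pattern[0], pattern[1:]
    if head == "*":
        return any(_qualifier_matches(rest, qualifier[i:])
                   for i in range(len(qualifier) + 1))
    if not qualifier:
        return False
    if head == "%" or head == qualifier[0]:
        return _qualifier_matches(rest, qualifier[1:])
    return False


def _qualifiers_match(pq: List[str], rq: List[str]) -> bool:
    """Match qualifier lists; a '**' qualifier spans zero or more qualifiers."""
    if not pq:
        return not rq
    if pq[0] == "**":
        return any(_qualifiers_match(pq[1:], rq[i:]) for i in range(len(rq) + 1))
    if not rq:
        return False
    return _qualifier_matches(pq[0], rq[0]) and _qualifiers_match(pq[1:], rq[1:])


def profile_covers(profile: str, resource: str) -> bool:
    """True if the (dataset or general resource) profile name covers the resource name."""
    return _qualifiers_match(profile.upper().split("."), resource.upper().split("."))


def is_generic(profile: str) -> bool:
    return any(c in profile for c in "*%")


def _tokens(profile: str) -> List[str]:
    """Break a profile into comparison tokens, keeping '**' as a single token."""
    out: List[str] = []
    for qual in profile.upper().split("."):
        if out:
            out.append(".")
        if qual == "**":
            out.append("**")
        else:
            out.extend(qual)
    return out


def _specificity_key(profile: str) -> List[int]:
    # Lower is more specific; lists compare left to right, so the first
    # position where two profiles differ decides.
    return [_RANK.get(t, 0) for t in _tokens(profile)]


def best_profile(profiles: Iterable[str], resource: str) -> Optional[str]:
    """The profile RACF would use for `resource`: a discrete profile that
    matches exactly, otherwise the most specific matching generic.  None
    means nothing covers the name, which under SETROPTS PROTECTALL is a
    failure such as the IDC3009I one discussed above."""
    matches = [p for p in profiles if profile_covers(p, resource)]
    if not matches:
        return None
    discrete = [p for p in matches if not is_generic(p)]
    if discrete:
        return discrete[0]
    return min(matches, key=_specificity_key)
```

With PAGE.* defined but PAGE.A.ANOTHER created, best_profile returns None, which is the PROTECTALL rejection John describes; with PAGE.** present the same name is covered. For the JESJOBS profile, a job submitted as USER=MYID resolves to SUBMIT.node.jobname.MYID and is not covered by SUBMIT.*.*.OTHERID, so only the OTHERID case is governed by that profile.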


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: Password?

2009-10-09 Thread Robert S. Hansel (RSH)
Ray,

I don't have an explanation for the panel, but this event raises an
interesting question. Do you leave your work station logged on and unlocked
when you leave the office at night such that someone else could use it to
access the network and email system under your ID and authority and with you
being held accountable for such actions?

Regards, Bob

-
Robert S. Hansel   | 2009 RACF Training
Lead RACF Specialist   |
RSH Consulting, Inc.   | > Audit for Results   - Boston - NOV 3-5
www.rshconsulting.com  |
617-969-8211   | Visit our website for registration & details
-

-Original Message-
Date:Thu, 8 Oct 2009 08:08:55 -0400
From:"Baraniecki, Ray" 
Subject: Password?

When I arrived at work this morning there was a panel on my work station
that was asking for my password for LISTSERV. I don't recall ever having
a password or for that matter how to request a password.

Can someone help clear up this confusion?


Thanks,


Ray Baraniecki
Morgan Stanley Smith Barney
18th Floor
1 New York Plaza
New York, NY 10004
Office - 212-276-5641
Cell - 917-597-5692

ray.baranie...@morganstanley.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: Prevent ISMF Access Via RACF

2009-11-18 Thread Robert S. Hansel (RSH)
Pat,

To prevent all access to ISMF, you can either (a) put UACC(NONE) on the ISMF
program libraries or (b) create a profile such as DGT* in the PROGRAM class
with UACC(NONE) and add the ISMF program libraries as members to the
profile. The libraries will probably be named SYS1.DGTLLIB and SYS1.DGTPLIB,
but check with your systems programmer to be sure and ask if copies of the
programs exist in any other libraries that need to be protected as well. In
either case, you would only permit access to those individuals (e.g.,
storage administrators) whom you wanted to have use of ISMF.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
www.rshconsulting.com
617-969-8211

-Original Message-
Date:Tue, 17 Nov 2009 15:57:39 -0600
From:Pat Monk 
Subject: Prevent ISMF Access Via RACF

z/OS V1R9.0 DFSMSdss Storage Administration Guide
SC35-0423-08

The above manual states

"...You can set authorization levels for the following ISMF elements by
using
the program control feature of the z/OS Security Server RACF component:

ISMF itself
...".

It then discusses using RACF program control to protect parts and pieces of
ISMF.

I have not found how to prevent any/all access to ISMF.

Anyone know where to find the RACF profile(s) needed to prevent access to
ISMF?

Thanks,
Pat

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: RACF - Any way to find out before hand what the user's access is to a file

2010-05-02 Thread Robert S. Hansel (RSH)
Gil,

For datasets, the ICH408I message and associated SMF type 80 record will
show the Generic profile that was guarding the resource at the time of the
violation or warning. If they do not specify a profile, it is usually the
case that a Discrete profile (one exactly matching the name of the dataset
and its associated VOLSER) was guarding the dataset. An exception is where
SETROPTS PROTECTALL prevents access to an unprotected dataset (i.e., one not
covered by any profile).

The same is also generally true for general resources. However, for
resources checked as part of the logon process (e.g., APPL, SURROGAT,
JESJOBS), the logon failure message doesn't indicate the controlling
profile. SMF records will provide details.

You can also obtain this same information from SMF records if logging of
authorized access is requested, either for the resource or the user.

Note that the caller can suppress logging in the RACROUTE call, and this
overrides all RACF logging specifications.

Regards, Bob

-
Robert S. Hansel   | 2010 RACF Training (January - July)
Lead RACF Specialist   | > Audit for Results   - Boston - MAY 4-6
RSH Consulting, Inc.   | > Intro & Basic Admin - Boston - MAY 25-27
www.rshconsulting.com  | > Securing z/OS Unix  - WebEx  - JUL 13-15
617-969-8211   | Visit our website for registration & details
-

-Original Message-
Date:Sat, 1 May 2010 19:04:47 -0500
From:Paul Gilmartin 
Subject: Re: RACF - Any way to find out before hand what the user's access
is to a file

On Sat, 1 May 2010 11:12:00 -0500, Tony wrote:
>
>1. rdef a surrogat profile USER1.submit and permit ourselves to it.
>2. run a batch job as user=USER1 that would attempt to allocate
>HLQ1.NODE2.WHATEVER.TESTRACF.FILE.
>3. run another job to load a record into said file.
>4. run another job to delete the file.
>
>Any failures would have created ICH408I messages.
>
>Simple, and the price is right.
>
Does it identify the rule by which access was granted?

-- gil
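Bob's answer above is that the ICH408I message (and the matching SMF type 80 record) is where the guarding profile is named, and that a message naming no profile usually points at a discrete profile or at a PROTECTALL rejection of an unprotected dataset. The Python below is an added example, not code from the list or from RACF: a small parser that turns ICH408I messages from a syslog extract into structured records and flags the ones that need that follow-up. The sample extract is constructed; its first message is the one quoted later on this page in the Control-M thread, and the second is made up to show the FROM line that names a generic profile.

```python
import re
from typing import Dict, List, Optional

Record = Dict[str, object]

# Constructed sample syslog extract (not real data).  The first message is
# the one quoted in the Control-M thread on this page; the second is made up
# to show the FROM line that names the generic profile.
SAMPLE_SYSLOG = """\
ICH408I USER(JGARCI1 ) GROUP(U90ATSF ) NAME(JORGE GARCIA JU )
  PRO02.AT00.P02.TCPRBD02.VSAM.NOVALE CL(DATASET ) VOL(*BLANK)
  DEFINE - INSUFFICIENT AUTHORITY
ICH408I USER(TSTUSR1 ) GROUP(TSTGRP  ) NAME(TEST USER ONE       )
  PROD.PAYROLL.MASTER CL(DATASET ) VOL(PRD001)
  INSUFFICIENT ACCESS AUTHORITY
  FROM PROD.PAYROLL.* (G)
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
"""

_HDR = re.compile(r"^ICH408I\s+USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)"
                  r"\s+NAME\((?P<name>[^)]*)\)")
_RES = re.compile(r"^\s*(?P<resource>\S+)\s+CL\((?P<cls>[^)]*)\)\s+VOL\((?P<vol>[^)]*)\)")
_FROM = re.compile(r"^\s*FROM\s+(?P<profile>\S+)(?:\s+\((?P<gen>G)\))?")
_ACC = re.compile(r"^\s*ACCESS INTENT\((?P<intent>[^)]*)\)\s+ACCESS ALLOWED\((?P<allowed>[^)]*)\)")


def _new_record(m: "re.Match[str]") -> Record:
    return {"user": m["user"].strip(), "group": m["group"].strip(),
            "name": m["name"].strip(), "resource": None, "class": None,
            "volume": None, "profile": None, "generic": None,
            "intent": None, "allowed": None, "reason": None}


def parse_ich408i(text: str) -> List[Record]:
    """Group each ICH408I header with its indented continuation lines."""
    records: List[Record] = []
    cur: Optional[Record] = None
    for line in text.splitlines():
        hdr = _HDR.match(line)
        if hdr:
            cur = _new_record(hdr)
            records.append(cur)
            continue
        if cur is None or not line.strip():
            continue
        m_res, m_from, m_acc = _RES.match(line), _FROM.match(line), _ACC.match(line)
        if m_res and cur["resource"] is None:
            cur["resource"] = m_res["resource"]
            cur["class"] = m_res["cls"].strip()
            cur["volume"] = m_res["vol"].strip()
        elif m_from:
            cur["profile"] = m_from["profile"]
            cur["generic"] = m_from["gen"] == "G"   # (G) marks a generic profile
        elif m_acc:
            cur["intent"] = m_acc["intent"].strip()
            cur["allowed"] = m_acc["allowed"].strip()
        elif cur["reason"] is None:
            cur["reason"] = line.strip()            # e.g. INSUFFICIENT ACCESS AUTHORITY
    return records


def guarding_profile(rec: Record) -> str:
    """Apply the rule from the thread: a named profile is the generic (G) or
    discrete profile that guarded the resource; no profile shown usually
    means a discrete profile, unless PROTECTALL rejected an unprotected name."""
    if rec["profile"]:
        return f"{rec['profile']} ({'generic' if rec['generic'] else 'discrete'})"
    return "none shown: expect a discrete profile, or PROTECTALL on an unprotected dataset"


def unexplained(records: List[Record]) -> List[Record]:
    """Violations whose guarding profile is not named and therefore need a
    LISTDSD or SEARCH follow-up by the administrator."""
    return [r for r in records if not r["profile"]]
```

Run over the sample, the Control-M DEFINE failure comes back with no profile named, so it is the one to chase with LISTDSD or SEARCH, while the constructed payroll message already carries its generic profile and the intent/allowed pair.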

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: RACF password rules

2010-05-02 Thread Robert S. Hansel (RSH)
Ulrich,

I believe they can cover both 7 and 8 character alphanumeric passwords in a
single rule of:

SETR PASSWORD( RULE1( LENGTH(7:8) ALPHANUM(1:8)))

Regards, Bob

-
Robert S. Hansel   | 2010 RACF Training (January - July)
Lead RACF Specialist   | > Audit for Results   - Boston - MAY 4-6
RSH Consulting, Inc.   | > Intro & Basic Admin - Boston - MAY 25-27
www.rshconsulting.com  | > Securing z/OS Unix  - WebEx  - JUL 13-15
617-969-8211   | Visit our website for registration & details
-

-Original Message-
Date:Sat, 1 May 2010 15:02:23 +0200
From:Ulrich Boche 
Subject: Re: RACF password rules

Serenity wrote on 26.04.2010 16:47:
>> SETR PASSWORD( RULE1( LENGTH(8) ALPHANUM(1:8)))
>
> As I read it, this sets an 8 char password with an alphanumeric in any
> of the 8 positions.
>
> I'd like to require at least one numeric, but in any position.
>
> Can this be done without an exit?

As others already mentioned, the rule I proposed requires 8-char.
passwords with at least one alphabetic and one numeric character. The
letters and digits can be in any position of the password, but there
must be at least one of each. Basically, it allows any combination of
seven letters with one digit to one letter with seven digits and
anything in-between.

This may not be exactly what you're looking for, but it is a nit to
implement in comparison with writing, installing and maintaining a
new-password exit in RACF.

If you also want to allow 7-char. passwords, add the following
additional rule:

SETR PASSWORD( RULE2( LENGTH(7) ALPHANUM(1:7)))

But remember that allowing 7-char. passwords in addition to 8-char.
passwords is unlikely to improve your security: the total no. of
possible passwords increases just marginally but your users might opt
for the easiest way out and use the shorter passwords to a large proportion.
--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
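Bob's single rule LENGTH(7:8) ALPHANUM(1:8) and Ulrich's remark that allowing 7-character passwords barely enlarges the password space can both be checked. The Python below is an added example, not code from the list or from RACF: it parses the operands of a SETR PASSWORD RULEn(...) as the thread writes them, applies them to a candidate password with the semantics the thread describes (every position must satisfy its content keyword, and ALPHANUM positions must contain at least one letter and one digit), and counts the resulting password space. The treatment of the national characters @ # $ as alphabetic follows RACF's classification as I know it; the space count leaves them out for simplicity, and the passwords in the calls are constructed.

```python
import re
from typing import Dict, Tuple

# Character classes as RACF classifies them for password rules; RACF counts
# the national characters @ # $ as alphabetic.
ALPHA = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ@#$")
NUMERIC = set("0123456789")
VOWEL = set("AEIOU")
CONTENT = {
    "ALPHA": ALPHA,
    "NUMERIC": NUMERIC,
    "ALPHANUM": ALPHA | NUMERIC,
    "VOWEL": VOWEL,
    "NOVOWEL": (ALPHA - VOWEL) | NUMERIC,
    "CONSONANT": ALPHA - VOWEL,
}

# keyword(n) or keyword(n:m); RULEn( and PASSWORD( have no digits inside
# their parentheses and are skipped, so the whole SETR text can be passed.
_KW = re.compile(r"([A-Z]+)\((\d+)(?::(\d+))?\)")


def parse_rule(rule_text: str) -> Tuple[int, int, Dict[int, str]]:
    """Return (min_len, max_len, {position: content keyword}) for one rule."""
    min_len = max_len = None
    positions: Dict[int, str] = {}
    for kw, lo, hi in _KW.findall(rule_text.upper()):
        start, end = int(lo), int(hi or lo)
        if kw == "LENGTH":
            min_len, max_len = start, end
        elif kw in CONTENT:
            for pos in range(start, end + 1):
                positions[pos] = kw
        else:
            raise ValueError(f"unknown keyword {kw}")
    if min_len is None or max_len is None:
        raise ValueError("LENGTH is required")
    uncovered = [p for p in range(1, max_len + 1) if p not in positions]
    if uncovered:
        raise ValueError(f"positions without a content keyword: {uncovered}")
    return min_len, max_len, positions


def password_satisfies(rule_text: str, password: str) -> bool:
    """Check a candidate password against the rule."""
    min_len, max_len, positions = parse_rule(rule_text)
    pw = password.upper()                     # classic RACF passwords are upper-cased
    if not (min_len <= len(pw) <= max_len):
        return False
    if any(ch not in CONTENT[positions[i]] for i, ch in enumerate(pw, start=1)):
        return False
    # ALPHANUM positions must hold at least one letter and at least one digit,
    # which is what makes RULE1 require a mix rather than merely permit one.
    in_alnum = {ch for i, ch in enumerate(pw, start=1) if positions[i] == "ALPHANUM"}
    if in_alnum and not (in_alnum & ALPHA and in_alnum & NUMERIC):
        return False
    return True


def alphanum_space(length: int) -> int:
    """Passwords of exactly `length` characters over A-Z and 0-9 that contain
    at least one letter and one digit (inclusion-exclusion over the
    all-letters and all-digits cases)."""
    return 36 ** length - 26 ** length - 10 ** length
```

alphanum_space(7) is under 3% of alphanum_space(8), which is the "increases just marginally" in Ulrich's reply; the exposure he describes is users choosing the shorter length, not the arithmetic.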

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: RACF - Any way to find out before hand what the user's access is to a file

2010-05-02 Thread Robert S. Hansel (RSH)
Ted,

In those banking environments, did you protect or monitor the use of the
LISTDSD, RLIST, or SEARCH commands and their aliases? As discussed in the
October 2009 issue of our RSH RACF Tips newsletter, these commands offer a
wealth of information to a would-be hacker, and their use is not logged by
default.

Regards, Bob

-
Robert S. Hansel   | 2010 RACF Training (January - July)
Lead RACF Specialist   | > Audit for Results   - Boston - MAY 4-6
RSH Consulting, Inc.   | > Intro & Basic Admin - Boston - MAY 25-27
www.rshconsulting.com  | > Securing z/OS Unix  - WebEx  - JUL 13-15
617-969-8211   | Visit our website for registration & details
-

-Original Message-
Date:Sat, 1 May 2010 13:01:24 +
From:Ted MacNEIL 
Subject: Re: RACF - Any way to find out before hand what the user's access
is to a file

>> wants away to check security.

Coming from a Banking background, I believe a user should not have the
ability to check beforehand.
That's a security exposure, because the user may find something that they
normally wouldn't.

Also, don't blame it on out-sourcing.
I've seen incompetent in-house security staff, as well.
-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: SAS is gone - long live ... ICETOOL?

2010-06-26 Thread Robert S. Hansel (RSH)
Moira,

You may find our presentation titled "DFSORT & ICETOOL" helpful. You can
obtain a copy of the slides from our website at the following url:

www.rshconsulting.com/racfres.htm

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
617-969-8211
www.linkedin.com/in/roberthansel
RSH Consulting, Inc.
www.rshconsulting.com

-
2010 RACF Training
> Securing z/OS Unix  - WebEx  - JUL 13-15
> Intro & Basic Admin - Boston - OCT 5-7
> Audit for Results   - Boston - OCT 26-28
Visit our website for registration & details
-

-Original Message-
Date:Fri, 25 Jun 2010 08:56:17 -0500
From:M Hunter 
Subject: SAS is gone - long live ... ICETOOL?

I know I'm not the only one to suffer this, but "management" have decided
that SAS is too expensive and as it is only used by the technical group (OK,
I'm the only one who writes it, though others use the reports) it has got to
go.  Frankly, I'm surprised I managed to hold on to it for so long.

So, what to replace it with?  There's no money to buy a replacement (not
even a SAS windows licence) so I'm limited to existing software only.  That
basically means z/OS and DFSORT.

Forgetting about SMF and MXG for the moment, most of the other reports
process data from DCOLLECT and RACF IRRDBU, IRRADU.  One feature that is
used a lot is PROC SUMMARY (or PROC MEANS) to group (sum) data for a
subset, for example by high-level qualifier, or part of dsname.

I'm happy with REXX but a novice with ICETOOL, my ICETOOL experience
being limited to tinkering with sample reports.  Does anyone have any hints,
gotchas, examples for how I might replace my reports?

Thanks,

Moira

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: RACF PROGRAM ADDMEM and SYMBOLICRELATE

2010-07-13 Thread Robert S. Hansel (RSH)
Alan,

As you surmised, you cannot use aliases or symbolics in PROGRAM class
profile ADDMEM library entries. You'll have to specify the fully-qualified
actual name.

In setting up PROGRAM profiles in support of Unix and BPX.DAEMON, you
probably created a catchall profile of * or **. Just add the library to this
profile. There is no need to create another profile.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
617-969-8211
www.linkedin.com/in/roberthansel
RSH Consulting, Inc.
www.rshconsulting.com

-
2010 RACF Training
> Securing z/OS Unix  - WebEx  - JUL 13-15
> Intro & Basic Admin - Boston - OCT 5-7
> Audit for Results   - Boston - OCT 26-28
Visit our website for registration & details
-

-Original Message-
Date:Mon, 12 Jul 2010 15:52:29 -0700
From:"Starr, Alan" 
Subject: RACF PROGRAM ADDMEM and SYMBOLICRELATE


Hi list,

I just added an FTP exit to a user loadlib that has a DSN (VTOC entry) of
SYS2.LINKLIB.Z19. This dataset is assigned a SYMBOLICRELATE alias of
SYS2.LINKLIB to facilitate z/OS-release-independent accesses.

FTP Server requires access to the FACILITY called BPX.DAEMON which, in turn,
requires that its exits reside in a "controlled" dataset.

I therefore want to RDEFINE   PROGRAM   FT*   ADDMEM(dataset-name//PADCHK)

I strongly suspect (but have not tested) that specifying the alias name of
SYS2.LINKLIB is not going to produce the desired effect because the OPENed
DSN (in LNKLST) is SYS2.LINKLIB.Z19 (i.e. the alias was resolved by OPEN and
then forgotten).

I have tried specifying a static system symbol (&MVSDSNQ = .Z19) as part of
the DSN - ADDMEM('SYS2.LINKLIB&MVSDSNQ'//PADCHK) - but RACF didn't accept
that.

Am I stuck having to specify a full-qualified "truename" and change the
MEMBER segments of all PROGRAM resources every time I upgrade?

Cheers,
Alan

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: Access to RACF entries dataset. Operation attribute

2010-07-16 Thread Robert S. Hansel (RSH)
Jorge,

It is not clear you fully understood Walt's advice. Assuming PR002 is a
group, try connecting T99CTM to it with USE authority (the default) as shown
below. This should prevent Control-M from creating the dataset. Before
testing, remove WARNING from the profile.

CO T99CTM GROUP(PR002)

What catalog is your dataset cataloged in? Does T99CTM have ALTER access to
the dataset profile protecting this catalog, either by an explicit permit or
using OPERATIONS authority? ALTER access to the catalog would allow T99CTM
to delete the dataset.

Is the dataset on a non-SMS managed DASD volume? If yes, what is the VOLSER
and is this VOLSER covered by a DASDVOL profile? Does T99CTM have ALTER
access to this DASDVOL profile, either by an explicit permit or using
OPERATIONS authority? ALTER access to the profile would allow T99CTM to
delete the dataset.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
617-969-8211
www.linkedin.com/in/roberthansel
RSH Consulting, Inc.
www.rshconsulting.com

-
2010 RACF Training
> Intro & Basic Admin - Boston - OCT 5-7
> Audit for Results   - Boston - OCT 26-28
Visit our website for registration & details
-

-Original Message-
Date:Thu, 15 Jul 2010 16:04:02 -0500
From:Jorge Garcia 
Subject: Re: Access to RACF entries dataset. Operation attribute

Elardus:

<>

It doesn't work.

<>

No. It's Z99OWNE. It's the same user for all STCs, profile datasets, etc.

<

The eventual group access is T99GRP00.

>

No, it doesn't.

<>

TRUSTD = No and PRIVILEGED= NO

Walt:

First, sorry for my poor English. I'll try to explain better.


<< make sure the data set is not covered by a GLOBAL DATASET member that
allows ALTER. >>

We've defined a profile dataset
called "PRO02.AT00.P02.TCPRBD02.VSAM.NOVALE" (generic)
It's the name of dataset. There is another profile dataset called "PRO02.*"
and
T99CTM has access ALTER in the access list.

<>

Yes, it's right. My user has the operations attribute. I removed it, and when I
submit the job I can delete the dataset but I cannot define it:

$HASP373 MIGHP01  STARTED - INIT 30   - CLASS A - SYS LEG1
IEF403I MIGHP01 - STARTED - TIME=14.40.05
-  --TIMINGS (MINS.)--
-STEPNAME PROCSTEPRC   EXCP   CONNTCBSRB  CLOCK   SERV
-PASO05   00 91 20.00.00 .0803
ICH408I USER(JGARCI1 ) GROUP(U90ATSF ) NAME(JORGE GARCIA JU )
  PRO02.AT00.P02.TCPRBD02.VSAM.NOVALE CL(DATASET ) VOL(*BLANK)
  DEFINE - INSUFFICIENT AUTHORITY
-PASO10   12 39 11.00.00 .0347
IEF404I MIGHP01 - ENDED - TIME=14.40.05

---
//PASO05   EXEC   PGM=IDCAMS,COND=(4,LT)
//* DELETE THE VSAM
//SYSPRINT  DD   SYSOUT=*,OUTLIM=0
//SYSIN DD   *
   DELETE PRO02.AT00.P02.TCPRBD02.VSAM.NOVALE

---

//PASO10   EXEC   PGM=IDCAMS,COND=(4,LT)
//SYSPRINT  DD   SYSOUT=*,OUTLIM=0
//SYSIN DD   *
   DEF CL -
   (NAME (PRO02.AT00.P02.TCPRBD02.VSAM.NOVALE) -
RECSZ (32752 32752) -
BUFSP (65536) -
CISZ (32768) -
REUSE -
SHR (2 3) -
VOLUMES (SIS512) -
TRK (1 1) -
NUMBERED)
/*



All the authorities are USE. I've pasted them below:

USER=T99CTM  NAME=STC CONTROLM  OWNER=Z99OWNE  CREATED=00.049
 DEFAULT-GROUP=T99GRP00  PASSDATE=N/A  PASS-INTERVAL=N/A  PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL OPERATIONS
 ATTRIBUTES=PROTECTED AUDITOR
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=10.196/22:46:50
 CLASS AUTHORIZATIONS=NONE
 NO-INSTALLATION-DATA
 NO-MODEL-NAME
 LOGON ALLOWED   (DAYS)  (TIME)
 -
 ANYDAY  ANYTIME
  GROUP=T99GRP00  AUTH=USE  CONNECT-OWNER=Z99OWNE  CONNECT-DATE=00.049
    CONNECTS= 5,092  UACC=NONE  LAST-CONNECT=10.196/22:46:50
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
 NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED

---


INFORMATION FOR GROUP PRO02
SUPERIOR GROUP=R90MINFO OWNER=Z99OWNE
CREATED=05.158
INSTALLATION DATA=GRUPO PERFILES ORACLE PREPRODUCCION
NO MODEL DATA SET
TERMUACC
NO SUBGROUPS
USER(S)=  ACCESS=  ACCESS COUNT=  UNIVERSAL ACCESS=
  Z99OWNE   USE   00   NONE
 CONNECT ATTRIBUTES=NONE
 REVOKE DATE=NONE RESUME DATE=NONE


---

Regards

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message:

Re: Access to RACF entries dataset. Operation attribute

2010-07-17 Thread Robert S. Hansel (RSH)
Barry & Jorge,

Barry, CREATE authority to a group will allow a user to create a dataset
with an HLQ matching the group name even when the user is permitted less
than ALTER access to the group's dataset profiles. CONNECT and JOIN
authority will do the same since they include CREATE authority. OPERATIONS
authority users have implicit CREATE authority in all groups. To prevent an
OPERATIONS user from creating a group dataset, it is necessary to connect
the OPERATIONS user to the group with USE authority in addition to
permitting the user less than ALTER access to the dataset profile.
Therefore, connecting T99CTM to MPRO02 was required.

Jorge, I'm pleased to hear you got this sorted out. Do be aware that if you
have other OPERATIONS users, they too will be able to create and delete this
dataset. To restrict OPERATIONS users, I usually create a group with a name
something like NO#OPER, connect all the OPERATIONS users to it, and permit
this group access of less than ALTER to resources I want them kept out of,
especially catalogs, APF libraries, and DASDVOL profiles. If there are many
OPERATIONS users, connecting them all to MPRO02 with USE authority might be
a bit cumbersome; perhaps connecting T99CTM alone is sufficient for your
purposes.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
617-969-8211
www.linkedin.com/in/roberthansel
RSH Consulting, Inc.
www.rshconsulting.com

-
2010 RACF Training
> Intro & Basic Admin - Boston - OCT 5-7
> Audit for Results   - Boston - OCT 26-28
Visit our website for registration & details
-

-Original Message-
Date:Fri, 16 Jul 2010 10:24:34 -0700
From:"Schwarz, Barry A" 
Subject: Re: Access to RACF entries dataset. Operation attribute

There does not appear to be any reason to connect T99CTM to MPRO02.

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf
Of Jorge Garcia
Sent: Friday, July 16, 2010 2:54 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Access to RACF entries dataset. Operation attribute

We've solved the problem. The main topics below:

- Define a separate user catalog with alias with the special dataset
(CAT.USUARIO.MIGHP).
- Define in profile user catalog access list NONE to operation user
(T99CTM).
- Define a group (MPRO02) with a same HLQ of dataset
- Define a profile dataset with the special dataset
(MPRO02.AT00.P02.TCPRBD02.VSAM.NOVALE). T99CTM Access NONE.
- Connect user T99CTM to group MPRO02.
- Now T99CTM couldn't delete or define the dataset. It still has OPERATIONS.

Walt gave us the solution.

<>


The key is connecting the USERID of an OPERATIONS user to the group
matching a dataset HLQ with USE authority ...

It was difficult.

Thanks a lot!!
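Bob's explanation of why the USE connect was needed combines two separate RACF behaviours: an explicit access-list entry of less than ALTER caps what OPERATIONS would otherwise grant on a profile, and CREATE authority in a group (implicit for OPERATIONS users, or carried by a CREATE, CONNECT or JOIN connect) lets a user create a group dataset regardless of that cap, unless the OPERATIONS user is connected to the group with USE. The Python below is an added example, not code from the list or from RACF; it models those two rules exactly as the thread states them so that Jorge's sequence of changes can be replayed, and it simplifies the rest (no PROTECTALL, no catalog or DASDVOL checks, and list-of-groups treated as always active). The user IDs, group names and profile names in the calls are taken from the thread or constructed.

```python
from dataclasses import dataclass, field
from typing import Dict

ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}


@dataclass
class User:
    userid: str
    operations: bool = False
    # group -> connect authority: USE, CREATE, CONNECT or JOIN
    connects: Dict[str, str] = field(default_factory=dict)


@dataclass
class DatasetProfile:
    name: str                                   # the covering profile
    uacc: str = "NONE"
    acl: Dict[str, str] = field(default_factory=dict)   # userid or group -> access


def effective_access(user: User, profile: DatasetProfile) -> str:
    """Access-list entries are honoured before OPERATIONS: an explicit entry
    for the user (or, failing that, the best entry for one of the user's
    groups) caps an OPERATIONS user.  With no entry, OPERATIONS acts as ALTER."""
    if user.userid in profile.acl:
        return profile.acl[user.userid]
    group_entries = [profile.acl[g] for g in user.connects if g in profile.acl]
    if group_entries:
        return max(group_entries, key=ACCESS_RANK.__getitem__)
    return "ALTER" if user.operations else profile.uacc


def has_create_authority(user: User, group: str) -> bool:
    """CREATE, CONNECT and JOIN all include CREATE authority in the group.
    OPERATIONS gives implicit CREATE in every group, except a group the user
    is explicitly connected to with USE."""
    auth = user.connects.get(group)
    if auth in ("CREATE", "CONNECT", "JOIN"):
        return True
    return user.operations and auth is None


def can_create_group_dataset(user: User, dsname: str, profile: DatasetProfile) -> bool:
    """A group dataset (HLQ equal to a group name) may be created by a user
    with ALTER access to the covering profile or CREATE authority in the group."""
    hlq = dsname.split(".")[0]
    if ACCESS_RANK[effective_access(user, profile)] >= ACCESS_RANK["ALTER"]:
        return True
    return has_create_authority(user, hlq)
```

Replaying the thread: with T99CTM permitted NONE on the profile but not connected to MPRO02, the DEFINE still succeeds through implicit CREATE; adding the USE connect is what closes it. The same replay shows the limit of the NO#OPER group technique from Bob's second paragraph: permitting that group less than ALTER caps the OPERATIONS users' access to the profile, but it does not remove their implicit CREATE for group datasets, so the USE connect is still required for the HLQ group.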

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: SDSF Security

2008-12-17 Thread Robert S. Hansel (RSH)
Hal,

Is the problem that the users cannot get to the SR panel, or they can't act
on a message once they get there?

To get to the panel, they need READ access to SDSF class resource
ISFCMD.ODSP.SR.system. If they have access, SR System Requests should show
up on their SDSF Primary Option Menu when they enter SDSF. If not and they
attempt to enter the SR command, they should get an ICH408I violation
message. If it is not defined to RACF, ISFPARMS governs, and if they don't
have access, they will only get "COMMAND NOT AUTHORIZED".

If they can get to the SR panel, they will need READ access to either, or
both, ISFSR.ACTION.system.jobname or ISFSR.REPLY.system.jobname in order to
act on messages. If these resources are protected by RACF, and they don't
have sufficient access, they will get an ICH408I message and "NOT AUTHORIZED
FOR CMD". If they are not protected by RACF, ISFPARMS governs, and if they
don't have access, they will only get "NOT AUTHORIZED FOR CMD".

Based on what you've said, I'm guessing you defined and granted them access
to ISFCMD.ODSP.SR.system but didn't define profiles for the ISFSR resources,
and the ISFPARMS don't give them access.

One final consideration which you've probably already thought of but just in
case. If defined to RACF, is the SDSF class RACLISTed and did you do a
REFRESH on the system where executed? If not, is the profile(s) protecting
these SDSF resources generic and did you do a GENERIC REFRESH (or have the
user logon/logoff)?

Hope this helps. Happy Holidays.

Regards, Bob

-
Robert S. Hansel   | 2009 RACF Training (January - July)
Lead RACF Specialist   | > Intro & Basic Admin - Boston - APR 28-30
RSH Consulting, Inc.   | > Audit for Results   - Boston - MAY 19-21
www.rshconsulting.com  |
617-969-8211   | Visit our website for registration & details
-
 Register for a 2009 training seminar at 2008 prices!
  See website for details.   
-

-Original Message-
Date:Tue, 16 Dec 2008 11:27:11 -0600
From:Hal Merritt 
Subject: SDSF Security

My operations folks would like to use the SR panel to manage WTOR's. All
of the applicable  RACF profiles seem to be in place and they can issue
the replies from the LOG screen.

The diagnosis procedure in the FM for the error message wasn't
productive.

The error message returned is "Not authorized for cmd". Nothing else
even though WTPMSG is in effect.

Could someone fax me a clue?

Thanks.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: new ftp userid

2009-02-25 Thread Robert S. Hansel (RSH)
Dave,

Does the new ID have an OMVS segment with a UID?

Regards, Bob

-
Robert S. Hansel   | 2009 RACF Training (January - July)
Lead RACF Specialist   | > Intro & Basic Admin - Boston - APR 28-30
RSH Consulting, Inc.   | > Audit for Results   - Boston - MAY 19-21
www.rshconsulting.com  |
617-969-8211   | Visit our website for registration & details
-

-Original Message-
Date:Tue, 24 Feb 2009 14:47:48 -0500
From:David Hanson 
Subject: Re: new ftp userid

Thanks Hal.

I reset the password and specified no to expired. 

Thanks, Dave Hanson
464-8889



Re: A New Threat for password hacking

2010-11-29 Thread Robert S. Hansel (RSH)
John,

I believe RACF only uses single DES, not Triple DES.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-
2011 RACF Training
> Intro & Basic Admin - WebEx  - JAN 24-28
> Securing z/OS Unix  - WebEx  - FEB 8-10
> Audit for Results   - Boston - APR 12-14
> Intro & Basic Admin - Boston - MAY 10-12
Visit our website for registration & details
-

-Original Message-
Date:Sun, 28 Nov 2010 19:37:37 -0600
From:John McKown 
Subject: Re: A New Threat for password hacking

RACF password encryption is explained here:

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichza290/3.3.1

It uses Triple DES where the password is a key to encrypt the userid,
which encrypted value is then stored in the DB. So two different users
with the same password would have two different encrypted values. It
also states it is a "one way" encryption. There is no way to "back out".
To crack a password would require having the unencrypted RACF id, the
encrypted stored value, and the exact algorithm. Now, I'm not a
cryptographer, but I don't think you can use that information to
recreate a valid password easily. So you're more likely to try a brute
force dictionary attack. Again, using an NSA quality supercomputer, I
have no idea how long this would take. I think I'd just play the lotto
and win sooner. But that is my ignorance speaking.

On Sun, 2010-11-28 at 19:15 -0600, Paul Gilmartin wrote:
> On Sun, 28 Nov 2010 15:56:36 -0600, Russell Witt wrote:
>
> >Easy to say "do not share your RACF db"; harder in reality. Most sites
> >believe they are safe because their RACF db is security protected and the
> >dasd is not shared. And then completely forget that backups (to physical or
> >virtual tape) contain the exact same information. And quite often the DSN
> >used for the backup tapes is some type of dasd-manager HLQ, since it was
> >most likely a full-volume backup that happened to contain the RACF db. And
> >even if the HLQ for the full-volume backups is read-protected; it is still
> >far easier to hack a tape dataset. Often, tape libraries (physical and
> >virtual) are shared with less-secure test machines and quite often even with
> >non z/OS systems. Granted, you will need the physical layout of the RACF db;
> >but not the entire layout. Just enough to identify where the passphrases are
> >maintained.
> >
> Aren't the passwords encrypted?  But how strong is the encryption?
>
> It would be peculiarly pointless to store fewer bits of the encrypted
> password than are used in the encrypting key.
>
> -- gil
>
--
John McKown
Maranatha! <><
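The password-as-key scheme this thread describes, as an added example that is not part of the thread and not RACF's own code: the password becomes the DES key, the user ID is the plaintext, and only the 8-byte ciphertext is kept (single DES, as Bob notes). It also runs the dictionary attack John expects to be the practical route. Assumptions: ASCII and blank-padding to 8 characters; the real RACF implementation works in EBCDIC and has key-formatting details that are not reproduced here. The user IDs, password and wordlist are constructed.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
	"strings"
)

// normalize8 upper-cases s and blank-pads or truncates it to the 8-character
// field RACF uses for user IDs and (pre-passphrase) passwords.
// ASSUMPTION: ASCII is used here; real RACF works in EBCDIC.
func normalize8(s string) []byte {
	b := []byte(strings.ToUpper(s))
	if len(b) > 8 {
		b = b[:8]
	}
	for len(b) < 8 {
		b = append(b, ' ')
	}
	return b
}

// RacfLikeHash models the scheme the thread describes: the password is the
// DES key, the user ID is the plaintext, and the 8-byte ciphertext is what
// gets stored. Single DES, one block, no IV. ASSUMPTION: RACF's own
// key-formatting details are not reproduced; this is the shape of the
// algorithm, not a bit-exact reimplementation.
func RacfLikeHash(userid, password string) ([]byte, error) {
	block, err := des.NewCipher(normalize8(password))
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, normalize8(userid))
	return out, nil
}

// DictionaryAttack is the attack John anticipates: given the user ID, the
// stored value and the algorithm, try candidate passwords until one
// reproduces the stored value. Returns the match, or "" if none matched.
func DictionaryAttack(userid string, stored []byte, candidates []string) string {
	for _, c := range candidates {
		if h, err := RacfLikeHash(userid, c); err == nil && bytes.Equal(h, stored) {
			return c
		}
	}
	return ""
}

func main() {
	// Constructed user IDs, password and wordlist; not real credentials.
	h1, _ := RacfLikeHash("IBMUSER", "secret")
	h2, _ := RacfLikeHash("OPER1", "secret")
	fmt.Printf("IBMUSER: %x\nOPER1:   %x\n", h1, h2) // same password, different stored values
	wordlist := []string{"PASSWORD", "WELCOME1", "CHANGEME", "SECRET"}
	fmt.Println("recovered for IBMUSER:", DictionaryAttack("IBMUSER", h1, wordlist))
}
```

Because the user ID is the plaintext, two users with the same password get different stored values, but that only acts as a salt, not as a secret: anyone holding a copy of the database (the backup-tape scenario Russell raises) can run the loop above user by user, and the effective key space is bounded by the 8-character password rules, not by the 56-bit DES key. That is the practical reason to treat every copy of the RACF database, backups included, as sensitive.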



Re: Restricting jobs that use a certain DDNAME, certain DSNAME to a group of classes

2010-12-29 Thread Robert S. Hansel (RSH)
Gadi,

Please tell us more about your environment and the jobs. Do you run JES2 or
JES3? If JES2, does each LPAR have its own spool and nodename or are all the
LPARs using a MAS shared spool with a single nodename? What security
software do you use (e.g., RACF)? Do all the LPARs share the same security
software database? Are all the jobs that perform updates a known, fixed set,
and are they all submitted by your job scheduler? Can these jobs be assigned
a unique USERID that is different than those assigned to jobs that simply
read the file? Are the programs used to update the file a known, fixed set?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-
2011 RACF Training
> Intro & Basic Admin - WebEx  - JAN 24-28
> Securing z/OS Unix  - WebEx  - FEB 8-10
> Audit for Results   - Boston - APR 12-14
> Intro & Basic Admin - Boston - MAY 10-12
Visit our website for registration & details
-

-Original Message-
Date:Tue, 28 Dec 2010 13:05:29 +0200
From:Gadi Ben Avi
Subject: Restricting jobs that use a certain DDNAME, certain DSNAME to a
group of classes

Hi,

I have the following request:
Check if a job uses a certain DD, and that DD references a certain DSNAME,
make sure that the job runs on a specified LPAR.

Thanks

Gadi



Re: TPX and two RACF systems

2008-08-23 Thread Robert S. Hansel (RSH)
Mark,

One of my former clients had a Courion product (don't know if it was
PasswordCourier) that would send Windows password changes to its software
agent running on the mainframe to sync passwords. I believe it would also
optionally take a password change entered on the mainframe and propagate it
out to other platforms, which I assume could include another mainframe.
Since you already have the product, this may be worth investigating.

As others have mentioned, RRSF is also a good option. A colleague of mine
set up RRSF at a bank where he was formerly employed and found it to work
very well. If you are only concerned with RACF to RACF synchronization, I
would tend to favor RRSF over solutions such as Courion as it is (a)
designed for just this one specific function, (b) doesn't require additional
software licensing or costs, and (c) doesn't rely on software running on
other platforms to carry out the propagation.

I suggest giving further consideration to merging databases as it could
simplify RACF administration as well as solve the problem you are trying to
address. It is not as daunting an effort as it might seem at first. For
ideas on merging databases, see our recently updated presentation on this
topic at the following url:

http://www.rshconsulting.com/RSHpres/RSH_Consulting__Merging_RACF_Databases__June_2008.pdf

or

http://preview.tinyurl.com/5ges78

Regards - Bob

Robert S. Hansel
LTCOL - USMCR-Retired (1976-1997)
RSH Consulting, Inc.
www.rshconsulting.com
617-969-8211 

-Original Message-
Date:Fri, 22 Aug 2008 09:24:11 -0700
From:"Mark T. Regan, K8MTR" <[EMAIL PROTECTED]>
Subject: Re: TPX and two RACF systems

We also have the Courion PasswordCourier product installed. It's mainly used
to reset passwords via a web or phone interface, so only the IP interface is
being used. Does anyone know if it has a VTAM 3270 interface of any kind so
that TPX can use an ACL to change the password using it?

Thanks

Mark T. Regan, K8MTR
CTO1 USNR-Retired (1969-1991)




Re: RACF education/books/papers...

2008-10-07 Thread Robert S. Hansel (RSH)
Ron,

You may find the information on our website useful, particularly the RACF
newsletters, white papers, and presentations available via the RACF Center
page. You'll also find information about various RACF Users Group which
might be close by. Here is the url:

http://www.rshconsulting.com


Regards, Bob


Robert S. Hansel   | 2008 RACF Training
Lead RACF Specialist   | > Intro & Basic Admin - Boston - OCT 7-9
RSH Consulting, Inc.   | > Audit for Results   - Boston - OCT 28-30
www.rshconsulting.com  |
617-969-8211   | > Visit our website for registration & details



-Original Message-
Date:Mon, 6 Oct 2008 10:12:54 -0500
From:Ron <[EMAIL PROTECTED]>
Subject: RACF education/books/papers...

At our shop we're currently using CA-ACF2, but will be using IBM-RACF in the
future. My knowledge of RACF is very limited, and the official IBM classes
will be too late to get at least a basic knowledge of RACF.

Besides the IBM redbooks, IBM-z/OS (security server) manuals is there any
other reading material or websites or online training that you would
recommend in order to get my RACF knowledge up to par?

thanks,

Ron




Re: VTAMLST - Who needs to read it

2012-03-10 Thread Robert S. Hansel (RSH)
Chris,

When IBM suggests UACC(NONE) for a system dataset, this is usually an indicator 
the dataset contains security control information that should be kept secret. 
In this particular case, it may have to do with options such as the ability to 
specify clear text passwords with PRTCT= on VTAM APPL definitions. Whereas the 
RACF team at IBM may not always provide detailed information about why they 
made a particular suggestion, I have always found them to be very thoughtful 
and never arbitrary.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-
2012 RACF Training
- Audit for Results   - Boston - APR 24-26
- Intro & Basic Admin - Boston - MAY 8-10
-

-Original Message-
Date:Fri, 9 Mar 2012 12:03:03 -0600
From:Chris Mason 
Subject: Re: VTAMLST - Who needs to read it

Juan

> IBM suggests UACC(NONE) for them (RACF Security Administrator Guide, appendix 
> D - Security for system datasets).

Why should the RACF developers be the arbiters of what is the correct access 
policy for VTAMLST? I would say that they were as likely to get such a proposal 
correct as any other development shop commenting on the products of another 
development shop. In other words, they are very, very likely to get it quite 
wrong - a phenomenon I have observed time and again!

Indeed, I have sometimes been very pleasantly surprised when a manual written 
by one development shop happened to come up with a clear explanation of how to 
use products from another development shop. Actually the only case I can 
remember over many years is GDDM talking about the 3270 data stream.

> (RACF Security Administrator Guide, appendix D - Security for system datasets)

Please - and this applies to all posters - provide a URL when referring to 
something stated in a manual.
 
I suggest you post this query on the RACF-L list and challenge the gurus I 
notice there (who are not backward in coming forward) and see if any of them can 
provide a reasoned argument why the following recommendation - which I dug out! 
- is present:



D.0 Appendix D. Security for system data sets

Table 48. UACC values for system data sets

Data set/UACC/Comments

...

SYS1.VTAMLST/NONE/

...



http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichza7c0/D.0

Note that the people responsible for this table couldn't even imagine any 
justifying comment to add. I suspect they had wet fingers in the air!

If the RACF-L gurus cannot provide a reasoned argument, I suggest you treat 
this recommendation with the pinch of salt which in my opinion it deserves.

Remember "There is no substitute for understanding what you are doing.", a 
maxim that isn't necessarily ingrained on the conscience of IBM developers!

-

Anyhow the "users" who need to access VTAMLST are obviously the user of the 
VTAM/NET address space and any system programmer's TSO address space where the 
system programmer is responsible for maintaining the VTAMLST partitioned data 
set. I cannot see any reason why a user of the VTAM API would require access to 
VTAMLST for the reason that he/she was using the VTAM API.

-

Incidentally, while you are challenging the RACF-L gurus over access to 
VTAMLST, you might care equally to challenge them over the recommendation to 
specify universal access of READ for the VTAMLIB partitioned data set where, 
again, the comment field is completely absent in the now famous table. Again, I 
suspect a wet finger!

-

Moreover, take a look at the comments where the authors bothered to add 
comments and note whether there appears to have been any guidance other than 
common sense and - it must be said - note the considerable equivocation!

-

Chris Mason

On Fri, 9 Mar 2012 09:00:34 -0800, Juan Mautalen  
wrote:

>Hi:
>
>We currently have our VTAMLST libraries protected with UACC(READ). IBM 
>suggests UACC(NONE) for them (RACF Security Administrator Guide, appendix D - 
>Security for system datasets). I want to make the change, but of course I 
>know I must be extremely careful with this change. I need to detect all users 
>needing read access to VTAMLST. Human users are not my problem, my worry is 
>about non-human ones (users of system tasks, started tasks, etc.).
>
>What users need read access of VTAMLST?
>Does any userid associated with a VTAM application need to read VTAMLST?
>
>Thanks in advance for your help,
>
>Juan Mautalen



Re: Endevor(Change Management Software)

2012-03-15 Thread Robert S. Hansel (RSH)
Our firm used to offer CA-Endevor consulting services, and the former lead of 
our CA-Endevor practice implemented change control over system libraries at a 
her former employer, an insurance firm as I recall. There was the expected 
initial resistance by the systems staff, but once they got used to it, I 
understand they grew to like the ability to report on the details of changes 
and easily back them out. Contact me off-list if you'd like me to try to put 
you in touch with this person.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-Original Message-
Date:Wed, 14 Mar 2012 12:29:05 -0500
From:gsg 
Subject: Endevor(Change Management Software)

Is anyone out there using CA-Endevor?  Do you manage your system changes using 
Endevor?  If so, how are you doing this and was it hard to setup?

We are looking into this, but there are so many system libraries that could be 
changed, it needs a lot of thought to get it right.

Thanks



FACILITY Class Resources for IBM's HOURGLASS product

2012-05-05 Thread Robert S. Hansel (RSH)
Greetings all,  (cross-posted to IBM-MAIN & RACF-L)

I am once again updating my presentation on the FACILITY class and its many
resources. (If you are unfamiliar with my presentation, a copy is available
on our website via the RACF Center webpage.)

I've come across a set of FACILITY resources for the IBM product HOURGLASS
(acquired from Princeton Softech) which are not documented in the product's
manual. The resources are HOURGLASS_CX_ADMIN, HOURGLASS_CX_USER, and
HOURGLASS_CX_REFR. Two of them are mentioned in APAR PK89016, which
indicates these resources are documented in the AGGCXT1 member of the
product's SAGGSAMP library. I would greatly appreciate someone assisting me
with my research of these resources by providing me with a copy of this
member. I want to ensure I properly describe these resources and the access
permissions they require in my presentation. Please reply directly to me.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.   *** Celebrating our Twentieth Anniversary ***
617-969-8211
www.linkedin.com/in/roberthansel 
www.rshconsulting.com 
-
2012 RACF Training
- Audit for Results   - Boston - OCT 30 - NOV 1
- Securing z/OS UNIX  - WebEx - JUL 31 - AUG 2
- Intro & Basic Admin - WebEx - OCT 15-19
-



ITOM SAF Resource MENU.ADM?N

2012-06-14 Thread Robert S. Hansel (RSH)
(Cross-posted to RACF-L and IBM-MAIN)

Greetings all,

The IBM Tivoli Output Manager (ITOM) User's Guide has the SAF resource name
for the administrator panel listed two different ways - one as MENU.ADMIN
and the other as MENU.ADMN. I'd like to know which of the two it really is.
If you can tell me, please respond. TIA.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.   *** Celebrating our Twentieth Anniversary ***
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
-
2012 RACF Training
- Audit for Results   - Boston - OCT 30 - NOV 1
- Securing z/OS UNIX  - WebEx - JUL 31 - AUG 2
- Intro & Basic Admin - WebEx - OCT 15-19
-



Re: how to cut down RACF auth & run rexx under diff auth

2008-01-06 Thread Robert S. Hansel (RSH)
Aman,

If your intent is to allow these individuals to perform a limited set of
RACF administrative tasks without giving them RACF authority, you'll need to
write an APF-authorized program they can execute to perform the tasks.
Alternatively, you can let them keep their RACF authority and write a RACF
IRREVX01 command processing exit to restrict the scope of their authority.
You won't be able to accomplish this with normal Panels/REXX, nor will using
batch with a SURROGAT ID give you effective control. Call if you wish to
discuss these options in more detail.

Regards, Bob


Robert S. Hansel   | 2008 RACF Training (January - July)
Sr. RACF Specialist| > Intro & Basic Admin - Boston - APR 29 - MAY 1
RSH Consulting, Inc.   | > Audit for Results   - Boston - MAY 20-22
www.rshconsulting.com  |
617-969-8211   | Visit our website for registration & details


-Original Message-

Date:Sat, 5 Jan 2008 16:34:11 -0600
From:Aman Naqvi <[EMAIL PROTECTED]>
Subject: how to cut down RACF auth & run rexx under diff auth

Dear all,

We have two security operations teams who are defined in RACF with the
group-Special attribute and hold CLAUTH on a class to define profiles.

The issue is that we need to cut down their access.

The task is to only provide these teams access through Panels/REXX and to
cut off their group-Special attribute and Class authority. My problem is
that if the REXX executes online it is executing under the authority of the
user (whose access I'm trying to cut down).

Any ideas how I can achieve this without going to batch?

Thanks.



Re: Abend S013 using ICHDSM00 procedure

2008-03-04 Thread Robert S. Hansel (RSH)
Carlos,

Something like the following is all you should need in the way of JCL.

//jobname  JOB (account),'username',CLASS=x,MSGCLASS=x
//STEP0001 EXEC PGM=ICHDSM00
//* SYSPRINT receives DSMON messages, SYSUT2 the report itself
//SYSPRINT DD  SYSOUT=*
//SYSUT2   DD  SYSOUT=*
//SYSIN    DD  *
  FUNCTION option
/*
//

If the program ICHDSM00 is protected by a RACF profile in the PROGRAM class,
you will need EXECUTE or greater access permission to the profile to execute
it. Otherwise, you will need the RACF AUDITOR attribute. Lastly, if the
FACILITY class resource ICHDSM00.SYSCAT is protected by a profile, you will
need at least READ access to it to get user catalog information associated
with FUNCTION SYSCAT (or ALL). You do not need any access permissions
whatsoever to the RACF database.

Regards, Bob


Robert S. Hansel   | 2008 RACF Training (January - July)
Sr. RACF Specialist| > Intro & Basic Admin - Boston - APR 29 - MAY 1
RSH Consulting, Inc.   | > Audit for Results   - Boston - MAY 20-22
www.rshconsulting.com  |
617-969-8211   | Visit our website for registration & details


-Original Message-
Date:Mon, 3 Mar 2008 12:39:42 -0600
From:Carlos Cordero <[EMAIL PROTECTED]>
Subject: Abend S013 using ICHDSM00 procedure

Hi everybody!!

Please, can somebody help me with this: I tried to use the ICHDSM00 program
using the SYS1.BRODCAST library, then using DSMON statements to get a RACF
report.

So, I get an abend S013 when the JCL fails; what are the main reasons for this
abend?

Thanks.



Tivoli Output Manager - SAF Security Activation Options

2008-03-11 Thread Robert S. Hansel (RSH)
Greetings all,

I'm studying the Tivoli Output Manager User's Guide to determine how to
implement RACF security using the SAF interface and have the following
questions.

1) The guide only shows setting the SAF ID via what appear to be console
commands to be entered after product initialization. Is it possible to set
the SAF ID in configuration options, such as the BJT#IN03 parameter library
member? Can it be changed via the ADMIN menus, and if yes, via which menu
resource?

2) How do you set the SAF CLASS parameter? Based on the descriptions found
in the messages section of the guide, it appears this is done via console
commands like SET ID. Is it possible to set SAF CLASS in configuration
options? Can it be changed via the ADMIN menus?

3) Is the FACILITY class the default value for the SAF CLASS parameter?


Regards, Bob


Robert S. Hansel   | 2008 RACF Training (January - July)
Sr. RACF Specialist| > Intro & Basic Admin - Boston - APR 29 - MAY 1
RSH Consulting, Inc.   | > Audit for Results   - Boston - MAY 20-22
www.rshconsulting.com  |
617-969-8211   | Visit our website for registration & details




Re: Execution job class restriction

2008-03-13 Thread Robert S. Hansel (RSH)
If you can find a copy of the IBM publication GG66-3218-01 "RACF Security
Administrator's Quick Reference", March 1992, there is a sample JES Exit 6
in Appendix G for controlling the use of JES input class. It uses profiles
in the FACILITY class of the format JOBCLASS.x, where 'x' is the class
designator. Given its age, it might need some tweaking to work with the most
recent versions of JES2 and RACF.

Regards, Bob


Robert S. Hansel   | 2008 RACF Training (January - July)
Sr. RACF Specialist| > Intro & Basic Admin - Boston - APR 29 - MAY 1
RSH Consulting, Inc.   | > Audit for Results   - Boston - MAY 20-22
www.rshconsulting.com  |
617-969-8211   | Visit our website for registration & details



-Original Message-
Date:Wed, 12 Mar 2008 02:10:59 -0500
From:gsg <[EMAIL PROTECTED]>
Subject: Execution job class restriction

Is there a way to restrict jobs from running in a particular job class?  Is
there
more than one way and if so, what is the easiest?  TIA



Re: Cloning a RACF user profile

2008-03-25 Thread Robert S. Hansel (RSH)
Ituriel,

You may want to include the processing of 0205 User Group Connect Detail
Records. By relying solely on 0102 records, you will miss any connections to
Global groups.

Perhaps what you could do is process the 0205 records first to create the
group connects followed by the 0102 records to modify the connects with any
AUTHORITY of other than USE.

Regards, Bob


Robert S. Hansel   | 2008 RACF Training (January - July)
Lead RACF Specialist   | > Intro & Basic Admin - Boston - APR 29 - MAY 1
RSH Consulting, Inc.   | > Audit for Results   - Boston - MAY 20-22
www.rshconsulting.com  |
617-969-8211   | Visit our website for registration & details


-Original Message-
Date:Mon, 24 Mar 2008 15:17:00 -0300
From:ITURIEL DO NASCIMENTO NETO <[EMAIL PROTECTED]>
Subject: RES: Cloning a RACF user profile

As suggested by someone, you can use SORT to generate the appropriate
commands.
I've built the following JCL, which you can use as a starting point for
your needs.

... (snip)

//SORTOF4   DD   DSN=SO.S1.RACF.REG102,DISP=(,CATLG),
//  UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
...
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0102',AND,
  019,8,CH,EQ,C'USERID'),FILES=4,
  CONVERT,OUTREC=(5,300),VLFILL=C' '
...
//CONNECT  EXEC PGM=SORT
//SYSOUT   DD SYSOUT=*
//SORTIN   DD DSN=SO.S1.RACF.REG102,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
* Copy the selected 0102 records and build one CONNECT command per record:
* cols 15-22 = member (user) ID, cols 6-13 = group, cols 24-31 = authority
  SORT FIELDS=COPY
  OUTREC FIELDS=(C' CONNECT ',
  15,8,C' GROUP(',06,8,C') ',
  C'OWNER(',06,8,C') ',
  C'AUTHORITY(',24,8,C') ')
  END
...

Atenciosamente / Regards / Saludos

Ituriel do Nascimento Neto
Banco Bradesco S/A
4254/DPCD Alphaville
Engenharia de Software - Sistemas Operacionais Mainframes

Tel: 55 11 4197-2021 Fax: 55 11 4197-2814



Re: A Question on ViewDirect EXIT04

2007-11-21 Thread Robert S. Hansel (RSH)
Brad,

Using the APPL class would be an effective means of governing entry into
ViewDirect. Starting with the .SOURCE(RACF) member as Ken advised, you
simply need to modify the RACROUTE REQUEST=VERIFY macro therein to include
the APPL=applid parameter. The inclusion of this parameter prompts the APPL
class profile check. If you run several instances of ViewDirect and want a
different APPLID for each, you'll either need to include additional code to
determine and set the APPLID value for each call, or you'll need to have an
individual copy of the exit for each instance with a hard-coded value.

Alternatively, if you have a VTAM Session Manager, you could use its
facilities to govern what application(s) a user may access.

Regards, Bob

Robert S. Hansel
RACF Specialist
RSH Consulting, Inc.
www.rshconsulting.com
617-969-8211

-Original Message-
Date:Tue, 20 Nov 2007 11:52:49 -0500
From:Ken Porowski <[EMAIL PROTECTED]>
Subject: Re: A Question on ViewDirect EXIT04

Check your View Direct .SOURCE library for member RACF (or TOPSECRT or
ACF2).
These are supplied INEXIT04s for RACF, ACF2 or Top Secret logon
security.
We use the TOPSECRT one with no modifications.

RTFM - Users Guide - Appendix C - Customization - INEXIT04

YMMV.

Ken Porowski
AVP Systems Software
CIT Group
E: [EMAIL PROTECTED]



-Original Message-
Brad Carson

Hello IBM-MAINers,

We are trying to tackle an issue with ViewDirect (now ASG, formerly
Mobius) and control which users can logon to a region via the RACF APPL
class.  We know that exit 4 would be a good place to check this since
that is where the RACF userid/password is validated.  So my questions
are:

1. Does anyone know of a ViewDirect users group out on the net anywhere?
2. Would checking against the RACF APPL class be the way to do this?
If not what else would you suggest?
3. Anyone have samples of their INEXIT04 that they would like to share?

Frustrated in Burlington, NC.


Brad S. Carson
Manager z/Series Technical Support
Enterprise Systems
Laboratory Corporation of America



Re: Question regarding RACF migration.

2007-11-21 Thread Robert S. Hansel (RSH)
Sridhar,

Theoretically, you could just apply the templates for the target z/OS
release to the old database and reIPL with it. This assumes the database is
in the restructured format introduced with RACF 1.9 (MVS/ESA). However, there
are many other factors that would determine whether your system would run
effectively such as (just to name a few) whether there are exits involved
(both RACF and other products calling RACF), what resource classes and
profiles are defined, what release of CICS are you migrating from/to (there
was a significant change in CICS transaction security at release 4.1), and
what release of z/OS you are migrating to (for instance, FACILITY class
profiles to allow the use of HSM commands are required in z/OS 1.6 and
later). Depending on the size of the RACF database and the span of releases,
you may need 2 to 4 weeks or more just to analyze the possible impacts and
plan the creation of new profiles needed to accommodate the requirements of
the target z/OS release.

Regards, Bob

Robert S. Hansel
RACF Specialist
RSH Consulting, Inc.
www.rshconsulting.com
617-969-8211

-Original Message-
Date:Tue, 20 Nov 2007 12:07:58 +0530
From:Sridhar K Veena <[EMAIL PROTECTED]>
Subject: Question regarding RACF migration.

G'day,

I want to know from a technical perspective, if someone needs to migrate
an existing system from an older version of the OS (say MVS/ESA, OS/390 etc.
to z/OS), what is the impact on RACF? Would migrating RACF to a
newer version be a big enough project (like a 6 months to 1 year kind of
project)? Or, as in any migration from one version to another, is RACF
also automatically handled? Please advise.

Thanks in advance for your response.

Thanks

Sridhar K Veena

Accenture   -  Bangalore
Host  Centric Capability
+91-80-39170641 (Direct)
+91-9242-227797 (Mobile)
AIM:   Sridhar Veena



Re: Dynamic CDT problem

2007-06-29 Thread Robert S. Hansel (RSH)
Marian,

After executing both RDEFINE commands, did you execute the following:

SETROPTS RACLIST(CDT) REFRESH

If you are sharing the RACF database between multiple LPARs and are not
using RACF Sysplex communications or data sharing, you will need to perform
the refresh on all LPARs individually.

If you execute SETROPTS LIST (after performing the REFRESH), do you see both
classes?

Regards, Bob


Robert S. Hansel   | 2007 RACF Training
RACF Specialist| > Intro & Basic Admin - Boston, MA - SEPT 25-27
RSH Consulting, Inc.   | > Audit for Results   - Charlotte, NC - NOV 6-8
www.rshconsulting.com  |
617-969-8211   |


-Original Message-
Date:Thu, 28 Jun 2007 12:02:09 +0200
From:Slabý Marián <[EMAIL PROTECTED]>
Subject: Dynamic CDT problem

Hi all,


we want to use dynamic CDT. We have defined new class profiles by commands

RDEFINE CDT TEU#WTRN CDTINFO( CASE(UPPER) DEFAULTRC( 4 ) +
 DEFAULTUACC( NONE ) FIRST( ALPHA NATIONAL NUMERIC SPECIAL ) +
 GENLIST( DISALLOWED ) GROUP( GEU#WTRN ) KEYQUALIFIERS( 0 )  +
 MACPROCESSING(NORMAL) MAXLENX( 13 ) MAXLENGTH( 13 ) OPERATIONS(NO)  +
 OTHER( ALPHA NATIONAL NUMERIC SPECIAL ) POSIT( 39 ) +
 PROFILESALLOWED( YES ) RACLIST( DISALLOWED ) SIGNAL( NO )   +
 SECLABELSREQUIRED( NO ) )

RDEFINE CDT GEU#WTRN CDTINFO( CASE(UPPER) DEFAULTRC( 4 ) +
 DEFAULTUACC( NONE ) FIRST( ALPHA NATIONAL NUMERIC SPECIAL ) +
 GENLIST( DISALLOWED ) KEYQUALIFIERS( 0 ) MACPROCESSING( NORMAL )+
 MAXLENX( 13 ) MAXLENGTH( 13 ) MEMBER( TEU#WTRN ) OPERATIONS( NO )   +
 OTHER( ALPHA NATIONAL NUMERIC SPECIAL ) POSIT( 39 ) +
 PROFILESALLOWED( YES ) RACLIST( DISALLOWED ) SIGNAL( NO )   +
 SECLABELSREQUIRED( NO ) )

and activate them by command SETROPTS CLASSACT(CDT) RACLIST(CDT).
After defining profiles in new class GEU#WTRN and adding the class to
RACLIST and GENERIC we started CICS with SIT parameter XTRAN=EU#WTRN.

We received msg :
DFHXS CICSEUAX  339
06/27/2007 13:48:38 CICSEUAX  Security violation by user CICSEURO
for resource CATA in class TEU#WTRN. SAF codes are
(X'0004',X''). ESM codes are (X'0004',X'').
DFHXS1113 CICSEUAX  340
The region userid cannot access system transaction CATA. CICS will
terminate. SAF codes are (X'0004',X''). ESM codes are
(X'0004',X'').

Msgs inform that RACF profiles for transactions do not exist.

We checked the CDT by IBM tool LISTCDT and we saw CLASS PROBLEM CODE -
ASSOCIATED GROUP CLASS MISSING IN CDT for class TEU#WTRN.

From this problem code I think that something is wrong with class group
profile, but I can't find the reason. I have checked CDT class and I see
both class profiles TEU#WTRN, GEU#WTRN.


Any help appreciated,

Marian



Catalog Search Interface (IGGCSI00) & ALTER Access

2008-04-21 Thread Robert S. Hansel (RSH)
Greetings all,

We are removing unnecessary ALTER access permissions to catalogs in a RACF
protected environment. In investigating why certain users were using ALTER
access, we noticed that the number of times these users accessed the
catalogs at ALTER corresponded exactly with the number of times they invoked
the Catalog Search Interface IGGCSI00. Based on further testing and
observation, we have surmised that when a user with ALTER access permission
to a catalog invokes IGGCSI00, the catalog is accessed at the ALTER level.
Conversely, when a user with less than ALTER access permission invokes
IGGCSI00, the catalog is accessed at READ.

There doesn't appear to be any difference in behavior or added functionality
when IGGCSI00 accesses the catalog at ALTER as opposed to READ, so we are
wondering why it does so.

Regards, Bob


Robert S. Hansel   | 2008 RACF Training (January - July)
Lead RACF Specialist   | > Intro & Basic Admin - Boston - APR 29 - MAY 1
RSH Consulting, Inc.   | > Intro & Basic Admin - Boston - OCT 7-9
www.rshconsulting.com  | > Audit for Results   - Boston - MAY 20-22
617-969-8211   | > Audit for Results   - Boston - OCT 28-30
   | Visit our website for registration & details





Re: SDSF and External Security

2007-03-17 Thread Robert S. Hansel (RSH)
Michael,

Your assumption is essentially correct. Depending on what you are attempting
to do within SDSF, RACF will make authorization calls to the SDSF, JESSPOOL,
WRITER, and/or OPERCMDS classes. It only makes these calls if the
corresponding class is active, and in the case of OPERCMDS also RACLISTed.
(The other classes can be optionally RACLISTed.) If RACF sends back a return
code of 0 (authorized) or 8 (not authorized), SDSF grants or denies the
access based on this. If RACF sends back a 4 (not protected), SDSF reverts
to ISFPARMs.

Regards, Bob

Robert S. Hansel
RACF Specialist
RSH Consulting, Inc.
www.rshconsulting.com
617-969-8211

-Original Message-
Date:Fri, 16 Mar 2007 07:11:15 -0500
From:Michael Babcock <[EMAIL PROTECTED]>
Subject: SDSF and External Security

Sorry for the bad formatting.  Hope this is better.

What's the best way to tell if SDSF is using external security?  We have
some LPARs that have the SDSF class active, but few profiles.  SDSF's
ISFPARMS don't appear to be using external security.  Is there a way to
tell definitively?  Or will SDSF use a combination?

I would assume it would use external security for those profiles that
are defined, but revert to ISFPARMs if no profile was defined. Am I correct?

For example, one LPAR has the SDSF class active (but not RACLISTed).
These are the profiles defined in the SDSF class (and there is no catchall).

(snip)



Re: discrete profiles for tape protection.

2006-03-11 Thread Robert S. Hansel (RSH)
Mike,

Your comments about running without TAPEVOL and/or TVTOC raise the
following issue. It is my understanding that with RMM the only way to
protect against unauthorized access to a tape dataset by taking
inappropriate advantage of the tape label containing just the last 17 characters
of the dsname (e.g., opening PAY.PROD.MASTER.FILE by calling it
MYID.PROD.MASTER.FILE) is by implementing RACF TAPEVOL profiles with TVTOC
and setting RMM option TPRACF to either (P) or (A). This causes RACF to keep
track of the full dsnames on a given tape and guard against someone
falsifying the name. Does RMM have other features or functionality that
prevents misnaming tape datasets without involving TAPEVOL TVTOCs? If yes,
can you help me find the reference where it is described?

Thanks, Bob


Robert S. Hansel   | 2006 RACF Training
RACF Specialist| > Intro & Basic Admin  - Cinci., OH - JUN 6-7
RSH Consulting, Inc.   | > Audit for Results- Boston, MA - MAY 23-24
www.rshconsulting.com  | > Advanced Admin *NEW* - Boston, MA - MAY 2-4
617-969-8211   | See our website for details & registration form


-Original Message-
Date:Thu, 9 Mar 2006 13:17:19 -0600
From:Mike Wood <[EMAIL PROTECTED]>
Subject: Re: discrete profiles for tape protection.

John,
  You do not give any details about your setup of rmm and RACF, but I
would guess that you are using rmm parmlib option TPRACF(P) or TPRACF(A).
It is very likely that it is rmm creating the TVTOC and the first data set
gets added either by OPEN issuing RACROUTE in DATASET class or by rmm when
the data set is closed.

You could consider larger logical volumes sizes since VTS now supports
this option, or you have to avoid the problem by not using both TAPEVOL
class and the TAPEDSN option.  Many people do use TAPEDSN without TAPEVOL.
As long as you have tape management, and you do, you can consider running
without TVTOCs, and most likely this means not using TAPEVOL.

There are other considerations such as BLP and use of utilities such as
IEHINITT.

Limitations such as this are just some of the reasons why we have
previewed new tape data set security options in z/OS 1.8.
http://www-03.ibm.com/servers/eserver/zseries/zos/overview/zosnew18_preview.html

Mike Wood   RMM Development



Re: RMM & Tape Dataset Protection (was: discrete profiles for tape protection.)

2006-03-14 Thread Robert S. Hansel (RSH)
Mike,

This thread has prompted me to reread the RMM manuals to see where I may have
misinterpreted them. Based on this review and comments from Russell and you,
here is what I now understand.

RMM will itself match the dsname and tape requested by the user against the
list of dsnames contained on the tape in its control dataset and reject the
request if the full dsname specified by the user doesn't match the full
dsname on the list. So in this manner, RMM protects against a user trying to
access a tape dataset by falsifying the name. If a RACF TAPEVOL profile with
TVTOC is defined, RACF will also validate the dsname for the requested tape
and check for the flag indicating a discrete profile. Further, it is
necessary for RMM OPMODE to be set to PROTECT for this protection to be
fully functional. The RMM option REJECT ANYUSE(*) requires all tapes to be
defined to RMM before they can be used, blocking the use of undefined tapes
(e.g., foreign tapes), and thereby ensuring the dsname validation is
comprehensive.

In addition, to bypass this check, the user must have READ (for input) or
UPDATE (for output) to FACILITY class profile
STGADMIN.EDG.IGNORE.TAPE.volser which is checked when EXPDT=98000 specified,
and use of the exit EDGUX100 is required to implement this functionality.

All this being true, the use of TAPEVOL profiles with TVTOCs does not seem
necessary unless you want to use discrete profiles for a tape dataset or you
want to grant access to tapes at the volume level, both of which are rarely
done. This would make me shy away from using TPRACF(P) or (A) so as not to
have to deal with the TAPEVOL profiles. Are there other security-related
reasons why someone would want to maintain these profiles?

Thanks, Bob

-Original Message-
From: Mike Wood [mailto:[EMAIL PROTECTED]
Sent: Monday, March 13, 2006 5:06 AM
To: IBM-MAIN@BAMA.UA.EDU; Robert Hansel
Subject: Re: discrete profiles for tape protection.


Bob, To build on to what Russell has said..
In rmm you force all tapes to be rmm managed by including
REJECT ANYUSE(*)
in parmlib. Now to bypass rmm control you need to be authorized to have tapes
ignored by rmm; very few users would have that ability.
By default rmm forces full 44 character dsname validation for all files on
a tape it is managing; you do not need to rely on RACF TVTOC to get that.

With a tape management system set up correctly you should be able to use
generic DATASET profiles for full tape data set protection.

Mike Wood   RMM Development

On Sat, 11 Mar 2006 15:57:12 -0500, Robert S. Hansel (RSH)
<[EMAIL PROTECTED]> wrote:

>Mike,
>
>Your comments about running without TAPEVOL and/or TVTOC raise the
>following issue. It is my understanding that with RMM the only way to
>protect against unauthorized access to a tape dataset by taking
>inappropriate advantage of the tape label containing just the last 17
>characters of the dsname (e.g., opening PAY.PROD.MASTER.FILE by calling it
>MYID.PROD.MASTER.FILE) is by implementing RACF TAPEVOL profiles with TVTOC
>and setting RMM option TPRACF to either (P) or (A). This causes RACF to
>keep track of the full dsnames on a given tape and guard against someone
>falsifying the name. Does RMM have other features or functionality that
>prevents misnaming tape datasets without involving TAPEVOL TVTOCs? If yes,
>can you help me find the reference where it is described?
>
>Thanks, Bob

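Added example, not part of either post above: a short Python model of the exposure Bob describes in both of his messages (the standard tape label carries only the last 17 characters of the data set name, so PAY.PROD.MASTER.FILE and MYID.PROD.MASTER.FILE look identical to a label-only check) placed beside the full 44-character name validation that Mike says RMM performs by default for volumes it manages, and that a TAPEVOL TVTOC would otherwise supply on the RACF side. The 17-character HDR1 field width is taken from the thread; the volume inventory is constructed sample data standing in for the tape management system's control data set, and none of this is RMM or RACF code.

```python
"""Added example (not from the IBM-MAIN posts above): why the standard tape
label cannot authenticate a tape data set by itself, and the full-name check
that a tape management system (or a TAPEVOL TVTOC) adds.

Assumptions, stated as such: the HDR1 label's data set identifier field is
the rightmost 17 characters of the name, as the thread says; TMS_INVENTORY
is constructed sample data standing in for the tape management system's
record of which data sets are on which volume.
"""

LABEL_DSN_LEN = 17   # width of the HDR1 data set identifier field (per the thread)
MAX_DSN_LEN = 44     # maximum z/OS data set name length


def label_dsn(dsname: str) -> str:
    """The data set identifier as written in the HDR1 label: only the last 17 chars."""
    if not 1 <= len(dsname) <= MAX_DSN_LEN:
        raise ValueError("data set name must be 1-44 characters")
    return dsname[-LABEL_DSN_LEN:]


def label_only_check(requested: str, recorded: str) -> bool:
    """Weak check: compare the 17-character label field only.
    Two names that differ only in their leftmost qualifiers collide here."""
    return label_dsn(requested) == label_dsn(recorded)


# Constructed sample: volser -> full names recorded for that volume.
TMS_INVENTORY = {
    "T00001": {"PAY.PROD.MASTER.FILE"},
}


def tms_check(volser: str, requested: str, inventory=TMS_INVENTORY) -> bool:
    """Strong check in the style the thread attributes to RMM: the requested
    name must match, in full, a name recorded for that volume. A volume the
    tape manager does not know is rejected outright, the effect of
    REJECT ANYUSE(*)."""
    recorded = inventory.get(volser)
    if recorded is None:
        return False
    return requested in recorded


def spoof_outcome(volser: str, real_dsn: str, spoofed_dsn: str) -> dict:
    """Compare both checks for a user who names the tape's data set after a
    prefix they control (their own user ID) instead of the real high-level
    qualifier. A DATASET profile check on the spoofed name would pass, since
    the user is allowed MYID.**; only the full-name check catches the swap."""
    return {
        "label_field": label_dsn(spoofed_dsn),
        "label_only_allows": label_only_check(spoofed_dsn, real_dsn),
        "tms_allows": tms_check(volser, spoofed_dsn),
    }


if __name__ == "__main__":
    print(spoof_outcome("T00001", "PAY.PROD.MASTER.FILE", "MYID.PROD.MASTER.FILE"))
```

Run it and the label field for both names comes out as `.PROD.MASTER.FILE`: the label-only comparison accepts the spoofed name while the inventory check refuses it. That is the gap a TVTOC or RMM's own dsname validation closes, and why Bob's follow-up concludes that with RMM in PROTECT mode and REJECT ANYUSE(*) in place the TVTOC is not needed for this particular purpose.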


Re: RACF user id revocation

2006-05-27 Thread Robert S. Hansel (RSH)
Jeff,

Here are a few more things to consider. Did you check SMF records for ALU
REVOKE commands and for all logon events related to the ID? There may be
records other than just passwords violations that could help explain this
event. Do you have any RACF exits that might affect it? Also, do you have a
database unload from just before the time when it became revoked to see if
there was a REVOKE(date) on the ID?

Regards, Bob

-Original Message-
Date:Fri, 26 May 2006 12:03:48 -0500
From:Jeff Ruegsegger <[EMAIL PROTECTED]>
Subject: RACF user id revocation

We had a RACF userid for one of our STC's get revoked this week.  I've
since made it a PROTECTED user.  I can't seem to find out how/who/when/where
the ID got revoked.  No msgs in SYSLOG, RAN SYNCTOOL reports (pw violations
and ALU PW Commands) and can't find out what happened.  I have just opened
an issue with IBM but was wondering if anyone could point me somewhere I
haven't already been.



Re: RACF Query

2006-06-22 Thread Robert S. Hansel (RSH)
Crispin,

Run the following command to see what profile is protecting creation of
aliases and who has access to it.

RLIST FACILITY STGADMIN.IGG.DEFDEL.UALIAS ALL

This may answer your question.

Regards, Bob


Robert S. Hansel   | 2006 RACF Training
RACF Specialist| > Intro & Basic Admin  - Boston, MA - NOV 8-9
RSH Consulting, Inc.   |
www.rshconsulting.com  |
617-969-8211   | See our website for details & registration form


-Original Message-
Date:Fri, 16 Jun 2006 14:46:37 +0100
From:Crispin Hugo <[EMAIL PROTECTED]>
Subject: 

I have a RACF profile defined for the master catalog CATALOG.Z17.MASTER
which has a UACC of READ with group TSG in the access list with ALTER. The
profile is owned by group TSG. The profile is defined as Generic although it
is the fully qualified name. Group SYS1 is not mentioned at all in the
profile.

It seems however that any userid that is in group SYS1 can still UPDATE the
master catalog. For example a DEFINE ALIAS works from any userid or task
associated with a group SYS1 user. Is this set up as a standard? I can't
find anything obvious in the documentation.

Thanks

Crispin Hugo, Systems Programmer, Macro 4
http://www.macro4.com/
Macro 4 plc, The Orangery, Turners Hill Road, Worth, Crawley, RH10 4SS
Direct Line: +44 (0)1293 872121 Switchboard: +44 (0) 1293 872000
Fax: +44 (0) 1293 872001



Re: SYS1.BRODCAST security?

2006-09-23 Thread Robert S. Hansel (RSH)
John,

If you change the UACC and Global Access Table entry for SYS1.BRODCAST to
READ, you will need to permit UPDATE access to SYS1.BRODCAST to whomever
administers TSO Segments on RACF IDs.

Regards, Bob


Robert S. Hansel   | 2006 RACF Training
RACF Specialist| > Intro & Basic Admin  - Boston, MA - NOV 8-9
RSH Consulting, Inc.   |
www.rshconsulting.com  |
617-969-8211   | See our website for details & registration form


-Original Message-
Date:Fri, 22 Sep 2006 09:54:23 -0500
From:"Chase, John" <[EMAIL PROTECTED]>
Subject: Re: SYS1.BRODCAST security?

> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of R.S.
>
> Chase, John wrote:
>
> > Is there documented anywhere the "recommended" RACF access
> > characteristics of the SYS1.BRODCAST data set?  [ snip ]
>
> It is documented in SAG (RACF Security Admin. Guide)
> Appendix: Security for System Data Sets.
> However the recommendation has changed. Now (z/OS 1.7) it is READ.
> I suspect the change is because of application changes - you
> can define "personal" BRODCAST datasets.

Thanks.  I see it is UACC(READ) in the z/OS 1.5 SAG as well.

-jc-



Re: Dataset created without corresponding RACF profile

2006-11-09 Thread Robert S. Hansel (RSH)
Debbie,

See if there is an entry in the RACF global access table like
&RACUID.**/ALTER that enables users to create and access datasets prefixed
with their own ID without the need for a profile. Executing the following
command will display this information.
RL GLOBAL DATASET


Regards, Bob


Robert S. Hansel   | 2006 RACF Training
RACF Specialist| > Intro & Basic Admin  - Boston, MA - NOV 8-9
RSH Consulting, Inc.   |
www.rshconsulting.com  |
617-969-8211   | See our website for details & registration form



-Original Message-
Date:Wed, 8 Nov 2006 14:08:35 -0600
From:Debbie Mitchell <[EMAIL PROTECTED]>
Subject: Dataset created without corresponding RACF profile

I encountered a problem that I'm trying to understand where to even look for
the answer.  A user connected to our mainframe (z/OS 1.4) through Attachmate
and then logged onto TSO.  From the Ready prompt, he initiated a file
transfer from his PC to a mainframe dataset (using the Attachmate Tools
menu).  The file transfer was complete but the dataset created had no
associated RACF dataset profile.  No error messages appeared on the SYSLOG.
 Until a dataset profile was created for this dataset, we were unable to do
anything with it, including running our nightly backups.  Where should I
look for the "hole" that is allowing a dataset to be created for which there
is no RACF profile?  Our security admin is also posing the question to the
RACF list, but I thought one of you might be able to point me in the right
direction.  I am not familiar with Attachmate and don't have it available to
do any testing, etc., except through the user.

Thanks in advance for any help you can provide.

Debbie Mitchell
Utica National Insurance Group

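Added example, not from the post above: a simplified Python model of how a global access table entry like the &RACUID.**/ALTER that Bob suggests looking for is matched, so one can see why a data set prefixed with the user's own ID can be created and used with no DATASET profile at all, and why a different user gets no such grant. The generic-character rules are RACF's documented ones for the DATASET class; the matcher, the sample table and the user IDs are constructed for illustration and are not RACF's code. Normal profile checking after a GAT miss is not modelled.

```python
"""Added example (not from the IBM-MAIN posts above): a model of how a RACF
global access table entry such as &RACUID.**/ALTER lets a user create and
use data sets under their own ID with no DATASET profile at all.

Generic-character rules used here are RACF's for the DATASET class:
'%' matches exactly one character, '*' inside a qualifier matches zero or
more characters of that qualifier, '*' as a whole qualifier matches exactly
one qualifier, and '**' matches zero or more qualifiers. &RACUID is replaced
by the requesting user's ID before matching. The table contents and user IDs
are constructed sample data; the matcher is a simplified model of RACF's own
matching, not RACF code.
"""
import re

ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def _qualifier_matches(pattern: str, qualifier: str) -> bool:
    """Match a single qualifier: '%' -> one char, '*' -> zero or more chars."""
    rx = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, qualifier) is not None


def _match_qualifiers(pattern: list, name: list) -> bool:
    """Recursive match over qualifier lists; '**' may consume zero or more."""
    if not pattern:
        return not name
    head, rest = pattern[0], pattern[1:]
    if head == "**":
        return any(_match_qualifiers(rest, name[i:]) for i in range(len(name) + 1))
    return bool(name) and _qualifier_matches(head, name[0]) and _match_qualifiers(rest, name[1:])


def profile_matches(profile: str, dsname: str, racuid: str) -> bool:
    """Does a (possibly generic) DATASET profile or GAT entry cover dsname for this user?"""
    resolved = profile.upper().replace("&RACUID", racuid.upper())
    return _match_qualifiers(resolved.split("."), dsname.upper().split("."))


def global_access_allows(dsname: str, racuid: str, requested: str, gat: list) -> bool:
    """True if some GAT entry grants at least the requested access.
    A GAT hit is granted without any profile lookup (and is not logged);
    a miss falls through to normal DATASET profile checking, not modelled here."""
    want = ACCESS_ORDER.index(requested.upper())
    for entry, access in gat:
        if profile_matches(entry, dsname, racuid) and ACCESS_ORDER.index(access.upper()) >= want:
            return True
    return False


# Constructed sample GAT for the DATASET class, as RL GLOBAL DATASET might list it.
SAMPLE_GAT = [
    ("&RACUID.**", "ALTER"),      # users own anything under their own ID
    ("SYS1.*.LINKLIB", "READ"),   # e.g. SYS1.ANY.LINKLIB, read only
]

if __name__ == "__main__":
    # The uploaded data set in the question, assuming it was prefixed with the user's ID
    print(global_access_allows("DEBBIE.UPLOAD.DATA", "DEBBIE", "ALTER", SAMPLE_GAT))  # True
    print(global_access_allows("DEBBIE.UPLOAD.DATA", "BOB", "READ", SAMPLE_GAT))      # False
```

The point for the administrator is the one in Bob's reply: a GAT hit bypasses the profile search entirely, so the absence of a profile is not a hole in itself, but it also means the access is not logged and cannot be audited from the DATASET class. Confirm what the real table holds with `RL GLOBAL DATASET` rather than reasoning from the model.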


HSM Access To RMM's Resource FACILITY Class STGADMIN.EDG.RELEASE

2006-12-13 Thread Robert S. Hansel (RSH)
(Cross-posted to IBM-MAIN and RACF-L)

Greetings all,

In a client environment, Started Task HSM has the RACF TRUSTED attribute.
Yet, when it is attempting to release empty tapes, it needs READ access
permission to RMM's FACILITY class resource STGADMIN.EDG.RELEASE in order to
perform this function. I find this odd because I would have expected its
TRUSTED authority to allow this access. I presume RMM is initiating the
RACROUTE access authorization call and am curious as to how it is doing so
such that HSM's TRUSTED authority is not coming into play. For instance, is
RMM using RACROUTE REQUEST=FASTAUTH or is it building a separate ACEE for
HSM rather than using the one associated with the Started Task. Your
shedding light on this matter will be greatly appreciated.


Regards, Bob

Robert S. Hansel
RACF Specialist
RSH Consulting, Inc.
www.rshconsulting.com
617-969-8211
