Re: Dataset created without corresponding RACF profile

2006-11-15 Thread Debbie Mitchell
Thanks to all.  The "problem" was, indeed, a GLOBAL DATASET entry 
for '&RACUID.**'/ALTER  

By way of explanation as to why our backups fail on this condition:
We are using FDR for our nightly backups.  We have the system option 
ALLCALL set to yes but do not have the DASDVOL class active in RACF.  
Therefore, FDR is getting stopped in its tracks during the FDRFLASH 
portion of our backup process.  Our data security admin is looking into the 
most appropriate way to resolve this.  In the meantime, he has done an 
audit of all TSO userids and verified that dataset profiles exist for 
each.  

Thanks again to the list for the assistance.

Debbie Mitchell
Utica National Insurance Group

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
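
Added example, not part of any list post: a simplified Python model of the condition this thread diagnoses, where a global access table entry of `&RACUID.**`/ALTER lets a user create data sets under their own ID that no dataset profile covers. It assumes EGN-style generic matching and first-match lookup in the table; every user ID, profile and data set name in it (including the BACKUP job ID in the comments) is constructed.

```python
import re

def to_regex(pattern, userid=""):
    """Compile a RACF dataset pattern (EGN-style generics) to a regex that is
    matched against '.' + dsname, so every qualifier starts with a dot."""
    out = []
    for qual in pattern.upper().replace("&RACUID", userid.upper()).split("."):
        if qual == "**":                  # zero or more whole qualifiers
            out.append(r"(?:\.[^.]+)*")
        else:                             # '*' = rest of qualifier, '%' = one char
            out.append(r"\." + "".join(
                "[^.]*" if c == "*" else "[^.]" if c == "%" else re.escape(c)
                for c in qual))
    return re.compile("".join(out) + r"\Z")

def matches(pattern, dsname, userid=""):
    return to_regex(pattern, userid).match("." + dsname.upper()) is not None

def global_access(gat, userid, dsname):
    """Access level granted by the first matching global access table entry
    (first-match is a simplification), or None when no entry applies."""
    for pattern, level in gat:
        if matches(pattern, dsname, userid):
            return level
    return None

def audit(gat, profiles, datasets):
    """Data sets that no profile covers, paired with the access the table
    gives the user named by the high-level qualifier."""
    findings = []
    for dsn in datasets:
        if not any(matches(p, dsn) for p in profiles):
            hlq = dsn.split(".")[0]
            findings.append((dsn, global_access(gat, hlq, dsn)))
    return findings

# Constructed sample data; none of these names come from the thread.
GAT = [("&RACUID.**", "ALTER")]
PROFILES = ["USER01.**", "PROD.PAYROLL.*"]
DATASETS = ["USER01.UPLOAD.DATA", "USER02.UPLOAD.DATA", "PROD.PAYROLL.MASTER"]

if __name__ == "__main__":
    for dsn, level in audit(GAT, PROFILES, DATASETS):
        print(f"{dsn}: no covering profile; table grants its owner {level}")
    # A different ID (hypothetical backup job ID) gets nothing from &RACUID:
    print(global_access(GAT, "BACKUP", "USER02.UPLOAD.DATA"))
```
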


Re: Dataset created without corresponding RACF profile

2006-11-09 Thread Shmuel Metz (Seymour J.)
In <[EMAIL PROTECTED]>, on 11/08/2006
   at 02:08 PM, Debbie Mitchell 
<[EMAIL PROTECTED]> said:

>I encountered a problem that I'm trying to understand where to even
>look for the answer.  A user connected to our mainframe (z/OS 1.4)
>through Attachmate and then logged onto TSO.  From the Ready prompt,
>he initiated a file transfer from his PC to a mainframe dataset
>(using the Attachmate Tools menu).  The file transfer was complete
>but the dataset created had no associated RACF dataset profile.

What was the full DSN of the created data set?
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see  
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: Dataset created without corresponding RACF profile

2006-11-09 Thread Walt Farrell

On 11/8/2006 3:08 PM, Debbie Mitchell wrote:

>I encountered a problem that I'm trying to understand where to even look for
>the answer.  A user connected to our mainframe (z/OS 1.4) through Attachmate
>and then logged onto TSO.  From the Ready prompt, he initiated a file
>transfer from his PC to a mainframe dataset (using the Attachmate Tools
>menu).  The file transfer was complete but the dataset created had no
>associated RACF dataset profile.  No error messages appeared on the SYSLOG.


Probably the dsname began with the user's user ID, and probably you have 
a GLOBAL DATASET entry for '&RACUID.**'/ALTER which would have allowed 
creation of the data set.



> Until a dataset profile was created for this dataset, we were unable to do
>anything with it, including running our nightly backups.


Your nightly backups should not have been affected.  They should get 
authority via some other mechanism.  With DFSMSdss, for example, your 
jobs should specify the ADMINISTRATOR keyword on the control statements, 
and get authority via various STGADMIN.something profiles in the 
FACILITY class.


Other products have similar controls, I believe, to avoid your 
backup/restore jobs needing to have explicit authority to all data sets.


Walt Farrell, CISSP
z/OS Security Design, IBM



Re: Dataset created without corresponding RACF profile

2006-11-09 Thread Robert S. Hansel (RSH)
Debbie,

See if there is an entry in the RACF global access table like
&RACUID.**/ALTER that enables users to create and access datasets prefixed
with their own ID without the need for a profile. Executing the following
command will display this information.

    RL GLOBAL DATASET


Regards, Bob


Robert S. Hansel       | 2006 RACF Training
RACF Specialist        | > Intro & Basic Admin  - Boston, MA - NOV 8-9
RSH Consulting, Inc.   |
www.rshconsulting.com  |
617-969-8211           | See our website for details & registration form



-----Original Message-----
Date:    Wed, 8 Nov 2006 14:08:35 -0600
From:    Debbie Mitchell <[EMAIL PROTECTED]>
Subject: Dataset created without corresponding RACF profile

I encountered a problem that I'm trying to understand where to even look for
the answer.  A user connected to our mainframe (z/OS 1.4) through Attachmate
and then logged onto TSO.  From the Ready prompt, he initiated a file
transfer from his PC to a mainframe dataset (using the Attachmate Tools
menu).  The file transfer was complete but the dataset created had no
associated RACF dataset profile.  No error messages appeared on the SYSLOG.
 Until a dataset profile was created for this dataset, we were unable to do
anything with it, including running our nightly backups.  Where should I
look for the "hole" that is allowing a dataset to be created for which there
is no RACF profile?  Our security admin is also posing the question to the
RACF list, but I thought one of you might be able to point me in the right
direction.  I am not familiar with Attachmate and don't have it available to
do any testing, etc., except through the user.

Thanks in advance for any help you can provide.

Debbie Mitchell
Utica National Insurance Group



Re: Dataset created without corresponding RACF profile

2006-11-08 Thread Tom Marchant
On Wed, 8 Nov 2006 14:55:58 -0600, Debbie Mitchell
<[EMAIL PROTECTED]> wrote:

>>I'm assuming that there's
>>no alias either, so the data set was cataloged in the master catalog.
>>If this was an ordinary user, he shouldn't be able to catalog any
>>data sets in the master catalog.
>>
>
>Actually, an alias did exist.  The HLQ was the userid of the programmer.  I
>am guessing that the TSO profile didn't specify NOPREFIX.
>

So the dataset was userid.some.thing?  And there's no userid.** profile?

-- 
Tom Marchant



Re: Dataset created without corresponding RACF profile

2006-11-08 Thread Debbie Mitchell
>I'm assuming that there's
>no alias either, so the data set was cataloged in the master catalog.
>If this was an ordinary user, he shouldn't be able to catalog any
>data sets in the master catalog.
>
>
>Tom Marchant
>

Actually, an alias did exist.  The HLQ was the userid of the programmer.  I
am guessing that the TSO profile didn't specify NOPREFIX.  

Debbie Mitchell
Utica National Insurance Group 



Re: Dataset created without corresponding RACF profile

2006-11-08 Thread Tom Marchant
On Wed, 8 Nov 2006 14:08:35 -0600, Debbie Mitchell 
<[EMAIL PROTECTED]> wrote:

>I encountered a problem that I'm trying to understand where to even look for
>the answer.  A user connected to our mainframe (z/OS 1.4) through Attachmate
>and then logged onto TSO.  From the Ready prompt, he initiated a file
>transfer from his PC to a mainframe dataset (using the Attachmate Tools
>menu).  The file transfer was complete but the dataset created had no
>associated RACF dataset profile.  No error messages appeared on the SYSLOG.
> Until a dataset profile was created for this dataset, we were unable to do
>anything with it, including running our nightly backups.  Where should I
>look for the "hole" that is allowing a dataset to be created for which there
>is no RACF profile?  Our security admin is also posing the question to the
>RACF list, but I thought one of you might be able to point me in the right
>direction.  I am not familiar with Attachmate and don't have it available to
>do any testing, etc., except through the user.
>

This is not an answer to your question.  I'm assuming that there's
no alias either, so the data set was cataloged in the master catalog.
If this was an ordinary user, he shouldn't be able to catalog any
data sets in the master catalog.

The transfer is probably being done using IND$FILE, supported by
most terminal emulators.

-- 
Tom Marchant



Dataset created without corresponding RACF profile

2006-11-08 Thread Debbie Mitchell
I encountered a problem that I'm trying to understand where to even look for
the answer.  A user connected to our mainframe (z/OS 1.4) through Attachmate
and then logged onto TSO.  From the Ready prompt, he initiated a file
transfer from his PC to a mainframe dataset (using the Attachmate Tools
menu).  The file transfer was complete but the dataset created had no
associated RACF dataset profile.  No error messages appeared on the SYSLOG.
 Until a dataset profile was created for this dataset, we were unable to do
anything with it, including running our nightly backups.  Where should I
look for the "hole" that is allowing a dataset to be created for which there
is no RACF profile?  Our security admin is also posing the question to the
RACF list, but I thought one of you might be able to point me in the right
direction.  I am not familiar with Attachmate and don't have it available to
do any testing, etc., except through the user.

Thanks in advance for any help you can provide.

Debbie Mitchell
Utica National Insurance Group
