How to protect with RACF an XCF group ?

2009-03-19 Thread Mauri Kanter
Good morning list,

Is there a way to protect with RACF whether (or not) one can connect to an 
XCF group ?

I found in SYS1.MACLIB(IXCYCON) a reason code of   
IXCRSNCODENOSAFAUTH EQU X'084C' 
but was unable to find a RACF profile that protects the groups 

Any ideas ?

Mauri.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: How to protect with RACF an XCF group ?

2009-03-19 Thread Elardus Engelbrecht
Mauri Kanter wrote:

> Is there a way to protect with RACF whether (or not) one can connect to an
> XCF group ?
>
> I found in SYS1.MACLIB(IXCYCON) a reason code of
> IXCRSNCODENOSAFAUTH EQU X'084C'
> but was unable to find a RACF profile that protects the groups

Check profile IXLSTR.structure-name in the FACILITY class. There may be 
others too...

HTH! 

Groete / Greetings
Elardus Engelbrecht



Re: How to protect with RACF an XCF group ?

2009-03-19 Thread Mauri Kanter
Thank you Elardus ...

I want to emphasize ... I'm not asking for a XES structure but an XCF 
group ... In assembler language, IXC* services rather than IXL*

Mauri.



Re: How to protect with RACF an XCF group ?

2009-03-19 Thread Elardus Engelbrecht
Mauri Kanter wrote:

> I want to emphasize ... I'm not asking for a XES structure but an XCF
> group ... In assembler language, IXC* services rather than IXL*

Oops, my bad. Try looking for profile MVSADMIN.XCF.CFRM in FACILITY class.

As I understand that variable is used by IXCCFCM according to
'MVS Programming: Sysplex Services Reference'.

Hope this is the one you're searching... If not sorry...

HTH!

Groete / Greetings
Elardus Engelbrecht



Re: How to protect with RACF an XCF group ?

2009-03-19 Thread Mauri Kanter
Elardus, Thank you again ...

We are getting closer ... Seems MVSADMIN.XCF.CFRM is related to the ability 
to define something in the CFRM dataset ...

I need to understand how to protect IXCCREAT 

Mauri.



Re: How to protect with RACF an XCF group ?

2009-03-19 Thread Elardus Engelbrecht
Mauri Kanter wrote:

> We are getting closer ... Seems MVSADMIN.XCF.CFRM is related to the ability
> to define something in the CFRM dataset ...
>
> I need to understand how to protect IXCCREAT

There is nothing about SAF or RACF for that macro IXCCREAT or the XCF 
group described. Not every IXC* macro has a paragraph about SAF 
protection according to the same book I mentioned earlier. 

(I could have missed something while RTFM...)

It seemed to me the USAGE of the services is somewhat protected.

What you can try: enable logging for all access attempts for RACF class 
FACILITY, maybe on a test system, and put in a temporary backstop profile ** 
with WARNING on. 

Then you can search the SYSLOG or SMF for any clues. Maybe you'll discover 
a profile used by that macro. Remember to remove that backstop profile.

Or write your own RACROUTE service.

HTH!

Groete / Greetings
Elardus Engelbrecht
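
The SYSLOG search suggested in the message above, as an added example that is not part of the original posts: it collects FACILITY resource names whose checks fell through to the temporary `**` backstop in warning mode. The sample lines are constructed, the ICH408I layout shown is an assumption about the warning-mode message form, and `EXAMPLE.RESOURCE.ONE` and `backstop_hits` are hypothetical names.

```python
import re

# Constructed SYSLOG excerpt (not from the thread). The ICH408I layout is the
# assumed warning-mode form; line prefixes are simplified and the resource
# name EXAMPLE.RESOURCE.ONE is a placeholder.
SAMPLE_SYSLOG = """\
08:31:02 STC00042 ICH408I USER(XCFTEST ) GROUP(SYSPROG ) NAME(TEST USER )
                    EXAMPLE.RESOURCE.ONE CL(FACILITY)
                    WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
                    FROM ** (G)
                    ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
08:31:09 STC00042 ICH408I USER(XCFTEST ) GROUP(SYSPROG ) NAME(TEST USER )
                    MVSADMIN.XCF.CFRM CL(FACILITY)
                    INSUFFICIENT ACCESS AUTHORITY
                    ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )
08:40:17 JOB00117 ICH408I USER(OPER1   ) GROUP(OPS     ) NAME(OPERATOR  )
                    EXAMPLE.RESOURCE.ONE CL(FACILITY)
                    WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
                    FROM ** (G)
                    ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

USER_RE = re.compile(r"USER\((\S+)\s*\)")
RES_RE = re.compile(r"(\S+)\s+CL\((\w+)\s*\)")
FROM_RE = re.compile(r"FROM\s+(\S+)\s+\(G\)")

def backstop_hits(syslog, cls="FACILITY", backstop="**"):
    """Map resource name -> users whose check fell through to the backstop."""
    hits = {}
    rec = None
    for line in syslog.splitlines():
        if "ICH408I" in line:                      # first line of a message
            m = USER_RE.search(line)
            rec = {"user": m.group(1) if m else "?", "warn": False}
        elif rec is None:
            continue                               # not inside a message
        elif m := RES_RE.search(line):
            rec["res"], rec["cls"] = m.groups()
        elif "WARNING: INSUFFICIENT AUTHORITY" in line:
            rec["warn"] = True
        elif m := FROM_RE.search(line):
            rec["profile"] = m.group(1)
        elif "ACCESS INTENT(" in line:             # last line: decide and reset
            if rec["warn"] and rec.get("cls") == cls and rec.get("profile") == backstop:
                hits.setdefault(rec["res"], set()).add(rec["user"])
            rec = None
    return hits

print({res: sorted(users) for res, users in backstop_hits(SAMPLE_SYSLOG).items()})
```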



Re: How to protect with RACF an XCF group ?

2009-03-19 Thread Walt Farrell
On Thu, 19 Mar 2009 08:32:10 -0500, Mauri Kanter itzuv...@013.net.il wrote:

> Elardus, Thank you again ...
>
> We are getting closer ... Seems MVSADMIN.XCF.CFRM is related to the ability
> to define something in the CFRM dataset ...
>
> I need to understand how to protect IXCCREAT

IXCCREAT is protected by the requirement that a program needs to run in
supervisor state or with a PKM allowing system key in order to use that service.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design



Re: How to protect with RACF an XCF group ?

2009-03-19 Thread Mauri Kanter
Elardus and Walter, many thanks.
