Re: SDSF Security
We have a winner!! Please claim the virtual brew of your choice.

To recap the problem, operators were able to call the SR screen, but an attempt to reply failed with NOT AUTHORIZED FOR CMD. Just that, no other messages or syslog entries at all. None. Nada.

Bob not only nailed the scenario but put me on the path for a simple resolution. I found that there were no ISFSR profiles defined at all. I need to go back to the FM to see where I missed that discussion.

But, as I pondered the ISFSR profiles to craft the change commands, I saw how folks were assigned to the groups defined in ISFPARMS. That is, the resource GROUP. in the SDSF class equates to the GROUP definition in ISFPARMS. READ access to the resource puts that user in that group and gives the authorities therein.

Thanks all and special thanks to Bob!

To all: The very best of the season to you, yours and theirs.

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Robert S. Hansel (RSH)
Sent: Wednesday, December 17, 2008 7:24 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: SDSF Security

Hal,

Is the problem that the users cannot get to the SR panel, or they can't act on a message once they get there?

To get to the panel, they need READ access to SDSF class resource ISFCMD.ODSP.SR.system. If they have access, SR System Requests should show up on their SDSF Primary Option Menu when they enter SDSF. If not and they attempt to enter the SR command, they should get an ICH408I violation message. If it is not defined to RACF, ISFPARMS governs, and if they don't have access, they will only get COMMAND NOT AUTHORIZED.

If they can get to the SR panel, they will need READ access to either, or both, ISFSR.ACTION.system.jobname or ISFSR.REPLY.system.jobname in order to act on messages. If these resources are protected by RACF, and they don't have sufficient access, they will get an ICH408I message and NOT AUTHORIZED FOR CMD. If they are not protected by RACF, ISFPARMS governs, and if they don't have access, they will only get NOT AUTHORIZED FOR CMD.

Based on what you've said, I'm guessing you defined and granted them access to ISFCMD.ODSP.SR.system but didn't define profiles for the ISFSR resources, and the ISFPARMS don't give them access.

One final consideration which you've probably already thought of but just in case. If defined to RACF, is the SDSF class RACLISTed and did you do a REFRESH on the system where executed? If not, is the profile(s) protecting these SDSF resources generic and did you do a GENERIC REFRESH (or have the user logon/logoff)?

Hope this helps. Happy Holidays.

Regards, Bob

NOTICE: This electronic mail message and any files transmitted with it are intended exclusively for the individual or entity to which it is addressed. The message, together with any attachment, may contain confidential and/or privileged information. Any unauthorized review, use, printing, saving, copying, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email and delete all copies.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SDSF Security
snip- Pigpen?--I'm a pig pin? -unsnip-- Fellow traveler - remember C. W. McCall's CONVOY recording?
Re: SDSF Security
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Pinnacle

- Original Message -
From: George Fogg

Why all this work with SAFTRACE and SDSF trace? Why not look in the log. If you are using RACF and have the proper profile then you should see:

ICH408I USER(USERA ) GROUP(HZSXXX ) NAME(TEST ID FOR G FOGG ) 987
  ISFCMD.ODSP.SR.BOST CL(SDSF)
  INSUFFICIENT ACCESS AUTHORITY
  FROM ISFCMD.ODSP.SR.** (G)
  ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

George,

That's a negatory Pigpen. SDSF generates hundreds of RACROUTE calls per screen,

Hyperbole? Hundreds ... per screen seems spectacularly inefficient, and if even remotely close to literally true would seem to argue vigorously against converting to RACF protection for SDSF. I'd guess a noticeable increase in VWLC for starters

-jc-
Re: SDSF Security
Hal,

Is the problem that the users cannot get to the SR panel, or they can't act on a message once they get there?

To get to the panel, they need READ access to SDSF class resource ISFCMD.ODSP.SR.system. If they have access, SR System Requests should show up on their SDSF Primary Option Menu when they enter SDSF. If not and they attempt to enter the SR command, they should get an ICH408I violation message. If it is not defined to RACF, ISFPARMS governs, and if they don't have access, they will only get COMMAND NOT AUTHORIZED.

If they can get to the SR panel, they will need READ access to either, or both, ISFSR.ACTION.system.jobname or ISFSR.REPLY.system.jobname in order to act on messages. If these resources are protected by RACF, and they don't have sufficient access, they will get an ICH408I message and NOT AUTHORIZED FOR CMD. If they are not protected by RACF, ISFPARMS governs, and if they don't have access, they will only get NOT AUTHORIZED FOR CMD.

Based on what you've said, I'm guessing you defined and granted them access to ISFCMD.ODSP.SR.system but didn't define profiles for the ISFSR resources, and the ISFPARMS don't give them access.

One final consideration which you've probably already thought of but just in case. If defined to RACF, is the SDSF class RACLISTed and did you do a REFRESH on the system where executed? If not, is the profile(s) protecting these SDSF resources generic and did you do a GENERIC REFRESH (or have the user logon/logoff)?

Hope this helps. Happy Holidays.

Regards, Bob

Robert S. Hansel      | 2009 RACF Training (January - July)
Lead RACF Specialist  | Intro Basic Admin - Boston - APR 28-30
RSH Consulting, Inc.  | Audit for Results - Boston - MAY 19-21
www.rshconsulting.com |
617-969-8211          | Visit our website for registration details

Register for a 2009 training seminar at 2008 prices! See website for details.

-Original Message-
Date: Tue, 16 Dec 2008 11:27:11 -0600
From: Hal Merritt hmerr...@jackhenry.com
Subject: SDSF Security

My operations folks would like to use the SR panel to manage WTOR's. All of the applicable RACF profiles seem to be in place and they can issue the replies from the LOG screen.

The diagnosis procedure in the FM for the error message wasn't productive. The error message returned is Not authorized for cmd. Nothing else even though WTPMSG is in effect.

Could someone fax me a clue? :-)

Thanks.
SDSF Security
My operations folks would like to use the SR panel to manage WTOR's. All of the applicable RACF profiles seem to be in place and they can issue the replies from the LOG screen.

The diagnosis procedure in the FM for the error message wasn't productive. The error message returned is Not authorized for cmd. Nothing else even though WTPMSG is in effect.

Could someone fax me a clue? :-)

Thanks.
Re: SDSF Security
On Tue, 16 Dec 2008 11:27:11 -0600, Hal Merritt hmerr...@jackhenry.com wrote:

My operations folks would like to use the SR panel to manage WTOR's. All of the applicable RACF profiles seem to be in place and they can issue the replies from the LOG screen. The diagnosis procedure in the FM for the error message wasn't productive. The error message returned is Not authorized for cmd. Nothing else even though WTPMSG is in effect. Could someone fax me a clue? :-)

Perhaps AUTH=SR

Class  Access  SDSF Resource Name     Description
SDSF   READ    ISFCMD.ODSP.SR.system  Gives user authority to issue the SR command.

Appendix B. SAF equivalents for ISFPARMS

Bruno Sugliani
zxnetconsult(at)free(dot)fr
http://zxnetconsult.free.fr
Re: SDSF Security
- Original Message -
From: Hal Merritt hmerr...@jackhenry.com
Newsgroups: bit.listserv.ibm-main
Sent: Tuesday, December 16, 2008 12:28 PM
Subject: SDSF Security

My operations folks would like to use the SR panel to manage WTOR's. All of the applicable RACF profiles seem to be in place and they can issue the replies from the LOG screen. The error message returned is Not authorized for cmd. Nothing else even though WTPMSG is in effect.

Hal,

SDSF does so many RACROUTEs that it suppresses nearly all ICH408I messages for security failures. To fix this, you need to turn on the SDSF security trace (I forget the details, RTFM), run your command, turn off the trace, then look at the output. It will show you the RACROUTE call, the resource, and the return codes, so you can code up the proper PERMIT.

Regards,
Tom Conley
Re: SDSF Security
Good suggestions on the trace. Could one just put RACF in warn mode, try the command and determine what is causing the command to fail.

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Pinnacle
Sent: Tuesday, December 16, 2008 1:21 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: SDSF Security

Hal,

SDSF does so many RACROUTEs that it suppresses nearly all ICH408I messages for security failures. To fix this, you need to turn on the SDSF security trace (I forget the details, RTFM), run your command, turn off the trace, then look at the output. It will show you the RACROUTE call, the resource, and the return codes, so you can code up the proper PERMIT.

Regards,
Tom Conley
Re: SDSF Security
- Original Message -
From: Cebell, David cebe...@aafes.com
Newsgroups: bit.listserv.ibm-main
Sent: Tuesday, December 16, 2008 3:05 PM
Subject: Re: SDSF Security

Good suggestions on the trace. Could one just put RACF in warn mode, try the command and determine what is causing the command to fail.

David,

Interesting question! My take is that the high number of classes checked by SDSF (OPERCMDS, FACILITY, WRITER, JESSPOOL, etc.) makes a WARN mode problematic (I assume you're talking warn mode at the CLASS level and not NOPROTECTALL). Also, I believe SDSF would still suppress the ICH408I messages even in warn mode. You would get the warn mode records cut to SMF, but that's a big PITA and a delay compared to the SDSF security trace.

My $.02,
Tom Conley
Re: SDSF Security
Just some profiles I played with when installing 1.8;

1. Authorize CK command in SDSF.
   a. Added ISFCMD.** to SDSF CLASS. UACC(NONE)
   b. Added ISFCMD.DSP.SCHENV.** to SDSF CLASS. UACC(NONE)
   c. Added ISFCMD.FILTER.** to SDSF CLASS. UACC(READ)
   d. Added ISFCMD.DSP.** to SDSF CLASS. UACC(READ)
   e. Activated SDSF CLASS

Maybe this will give you a starting point.

Jimmy
Re: SDSF Security
I activated the SAF trace (mask 80) and saw nothing. Nothing at all.

I'm beginning to wonder if SDSF is calling RACF at all. Why wouldn't it? The FM does not mention any kind of switch to turn that on or off.

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Cebell, David
Sent: Tuesday, December 16, 2008 2:00 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: SDSF Security

Good suggestions on the trace. Could one just put RACF in warn mode, try the command and determine what is causing the command to fail.
Re: SDSF Security
Did you enter the complete TRACE function? In SDSF, enter TRACE ON followed by TRACE 0080. Then in SDSF select the job/command you are interested in and enter TRACE OFF. There will be an ISFTRACE dataset created under your TSU id in JES2 output.

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Hal Merritt
Sent: Tuesday, December 16, 2008 3:31 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: SDSF Security

I activated the SAF trace (mask 80) and saw nothing. Nothing at all.

I'm beginning to wonder if SDSF is calling RACF at all. Why wouldn't it? The FM does not mention any kind of switch to turn that on or off.
Re: SDSF Security
Did as you suggested. No ISFTRACE.

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Dennis Trojak
Sent: Tuesday, December 16, 2008 3:54 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: SDSF Security

Did you enter the complete TRACE function? In SDSF, enter TRACE ON followed by TRACE 0080. Then in SDSF select the job/command you are interested in and enter TRACE OFF. There will be an ISFTRACE dataset created under your TSU id in JES2 output.
Re: SDSF Security
Ignore my last. The trace was in the SDSF address space.

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Dennis Trojak
Sent: Tuesday, December 16, 2008 3:54 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: SDSF Security

Did you enter the complete TRACE function? In SDSF, enter TRACE ON followed by TRACE 0080. Then in SDSF select the job/command you are interested in and enter TRACE OFF. There will be an ISFTRACE dataset created under your TSU id in JES2 output.
Re: SDSF Security
Are you sure you're using RACF to control authority in SDSF? You can also use a compiled ISFPARMS module, or an ISFPRMxx parmlib member. If you're using the SDSF server, as you seem to be, you have to be using the ISFPRMxx member.

Kevin McKenzie
External Phone: 845-435-8282, Tie-line: 8-295-8282
z/OS BCP SVT, Dept FXKA, Bldg 706/2D38

Hal Merritt hmerr...@jackhenry.com
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
12/16/2008 04:31 PM
Please respond to IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
To IBM-MAIN@bama.ua.edu
cc
Subject Re: SDSF Security

I activated the SAF trace (mask 80) and saw nothing. Nothing at all.

I'm beginning to wonder if SDSF is calling RACF at all. Why wouldn't it? The FM does not mention any kind of switch to turn that on or off.
Re: SDSF Security
Why all this work with SAFTRACE and SDSF trace? Why not look in the log. If you are using RACF and have the proper profile then you should see:

ICH408I USER(USERA ) GROUP(HZSXXX ) NAME(TEST ID FOR G FOGG ) 987
  ISFCMD.ODSP.SR.BOST CL(SDSF)
  INSUFFICIENT ACCESS AUTHORITY
  FROM ISFCMD.ODSP.SR.** (G)
  ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

George Fogg

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Hal Merritt
Sent: Tuesday, December 16, 2008 2:01 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: SDSF Security

Ignore my last. The trace was in the SDSF address space.

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Dennis Trojak
Sent: Tuesday, December 16, 2008 3:54 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: SDSF Security

Did you enter the complete TRACE function? In SDSF, enter TRACE ON followed by TRACE 0080. Then in SDSF select the job/command you are interested in and enter TRACE OFF. There will be an ISFTRACE dataset created under your TSU id in JES2 output.
Re: SDSF Security
- Original Message -
From: George Fogg gf...@nwlink.com
Newsgroups: bit.listserv.ibm-main
Sent: Tuesday, December 16, 2008 8:16 PM
Subject: Re: SDSF Security

> Why all this work with SAFTRACE and SDSF trace? Why not look in the log. If you are using RACF and have the proper profile then you should see:
>
> ICH408I USER(USERA ) GROUP(HZSXXX ) NAME(TEST ID FOR G FOGG ) 987
>   ISFCMD.ODSP.SR.BOST CL(SDSF)
>   INSUFFICIENT ACCESS AUTHORITY
>   FROM ISFCMD.ODSP.SR.** (G)
>   ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

George,

That's a negatory Pigpen. SDSF generates hundreds of RACROUTE calls per screen, so they actively suppress about 99.99% of the ICH408I messages that would otherwise be issued. Every now and then you will get the ICH408I as you did above, but the vast majority of the time in SDSF, you won't see a thing.

Regards,
Tom Conley
Re: SDSF Security
Pigpen?--I'm a pig pin?

SDSF did 31 RACROUTE REQUEST=AUTHs when I entered SDSF and issued the DA, LOG and ST commands. I didn't see hundreds of RACROUTE calls as you say but I suppose if you enter SDSF commands all day then hundreds may be found. Of the 31 RACROUTE calls, 26 specified LOG=NOSTAT so no ICH408Is if failures. Four of the 31 calls had LOG=ASIS so you would see ICH408I messages on failures.

I still suggest to look at the log first before spending time with traces. As I stated in my original post, he would have found the ICH408I message showing the SDSF resource name and profile that failed for the SR command.

George Fogg
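When an ICH408I like the one quoted in this thread does reach the log, it already names the user, the resource, the deciding profile and the access that was asked for. The following is an added example, not code from any poster: it parses that message and builds the corresponding PERMIT. The sample log text is constructed from the quoted message, and the sketch assumes the SDSF class is RACLISTed and that a message without a FROM line was decided by a discrete profile named like the resource.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the ICH408I quoted in the thread, laid out as a
# multi-line console message, plus one unrelated constructed line.
SAMPLE_SYSLOG = """\
ICH408I USER(USERA   ) GROUP(HZSXXX  ) NAME(TEST ID FOR G FOGG  ) 987
  ISFCMD.ODSP.SR.BOST CL(SDSF)
  INSUFFICIENT ACCESS AUTHORITY
  FROM ISFCMD.ODSP.SR.** (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
IEF403I SOMEJOB - STARTED
"""

# RACF access levels, lowest to highest.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass(frozen=True)
class Violation:
    user: str
    group: str
    resource: str    # resource name the caller asked for
    res_class: str
    profile: str     # profile that decided the request
    generic: bool    # True when the message marks the profile with (G)
    intent: str
    allowed: str


# \s+ between the parts lets the same pattern match the multi-line console
# form and a copy that has been flattened onto one line.
_ICH408I = re.compile(
    r"ICH408I\s+USER\(\s*(?P<user>[^\s)]+)\s*\)"
    r"\s+GROUP\(\s*(?P<group>[^\s)]+)\s*\)"
    r"\s+NAME\([^)]*\)(?:\s+\d+)?"            # optional multi-line message id
    r"\s+(?P<resource>\S+)\s+CL\(\s*(?P<cls>[^\s)]+)\s*\)"
    r"\s+INSUFFICIENT ACCESS AUTHORITY"
    r"(?:\s+FROM\s+(?P<profile>\S+)(?P<generic>\s+\(G\))?)?"
    r"\s+ACCESS INTENT\(\s*(?P<intent>\w+)\s*\)"
    r"\s+ACCESS ALLOWED\(\s*(?P<allowed>\w+)\s*\)"
)


def parse_ich408i(text: str) -> List[Violation]:
    """Return every insufficient-access ICH408I found in `text`."""
    found = []
    for m in _ICH408I.finditer(text):
        # Assumption: no FROM line means a discrete profile with the
        # same name as the resource.
        profile = m["profile"] or m["resource"]
        found.append(Violation(m["user"], m["group"], m["resource"], m["cls"],
                               profile, bool(m["generic"]),
                               m["intent"], m["allowed"]))
    return found


def permit_commands(v: Violation, grantee: str = "") -> List[str]:
    """RACF commands that would grant the access intent seen in the message.

    The PERMIT goes against the deciding profile, so with a generic profile
    it covers every resource that profile covers, not only the one named in
    the message. Pass a RACF group as `grantee` to permit a group instead
    of the individual user.
    """
    if LEVELS.index(v.allowed) >= LEVELS.index(v.intent):
        return []  # access already sufficient, nothing to grant
    who = grantee or v.user
    return [
        f"PERMIT {v.profile} CLASS({v.res_class}) ID({who}) ACCESS({v.intent})",
        f"SETROPTS RACLIST({v.res_class}) REFRESH",  # assumes a RACLISTed class
    ]


if __name__ == "__main__":
    for violation in parse_ich408i(SAMPLE_SYSLOG):
        print(violation)
        for command in permit_commands(violation):
            print("  " + command)
```
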
Re: More SDSF security questions
Are you referring to the ISFPRM00 parmlib member? The ISFOPER group starts off like this:

GROUP NAME(ISFOPER),            /* Group name                    */
  TSOAUTH(JCL,OPER),            /* User must have JCL and OPER   */
  ACTION(ALL),                  /* All route codes displayed     */
  ACTIONBAR(YES),               /* Display action bar on panels  */
  APPC(ON),                     /* Include APPC sysout           */
  AUPDT(2),                     /* Minimum auto update interval  */
  AUTH(LOG,I,O,H,DA,PREF,DEST,  /* Authorized functions          */
       SYSID,ACTION,FINDLIM,ST,
       INIT,PR,ULOG,MAS,SYSNAME,LI,
       SO,NO,PUN,RDR,JC,SE,RES),
  CMDAUTH(ALL),                 /* Commands allowed for all jobs */

I added:

  ILPROC(BATCH),

and refreshed SDSF (F SDSF,REFRESH). I reran my job and I see just my job.

Dennis Trojak wrote:

Add ILPROC=BATCH to your ISFOPER group name parameters in ISFGRP and it should let you run batch jobs with your ISFOPER definitions for userid=P390.

Dennis

--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service: 360-715-2467
rich.smrcina at vmassist.com
http://www.linkedin.com/in/richsmrcina
Catch the WAVV! http://www.wavv.org
WAVV 2008 - Chattanooga - April 18-22, 2008
Re: More SDSF security questions
On Wed, 26 Mar 2008 08:25:04 -0500, Rich Smrcina [EMAIL PROTECTED] wrote:

> Are you referring to the ISFPRM00 parmlib member? The ISFOPER group starts off like this:
>
> GROUP NAME(ISFOPER),            /* Group name                    */
>   TSOAUTH(JCL,OPER),            /* User must have JCL and OPER   */
>   ACTION(ALL),                  /* All route codes displayed     */
>   ACTIONBAR(YES),               /* Display action bar on panels  */
>   APPC(ON),                     /* Include APPC sysout           */
>   AUPDT(2),                     /* Minimum auto update interval  */
>   AUTH(LOG,I,O,H,DA,PREF,DEST,  /* Authorized functions          */
>        SYSID,ACTION,FINDLIM,ST,
>        INIT,PR,ULOG,MAS,SYSNAME,LI,
>        SO,NO,PUN,RDR,JC,SE,RES),
>   CMDAUTH(ALL),                 /* Commands allowed for all jobs */
>
> I added: ILPROC(BATCH), and refreshed SDSF (F SDSF,REFRESH). I reran my job and I see just my job.

Rich,

Have you tried looking at the SDSF Operation and Customization manual? If so, you can see a similar example. Just adding ILPROC(BATCH) isn't good enough. You need to add an NTBL also. But I see 2 problems:

1) That still won't get you to fall into the ISFOPER group since it has TSOAUTH(JCL,OPER) and batch only gets TSOAUTH(JCL). Did you read my post from yesterday on this?

2) If you create a group with just TSOAUTH(JCL) and ILPROC(BATCH) and give it super user authority, anyone running SDSF in batch will have that authority.

I will walk you through this:

1) Create a new group. Copy it from ISFOPER or ISFSPROG (depending on your requirements) and make sure it is defined *prior* to those based on TSOAUTH only.

2) Remove the TSOAUTH() definition from this new group

3) In place of TSOAUTH add IUID(idgroup1),

4) Near the end of the ISFPRM00 member define an NTBL:

   NTBL NAME(idgroup1)
     NTBLENT STRING(your_userid),OFFSET(1)
     NTBLENT STRING(other_userid1),OFFSET(1)
     NTBLENT STRING(other_userid2),OFFSET(1)

   where your_userid is your userid. Add other userids as required or don't define them to that group.

5) Use the F SDSF,REFRESH operator command to refresh the parms.

The authority will be the same from TSO and from batch based on the userids defined in idgroup1.

HTH,

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED]
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html
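The group selection discussed in this thread can be modelled in a few lines. The following is an added example, not SDSF code or code from any poster: a simplified first-match model of ISFPARMS group assignment that reproduces the batch result (ISFUSER), the ILPROC(BATCH)-only attempt, the IUID/NTBL fix, and the open batch group the post warns about. The group name ISFBATCH, the user OTHERID, the TSOAUTH values shown for ISFSPROG and ISFUSER, and the rule that an NTBLENT compares STRING against the name starting at OFFSET are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# NTBL NAME -> [(STRING, OFFSET), ...]
NameTables = Dict[str, List[Tuple[str, int]]]


@dataclass(frozen=True)
class Group:
    name: str
    tsoauth: FrozenSet[str] = frozenset()  # TSOAUTH(): all listed are required
    iuid: Optional[str] = None             # IUID(): NTBL tested against user ID
    ilproc: Optional[str] = None           # ILPROC(): NTBL tested against proc


@dataclass(frozen=True)
class Session:
    userid: str
    proc: str
    tsoauth: FrozenSet[str]


def tso_session(userid: str, auths=("JCL", "OPER")) -> Session:
    # PROC=DBSPROC is the TSO logon proc shown in the thread's WHO output.
    return Session(userid, "DBSPROC", frozenset(auths))


def batch_session(userid: str) -> Session:
    # Per the thread: a batch SDSF job gets TSOAUTH(JCL) whatever authorities
    # the user ID has in TSO, and WHO reports PROC=BATCH.
    return Session(userid, "BATCH", frozenset({"JCL"}))


def ntbl_match(tables: NameTables, table: str, value: str) -> bool:
    # Model assumption: STRING is compared with `value` from the 1-based
    # OFFSET for the length of STRING, so STRING(P390) also matches P390A.
    return any(value[off - 1:].startswith(s) for s, off in tables.get(table, []))


def assign_group(groups: List[Group], s: Session, tables: NameTables) -> Optional[str]:
    """First group, in definition order, whose every criterion the session meets."""
    for g in groups:
        if not g.tsoauth <= s.tsoauth:
            continue
        if g.iuid and not ntbl_match(tables, g.iuid, s.userid):
            continue
        if g.ilproc and not ntbl_match(tables, g.ilproc, s.proc):
            continue
        return g.name
    return None


# Starting layout. ISFOPER's TSOAUTH is from the thread; the other two
# TSOAUTH values are assumed.
SAMPLE = [
    Group("ISFSPROG", frozenset({"JCL", "OPER", "ACCT"})),
    Group("ISFOPER", frozenset({"JCL", "OPER"})),
    Group("ISFUSER", frozenset({"JCL"})),
]

# Attempt 1: ILPROC(BATCH) added to ISFOPER, with NTBL NAME(BATCH).
ILPROC_ONLY = [SAMPLE[0],
               Group("ISFOPER", frozenset({"JCL", "OPER"}), ilproc="BATCH"),
               SAMPLE[2]]
BATCH_TABLE: NameTables = {"BATCH": [("BATCH", 1)]}

# The fix from the post: a group keyed on IUID, no TSOAUTH, defined first.
IUID_FIRST = [Group("ISFBATCH", iuid="idgroup1")] + SAMPLE
ID_TABLE: NameTables = {"idgroup1": [("P390", 1)]}

# The layout the post warns about: TSOAUTH(JCL) plus ILPROC(BATCH) only.
OPEN_BATCH = [Group("ISFBATCH", frozenset({"JCL"}), ilproc="BATCH")] + SAMPLE

if __name__ == "__main__":
    for label, groups, tables in [("sample", SAMPLE, {}),
                                  ("ILPROC only", ILPROC_ONLY, BATCH_TABLE),
                                  ("IUID first", IUID_FIRST, ID_TABLE),
                                  ("open batch", OPEN_BATCH, BATCH_TABLE)]:
        for s in (tso_session("P390"), batch_session("P390"), batch_session("OTHERID")):
            print(f"{label:12} {s.userid:8} {s.proc:8} -> {assign_group(groups, s, tables)}")
```
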
Re: More SDSF security questions
In [EMAIL PROTECTED], on 03/24/2008 at 03:30 PM, Rich Smrcina [EMAIL PROTECTED] said:

> I read sdsf. for the output. This essentially works, the problem is that when I run this in batch I only see myself. If I run this in TSO I can see all of the executing jobs on the system.

Compare your SDSF filter options in background with your SDSF filter options in foreground.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: More SDSF security questions
Your TSO session is in group ISFOPER. Your batch job is in group ISFUSER. If the names are truly descriptive, one defines an operator who should be able to see almost everything and the other a user who is restricted to his own efforts.

-Original Message-
From: Rich Smrcina
Sent: Tuesday, March 25, 2008 1:20 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: More SDSF security questions

In TSO, I get this from the WHO command on the P390 user:

USERID=P390,PROC=DBSPROC,TERMINAL=LCL701,GRPINDEX=2,GRPNAME=ISFOPER,
MVS=z/OS 01.04.00,JES2=z/OS 1.4,SDSF=HQX7707,ISPF=5.2,RMF/DA=NOTACC,

and from batch:

USERID=P390,PROC=BATCH,TERMINAL=BATCH,GRPINDEX=3,GRPNAME=ISFUSER,MVS=z/OS 01.04
RMF/DA=NOTACC,SERVER=YES,SERVERNAME=SDSF,JESNAME=JES2,MEMBER=SYS1,SYSNAME=P390,

I tried a jobname of P390A and I still can only see the job that I'm running.
Re: More SDSF security questions
Mark Zelden wrote:

> But I see 2 problems: 1) That still won't get you to fall into the ISFOPER group since it has TSOAUTH(JCL,OPER) and batch only gets TSOAUTH(JCL). Did you read my post from yesterday on this?

Yes, I didn't have the ability to respond to all of the emails yesterday and I was flying today and struggling with internet access at the hotel this afternoon... :( I posted my NTBL several posts ago. I saw your post, but the key was in the excellent description from your last post.

> 2) If you create a group with just TSOAUTH(JCL) and ILPROC(BATCH) and give it super user authority, anyone running SDSF in batch will have that authority. I will walk you through this:

That all worked! My batch job can now see all of the JES jobs. Thanks for the careful guidance, it is greatly appreciated. Also, thanks to everyone else that responded with assistance.

--
Rich Smrcina
VM Assist, Inc.
Re: More SDSF security questions
Rick,

I don't believe you have a security issue. It has been a while, but I tend to remember having to use OWNER with no operand in order to see all the jobs on the system (not just my own) when running SDSF in batch. Please feed that into ISFIN on in.1 with DA on in.2 and in.0 set to 2. Let me know if you still have issues, but I think this will correct your issue.

Thanks,
Hank

On Mon, 24 Mar 2008 15:30:14 -0500, Rich Smrcina [EMAIL PROTECTED] wrote:

With last week's SDSF security questions, I have to chime in with my issue. I'm submitting an SDSF DA command via REXX in batch:

/* Allocate the SDSF batch output and input files */
"ALLOC F(ISFOUT) RECFM(F B A) LRECL(121) NEW UNIT(VIO)" ,
      "DELETE CYLINDERS SPACE(1,1) REUSE DSORG(PS)"
"ALLOC F(ISFIN) RECFM(F B) LRECL(80) NEW UNIT(VIO)" ,
      "DELETE CYLINDERS SPACE(1,1) REUSE DSORG(PS)"
in.1 = "DA"                      /* SDSF command to run        */
in.0 = 1                         /* number of commands in stem */
"execio * diskw isfin (STEM IN. finis)"
address linkmvs "SDSF"           /* run SDSF against ISFIN     */
"execio * diskr isfout (STEM SDSF. finis)"
"FREE F(ISFIN ISFOUT)"

I read sdsf. for the output. This essentially works, the problem is that when I run this in batch I only see myself. If I run this in TSO I can see all of the executing jobs on the system. I would like to be able to see all of the jobs when I run this in batch as well.

Using the ISFPRM00 IUID, etc I've tried various combinations of the procname (BATCH), the jobname and username (based on the output of the SDSF WHO command). All with no joy.

Does anyone have any other suggestions?

--
Rich Smrcina
VM Assist, Inc.
Re: More SDSF security questions
Hank,

I tried this...

in.2 = "DA"
in.1 = "OWNER"
in.0 = 2
"execio * diskw isfin (STEM IN. finis)"
address linkmvs "SDSF"
"execio * diskr isfout (STEM SDSF. finis)"
"FREE F(ISFIN ISFOUT)"

And got the same output. Thanks for the response. Any other ideas?

--
Rich Smrcina
VM Assist, Inc.
Re: More SDSF security questions
1. Issue the OWNER command before the DA command
2. Issue the WHO command. This will tell you many settings, and might help explain the problem.

Gadi
Re: More SDSF security questions
You should also add the PREFIX command before the DA command. Adding the SET DISPLAY command is also a good idea. It will show you the settings of the OWNER, PREFIX and SYSNAME parameters.

Gadi
Re: More SDSF security questions
It is. in.1 is the first command issued 'OWNER', in.2 is the second command issued 'DA'.

--
Rich Smrcina
VM Assist, Inc.
Re: More SDSF security questions
Your previous response also asked for the WHO output, here it is.

USERID=P390,PROC=BATCH,TERMINAL=BATCH,GRPINDEX=3,GRPNAME=ISFUSER,MVS=z/OS 01.04
RMF/DA=NOTACC,SERVER=YES,SERVERNAME=SDSF,JESNAME=JES2,MEMBER=SYS1,SYSNAME=P390,

Are PREFIX and SET DISPLAY commands entered by themselves (like OWNER)?

--
Rich Smrcina
VM Assist, Inc.
Re: More SDSF security questions
Yes, the PREFIX and SET DISPLAY commands are entered by themselves. I think the PREFIX command is the actual command you are missing.

Gadi
Re: More SDSF security questions
I tried PREFIX and I get COMMAND NOT AUTHORIZED.

--
Rich Smrcina
VM Assist, Inc.
Re: More SDSF security questions
Then you have to change your security settings either in ISFPARMS or RACF.

Gadi
Re: More SDSF security questions
That was actually part of the original post. I added:

  ILPROC(BATCH),

to:

  GROUP NAME(ISFSPROG),

in ISFPRM00. I also have this entry below:

  NTBL NAME(BATCH)
    NTBLENT STRING(BATCH),OFFSET(1)

To catch the PROC name BATCH when my job runs and authorize it as an ISFSPROG TSO User instead of ISFUSER. And I get one line of output, the job that I'm running.

I've tried to vary the ISFPRM00 changes to IUID and the userid in the NTBL to no avail.

--
Rich Smrcina
VM Assist, Inc.
Re: More SDSF security questions
And see if the PREFIX is set to * for all names.
Re: More SDSF security questions
Evidently not, this appears to be the output from SET DISPLAY (it's hard to tell):

PREFIX=P390* DEST=(ALL) OWNER=* SYSNAME=

--
Rich Smrcina
VM Assist, Inc.
Re: More SDSF security questions
in.2 = DA OJOB perhaps?

Regards,
Ulrich Krueger
Re: More SDSF security questions
Now I don't even appear on the list (the list is empty). :(

--
Rich Smrcina
VM Assist, Inc.
Re: More SDSF security questions
On 25 Mar 2008 06:37:16 -0700, in bit.listserv.ibm-main (Message-ID:[EMAIL PROTECTED]) [EMAIL PROTECTED] (Rich Smrcina) wrote:
I tried PREFIX and I get COMMAND NOT AUTHORIZED.

You had given us the output of the WHO command in batch, but you never showed us the output from what you hope is the same userid in TSO. I suspect they're different.

As I mentioned in a related thread some time ago: Many years back I found out that the userid used to search the SDSF tables is *not* the RACF userid when done from batch. Instead, it's the jobname-minus-last-character. I had opened a PMR; I forget details of the response, but they basically said WAD.

So, give us the WHO from batch *and* TSO. If they're different, that explains a lot. Then try using a jobname of your userid plus one character and try again and let us know. I never did find out if IBM finally fixed this security problem.

--
I cannot receive mail at the address this was sent from.
To reply directly, send to ar23hur at intergate dot com
Re: More SDSF security questions
On Tue, 25 Mar 2008 11:47:07 -0500, Arthur T. [EMAIL PROTECTED] wrote:
Many years back I found out that the userid used to search the SDSF tables is *not* the RACF userid when done from batch. Instead, it's the jobname-minus-last-character. I had opened a PMR; I forget details of the response, but they basically said WAD.

How many years back? This is certainly not true today and AFAIK has never been true.

The biggest problem I have found with batch is that many shops have SDSF security set up (from the default/sample parms) based on TSO authorities (JCL, OPER, ACCT) and TSOAUTH is automatically set to JCL for a batch SDSF job (regardless of what authorities the USERID actually has). This is the documented behavior.

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED]
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html
Re: More SDSF security questions
On Tue, 25 Mar 2008 12:08:37 -0500, Mark Zelden [EMAIL PROTECTED] wrote:

On Tue, 25 Mar 2008 11:47:07 -0500, Arthur T. [EMAIL PROTECTED] wrote:
Many years back I found out that the userid used to search the SDSF tables is *not* the RACF userid when done from batch. Instead, it's the jobname-minus-last-character. I had opened a PMR; I forget details of the response, but they basically said WAD.

How many years back? This is certainly not true today and AFAIK has never been true.

The biggest problem I have found with batch is that many shops have SDSF security set up (from the default/sample parms) based on TSO authorities (JCL, OPER, ACCT) and TSOAUTH is automatically set to JCL for a batch SDSF job (regardless of what authorities the USERID actually has). This is the documented behavior.

And to expand on what I just wrote. If you then want to add a group based on userid, you have to make sure the group is defined before the group based on TSOAUTH(JCL) otherwise you can't get there from here.

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED]
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html
Re: More SDSF security questions
In TSO, I get this from the WHO command on the P390 user:

USERID=P390,PROC=DBSPROC,TERMINAL=LCL701,GRPINDEX=2,GRPNAME=ISFOPER,
MVS=z/OS 01.04.00,JES2=z/OS 1.4,SDSF=HQX7707,ISPF=5.2,RMF/DA=NOTACC,

and from batch:

USERID=P390,PROC=BATCH,TERMINAL=BATCH,GRPINDEX=3,GRPNAME=ISFUSER,MVS=z/OS 01.04
RMF/DA=NOTACC,SERVER=YES,SERVERNAME=SDSF,JESNAME=JES2,MEMBER=SYS1,SYSNAME=P390,

I tried a jobname of P390A and I still can only see the job that I'm running.

Arthur T. wrote:

On 25 Mar 2008 06:37:16 -0700, in bit.listserv.ibm-main (Message-ID:[EMAIL PROTECTED]) [EMAIL PROTECTED] (Rich Smrcina) wrote:
I tried PREFIX and I get COMMAND NOT AUTHORIZED.

You had given us the output of the WHO command in batch, but you never showed us the output from what you hope is the same userid in TSO. I suspect they're different.

As I mentioned in a related thread some time ago: Many years back I found out that the userid used to search the SDSF tables is *not* the RACF userid when done from batch. Instead, it's the jobname-minus-last-character. I had opened a PMR; I forget details of the response, but they basically said WAD.

So, give us the WHO from batch *and* TSO. If they're different, that explains a lot. Then try using a jobname of your userid plus one character and try again and let us know. I never did find out if IBM finally fixed this security problem.

--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service: 360-715-2467
rich.smrcina at vmassist.com
http://www.linkedin.com/in/richsmrcina

Catch the WAVV! http://www.wavv.org
WAVV 2008 - Chattanooga - April 18-22, 2008
Re: More SDSF security questions
Add ILPROC=BATCH to your ISFOPER group name parameters in ISFGRP and it should let you run batch jobs with your ISFOPER definitions for userid=P390.

Dennis

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Rich Smrcina
Sent: Tuesday, March 25, 2008 3:20 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: More SDSF security questions

In TSO, I get this from the WHO command on the P390 user:

USERID=P390,PROC=DBSPROC,TERMINAL=LCL701,GRPINDEX=2,GRPNAME=ISFOPER,
MVS=z/OS 01.04.00,JES2=z/OS 1.4,SDSF=HQX7707,ISPF=5.2,RMF/DA=NOTACC,

and from batch:

USERID=P390,PROC=BATCH,TERMINAL=BATCH,GRPINDEX=3,GRPNAME=ISFUSER,MVS=z/OS 01.04
RMF/DA=NOTACC,SERVER=YES,SERVERNAME=SDSF,JESNAME=JES2,MEMBER=SYS1,SYSNAME=P390,

I tried a jobname of P390A and I still can only see the job that I'm running.

Arthur T. wrote:

On 25 Mar 2008 06:37:16 -0700, in bit.listserv.ibm-main (Message-ID:[EMAIL PROTECTED]) [EMAIL PROTECTED] (Rich Smrcina) wrote:
I tried PREFIX and I get COMMAND NOT AUTHORIZED.

You had given us the output of the WHO command in batch, but you never showed us the output from what you hope is the same userid in TSO. I suspect they're different.

As I mentioned in a related thread some time ago: Many years back I found out that the userid used to search the SDSF tables is *not* the RACF userid when done from batch. Instead, it's the jobname-minus-last-character. I had opened a PMR; I forget details of the response, but they basically said WAD.

So, give us the WHO from batch *and* TSO. If they're different, that explains a lot. Then try using a jobname of your userid plus one character and try again and let us know. I never did find out if IBM finally fixed this security problem.

--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service: 360-715-2467
rich.smrcina at vmassist.com
http://www.linkedin.com/in/richsmrcina

Catch the WAVV! http://www.wavv.org
WAVV 2008 - Chattanooga - April 18-22, 2008
Re: More SDSF security questions
I'm trying to override an existing definition. Can I not do that? Do I need to create my own?

Mark Zelden wrote:
The biggest problem I have found with batch is that many shops have SDSF security set up (from the default/sample parms) based on TSO authorities (JCL, OPER, ACCT) and TSOAUTH is automatically set to JCL for a batch SDSF job (regardless of what authorities the USERID actually has). This is the documented behavior.

And to expand on what I just wrote. If you then want to add a group based on userid, you have to make sure the group is defined before the group based on TSOAUTH(JCL) otherwise you can't get there from here.

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED]
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html

--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service: 360-715-2467
rich.smrcina at vmassist.com
http://www.linkedin.com/in/richsmrcina

Catch the WAVV! http://www.wavv.org
WAVV 2008 - Chattanooga - April 18-22, 2008
Re: More SDSF security questions
I'm not sure I understand the question. If you are using parms similar to hlq.SISFJCL(ISFPRM00) and want to do something in batch based on userid, then you will have to add the group prior to the groups defined in those parms (or at least prior to the ISFUSER group) since the first match is what is used and any batch job will match on TSOAUTH(JCL).

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED]
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html

On Tue, 25 Mar 2008 15:38:12 -0500, Rich Smrcina [EMAIL PROTECTED] wrote:
I'm trying to override an existing definition. can I not do that? Do I need to create my own?

Mark Zelden wrote:
The biggest problem I have found with batch is that many shops have SDSF security set up (from the default/sample parms) based on TSO authorities (JCL, OPER, ACCT) and TSOAUTH is automatically set to JCL for a batch SDSF job (regardless of what authorities the USERID actually has). This is the documented behavior.

And to expand on what I just wrote. If you then want to add a group based on userid, you have to make sure the group is defined before the group based on TSOAUTH(JCL) otherwise you can't get there from here.

Mark
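Added example, not part of the thread and not SDSF code: a simplified Python model of the first-match group selection described in the message above, showing why the batch job lands in ISFUSER and why a userid-based group only helps when it is defined first. The TSOAUTH criteria are assumed from the sample ISFPRM00, the user's TSO authorities (JCL, OPER) are assumed, and the P390BAT group is hypothetical.

```python
# Simplified model of SDSF group selection (added example, not SDSF code).
# TSOAUTH criteria are assumed from the sample ISFPRM00; P390BAT is hypothetical.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Group:
    name: str
    tsoauth: frozenset = frozenset()        # authorities the session must hold
    userids: Optional[frozenset] = None     # None = no userid restriction

    def matches(self, session):
        if self.userids is not None and session["userid"] not in self.userids:
            return False
        return self.tsoauth <= session["tsoauth"]

def session_for(userid, tso_authorities, batch):
    # Per the thread: a batch SDSF job always gets TSOAUTH=JCL,
    # regardless of what authorities the userid actually has.
    auth = {"JCL"} if batch else set(tso_authorities)
    return {"userid": userid, "tsoauth": frozenset(auth)}

def select_group(groups, session):
    """First match wins; returns (GRPINDEX, GRPNAME) or None."""
    for index, group in enumerate(groups, start=1):
        if group.matches(session):
            return index, group.name
    return None

SAMPLE = [
    Group("ISFSPROG", frozenset({"JCL", "OPER", "ACCT"})),
    Group("ISFOPER", frozenset({"JCL", "OPER"})),
    Group("ISFUSER", frozenset({"JCL"})),
]
BY_USERID = Group("P390BAT", userids=frozenset({"P390"}))  # hypothetical group

def demo():
    tso = session_for("P390", {"JCL", "OPER"}, batch=False)   # assumed authorities
    bat = session_for("P390", {"JCL", "OPER"}, batch=True)
    return {
        "tso": select_group(SAMPLE, tso),
        "batch": select_group(SAMPLE, bat),
        "batch_group_last": select_group(SAMPLE + [BY_USERID], bat),
        "batch_group_first": select_group([BY_USERID] + SAMPLE, bat),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {result}")
```

The `tso` and `batch` results reproduce the GRPINDEX and GRPNAME values in the two WHO outputs posted in the thread.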
More SDSF security questions
With last week's SDSF security questions, I have to chime in with my issue.

I'm submitting an SDSF DA command via REXX in batch:

    /* work files for batch SDSF: ISFOUT = output, ISFIN = commands */
    "ALLOC F(ISFOUT) RECFM(F B A) LRECL(121) NEW UNIT(VIO) ",
          "DELETE CYLINDERS SPACE(1,1) REUSE DSORG(PS)"
    "ALLOC F(ISFIN) RECFM(F B) LRECL(80) NEW UNIT(VIO) ",
          "DELETE CYLINDERS SPACE(1,1) REUSE DSORG(PS)"
    in.1 = "DA"
    in.0 = 1
    /* write the command list, run SDSF, read its output into SDSF. */
    "execio * diskw isfin (STEM IN. finis)"
    address linkmvs "SDSF"
    "execio * diskr isfout (STEM SDSF. finis)"
    "FREE F(ISFIN ISFOUT)"

I read sdsf. for the output.

This essentially works, the problem is that when I run this in batch I only see myself. If I run this in TSO I can see all of the executing jobs on the system. I would like to be able to see all of the jobs when I run this in batch as well.

Using the ISFPRM00 IUID, etc., I've tried various combinations of the procname (BATCH), the jobname and username (based on the output of the SDSF WHO command). All with no joy.

Does anyone have any other suggestions?

--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service: 360-715-2467
rich.smrcina at vmassist.com
http://www.linkedin.com/in/richsmrcina

Catch the WAVV! http://www.wavv.org
WAVV 2008 - Chattanooga - April 18-22, 2008