Re: [External] Re: Filemanager and security

List,

Just a follow-up on this to let those involved in responding to me know that I didn't forget to reply back, but I got pulled onto more critical issues and haven't been able to get back to this. Once I get it resolved I'll actually post what the resolution was - most likely self-inflicted...

Rex
Re: [External] Re: Filemanager and security

From: Pommier, Rex
Sent: Wednesday, April 18, 2018 10:01 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [External] Re: Filemanager and security

Hey Russell,

I think we're on a different wavelength. :-) As best I can tell, CA1 is doing exactly what it should do. My comments earlier on the 17 character limit were referring to the fact that without a TMS of some flavor, the only thing protecting a tape dataset is the DSN on the tape label, which can only be 17 characters, so by necessity that's all the system can check.

My test with shorter DSNs was simply taking my 35 (or so) character tape dataset and trying to convince FileManager to let me look at the tape by removing the HLQ of the DSN within FM. CA1 did exactly what I hoped it would do, comparing the DSN the TMS said was supposed to be on that tape with what FM was telling CA1 was on the tape. CA1 rightly said the DSNs didn't match and it rejected the tape request.

The DSN recorded in CA1 when the tape was created was HIGHQUAL.SECONDLQ.MORE.STUFF.G0005V00 (36 characters if I counted right), the tape label only has RE.STUFF.G0005V00 on it, so I tried to convince FM to allow me to read SECONDLQ.MORE.STUFF.G0005V00 and CA1 said "nope".

My FM tests were all performed using ISPF so no batch jobs involved, but ISPF was displaying the correct DSNs. FUNC option is set to NO, but I was also telling FM to use SL tapes and not BLP.

Thanks,

Rex
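A worked illustration of the label-versus-TMS comparison Rex describes above, added here as an example and not part of the thread. The data set names and the 17-character label field come from his message; the collision audit helper is an addition that assumes a standard-label (SL) HDR1 data set identifier of 17 characters.

```python
from collections import defaultdict

# Length of the data set identifier field in an IBM standard-label (SL)
# HDR1 tape label: only the last 17 characters of a DSN fit on the tape.
LABEL_LEN = 17


def label_dsn(dsn: str) -> str:
    """Return the part of a data set name that is written to the tape label."""
    return dsn[-LABEL_LEN:]


def label_only_check(requested_dsn: str, label_on_tape: str) -> bool:
    """Without a TMS, all OPEN can verify is that the tail of the requested
    name matches the 17-character identifier on the HDR1 label."""
    return label_dsn(requested_dsn) == label_on_tape


def tms_mount_check(requested_dsn: str, recorded_dsn: str) -> bool:
    """What a tape management system adds: the full name recorded when the
    volume was created must equal the full name being requested for it."""
    return requested_dsn == recorded_dsn


def label_collisions(recorded_dsns):
    """Audit helper (added, not from the thread): group recorded tape DSNs
    that share the same 17-character label tail. Each such group is a set of
    data sets the label alone cannot tell apart, so their separation rests
    entirely on the TMS comparison of the full name."""
    groups = defaultdict(list)
    for dsn in recorded_dsns:
        groups[label_dsn(dsn)].append(dsn)
    return {tail: names for tail, names in groups.items() if len(names) > 1}


def replay_thread_test():
    """Replay the experiment from the thread: the DSN recorded by CA 1, the
    tail that actually sits on the label, and the shortened name requested."""
    recorded = "HIGHQUAL.SECONDLQ.MORE.STUFF.G0005V00"   # DSN recorded by CA 1
    requested = "SECONDLQ.MORE.STUFF.G0005V00"           # HLQ dropped in FM
    on_tape = label_dsn(recorded)                        # "RE.STUFF.G0005V00"
    return {
        "label_on_tape": on_tape,
        "label_only_accepts": label_only_check(requested, on_tape),
        "tms_accepts": tms_mount_check(requested, recorded),
    }


if __name__ == "__main__":
    print(replay_thread_test())
    # Constructed inventory: two unrelated tape data sets whose names end in
    # the same 17 characters are indistinguishable by label alone.
    inventory = [
        "HIGHQUAL.SECONDLQ.MORE.STUFF.G0005V00",
        "PAYROLL.SECONDLQ.MORE.STUFF.G0005V00",
        "HIGHQUAL.GL.DETAIL.G0003V00",
    ]
    for tail, names in label_collisions(inventory).items():
        print(f"label {tail!r} is shared by: {names}")
```

Running it against a real TMS inventory export shows which tape data sets would be ambiguous if the TMS check were ever bypassed (for example via BLP or the CA 1 98000 bypass discussed later in the thread).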
Re: [External] Re: Filemanager and security

From: Russell Witt
Sent: Tuesday, April 17, 2018 8:45 PM
To: 'IBM Mainframe Discussion List'
Cc: Pommier, Rex
Subject: RE: [External] Re: Filemanager and security

Rex,

If the DSN is less than 17 characters and CA 1 rejects it, I am wondering if Filemanager is dynamically adding an extra HLQ before doing the OPEN and has 98000 specified to bypass the tape management system. If you look at the job that ran successfully, what DSN was actually allocated? Was it the correct name?

And when you say that CA 1 rejects the access when the DSN is less than 17 characters, what exactly is the rejection message?

Lastly, is the FUNC option enabled (YES or EXT) within CA 1? This would allow you to control who can use 98000 to bypass CA 1.

Russell Witt
CA 1 Development
Re: [External] Re: Filemanager and security

From: Pommier, Rex
Sent: Monday, April 16, 2018 1:23 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [External] Re: Filemanager and security

Hi Bob,

Sorry for the delay. RACF is showing "TAPE DATA SET PROTECTION IS ACTIVE". CA-1 won't allow me to browse the tape using FM if I shrink the DSN or change it to something other than what is recorded in TMS. ICHBLP is defined with UACC(NONE) and no users in the access list.

Thanks,

Rex

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Robert S. Hansel (RSH)
Sent: Friday, April 13, 2018 5:30 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [External] Re: Filemanager and security

Hi Rex,

How have you activated tape protection in your environment - SETROPTS, PARMLIB(DEVSUPxx), or a Tape Management product option? What Tape Management product do you have?

Not that this may matter, but does your ID have READ access to FACILITY ICHBLP or your Tape Management product's equivalent? If it does, have you tried the function with an ID that does not have this access?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
*** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
https://twitter.com/RSH_RACF
www.rshconsulting.com
Re: [External] Re: Filemanager and security

Granted only the last 17 characters of the DSN are on the tape, so if you know the volser, you could possibly bypass DSN checking, but if your tape management system has any smarts, it should stop that. I just tried to get at the dataset on tape dropping the HLQ to bypass DSN checking and the TMS did the check and failed the mount due to mismatched DSNs between my request and what it recorded as being on the tape.
Re: [External] Re: Filemanager and security

From: Allan Staller
Sent: Thursday, April 12, 2018 8:18 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [External] Re: Filemanager and security

IMO this is APARable. This is a security hole. Even if you have the function access in FM, the dataset access should also be checked.
Re: [External] Re: Filemanager and security

From: Pommier, Rex
Sent: Thursday, April 12, 2018 8:08 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [External] Re: Filemanager and security

Hi Kolusu,

Unfortunately that doesn't do it. According to the FileManager documentation - which I verified on my system - granting any kind of access (read, update, alter, it doesn't matter) either grants you access to the function or denies it (access=none). For example, if I grant READ access to FILEM.TAPE.OUTPUT, I have access to update tapes. Likewise if I grant ALTER access to FILEM.TAPE.INPUT, all that gives me access to is tape browse type functions like tape browse and tape label display. These are just toggles to the function within FileManager.

The problem that I am running into is that, for example, if I have 2 production datasets on tape, one with GL information and the other with the payroll information on it, and I need to grant an accountant access to the GL information but not the payroll, it appears that I can't. It looks like FileManager doesn't check dataset level access. Once I grant access to FILEM.TAPE.INPUT, a user can browse data on any tape on the system, regardless of whether they have access at a dataset level or not. I'm hoping I just have something set wrong, but I can't seem to get FileManager to look at dataset level RACF protection on tapes.

As I mentioned earlier, I have a mixed GDG, with some generations on disk and others on tape. If I grant an ID access to the TB function, whether through FILEM.FUNCTION.TB or through the grouping profile FILEM.TAPE.INPUT, I can look at the data on the tape, even though I can't look at the other generation that's on disk through FileManager.

Test I just reran this morning. GDG with 5 generations, 4 on disk, 1 on tape.

ISPF edit on one of the disk based generations: I got RACF security violation, ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
Filemanager option 2 edit on the same generation as ISPF: ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
Filemanager option 4.1, Tape Browse: FILEM.FUNCTION.TB CL(FACILITY) ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

Change FILEM.FUNCTION.TB to give me READ access to the FACILITY profile

Filemanager option 4.1: I got access to browse the data
Filemanager option 2 with the tape generation: I got access.

Looks like it's time for a question to IBM FM folks to see if this is WAD. In my mind, this is a security hole.

Rex

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Sri h Kolusu
Sent: Monday, April 09, 2018 4:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [External] Re: Filemanager and security

Pommier Rex,

I believe you need to update the following functions

FILEM.TAPE.INPUT      Tape input functions
FILEM.TAPE.OUTPUT     Tape output functions
FILEM.TAPE.DUPLICATE  Tape copy functions
FILEM.TAPE.UPDATE     Tape update functions

If you are only allowing browse function of the tape dataset then you need to do something like this

PERMIT FILEM.TAPE.INPUT CLASS(FACILITY) ID(userid) ACCESS(READ)

Check this link which explains in detail about the function
https://www.ibm.com/support/knowledgecenter/en/SSXJAV_13.1.0/com.ibm.filemanager.doc_13.1/cust/secracf.html

Thanks,
Kolusu

IBM Mainframe Discussion List wrote on 04/09/2018 12:10:19 PM:

> From: "Pommier, Rex"
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 04/09/2018 12:11 PM
> Subject: Filemanager and security
> Sent by: IBM Mainframe Discussion List
>
> Hello list,
>
> I've been poring through the FileManager manuals and either am missing something or it doesn't exist regarding security. We're running FM 13.1 under ISPF so non-APF authorized. I needed to grant the capability for browsing tape datasets to a developer. I did this granting READ access to FILEM.FUNCTION.TB. This granted the access to the tape browse function. However, it appears that FileManager bypasses dataset name SAF checking if the user has access to the TB function. To wit: a particular GDG has a mix of tape and disk generations. I specifically denied access to this GDG to my ID. I get a RACF violation when trying to browse the disk based generation, but FileManager allows me to use TB to look at the tape generation. Is this WAD or am I missing some setting that tells FM to do dataset name SAF checking as well as FM function checking?
>
> TIA,
>
> Rex