RSCS in the base VM

2010-06-23 Thread Paul Nieman
We are running z/VM Version 4.3.  What functionality of RSCS was
included in the base at that point?  Where can I go to find this?

Paul Nieman


Re: Hi everybody

2010-02-08 Thread Paul Nieman
I used to enjoy class A privs.  I put SET PRIVCLASS -A in my PROFILE.

- SET PRIVCLASS is an auditable event and I didn't want to explain to
the Security staff why I used it so much.  If you have the privilege to
begin with, no audit record was cut.  Start out with anything that you
are entitled to, and trim it back with the means at your disposal.
- I don't want to become the System Operator, which you become eligible
for if you are Class A at the time the Sysoper gets logged off.  (In
olden days, we never had that problem since we ran OPERATOR disconnected
running reliable PROP and Operators could not log on (AUTOONLY).  But
after outsourcing, that was changed so that OPERATOR ran a vendor
product, Operators logged onto the OPERATOR id, and occasionally I have
seen the OPERATOR id mysteriously not logged on.)

Paul Nieman

On Thu, 2010-02-04 at 12:53 -0800, Schuh, Richard wrote:
 For any user who doesn't have class C, Set priv is not a security
 concern at all. They cannot go outside their directory classes. All
 they can do is remove an existing class or restore it. The real
 security concern is the Directory Class C, not the user's ability to
 use SET PRIV. One must be very cautious about granting that privilege
 class.
  
 Regards, 
 Richard Schuh 
 
 __
 From: The IBM z/VM Operating System
 [mailto:ib...@listserv.uark.edu] On Behalf Of Scott Rohling
 Sent: Thursday, February 04, 2010 12:07 PM
 To: IBMVM@LISTSERV.UARK.EDU
 Subject: Re: Hi everybody
 
 
 
 Yes - as you parenthetically alluded to  - allowing SET
 PRIVCLAS is a feature you have to enable..   some customers
 see a command like SET PRIVCLAS as a security breaker..   It
 depends on how strict and how much 'separation of duty' is
 built into their security policies.   Anyone with class C and
 SET PRIVCLAS feature enabled is essentially an all-powerful
 user, period.
 
 Scott
   
 
 On Thu, Feb 4, 2010 at 12:12 PM, zMan zedgarhoo...@gmail.com
 wrote:
 On Thu, Feb 4, 2010 at 1:44 PM, Schuh, Richard
 rsc...@visa.com wrote:
 It isn't a matter of trust, it is a matter of
 minimizing the risk of an accidental SHUTDOWN.
 Here MAINT does not have class A; however it
 does have class C. That allows it to use the
 SET PRIV * +A in order to issue class A
 commands such as Q CPDISKS, CPRELEASE and
 CPACCESS. By requiring that extra step of the
 SET PRIV, it heightens the awareness of the
 person to the fact that they now have
 extraordinary capabilities and
 responsibilities.
 
 
 Exactly. I'd argue that best practices (a term I
 hate) has even MAINT doing a CP SET PRIVCLAS * =BEG
 (unless that's disabled, of course) in its PROFILE
 EXEC, and then using a CLASS EXEC for privileged
 commands:
  CLASS A SHUTDOWN
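
A sketch of the CLASS EXEC idea described above, added here as an illustration; it is not code posted by anyone in this thread. It assumes the PROFILE EXEC has already issued CP SET PRIVCLAS * =BEG, that the SET PRIVCLASS feature is enabled, and that the user has directory class C where the requested class is not in its own directory entry. The variable names and the exit code 24 are hypothetical choices.

```rexx
/* CLASS EXEC - run one CP command with one extra privilege class.   */
/* Usage:  CLASS A SHUTDOWN                                          */
/* Hypothetical sketch; only the SET PRIVCLASS forms quoted in the   */
/* thread (+class and =classes) are used.                            */
address command

baseline = 'BEG'        /* assumption: classes set by PROFILE EXEC   */
valid    = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ123456'

parse arg cls cmd
cls = translate(cls)    /* upper-case the class letter only          */
cmd = strip(cmd)

/* Exactly one class per invocation, and a command is mandatory, so  */
/* the elevation never outlives a single deliberate request.         */
if length(cls) <> 1 | verify(cls, valid) <> 0 | cmd = '' then do
  say 'Usage: CLASS class cp-command   (one class, A-Z or 1-6)'
  exit 24
end

/* Raise. Each SET PRIVCLASS is an auditable event, so the audit     */
/* trail shows when the extra class was taken and when it was given  */
/* back.                                                             */
'CP SET PRIVCLASS * +'cls
if rc <> 0 then do
  say 'SET PRIVCLASS * +'cls 'failed, rc='rc'; command not issued.'
  exit rc
end

/* Run the privileged command and remember its return code.          */
'CP' cmd
cmdrc = rc

/* Always fall back to the baseline, even when the command failed.   */
/* Using =baseline rather than -class keeps a class that is part of  */
/* the baseline (for example CLASS G ...) from being removed.        */
'CP SET PRIVCLASS * ='baseline
if rc <> 0 then
  say 'Warning: could not return to classes' baseline', rc='rc

exit cmdrc
```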
 
 
 


Re: Switching between Xedit screens.

2008-11-24 Thread Paul Nieman
Looking at the original stated problem, 'not enough text showing', I'm 
wondering if you can't see enough at one time, or is it just too slow moving 
through many lines.  A few solutions come to mind, depending upon your need.


Increase screen size:
You can change the model of the screen to display more than the standard 24 x 
80 screen size.  I don't know if you've tried this, and it has been discussed 
in the past, so I won't pursue it.

Show the lines of two screens a little differently, vertically:
Instead of 'screen 2', try 'screen 2 v'.  This displays the two files side by 
side, with a full set of lines showing, albeit only half of each line.  
Sometimes, that is a good way to see more of the files at the same time, 
sometimes better for comparing them.  (This depends upon what you are trying to 
see or do, so as a solution, it might not fit for you, but it might for others 
reading this.)

Work more efficiently with the keyboard - !:
No, I'm not cursing.  You can prefix x with an ampersand, thus '&x'.  The 
command will be redisplayed in the command area when you return.  If you do 
this on both screens, you can toggle back and forth between screens every time 
you hit enter.  Now, combine using the ampersand with two screens, and although 
you may not see a lot of lines at the same time, you can page through two files 
simultaneously, rapidly, with little keystroke effort.  Hence, after 'screen 
2', type '&fo' (or maybe '&n5') on both command lines, and hitting enter will 
page down both files at the same pace.  Of course, it can be used with 'screen 
2 v' as well.  And locally, we have a macro with which we can do 'compare' to 
find the next lines that aren't the same.  'locate /...' (or '/...') works 
well also.  I like something like '&/.../#-2' followed by inserting '+2#' after 
the ampersand, thus paging through the file with '&+2#/.../#-2', finding '...' 
but showing a couple lines above it.  (I know there are other ways to do this.)


Paul Nieman
  - Original Message - 
  From: Howard Rifkind 
  To: IBMVM@LISTSERV.UARK.EDU 
  Sent: Friday, November 21, 2008 12:48 PM
  Subject: Switching between Xedit screens.


  Hello all,

  I first Xedit one file then Xedit a second file, now there is one up front and one in the background.

  I don't want to do a 'screen 2' because it's too small, not enough text showing.

  How do I flip between the two screens?  There has to be an easy way to do this.

  Thanks.





Re: X Disk in SFS

2008-02-22 Thread Paul Nieman
I agree with not using a maintenance id, MAINT, or even the canned SFS 
servers.  But this depends a little upon how varied the site is from vanilla 
VM.  But you sound like you want to get your feet wet also, so a little 
playing around is called for.


Your original question does not tell what the tools are for or where they 
come from, but I'm supposing that they are local, not IBM or other vendor. 
Even if they are, I wouldn't put files available to production users into a 
directory owned by MAINT (I wouldn't put the production S-disk on a minidisk 
owned by MAINT either ;-).  You can then separate what gets upgraded when 
system changes occur.  Makes for a better test environment too.


So, I would create a global filepool called 'MYCOMPNY' in a server id called 
VMSFS001, and create a filespace within that called 'PUB', and create a 
directory under that '.TOOLS'.  Then I would 'GRANT AUTH MYCOMPNY:PUB.TOOLS 
TO PUBLIC (READ NEWREAD', and finally modify SYSPROF to 'ACCESS 
MYCOMPNY:PUB.TOOLS X'.  I might be inclined to change the access filemode to 
something right before the S-disk, maybe O, or P.  BTW, there is no need for 
the PUB filespace to exist as a user.  In fact, I would avoid it.


So, while I would create another VM, it would be to host a new SFS filepool 
for production.  It would be global, though your site might not care.  This 
should safely get your feet wet.  That is, you can play with the SFS server 
to your heart's content, until you put it in SYSPROF.  By then, you should 
have all your backup and recovery capabilities in place.  You should 
probably create an SFS server called VMSFS002 for a filepool TSCOMPNY for 
testing.


You get to pick better names.

Others have posted about DIRCONTROL and XC and an exit in SYSPROF, all good 
points, so you can see there are issues to read up on before you put that 
ACCESS in SYSPROF.  Another issue is where to put the startup of VMSFS001; 
early in the IPL process!


Last, and maybe most important, be sure you know how you are doing your 
backups and recovery.  There are different (vendor) solutions, and a 
thorough understanding is important because SFS is different than minidisks. 
Maybe practice recovering from VMSFS002 to VMSFS003 (named RECOMPNY).


- Original Message - 
From: Gentry, Stephen [EMAIL PROTECTED]

To: IBMVM@LISTSERV.UARK.EDU
Sent: Friday, February 22, 2008 11:15 AM
Subject: Re: X Disk in SFS


You've got some catchin' up to do.  8-)
I would not use MAINT as a file space. Reason being, when new releases
of VM come out, you'll have to worry about backing your stuff up and
reloading it.
Taken literally, no need to set up another Virtual Machine (I take this
to mean install VM again and run it 2nd level or perhaps in an LPAR)
either.  You can define another VM user, and define SFS space to it.
Then grant access to that space, those users who need it.
I've glossed over the details and can provide them if you like.

Steve G.

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Fox Blue
Sent: Friday, February 22, 2008 11:04 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: X Disk in SFS

Dear all,

I am currently busy to understand the capabilities of SFS. Started in the
late 80ies as system programmer we had VM/SP but there was no SFS. Since one
year I am working on a z/VM installation and have to catch up with all the
new facilities in VM.

I am wondering what would be best approach to define an X Disk in the SFS. I
mean, normally one puts the files accessible to all users on a mini disk
that everybody can access.

How can you do that with SFS?  Should it be a directory in the file space of
MAINT or should I define an extra Virtual Machine for that? What would be
the most common way of achieving this?

Thanks very much in advance.

Fox 


Re: How comments treated by DIRMAINT

2008-02-16 Thread Paul Nieman
There is actually a tool that does a fair 
job of recreating the source directory from the object directory.  It actually 
won't put PROFILEs back in, or INCLUDEs, or comments, but can put all object 
parts back to their source equivalents.  The DIRENT tool (in the VM download 
packages) does this, though when I last looked, it wasn't up to date.  I 
maintained it locally to provide what was missing.  Alas, I no longer have 
access...

The nice thing about this tool for me was for viewing of several reference 
systems (and for disaster recovery and a few other cases).  A frontend exec 
took a parameter for which system I was curious about, linked to the disk with 
the desired DRCT space, and displayed in XEDIT whatever source I wanted.  
DIRENT was most often used on a particular USER, but it had the option to 
view/rebuild the entire DRCT.  Reading the object directory was fast and there 
was no need to wait for a maybe busy DIRMAINT to return a GET, no spool space 
taken up, no temporary clutter in my reader, especially, no need to even bring 
up the second level system;  just show me what I want.  It is possible to see 
the first level from the second level, given a RR link back upward.  Or 
sideways.

Security and outdatedness (though not sure where it stands now) aside, a nice 
tool.

I agree about no purpose for comments in the object directory.  The audience 
for querying the directory seems small, just system programmers, who can get to 
comment/informational references some other way.  General users on our system 
never needed to see comments.  Oh, well, we had an elaborate frontend to 
DIRMAINT that provided users the same thing, as part of billing information 
that they entered when they requested their own minidisks!  But this data 
wasn't stored in the source directory, and querying was built into that 
frontend.  And system disks were never considered or treated like user 
minidisks.  Two tools for two audiences is OK.

Now, if IBM were to add a versatile frontend to DIRMAINT, that could be useful. 
 All kinds of metadata COULD be useful for different sites.  But I imagine that 
SFS features and declining use of VM by end-users would reduce the market for 
such a tool.  (Actually, the billing-oriented tool was built before the DIRM 
SAPI interface, which would have made it easier.)  I imagine that an ESM could 
be a good place to store metadata (some is already).  And maybe Accounting 
packages could be integrated with the ESM to use the metadata.  So maybe a 
vendor could run with this, and IBM can develop what they see as more strategic 
to VM.

On 2/11, RPN01 said...
snip
Second, someone mentioned comments taking space in the object directory... My 
impression / hope would be that comments would be stripped from the information 
before building the object directory, since there is no actual purpose for them 
there, and there isn't a convenient tool to take an object directory and turn 
it into a source directory. Are the comments actually left in the object 
directory? If so, MAINT is one of the worst offenders, leaving in the hundreds 
of links that it uses during the installation as comments.
snip

Re: Time Change

2006-03-28 Thread Paul Nieman

snip
individually. We have a wide variety of z/OS, Linux and CMS based apps and
only a couple of ancient ones have an issue (PROP gets cranky). Springing
/snip

Why would PROP get cranky? PROP
doesn't wake up on timed events, but on messages. If there is any
problem with PROP, it would probably be with the coding of the action routines,
or some handoff between the action routines if they kept GLOBALV variables
with timestamps. But PROP itself should have no problem with the
SET TZ change. Is it more accurately the PROP-based apps that are
cranky?

Towers Perrin has run PROP for years
and, though Towers Perrin IPLs shortly after the new time is in effect,
they do SET TZ before the IPL, and never saw any problem with several PROP
machines (though they were recycled with the IPL and hence didn't stay
up real long after).


Thanks,
Paul Nieman
EDS
484 997-1080 (work)
888 389-6892 (pager)



