RACF and access to minidisk
Dear all,

Just a question regarding z/VM RACF protection of access to a minidisk. A LINUX guest tries to access another minidisk which is protected by a RACF profile. It is not authorized to link the minidisk and the link request fails. When I authorize that guest on the RACF profile the link still fails until I LOGOFF/LOGON the LINUX guest. It seems that the permission list of the profile remains in the storage.

Maybe a stupid question, but how can I refresh the access authority without recycling the LINUX guest?

Thank you very much in advance,
Kind regards,
Florian
Re: RACF and access to minidisk
Use:

rac setropts raclist(vmmdisk) refresh

On 04/12/2011 06:02 AM, Florian Bilek wrote:
> [original question quoted above]

--
Rich Smrcina
Velocity Software, Inc.
http://www.velocitysoftware.com
Catch the WAVV! http://www.wavv.org
WAVV 2011 - April 15-19, 2011 Colorado Springs, CO
Re: RACF and access to minidisk
It depends on the setup of RACF. More in particular: if the VMMDISK class is RACLISTed or not. For RACLISTed classes, RACF keeps the permissions in storage; hence, if you issue a RAC PERMIT, you must explicitly tell RACF to refresh the in-storage permissions (that's the SETROPTS Rich mentions). Most installations will not RACLIST the VMMDISK class... Issue RAC SETROPTS LIST to see what is RACLISTed in your installation.

Anyhow, I doubt that recycling a guest would solve a RACLIST refresh problem.

2011/4/12 Rich Smrcina r...@velocitysoftware.com
> Use: rac setropts raclist(vmmdisk) refresh
>
> On 04/12/2011 06:02 AM, Florian Bilek wrote:
> > [original question quoted above]

--
Kris Buelens, IBM Belgium, VM customer support
Re: RACF and access to minidisk
On Tuesday, 04/12/2011 at 07:03 EDT, Florian Bilek florian.bi...@gmail.com wrote:
> [original question quoted above]

RACF permissions may be in storage (RACLISTed) but they aren't in the storage of the affected guests; they are in the RACFVM virtual machine. Recycling some other guest has no effect on RACF permissions.

You would have to post the command you issued, the error message, and an RLIST ALL of the relevant VMMDISK profile.

Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile; 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
Re: RACF and access to minidisk
Dear all,

Thanks for the feedback.

1.) The VMMDISK class is NOT RACLISTED.
2.) The profile looks as stated below.
3.) I added LINADM to the permission list.
4.) Before LINADM was recycled, RACF told:

ICH408I USER(LINADM  ) GROUP(SYS1    ) NAME(##
  CLONSET4.201 CL(VMMDISK )
  INSUFFICIENT ACCESS AUTHORITY
  FROM CLONSET4.* (G)
  ACCESS INTENT(ALTER  )  ACCESS ALLOWED(READ   )

5.) After I logged off LINADM and restarted, everything was working fine.

Kind regards,
Florian

rac rlist vmmdisk clonset4.* all

CLASS      NAME
-----      ----
VMMDISK    CLONSET4.* (G)

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    LINUX      NONE              ALTER        NO

INSTALLATION DATA
-----------------
NONE

APPLICATION DATA
----------------
NONE

SECLEVEL
--------
NO SECLEVEL

CATEGORIES
----------
NO CATEGORIES

SECLABEL
--------
NO SECLABEL

AUDITING
--------
FAILURES(READ)

NOTIFY
------
NO USER TO BE NOTIFIED

CREATION DATE  LAST REFERENCE DATE  LAST CHANGE DATE
(DAY) (YEAR)        (DAY) (YEAR)       (DAY) (YEAR)
-------------  -------------------  ----------------
 241   09            241   09          241   09

ALTER COUNT  CONTROL COUNT  UPDATE COUNT  READ COUNT
-----------  -------------  ------------  ----------
NOT APPLICABLE FOR GENERIC PROFILE

USER      ACCESS
----      ------
MAINT     ALTER
SYSPROG   ALTER
LINUX     READ
LINADM    ALTER

   ID    ACCESS   CLASS   ENTITY NAME
   --    ------   -----   -----------
NO ENTRIES IN CONDITIONAL ACCESS LIST

Ready; T=0.01/0.01 18:56:26
Re: RACF and access to minidisk
On Tuesday, 04/12/2011 at 01:02 EDT, Florian Bilek florian.bi...@gmail.com wrote:
> [points 1.) to 5.) and the ICH408I message quoted above]

Oh. Generics. Well. That's a horse of a different color.

Do you have SETROPTS GENLIST(VMMDISK) in effect? Even if you don't, I think a user's access to a resource granted under is cached as a temporary quasi-discrete profile attached to the user's ACEE. This includes their allowed access level. If you change permissions on the generic profile, the cached entry is not changed.

You have two choices:
1. Logoff/Logon the user (recreates the ACEE)
2. SETROPTS GENERIC REFRESH

I haven't verified this via testing.

Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile; 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
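Pulling the thread's diagnosis together as a small added checker (example code written for this page, not from any of the posters or from IBM): it parses the ICH408I message and the RLIST USER ACCESS list quoted above, compares what the profile grants with the level RACF actually enforced, and names the refresh the thread points at. The GENERIC(class) REFRESH spelling and the `raclisted` flag are assumptions of the example (RAC SETROPTS LIST tells you the real RACLIST state), and Alan notes the generic-refresh fix is untested.

```python
import re

# Constructed sample input, copied from the ICH408I message and the
# RLIST USER ACCESS section posted in the thread.
ICH408I = """ICH408I USER(LINADM  ) GROUP(SYS1    ) NAME(##
  CLONSET4.201 CL(VMMDISK )
  INSUFFICIENT ACCESS AUTHORITY
  FROM CLONSET4.* (G)
  ACCESS INTENT(ALTER  )  ACCESS ALLOWED(READ   )"""

RLIST_ACCESS = """USER      ACCESS
----      ------
MAINT     ALTER
SYSPROG   ALTER
LINUX     READ
LINADM    ALTER"""

# Standard RACF access levels, weakest to strongest.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1).strip() if m else None

def parse_ich408i(msg):
    """Pull the user, resource, class, matching profile and access levels
    out of a (possibly multi-line) ICH408I INSUFFICIENT ACCESS message."""
    text = " ".join(msg.split())
    return {
        "user": _field(r"USER\(([^)]*)\)", text),
        "group": _field(r"GROUP\(([^)]*)\)", text),
        "resource": _field(r"(\S+)\s+CL\(", text),   # name just before CL(
        "class": _field(r"CL\(([^)]*)\)", text),
        "profile": _field(r"FROM\s+(\S+)", text),
        "generic": bool(re.search(r"FROM\s+\S+\s+\(G\)", text)),  # (G) marker
        "intent": _field(r"ACCESS INTENT\(([^)]*)\)", text),
        "allowed": _field(r"ACCESS ALLOWED\(([^)]*)\)", text),
    }

def parse_rlist_access(text):
    """Return {userid: level} from the USER / ACCESS block of RLIST output."""
    acl = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] in LEVELS:
            acl[parts[0]] = parts[1]
    return acl

def diagnose(msg, acl_text, raclisted=False):
    """Decide whether the profile itself denies, or a stale in-storage copy does,
    and list the refresh commands the thread suggests (assumed syntax)."""
    ev, acl = parse_ich408i(msg), parse_rlist_access(acl_text)
    granted = acl.get(ev["user"], "NONE")
    if LEVELS.index(granted) < LEVELS.index(ev["intent"]):
        return ["profile denies: PERMIT %s CLASS(%s) ID(%s) ACCESS(%s)"
                % (ev["profile"], ev["class"], ev["user"], ev["intent"])]
    fixes = []  # profile grants enough, so RACF enforced an older copy
    if raclisted:
        fixes.append("RAC SETROPTS RACLIST(%s) REFRESH" % ev["class"])
    if ev["generic"]:
        fixes.append("RAC SETROPTS GENERIC(%s) REFRESH" % ev["class"])
    return fixes or ["no cached copy expected; re-check the profile"]
```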