(Cross-posted to RACF-L and IBM-MAIN)
Greetings all,
The IBM Tivoli Output Manager (ITOM) User's Guide has the SAF resource name
for the administrator panel listed two different ways - one as MENU.ADMIN
and the other as MENU.ADMN. I'd like to know which of the two it really is.
If you can tell me
Greetings all, (cross-posted to IBM-MAIN & RACF-L)
I am once again updating my presentation on the FACILITY class and its many
resources. (If you are unfamiliar with my presentation, a copy is available
on our website via the RACF Center webpage.)
I've come across a set o
Our firm used to offer CA-Endevor consulting services, and the former lead of
our CA-Endevor practice implemented change control over system libraries at a
her former employer, an insurance firm as I recall. There was the expected
initial resistance by the systems staff, but once they got used t
Chris,
When IBM suggests UACC(NONE) for a system dataset, this is usually an indicator
the dataset contains security control information that should be kept secret.
In this particular case, it may have to do with options such as the ability to
specify clear text passwords with PRTCT= on VTAM AP
Richard,
DITTO.DISK.FULLPACK and DITTO.OTHER.ALL are the full names of these
resources. With the '.*' on the end of the two related profiles, the
profiles would only match a resource whose name had one or more additional
qualifiers, and so they would never match these two resources. Delete these
t
John,
Here is a note regarding these fields in the SDSF manual that may have a
bearing on this.
"SDSF uses the subsystem interface (SSI) when you overtype the C (JES output
class) or DEST (JES print destination name) on the JDS panel. You can change
the class or destination without releasing the
Subject: Re: RACF Resource Classes
Shmuel Metz (Seymour J.) wrote:
>I believe that the point at issue is what happens if you define ICHBLP in
>the FACILITY class but do not activate either the TAPEVOL class or DEVSUPxx
>TAPEAUTHDSN=YES.
Robert S. Hansel (RSH) wrote:
>>If you
-----Original Message-----
Date:Tue, 22 Feb 2011 07:05:54 -0500
From:"Shmuel Metz (Seymour J.)"
Subject: Re: RACF Resource Classes
In , on
02/22/2011
at 05:56 AM, "Robert S. Hansel (RSH)"
said:
>If y
-----Original Message-----
Date:Mon, 21 Feb 2011 09:22:30 -0500
From:Pinnacle
Subject: Re: RACF Resource Classes
----- Original Message -----
From: "Robert S. Hansel , RSH"
Newsgroups: bit.listserv.ibm-main
Sent: Monday, February 21, 2011 6:18 AM
Subject: Re: RACF Resource Classes
le within them.
Russell Witt
CA 1 L2 Support Manager
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Robert S. Hansel (RSH)
Sent: Saturday, February 19, 2011 6:05 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: RACF Resource Classes
Dennis,
Add
Tom,
CA-1's FORRES and NORNORES and the equivalent STGADMIN.EDG profiles for RMM
govern the use of DD statement parameter EXPDT=98000. Use of BLP is
controlled by FACILITY class resource ICHBLP with RMM and CA@APE class
resources BLPRES and BLPNORES with CA-1.
Dennis,
Very few installations full
Dennis,
Add CA Endevor, releases earlier than R12, to Sam's list of potential
TEMPDSN problem products. See article "TEMPDSN and CA-Endevor" in the April
2009 issue of our RSH RACF Tips Newsletter, a copy of which is available via
the following URL:
http://www.rshconsulting.com/racfres.htm
One r
Gadi,
Please tell us more about your environment and the jobs. Do you run JES2 or
JES3? If JES2, does each LPAR have its own spool and nodename or are all the
LPARs using a MAS shared spool with a single nodename? What security
software do you use (e.g., RACF)? Do all the LPARs share the same secu
John,
I believe RACF only uses single DES, not Triple DES.
Regards, Bob
Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
Barry & Jorge,
Barry, CREATE authority to a group will allow a user to create a dataset
with an HLQ matching the group name even when the user is permitted less
than ALTER access to the group's dataset profiles. CONNECT and JOIN
authority will do the same since they include CREATE authority. OPERA
Jorge,
It is not clear you fully understood Walt's advice. Assuming PR002 is a
group, try connecting T99CTM to it with USE authority (the default) as shown
below. This should prevent Control-M from creating the dataset. Before
testing, remove WARNING from the profile.
CO T99CTM GROUP(PR00
Alan,
As you surmised, you cannot use aliases or symbolics in PROGRAM class
profile ADDMEM library entries. You'll have to specify the fully-qualified
actual name.
In setting up PROGRAM profiles in support of Unix and BPX.DAEMON, you
probably created a catchall profile of * or **. Just add the li
Moira,
You may find our presentation titled "DFSORT & ICETOOL" helpful. You can
obtain a copy of the slides from our website at the following url:
www.rshconsulting.com/racfres.htm
Regards, Bob
Ted,
In those banking environments, did you protect or monitor the use of the
LISTDSD, RLIST, or SEARCH commands and their aliases? As discussed in the
October 2009 issue of our RSH RACF Tips newsletter, these commands offer a
wealth of information to a would-be hacker, and their use is not logged
Ulrich,
I believe they can cover both 7 and 8 character alphanumeric passwords in a
single rule of:
SETR PASSWORD( RULE1( LENGTH(7:8) ALPHANUM(1:8)))
Regards, Bob
Gil,
For datasets, the ICH408I message and associated SMF type 80 record will
show the Generic profile that was guarding the resource at the time of the
violation or warning. If they do not specify a profile, it is usually the
case that a Discrete profile (one exactly matching the name of the data
-----Original Message-----
Date:Wed, 10 Feb 2010 17:05:54 +0200
From: מתן כהן
Subject: Re: JES2 Rmt and Security Issue
No, but the databases are quite the same.
2010/2/10 Robert S. Hansel (RSH)
> Does the LPAR whe
Does the LPAR where it is failing share its RACF database with the LPARs
where it is working?
Regards, Bob
Penny,
The following somewhat dated manual has sample code for JES Exit 6 that
should do what you want.
GG66-3218 - RACF Security Administrator's Quick Reference
Regards, Bob
Pat,
To prevent all access to ISMF, you can either (a) put UACC(NONE) on the ISMF
program libraries or (b) create a profile such as DGT* in the PROGRAM class
with UACC(NONE) and add the ISMF program libraries as members to the
profile. The libraries will probably be named SYS1.DGTLLIB and SYS1.DGT
Ray,
I don't have an explanation for the panel, but this event raises an
interesting question. Do you leave your workstation logged on and unlocked
when you leave the office at night such that someone else could use it to
access the network and email system under your ID and authority and with you
John & Tony,
John, you could use JESJOBS to restrict the batch use of non-PROTECTED IDs.
If the user does not have READ access to a profile such as the one below,
the user would not be permitted to submit jobs having USER=OTHERID with
either the password or SURROGAT authority:
JESJOBS SUBMIT.*.*.
Mike,
If you have RACF as your z/OS security product, I suggest you investigate
the use of the SERVAUTH class.
Regards, Bob
Scott,
Is it possible that in the interim since you did the last process either
PROTECTALL was activated for the first time or a prior profile (e.g.
PAGE.**) existed that was deleted?
Regards - Bob
Jennifer,
Unfortunately, it is WAD. The ISMF programs do not use the FACILITY class
STGADMIN profiles for governing user authority. To control ISMF, you either
have to restrict access to the ISMF program library or restrict access to the
ISMF programs using PROGRAM class profiles. Some organizations
Jim,
If the new system has fewer profiles, one option might be to add the
profiles in the new database to the existing database, make an IRRUT200 copy
of the latter, and port the copy over to the new system. Regardless of how
and in what direction you copy the profiles, you'll need to consider the
Lucymarie,
Does this user have System-level AUDITOR authority or Group-level AUDITOR
authority? If you execute an LU command on her ID and "AUDITOR" appears in
the first couple of lines associated with ATTRIBUTES, she has System-level
AUDITOR and should be able to execute the command. If instead y
Mike Wood,
We have been taking a careful look at RACF protection for RMM resources,
specifically those protected by FACILITY class resources prefixed with
STGADMIN.EDG. Based on our review of the z/OS 1.10 manuals and limited
observed access activity, we've come to the following understanding as t
Dave,
Does the new ID have an OMVS segment with a UID?
Regards, Bob
Hal,
Is the problem that the users cannot get to the SR panel, or they can't act
on a message once they get there?
To get to the panel, they need READ access to SDSF class resource
ISFCMD.ODSP.SR.system. If they have access, SR System Requests should show
up on their SDSF Primary Option Menu when
Ron,
You may find the information on our website useful, particularly the RACF
newsletters, white papers, and presentations available via the RACF Center
page. You'll also find information about various RACF Users Groups which
might be close by. Here is the url:
http://www.rshconsulting.com
Rega
Mark,
One of my former clients had a Courion product (don't know if it was
PasswordCourier) that would send Windows password changes to its software
agent running on the mainframe to sync passwords. I believe it would also
optionally take a password change entered on the mainframe and propagate it
Greetings all,
We are removing unnecessary ALTER access permissions to catalogs in a RACF
protected environment. In investigating why certain users were using ALTER
access, we noticed that the number of times these users accessed the
catalogs at ALTER corresponded exactly with the number of times
Ituriel,
You may want to include the processing of 0205 User Group Connect Detail
Records. By relying solely on 0102 records, you will miss any connections to
Global groups.
Perhaps what you could do is process the 0205 records first to create the
group connects followed by the 0102 records to mo
If you can find a copy of the IBM publication GG66-3218-01 "RACF Security
Administrator's Quick Reference", March 1992, there is a sample JES Exit 6
in Appendix G for controlling the use of JES input class. It uses profiles
in the FACILITY class of the format JOBCLASS.x, where 'x' is the class
desi
Greetings all,
I'm studying the Tivoli Output Manager User's Guide to determine how to
implement RACF security using the SAF interface and have the following
questions.
1) The guide only shows setting the SAF ID via what appear to be console
commands to be entered after product initialization. Is
Carlos,
Something like the following is all you should need in the way of JCL.
//jobname JOB (account),'username',CLASS=x,MSGCLASS=x
//STEP0001 EXEC PGM=ICHDSM00
//SYSPRINT DD SYSOUT=*
//SYSUT2 DD SYSOUT=*
//SYSIN DD *
FUNCTION option
/*
//
If the program ICHDSM00 is protected by a RACF
Aman,
If your intent is to allow these individuals to perform a limited set of
RACF administrative tasks without giving them RACF authority, you'll need to
write an APF-authorized program they can execute to perform the tasks.
Alternatively, you can let them keep their RACF authority and write a RACF
Sridhar,
Theoretically, you could just apply the templates for the target z/OS
release to the old database and reIPL with it. This assumes the database is in
the restructured format introduced with RACF 1.9 (MVS/ESA). However, there
are many other factors that would determine whether your system woul
Brad,
Using the APPL class would be an effective means of governing entry into
ViewDirect. Starting with the .SOURCE(RACF) member as Ken advised, you
simply need to modify the RACROUTE REQUEST=VERIFY macro therein to include
the APPL=applid parameter. The inclusion of this parameter prompts the AP
Marian,
After executing both RDEFINE commands, did you execute the following:
SETROPTS RACLIST(CDT) REFRESH
If you are sharing the RACF database between multiple LPARs and are not
using RACF Sysplex communications or data sharing, you will need to perform
the refresh on all LPARs individually.
Michael,
Your assumption is essentially correct. Depending on what you are attempting
to do within SDSF, RACF will make authorization calls to the SDSF, JESSPOOL,
WRITER, and/or OPERCMDS classes. It only makes these calls if the
corresponding class is active, and in the case of OPERCMDS also RACLI
(Cross-posted to IBM-MAIN and RACF-L)
Greetings all,
In a client environment, Started Task HSM has the RACF TRUSTED attribute.
Yet, when it is attempting to release empty tapes, it needs READ access
permission to RMM's FACILITY class resource STGADMIN.EDG.RELEASE in order to
perform this function
Debbie,
See if there is an entry in the RACF global access table like
&RACUID.**/ALTER that enables users to create and access datasets prefixed
with their own ID without the need for a profile. Executing the following
command will display this information.
RL GLOBAL DATASET
Regards, Bob
John,
If you change the UACC and Global Access Table entry for SYS1.BRODCAST to
READ, you will need to permit UPDATE access to SYS1.BRODCAST to whomever
administers TSO Segments on RACF IDs.
Regards, Bob
Crispin,
Run the following command to see what profile is protecting creation of
aliases and who has access to it.
RLIST FACILITY STGADMIN.IGG.DEFDEL.UALIAS ALL
This may answer your question.
Regards, Bob
Jeff,
Here are a few more things to consider. Did you check SMF records for ALU
REVOKE commands and for all logon events related to the ID? There may be
records other than just passwords violations that could help explain this
event. Do you have any RACF exits that might affect it? Also, do you ha
y you should be able to use
generic DATASET profiles for full tape data set protection.
Mike Wood RMM Development
On Sat, 11 Mar 2006 15:57:12 -0500, Robert S. Hansel (RSH)
<[EMAIL PROTECTED]> wrote:
>Mike,
>
>Your comments about running without TAPEVOL and/or TVTOC raises the
>
Mike,
Your comments about running without TAPEVOL and/or TVTOC raises the
following issue. It is my understanding that with RMM the only way to
protect against unauthorized access to a tape dataset by taking
inappropriate advantage of tape label containing just the last 17 characters
of the dsname