On 8/11/2005 8:41 AM, Thomas Conley wrote:
Not really doable. Hundreds of automation execs broadcast commands
throughout the system, and the client can't afford not to route the
commands (minor things like varying tape drives offline and online, no
big deal ;-)
I would strongly suggest that you come up with a way to deal with the
FRACINT abends so that you can support ACF2 to RACF conversions (that is in
IBM's best interest, is it not?)
Unfortunately, the processing of operator commands requires that -no-
I/O take place during the authorization checking. If I/O can occur,
then there are cases during error recovery where the authorization check
will hang, leading to the command not functioning, which then leads to
error recovery being impossible.
Therefore, unless ACF2 could provide a complete ACEE, in the exact
format that RACF uses, we cannot satisfy that requirement. And they
cannot do that, due to the way they handle groups (for one) and due to
the fact that RACF has some proprietary data in an ACEE extension that
(a) we do not disclose to the other vendors and
(b) they probably could not support/duplicate even if we told them the
format.
At one point we did do some experiments where we said, OK, so we can't
do any I/O, but maybe we could take the ACEE that ACF2 sends us (or the
UTOKEN that should also come across the interface) and build a phony
ACEE without doing any I/O. It could have the user ID, and perhaps have
the "current" connect group, but it would lack any of the user's other
groups.
Lacking the complete group list, some commands might fail (for example,
if the administrator had used one of those alternate groups to grant
authority via the permissions in an OPERCMDS profile) but this would
avoid the abend, and perhaps the administrators would accept having to
administer things differently for this case.
Unfortunately, we discovered that the ACEE/UTOKEN we were receiving from
ACF2 did not even have sufficient information to do that, so the
experiment failed. And we are busy enough with other things that we
have not continued experimenting.
Thus, at this point (and for the foreseeable future) we have no solution
for your problem. In a sysplex with a mix of security products,
operator command security will fail, with an abend, if an ACF2 (or Top
Secret, probably) system sends a command to a RACF system.
Walt Farrell, CISSP
z/OS Security Design, IBM
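The failure mode Walt describes (an ACEE rebuilt from only the user ID and current connect group passes or fails an OPERCMDS check depending on which group the administrator permitted) can be modelled without any RACF at all. The following Python is an added illustration, not code from the post or from IBM; the access-decision order, the profile name MVS.VARY.DEV, and the user, group and permit values are constructed assumptions used to show the effect, not RACF's actual algorithm.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Ordering of RACF-style access levels, lowest to highest (assumed, simplified).
ACCESS_LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass(frozen=True)
class Acee:
    """Minimal stand-in for an ACEE: who the user is and which groups it carries."""
    user_id: str
    current_group: str
    groups: Tuple[str, ...]  # every connect group this ACEE knows about


@dataclass
class OpercmdsProfile:
    """An OPERCMDS profile: universal access plus an access list of user/group permits."""
    name: str
    uacc: str = "NONE"
    permits: Dict[str, str] = field(default_factory=dict)  # id -> access level


def check_access(acee: Acee, profile: OpercmdsProfile, required: str) -> bool:
    """Simplified access decision that does no I/O: everything it needs is in the ACEE.

    A permit for the user ID itself takes precedence; otherwise the highest access
    granted to any group present in the ACEE is used; otherwise UACC applies.
    (Assumed ordering for illustration; RACF's real rules have more cases.)
    """
    if acee.user_id in profile.permits:
        granted = profile.permits[acee.user_id]
    else:
        group_levels = [profile.permits[g] for g in acee.groups if g in profile.permits]
        granted = max(group_levels, key=ACCESS_LEVELS.get, default=profile.uacc)
    return ACCESS_LEVELS[granted] >= ACCESS_LEVELS[required]


def phony_acee(incoming: Acee) -> Acee:
    """Model of the experiment in the post: rebuild an ACEE from the user ID and
    current connect group only, because the full group list cannot be fetched
    without I/O. Every other group is lost."""
    return Acee(incoming.user_id, incoming.current_group, (incoming.current_group,))


# Constructed sample data: OPER1 is connected to SYS1 (current) and TAPEOPS,
# and the VARY authority was granted to TAPEOPS rather than to the user ID.
VARY_PROFILE = OpercmdsProfile("MVS.VARY.DEV", permits={"TAPEOPS": "UPDATE"})
OPER1 = Acee("OPER1", current_group="SYS1", groups=("SYS1", "TAPEOPS"))


def decisions() -> Dict[str, bool]:
    """Same command, same profile: the complete ACEE passes, the rebuilt one fails."""
    return {
        "full_acee": check_access(OPER1, VARY_PROFILE, "UPDATE"),
        "phony_acee": check_access(phony_acee(OPER1), VARY_PROFILE, "UPDATE"),
    }


def decisions_after_readministering() -> Dict[str, bool]:
    """'Administering things differently for this case': also permit the current
    connect group, so the rebuilt ACEE still carries enough to pass the check."""
    readministered = OpercmdsProfile(
        "MVS.VARY.DEV", permits={"TAPEOPS": "UPDATE", "SYS1": "UPDATE"}
    )
    return {
        "full_acee": check_access(OPER1, readministered, "UPDATE"),
        "phony_acee": check_access(phony_acee(OPER1), readministered, "UPDATE"),
    }


if __name__ == "__main__":
    print(decisions())
    print(decisions_after_readministering())
```

The point of the model is the asymmetry: the abend is avoided because nothing has to be read from the RACF database, but any authority that depends on a group other than the current connect group silently disappears, which is exactly the administrative change Walt says operators might have had to accept.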
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html