Just for information: RussD has answered me with a nice post! There might be
others in the future (I hope not) with similar doubts, so I think it would
be nice to put here what I received for future archive reference (somewhat
similar to Mark's post but in a different format).

------ START-----------
"

Hi Avelino,

The health checker resources that need to be set up are all within the
XFACILIT resource class.

In CA ACF2 by default, the resource type is XFC.

The IBM Health Checker User guide shows the following...

Table 1. Access required for printing check output from the message buffer
using HZSPRINT

Check specification             Access required for service resource        Resource name

CHECK(*,check_name)             QUERY: Read access to all checks            HZS.sysname.QUERY
CHECK(*,*)                      MESSAGES: Read access to individual check   HZS.sysname.check_owner.MESSAGES
                                                                            or
                                                                            HZS.sysname.check_owner.check_name.MESSAGES

CHECK(check_owner,*)            QUERY: Read access to all checks for a      HZS.sysname.check_owner.QUERY
                                specific owner
                                MESSAGES: Read access to individual check   HZS.sysname.check_owner.MESSAGES
                                                                            or
                                                                            HZS.sysname.check_owner.check_name.MESSAGES

CHECK(check_owner,check_name)   QUERY: Read access to individual check      HZS.sysname.check_owner.QUERY
                                                                            or
                                                                            HZS.sysname.check_owner.check_name.QUERY
                                MESSAGES: Read access to individual check   HZS.sysname.check_owner.check_name.MESSAGES
                                                                            or
                                                                            HZS.sysname.check_owner.check_name.MESSAGES



So, if you want to write a rule to allow "user01" to have access to
CHECK(check_owner,*) as a QUERY request, you could write a rule as follows:

ACF

SET RESOURCE(XFC)

COMPILE *

$KEY(HZS) TYPE(XFC)

sysname.check_owner.QUERY UID(uid for user01) service(read) allow

END

STORE



You will also need to create a resource directory for this resource type if
it does not already exist:



ACF

SET CONTROL(GSO)

CHANGE INFODIR TYPES(R-RXFC) ADD



F ACF2,REFRESH(INFODIR)

F ACF2,REBUILD(XFC)



In addition, you will need to set up a logonid for the HZSPROC started task.

This can be done with the following:

ACF

SET LID

INSERT HZSPROC STC NAME(HZS procedure logonid) uid(0) home(/) program(/bin/sh) group(omvsgrp)

F ACF2,REBUILD(USR),CLASS(P)

F ACF2,REBUILD(GRP),CLASS(P)

F ACF2,OMVS



You will also need to give the STC access to the HZSPDATA dataset. This can be
done by updating the sys1 dataset rule:



ACF

SET RULE

COMPILE *

$KEY(SYS1)

PRODSYS.HZSPDATA UID(uid for hzsproc) alloc(a) read(a) exec(a) write(a)




Please review chapter 2 in IBM Health Checker for z/OS: User’s Guide,
SA22-7994-07, which supports z/OS Version 1 Release 10.



and let me know if there are any other resources that you need help in
setting up."



__________END____________
Thanks again,

Avelino.
On Wed, Oct 21, 2009 at 1:45 PM, Avelino Ferreira <afmf...@gmail.com> wrote:

> Thanks a lot Mark !!
>
> On Wed, Oct 21, 2009 at 1:33 PM, Mark Zelden <mark.zel...@zurichna.com> wrote:
>
>> On Wed, 21 Oct 2009 14:23:48 -0500, Mark Zelden <mark.zel...@zurichna.com> wrote:
>>
>> >
>> >There is an ACF2 cookbook, but I doubt it has this.  Many vendors
>> >(especially IBM) don't supply equivalent OEM security definitions for RACF
>> >like CA does (not a surprise since they own TSS and ACF2).  You just have
>> >to understand something about administering those products in order to
>> >translate.
>> >
>>
>> One final comment:  Someone else suggested contacting CA about this.
>> I don't have a problem with "how to" questions on this list when things
>> aren't documented or documented well (heck, "how to" questions get
>> asked all the time on this list).   But there is nothing wrong with that
>> suggestion either.  ACF2 support is top notch and they are always more
>> than willing to help with problems or "how to" questions.  They understand
>> that products that document RACF external security don't usually explain
>> how to do it under ACF2 or Top Secret.
>>
>> Mark
>> --
>> Mark Zelden
>> Sr. Software and Systems Architect - z/OS Team Lead
>> Zurich North America / Farmers Insurance Group - ZFUS G-ITO
>> mailto:mark.zel...@zurichna.com
>> z/OS Systems Programming expert at
>> http://expertanswercenter.techtarget.com/
>> Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html
>>
>> ----------------------------------------------------------------------
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
>> Search the archives at http://bama.ua.edu/archives/ibm-main.html
>>
>
>
