Hi Clark,
One way to give you volume-specific RACF protection!
Use an EXIT.
++SRC (ICHRCX01) DISTLIB(AOSBN).
***********************************************************************
ICHRCX01 TITLE 'ICHRCX01 - RACF - RACHECK PRE-PROCESSING EXIT'
         SPACE 3
***********************************************************************
***                                                                 ***
*** MODULE - ICHRCX01                                               ***
***                                                                 ***
***                                                                 ***
*** For active SYSRES set (IPL volume set)                          ***
***                                                                 ***
*** Protect Any Sysres volume xxxxxx - Alter dataset                ***
*** profile to $RES.dsname before calling RACF                      ***
***                                                                 ***
*** For active IPL Sysres volume xxxxxx in "SS" lpar only           ***
*** Alter dataset profile to $RES.dsname before calling RACF        ***
***                                                                 ***
*** For nonactive IPL Sysres volume xxxxxx in "SS" lpar only        ***
*** Alter dataset profile to $Rxxdd.dsname before calling RACF      ***
***                                                                 ***
***                                                                 ***
*** RETURN CODES: Register 15                                       ***
*** 0 - Exit routine processing is complete, normal                 ***
***     RACHECK SVC processing is to continue.                      ***
***                                                                 ***
*** FUNCTION                                                        ***
*** This exit prefixes dataset profiles with $RES if                ***
*** the dataset resides on SYSRES volumes.                          ***
***                                                                 ***
***                                                                 ***
***********************************************************************
My version of the exit validates the dataset's volume serial against the active IPL
volume name... if it "matches" (the match depends on some local standard)
then the RACF dataset resource name is modified... the text '$RES.' is inserted
as a prefix.
So now all IPL volume set datasets can be protected via $RES.**
In the SysMaint systems, sysname=SSxx, the RACF resource gets modified
with a prefix related to the volume set name... e.g. $RBXA.** for the
SBXRA1,2,3 volume set.
So it is easy to protect active sysres volume sets... and to protect non-active
target sysres volume sets separately.
On Wed, 14 Apr 2010 16:01:52 -0300, Clark Morris
<[email protected]> wrote:
<snip>
>>
>>The discussion came down to this sample: If one only has READ authority
>>to SYS1.LPALIB [or pick one of your favorites for this example], why
>>should SMP/E allow a USERMOD (or one's own cobbled PTF) to that library?
>
>Can SYS1.LPALIB on volume 123456 have a different RACF profile than
>SYS1.LPALIB on volume 987654? If not, this raises some interesting
>questions.
>
<snip>
Regards
Bruce Hewson
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
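
The renaming described in the message above, modelled as an added Python example (not the ICHRCX01 source and not code from the original post). The "same volume set" test, the derivation of the $Rxxx prefix from a volser, the SAXRA and WORK01 volsers and all function names are assumptions made for illustration; only SBXRA1,2,3 -> $RBXA and the $RES. prefix come from the message.

```python
# Model of the entity-name rewrite a RACHECK pre-processing exit like the
# one described above performs before RACF looks up a dataset profile.

def volume_set(volser: str) -> str:
    """Assumed local standard: volumes of one set share their first 5 chars."""
    return volser[:5]

def set_prefix(volser: str) -> str:
    """Assumed derivation that reproduces the message's SBXRA1 -> $RBXA."""
    return "$R" + volser[1:3] + volser[4]

def rewrite_entity(dsname, volser, ipl_volser, sysname, target_sets=()):
    """Return the resource name RACF is asked to check after the exit ran."""
    if volume_set(volser) == volume_set(ipl_volser):
        return "$RES." + dsname                      # active IPL volume set
    if sysname.startswith("SS") and volume_set(volser) in target_sets:
        return set_prefix(volser) + "." + dsname     # non-active target set
    return dsname                                    # not sysres: unchanged

def covered_by(entity: str, profile: str) -> bool:
    """Match against a generic profile of the form 'QUALIFIER.**' only."""
    if not profile.endswith(".**"):
        raise ValueError("model only handles 'QUALIFIER.**' profiles")
    return entity.startswith(profile[:-2])

def demo():
    # Constructed sample: SysMaint LPAR SS01 IPLed from SAXRA1, with the
    # SBXRA1,2,3 set online as a maintenance target and one work volume.
    ctx = dict(ipl_volser="SAXRA1", sysname="SS01", target_sets={"SBXRA"})
    return [rewrite_entity("SYS1.LPALIB", v, **ctx)
            for v in ("SAXRA2", "SBXRA3", "WORK01")]

if __name__ == "__main__":
    # The same dataset name ends up under three different profiles,
    # depending only on the volume it resides on.
    for name in demo():
        print(name,
              "$RES.**" if covered_by(name, "$RES.**") else "",
              "$RBXA.**" if covered_by(name, "$RBXA.**") else "")
```
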