Pinnacle wrote:
----- Original Message ----- From: "R.S." <[email protected]>
Newsgroups: bit.listserv.ibm-main
Sent: Thursday, February 03, 2011 7:13 PM
Subject: Re: STGADMIN.ADR.DUMP.TOLERATE.ENQF
On 2011-02-04 00:33, Frank Swarbrick wrote:
Interesting.
I'm not clear where this is documented, but I'll see what my RACF
admin has to say.
Basically, I tried in our prod LPAR to backup (DUMP) a file that was
currently open to CICS; thus the TOLERATE(ENQF). But I could not
perform it because...
ICH408I USER(DVFJS ) GROUP(DEPT9971) NAME(FRANK SWARBRICK ) 928
STGADMIN.ADR.DUMP.TOLERATE.ENQF CL(FACILITY)
INSUFFICIENT ACCESS AUTHORITY
FROM STGADMIN.ADR.** (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
That's quite obvious.
Some basics: the resource is a string, STGADMIN.ADR.DUMP.TOLERATE.ENQF.
The RACF db holds the profiles. In your case your RACF db has no profile
equal to the resource name, but it holds a *generic* profile STGADMIN.ADR.**
which covers the required resource.
In your case this profile is too wide in scope. Your RACF admin should
consider defining STGADMIN.ADR.STGADMIN.** - this profile is
powerful and dangerous. The old profile could be defined with
UACC(READ) which means "available to anyone".
In other words, your RACF admin unnecessarily restricted some functions.
I would disagree with the last statement that the RACF admin
unnecessarily restricted some functions. I've seen this construct at a
number of sites, and it makes sense if for no other reason than that it
covers future additions to the STGADMIN.ADR FACILITY class profiles.
IBM does add new function there from time to time, and having this rule
in place ensures that no one can get unauthorized access to any new
profiles in the future.
And I would disagree with the above. Yes, IBM sometimes adds some new
functions and SAF (RACF) resources for them. Even those with a completely
new name (not prefixed with STGADMIN.ADR). Even new classes for the
profiles. How do you protect against it? And WHY do you want it?
Can you provide any example of *dangerous* function/resource covered by
STGADMIN.ADR.**, but not STGADMIN.ADR.STGADMIN.** ?
As I wrote, I consider the STGADMIN.ADR profiles an example of a good
implementation. The most important reason for that is that "regular"
functions are permitted by default and powerful functions are restricted
by default.
--
Radoslaw Skorupka
Lodz, Poland
--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl
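The profile-matching rule the thread turns on (no discrete profile, so the most specific covering generic decides, and UACC applies when neither the user nor a group is on the access list), as an added Python model that is not part of this thread and not RACF code. It simplifies RACF's best-match and access-list rules, and the profile sets, the group name STGADMGP and the resource STGADMIN.ADR.STGADMIN.EXAMPLE are constructed placeholders.

```python
import re

ACCESS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}
RANK = {"**": 0, "*": 1, "%": 2}               # specificity: literal(3) > % > * > **
REGEX = {"**": ".*", "*": "[^.]*", "%": "[^.]"}  # ** spans qualifiers, * and % do not

def tokens(profile):
    """Split a profile name into literal characters and the generic tokens ** * %."""
    out, i = [], 0
    while i < len(profile):
        tok = "**" if profile.startswith("**", i) else profile[i]
        out.append(tok)
        i += len(tok)
    return out

def matches(profile, resource):
    pattern = "".join(REGEX.get(t, re.escape(t)) for t in tokens(profile))
    return re.fullmatch(pattern, resource) is not None

def best_profile(profiles, resource):
    """A discrete profile wins; otherwise the most specific matching generic."""
    if resource in profiles:
        return resource
    cands = [p for p in profiles if matches(p, resource)]
    return max(cands, key=lambda p: tuple(RANK.get(t, 3) for t in tokens(p)), default=None)

def check(profiles, user, groups, resource, intent):
    """Simplified RACF authorization: user ACL entry, else best group entry, else UACC."""
    name = best_profile(profiles, resource)
    if name is None:
        return "NOT PROTECTED", None           # no covering profile; the caller decides
    prof = profiles[name]
    if user in prof["acl"]:
        level = prof["acl"][user]
    else:
        grp = [prof["acl"][g] for g in groups if g in prof["acl"]]
        level = max(grp, key=ACCESS.get) if grp else prof["uacc"]
    return ("ALLOWED" if ACCESS[level] >= ACCESS[intent] else "DENIED"), name

# Constructed profile sets, not a real RACF database.
# As in the ICH408I above: one broad generic, UACC(NONE).
SITE_AS_IS = {"STGADMIN.ADR.**": {"uacc": "NONE", "acl": {}}}
# The split R.S. proposes: regular functions open, powerful ones closed except
# to a storage-admin group (STGADMGP is a placeholder group name).
SITE_SPLIT = {"STGADMIN.ADR.**": {"uacc": "READ", "acl": {}},
              "STGADMIN.ADR.STGADMIN.**": {"uacc": "NONE", "acl": {"STGADMGP": "READ"}}}

ENQF = "STGADMIN.ADR.DUMP.TOLERATE.ENQF"
POWERFUL = "STGADMIN.ADR.STGADMIN.EXAMPLE"     # placeholder resource name
```

Running check(SITE_AS_IS, "DVFJS", ["DEPT9971"], ENQF, "READ") reproduces the denial in the ICH408I message, while the same call against SITE_SPLIT is allowed and the POWERFUL resource stays denied to everyone outside STGADMGP.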
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html