On Fri, 24 Oct 2008 07:59:09 +0200, Barbara Nitz <[EMAIL PROTECTED]> wrote:
>I was going to say: "I cannot. Well, I can do the route command, but it will not get executed on the system in the sysplex where my userid is not defined."
>Turns out that this must have changed with some sort of definition or release. I know that it didn't work because I wrote a pamphlet when we joined that sysplex with the two disparate RACF databases. Back then I got from RACF:
>
>RO SYSB,D T
>IEE421I RO SYSB,D T
>SYSB RESPONSES ---------------------------------------------------
>IEE345I DISPLAY AUTHORITY INVALID, FAILED BY SECURITY PRODUCT
> ICH408I USER(NITZ ) GROUP(SYS ) NAME(??? )
> LOGON/JOB INITIATION - USER AT TERMINAL NVASxxxx NOT RACF-DEFINED
>
>Reverse command:
>IEE421I RO SYSA,D T
>SYSA RESPONSES ---------------------------------------------------
>IEE345I DISPLAY AUTHORITY INVALID, FAILED BY SECURITY PRODUCT
>ICH408I USER(BARBARA ) GROUP(SYSA ) NAME(??? )
>LOGON/JOB INITIATION - USER AT TERMINAL NVASyyyy NOT RACF-DEFINED
> ICH408I USER(+CONSOLE) GROUP(* ) NAME(??? )
> MVS.DISPLAY.TIMEDATE CL(OPERCMDS)
> INSUFFICIENT ACCESS AUTHORITY
> ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
>
>That was way back when (and the names are changed in the display above). Now the D T works from an EMCS console from all systems to all systems. Guess I need to go and find out why....

In the old days, Console processing sent a copy of the user's UTOKEN along with a routed command, and the security product would have to process that UTOKEN and build an ACEE. For RACF, that meant doing I/O, but I/O is not allowed during OPERCMDS security checking. We did the I/O anyway, having no other choice, until enough z/OS customers had hit the error recovery case that disallowed I/O in the first place and had their sysplexes hang. At that point, the Console processing started passing an ENVR object instead.

That guarantees no system/sysplex hangs during error recovery command processing, at least when routing between systems with compatible security products, but at the cost of some command routing issues as we've discussed in this thread.

-- 
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
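The ICH408I groups quoted in the thread are what a routed command leaves behind when the target system's security product rejects it, and the two failure shapes (user not defined on the target, versus a defined user lacking OPERCMDS access) call for different fixes. The following Python is an added example, not code from this thread or from IBM: it parses a ROUTE response into one record per ICH408I group and classifies each. The message layouts are assumed to follow the lines quoted above, and the sample text is constructed from those lines (with the names the original poster had already changed).

```python
"""Parse RACF ICH408I violation groups out of a ROUTE command response.

Added example, not part of the IBM-MAIN thread. Line layouts are assumed to
match the ICH408I / IEE345I text quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "ICH408I USER(NITZ    ) GROUP(SYS     ) NAME(???   )"  -- fields are blank-padded
ICH408I_HDR = re.compile(
    r"ICH408I\s+USER\(\s*(?P<user>[^)\s]+)\s*\)\s+"
    r"GROUP\(\s*(?P<group>[^)\s]*)\s*\)\s+NAME\((?P<name>[^)]*)\)"
)
# continuation lines of an ICH408I group
NOT_DEFINED = re.compile(r"USER AT TERMINAL\s+(?P<terminal>\S+)\s+NOT RACF-DEFINED")
RESOURCE = re.compile(r"^(?P<resource>\S+)\s+CL\((?P<cls>[^)]+)\)")
ACCESS = re.compile(
    r"ACCESS INTENT\(\s*(?P<intent>\w+)\s*\)\s+ACCESS ALLOWED\(\s*(?P<allowed>\w+)\s*\)"
)
# any other MVS message id (IEE421I, IEE345I, ...) ends the open ICH408I group
MSG_ID = re.compile(r"^[A-Z]{3}\d{3,4}[A-Z]\b")
RESPONSES = re.compile(r"^(?P<sys>\S+) RESPONSES\s*-")


@dataclass
class Violation:
    system: Optional[str]          # system whose RESPONSES block contained the message
    user: str
    group: str
    name: str
    reason: str = "unknown"        # "not-defined" | "insufficient-access" | "unknown"
    terminal: Optional[str] = None
    resource: Optional[str] = None
    resource_class: Optional[str] = None
    intent: Optional[str] = None
    allowed: Optional[str] = None


def parse_route_response(text: str) -> List[Violation]:
    """Return one Violation per ICH408I group, in the order they appear."""
    violations: List[Violation] = []
    system: Optional[str] = None
    current: Optional[Violation] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RESPONSES.match(line)
        if m:                       # "SYSB RESPONSES ----" introduces a system's output
            system = m["sys"]
            current = None
            continue
        m = ICH408I_HDR.search(line)
        if m:                       # start of a new violation group
            current = Violation(system, m["user"], m["group"] or "*", m["name"].strip())
            violations.append(current)
            continue
        if current is None or MSG_ID.match(line):
            current = None          # not inside an ICH408I group
            continue
        # continuation lines of the open ICH408I group
        m = NOT_DEFINED.search(line)
        if m:
            current.reason = "not-defined"
            current.terminal = m["terminal"]
            continue
        m = RESOURCE.match(line)
        if m:
            current.resource, current.resource_class = m["resource"], m["cls"]
            continue
        if "INSUFFICIENT ACCESS AUTHORITY" in line:
            current.reason = "insufficient-access"
            continue
        m = ACCESS.search(line)
        if m:
            current.intent, current.allowed = m["intent"], m["allowed"]


    return violations


def triage(violations: List[Violation]) -> dict:
    """Map each target system to the set of failure reasons seen there."""
    out: dict = {}
    for v in violations:
        out.setdefault(v.system, set()).add(v.reason)
    return out


# Constructed sample, assembled from the lines quoted in the thread.
SAMPLE = """\
IEE421I RO SYSB,D T
SYSB RESPONSES ---------------------------------------------------
IEE345I DISPLAY AUTHORITY INVALID, FAILED BY SECURITY PRODUCT
ICH408I USER(NITZ    ) GROUP(SYS     ) NAME(???                 )
  LOGON/JOB INITIATION - USER AT TERMINAL NVASxxxx NOT RACF-DEFINED
IEE421I RO SYSA,D T
SYSA RESPONSES ---------------------------------------------------
IEE345I DISPLAY AUTHORITY INVALID, FAILED BY SECURITY PRODUCT
ICH408I USER(BARBARA ) GROUP(SYSA    ) NAME(???                 )
  LOGON/JOB INITIATION - USER AT TERMINAL NVASyyyy NOT RACF-DEFINED
ICH408I USER(+CONSOLE) GROUP(*       ) NAME(???                 )
  MVS.DISPLAY.TIMEDATE CL(OPERCMDS)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

if __name__ == "__main__":
    for v in parse_route_response(SAMPLE):
        print(v)
    print(triage(parse_route_response(SAMPLE)))
```

A "not-defined" record means the routed command's identity could not be resolved on the target system at all (the situation the thread describes for disparate RACF databases); an "insufficient-access" record means the identity resolved but lacks the OPERCMDS profile access, which is an ordinary permit problem.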

