Thanks Walt for the doc pointers. We missed references to activation 
profiles, which is the main target of my quest. Some digging is in order.

As for the need to check SAF: if HMC provided full granularity of access 
control, we wouldn't even need BCPii. We could just let all Tech Support 
folks get to HMC and let him enforce the rules: allow Tech Support staff 
(nearly!) full control over sandbox LPARs by name and pretty much no 
control over other LPARs. We can write our own BCPii code to achieve that 
goal provided that activation profiles are visible and settable. As an 
aside, we don't need to modify profiles, only to select the appropriate 
profile at IPL. 

.
.
JO.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
626-302-7535 Office
323-715-0595 Mobile
[email protected]



From:   Walt Farrell <[email protected]>
To:     [email protected], 
Date:   12/17/2012 08:09 AM
Subject:        Re: BCPII and activation profile
Sent by:        IBM Mainframe Discussion List <[email protected]>



On Sun, 16 Dec 2012 11:30:24 -0800, Skip Robinson 
<[email protected]> wrote:

>I never saw a reply to Lizette's post. We also have an interest in the
>same topic. We want to encourage members of the technical staff to manage
>our sandbox LPARs rather than pester--er, request--Operations to shut
>down/IPL systems that 'we' own. The problem is how to allow these folks to
>manage sandbox LPARs only. Using our fine automation product together with
>the V XCF...REIPL command, they can reIPL a system on their own. Or we can
>write our own IPL command that does a SAF check before calling BCPII to do
>the deed.
>
>The difficulty occurs when a system is not currently running and/or when
>the sysres volume needs to be switched from its last used value to a
>different one. We have not found a way for BCPII to even query the current
>IPL profile, let alone switch to an alternate profile. Without this
>capability, we cannot insist that our folks do their own laundry.

I'm not an expert in this, Skip, having never actually used BCPii, and 
upon leaving IBM I lost access to much of the info that would help me to 
provide a more definitive answer. But I had to do some research into it 
for purposes of the Common Criteria certification for z/OS, so I'll 
attempt an answer based on fading memories and the public doc that I have 
found. I'm not sure this is information you know already, but if not it 
might help.

First, I'm curious why your IPL command would need to do a SAF check. 
There should be adequate SAF checking already built into the BCPii APIs, 
from what I remember. And the descriptions in MVS Callable Services for 
HLL indicate the SAF checks that are done.

Next, it's critical to understand what books you need to be looking at. 
MVS Callable Services for HLL, 
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/IEA2C170/CCONTENTS?DT=20110614133049
or http://preview.tinyurl.com/bu8epwb describes how to invoke the 
functions, but as far as I know it does not describe the data objects and 
their formats that you need to use. The data objects and their contents 
are really the critical pieces of information, as I understand it.

For that, you'll need to read and understand System z Application 
Programming Interfaces, SB10-7030 (currently, I think, -15), 
http://www-01.ibm.com/support/docview.wss?uid=isg2b09e422f170ffc9c85257075004bde92&aid=1
or http://preview.tinyurl.com/cf4a93e which describes all the details.

For example, from that latter manual I can see that there is a way to see 
what the last-used activation profile for an image was (as it is a field 
returned by -some- query), and there is a way to retrieve the contents of 
an activation profile, and (I think) to change the contents of an 
activation profile, and to specify which activation profile should be used 
for the image. 

I have not taken the time to try to understand all the relationships 
between the services and the data objects, but I -think- that everything 
you need is in those two manuals. It won't necessarily be easy to put all 
the info together to understand it, though.

Searching SB10-7030 for the string "activation profile" should prove 
helpful.

-- 
Walt




----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
