> In what classes and profiles? You can perhaps consolidate those profiles in
> fewer and more generic profiles if you have time to do that.
>
> (I know you previously said that you are learning to work with RACF)

I did that. I have about 20 jobs that completely rearrange RACF to something
that is meaningful to me and allows better administration in my opinion.

Just a few examples of the RACF database that comes with ADCD:

CLASS(TSOAUTH): has permits for userids that don't exist in the database: LWH,
TESTER, TESTEG, DSN1SPAS. Not to mention that every userid has its own permit -
no group permits for groups of users. Anywhere, not just in this class.

CLASS(TSOPROC): still has the DB2 V8 logon proc defined (DBSPROC8) - DB2 V8 is
not delivered in this ADCD anymore.
Userid DB8GRFSH belongs to DB2 V8, which doesn't exist.

A lot of address spaces are missing in the STARTED class - the default profile
** allows very high access to all system resources. For instance, there is no
profile specifically for DB2 (no matter which release), they all start on the
** profile. There also are a ton of obsolete profiles in that class (lots of
DCE* asids that don't get started).

There are a lot of nongeneric DB2 dataset profiles from DB2 Version 7, which
don't exist anymore (neither DB2 V7 nor those datasets).

CLASS(DSNR): Again a lot of DB2 V7 and V8 related profiles in addition to V9
and V10.
Same for class(SERVER).

CLASS(PROGRAM):
  RALTER PROGRAM * DELMEM('DSN810.SDSNLOD2')
  RALTER PROGRAM * DELMEM('DSN810.SDSNLOAD')
  RALTER PROGRAM * DELMEM('DSN810.SDSNEXIT')
  RALTER PROGRAM * DELMEM('DSN710.SDSNLOD2')
  RALTER PROGRAM * DELMEM('DSN710.SDSNLOAD')
  RALTER PROGRAM * DELMEM('DSN710.SDSNEXIT')
  RALTER PROGRAM * DELMEM('WAS401.SBBOLOAD')
  RALTER PROGRAM * DELMEM('BBO401.SBBOLOAD')
None of those data sets exists anymore. There is neither DB2 V7 nor V8 (oops, I
already said that) nor WAS V4.
  RDELETE PROGRAM BPXOV
  RDELETE PROGRAM BPXBINIT
  RDELETE PROGRAM BPXEV003
  RDELETE PROGRAM BPXOLVD
  RDELETE PROGRAM BPXPLPKA
  RDELETE PROGRAM BPXUCSNM
  RDELETE PROGRAM BPXUEYI1
  RDELETE PROGRAM BPXUI1EY
  RDELETE PROGRAM BPXZ24
  RDELETE PROGRAM RLOGIND
I was unable to find these programs in the SMPE-defined libraries.

CLASS(FACILITY): The WLM policy as delivered can only be administered by
IBMUSER and a non-existent userid DPACK.

There are two very obsolete groups still defined named SYSCTLG and VSAMDSET.

At this point, I can almost rival a RACF admin. What I haven't touched are all
these certificate things that come in upper and lower case.

Barbara
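
An added example, not part of the post above: one way to detect the kind of leftover permits described for CLASS(TSOAUTH) is to scan a RACF database unload (IRRDBU00 flat file) for access-list entries whose ID is not a defined user or group. The column ranges, the helper names and the sample records are assumptions made for this illustration; the profile names ACCT, JCL and OPER and the group SYS1 are constructed sample values.

```python
# Column ranges (1-based, inclusive) are an assumption taken from the IRRDBU00
# record layouts; confirm them against the documentation for your z/OS release.
FIELDS = {
    "0100": {"name": (6, 13)},   # group basic data
    "0200": {"name": (6, 13)},   # user basic data
    "0505": {"profile": (6, 251), "class": (253, 260),   # general resource access
             "auth_id": (262, 269), "access": (271, 278)},
}

def parse(line):
    """Return (record_type, fields) for the record types above, else None."""
    layout = FIELDS.get(line[:4])
    if layout is None:
        return None
    return line[:4], {k: line[a - 1:b].strip() for k, (a, b) in layout.items()}

def orphaned_permits(lines):
    """Access-list entries whose ID is neither a defined user nor a defined group."""
    defined, permits = set(), []
    for rec in filter(None, map(parse, lines)):
        rtype, f = rec
        if rtype in ("0100", "0200"):
            defined.add(f["name"])
        else:
            permits.append(f)
    # "*" on an access list is not an ID, so it is never reported.
    return [(p["class"], p["profile"], p["auth_id"], p["access"])
            for p in permits if p["auth_id"] not in defined and p["auth_id"] != "*"]

def make_record(rtype, *cols):
    """Build one constructed fixed-width record from (start_column, value) pairs."""
    buf = list(rtype.ljust(300))
    for start, value in cols:
        buf[start - 1:start - 1 + len(value)] = value
    return "".join(buf)

# Constructed sample input; the class and the IDs LWH and TESTER come from the post.
SAMPLE = [
    make_record("0100", (6, "SYS1")),
    make_record("0200", (6, "IBMUSER")),
    make_record("0505", (6, "ACCT"), (253, "TSOAUTH"), (262, "IBMUSER"), (271, "READ")),
    make_record("0505", (6, "ACCT"), (253, "TSOAUTH"), (262, "LWH"), (271, "READ")),
    make_record("0505", (6, "JCL"), (253, "TSOAUTH"), (262, "TESTER"), (271, "READ")),
    make_record("0505", (6, "OPER"), (253, "TSOAUTH"), (262, "SYS1"), (271, "READ")),
]

if __name__ == "__main__":
    for hit in orphaned_permits(SAMPLE):
        print(*hit)
```

The permits are checked only after the whole file has been read, so the result does not depend on the order of records in the unload.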