Thanks for the link for the output violations - it doesn't appear to work for TSS (Top Secret).
-----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Robert S. Hansel (RSH) Sent: Tuesday, May 24, 2022 8:16 AM To: [email protected] Subject: Re: SDSF & TSS (RACF) ATTENTION: This e-mail came from an external source. Do not open attachments or click on links from unknown or unexpected emails. Hi Mark, When a user attempts to select a job, SDSF does an authorization check for each individual SYSOUT DDNAME associated with the job and can generate multiple violations like this. To address this issue, see article " Avoiding Output Browse Violation Messages in SDSF" in the July 2008 issue of our RACF Tips newsletter. https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.rshconsulting.com%2Fracftips%2FRSH_Consulting__RACF_Tips__July_2008.pdf&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C09fc8b5679ff48b440c108da3d87b17c%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637889950261872224%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ReJ7GWolmeh4hc2MkFDbyahA0i5EVDrdN7qsfXgAKW4%3D&reserved=0 Regards, Bob Robert S. Hansel 35 years of RACF Experience Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.linkedin.com%2Fin%2Froberthansel&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C09fc8b5679ff48b440c108da3d87b17c%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637889950261872224%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=U7odhzAml3JLOoHEPMB0H%2BugsJ0Rls0Z%2Fpk8Ht9KnPc%3D&reserved=0 https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.twitter.com%2FRSH_RACF&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C09fc8b5679ff48b440c108da3d87b17c%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637889950261872224%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=E8kbU8IAtv56Y%2BoiaQn%2BRuFS0IfJ6YswSdVy12zWCUo%3D&reserved=0 https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.rshconsulting.com%2F&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C09fc8b5679ff48b440c108da3d87b17c%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637889950261872224%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=%2BF%2BtoZaedniGmSARZrgDspVsvtLk624fxaEllI4har0%3D&reserved=0 -----Original Message----- Date: Mon, 23 May 2022 20:55:48 +0000 From: "Steely.Mark" <[email protected]> Subject: SDSF & TSS (RACF) I am trying to convert our SDSF from using ISFPARMS to TSS for security. I need some direction on how to provide security for reports. Currently I am trying to use JESSPOOL to control access. The customer is allowed to view all currently active and held output jobs but may only look at certain JOBS & REPORTS. During testing I have this occurring: The customer is trying to view this job (which the customer is not authorized) COMMAND INPUT ===> PREFIX=* DEST=(ALL) OWNER=* SYSNAME= NP DDNAME StepName ProcStep DSID Owner C Dest JESMSGLG JES2 2 TS0242 R LOCAL JESJCL JES2 3 TS0242 R LOCAL JESYSMSG JES2 4 TS0242 R LOCAL The above is displayed when I put a ? in the Held output screen. This is just to show you the report has 3 different reports. Then the customer goes back to the screen which shows the job name: SDSF HELD OUTPUT DISPLAY ALL CLASSES LINES 55 LINE 1 COMMAND INPUT ===> PREFIX=B1* DEST=(ALL) OWNER=* SORT=JOBNAME/A SYSNAME= NP JOBNAME JobID Owner Prty C ODisp Dest B100042B JOB09087 TS0242 144 R HOLD LOCAL Then select the job and receives the following messages: TSS7257E Unauthorized Access Level for JESSPOOL <ACSCM.TS0242.A200042B.JOB09143.D0000002.JESM> TSS7257E Unauthorized Access Level for JESSPOOL <ACSCM.TS0242.A200042B.JOB09143.D0000003.JESJ> TSS7257E Unauthorized Access Level for JESSPOOL <ACSCM.TS0242.A200042B.JOB09143.D0000004.JESY> TSS7141E Use of Accessor ID Suspended TSS7191E Job/Session Cancelled - Excessive Violations TSS7192E Session Locked - Excessive Violations: Signoff CS0042 LOGGED OFF TSO AT 14:57:54 ON MAY 23, 2022 IKJ56453I SESSION CANCELLED ****** I would hate to think someone would accidently try to look at an output they are not authorized to view and get their ID suspended. Maybe I am going at this all wrong. Is there a different way I should be doing this? Any help would be appreciated. We are currently at z/OS v2.4. Thank You ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
