Mark When the user issues a browse request for the entire job, they may not be aware of the constituent output DDs and any security violations encountered may be out of their initial control (or expectation). It is not unreasonable in this case to tolerate the violations without penalty.
The selection of a specific output from the JDS (aka "?") action panel is deemed an deliberate action to browse a specific spool dataset and the custom property does not apply. I assume that TSS would act the same (ie suspend the ID) if the user received repeated violations for attempts to read normal DASD datasets. Rob Scott Rocket Software From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Steely.Mark Sent: 25 May 2022 17:04 To: [email protected] Subject: Re: SDSF & TSS (RACF) Importance: High EXTERNAL EMAIL Thanks for the update - yes I did forget the custom parameter. It may work for what I need. When I select the complete report it comes back as unauthorized. If I expand the report with a ? and select a report it still get the violation and after several attempt it suspend the ID. Is there anything for that ? Thank You -----Original Message----- From: IBM Mainframe Discussion List <[email protected]<mailto:[email protected]>> On Behalf Of Robert S. Hansel (RSH) Sent: Wednesday, May 25, 2022 5:53 AM To: [email protected]<mailto:[email protected]> Subject: FW: SDSF & TSS (RACF) ATTENTION: This e-mail came from an external source. Do not open attachments or click on links from unknown or unexpected emails. Mark, I'm surprised it didn't work. Did you code a CUSTOM(proplist) parameter in _all_ your GROUP statements that points to the PROPLIST NAME(proplist) statement with the PROPERTY parameter? And did you refresh the ISFPARMS in all the SDSF servers? Regards, Bob Robert S. Hansel 35 years of RACF Experience Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.linkedin.com%2Fin%2Froberthansel&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=2p%2FVhwtS2wmMiwR5fCqnKzxRS25XLKssIwHQysYGDRo%3D&reserved=0<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.linkedin.com%2Fin%2Froberthansel&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=2p%2FVhwtS2wmMiwR5fCqnKzxRS25XLKssIwHQysYGDRo%3D&reserved=0> https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.twitter.com%2FRSH_RACF&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=qHDXl9r%2Byff2po89gcCtFs3DsZD%2B5%2Bwv3OSmmgnsek0%3D&reserved=0<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.twitter.com%2FRSH_RACF&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=qHDXl9r%2Byff2po89gcCtFs3DsZD%2B5%2Bwv3OSmmgnsek0%3D&reserved=0> https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.rshconsulting.com%2F&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ZyxHROF4eUWuXPXBbIR8Rls0H8o6qizNf9Ve6E7RWuA%3D&reserved=0<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.rshconsulting.com%2F&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ZyxHROF4eUWuXPXBbIR8Rls0H8o6qizNf9Ve6E7RWuA%3D&reserved=0> -----Original Message----- Date: Tue, 24 May 2022 15:02:50 +0000 From: "Steely.Mark" <[email protected]<mailto:[email protected]>> Subject: Re: SDSF & TSS (RACF) Thanks for the link for the output violations - it doesn't appear to work for TSS (Top Secret). -----Original Message----- From: IBM Mainframe Discussion List <[email protected]<mailto:[email protected]>> On Behalf Of Robert S. Hansel (RSH) Sent: Tuesday, May 24, 2022 8:16 AM To: [email protected]<mailto:[email protected]> Subject: Re: SDSF & TSS (RACF) ATTENTION: This e-mail came from an external source. Do not open attachments or click on links from unknown or unexpected emails. Hi Mark, When a user attempts to select a job, SDSF does an authorization check for each individual SYSOUT DDNAME associated with the job and can generate multiple violations like this. To address this issue, see article " Avoiding Output Browse Violation Messages in SDSF" in the July 2008 issue of our RACF Tips newsletter. https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.rshconsulting.com%2Fracftips%2FRSH_Consulting__RACF_Tips__July_2008.pdf&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Ri6qk0FquenWot%2B7NtNwp4PQXBlpbgSzxcwFsX8E0UQ%3D&reserved=0<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.rshconsulting.com%2Fracftips%2FRSH_Consulting__RACF_Tips__July_2008.pdf&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Ri6qk0FquenWot%2B7NtNwp4PQXBlpbgSzxcwFsX8E0UQ%3D&reserved=0> Regards, Bob Robert S. Hansel 35 years of RACF Experience Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.linkedin.com%2Fin%2Froberthansel&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=2p%2FVhwtS2wmMiwR5fCqnKzxRS25XLKssIwHQysYGDRo%3D&reserved=0<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.linkedin.com%2Fin%2Froberthansel&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=2p%2FVhwtS2wmMiwR5fCqnKzxRS25XLKssIwHQysYGDRo%3D&reserved=0> https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.twitter.com%2FRSH_RACF&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=qHDXl9r%2Byff2po89gcCtFs3DsZD%2B5%2Bwv3OSmmgnsek0%3D&reserved=0<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.twitter.com%2FRSH_RACF&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=qHDXl9r%2Byff2po89gcCtFs3DsZD%2B5%2Bwv3OSmmgnsek0%3D&reserved=0> https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.rshconsulting.com%2F&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ZyxHROF4eUWuXPXBbIR8Rls0H8o6qizNf9Ve6E7RWuA%3D&reserved=0<https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.rshconsulting.com%2F&data=05%7C01%7CSteely.Mark%40aaa-texas.com%7C343f2a1ca2e946e91dd008da3e41120f%7Cd5f618ff295149048f7e999c2dd97ab2%7C0%7C0%7C637890746614106925%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ZyxHROF4eUWuXPXBbIR8Rls0H8o6qizNf9Ve6E7RWuA%3D&reserved=0> -----Original Message----- Date: Mon, 23 May 2022 20:55:48 +0000 From: "Steely.Mark" <[email protected]<mailto:[email protected]>> Subject: SDSF & TSS (RACF) I am trying to convert our SDSF from using ISFPARMS to TSS for security. I need some direction on how to provide security for reports. Currently I am trying to use JESSPOOL to control access. The customer is allowed to view all currently active and held output jobs but may only look at certain JOBS & REPORTS. During testing I have this occurring: The customer is trying to view this job (which the customer is not authorized) COMMAND INPUT ===> PREFIX=* DEST=(ALL) OWNER=* SYSNAME= NP DDNAME StepName ProcStep DSID Owner C Dest JESMSGLG JES2 2 TS0242 R LOCAL JESJCL JES2 3 TS0242 R LOCAL JESYSMSG JES2 4 TS0242 R LOCAL The above is displayed when I put a ? in the Held output screen. This is just to show you the report has 3 different reports. Then the customer goes back to the screen which shows the job name: SDSF HELD OUTPUT DISPLAY ALL CLASSES LINES 55 LINE 1 COMMAND INPUT ===> PREFIX=B1* DEST=(ALL) OWNER=* SORT=JOBNAME/A SYSNAME= NP JOBNAME JobID Owner Prty C ODisp Dest B100042B JOB09087 TS0242 144 R HOLD LOCAL Then select the job and receives the following messages: TSS7257E Unauthorized Access Level for JESSPOOL <ACSCM.TS0242.A200042B.JOB09143.D0000002.JESM> TSS7257E Unauthorized Access Level for JESSPOOL <ACSCM.TS0242.A200042B.JOB09143.D0000003.JESJ> TSS7257E Unauthorized Access Level for JESSPOOL <ACSCM.TS0242.A200042B.JOB09143.D0000004.JESY> TSS7141E Use of Accessor ID Suspended TSS7191E Job/Session Cancelled - Excessive Violations TSS7192E Session Locked - Excessive Violations: Signoff CS0042 LOGGED OFF TSO AT 14:57:54 ON MAY 23, 2022 IKJ56453I SESSION CANCELLED ****** I would hate to think someone would accidently try to look at an output they are not authorized to view and get their ID suspended. Maybe I am going at this all wrong. Is there a different way I should be doing this? Any help would be appreciated. We are currently at z/OS v2.4. Thank You ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected]<mailto:[email protected]> with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected]<mailto:[email protected]> with the message: INFO IBM-MAIN ================================ Rocket Software, Inc. and subsidiaries ? 77 Fourth Avenue, Waltham MA 02451 ? Main Office Toll Free Number: +1 855.577.4323 Contact Customer Support: https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport Unsubscribe from Marketing Messages/Manage Your Subscription Preferences - http://www.rocketsoftware.com/manage-your-email-preferences Privacy Policy - http://www.rocketsoftware.com/company/legal/privacy-policy ================================ This communication and any attachments may contain confidential information of Rocket Software, Inc. All unauthorized use, disclosure or distribution is prohibited. If you are not the intended recipient, please notify Rocket Software immediately and destroy all copies of this communication. Thank you. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
