I don't know about others, but I would love to see the slide deck.

Ramsey
On Tue, Feb 7, 2023 at 2:53 PM Rob Scott <[email protected]> wrote:
> Note that there is no jobname qualifier on the JES2.CANCEL.BAT profile.
> This is why SDSF has the extra JESSPOOL profile check that goes beyond
> vanilla JES2 cancel command security.
>
> This extra check is ONLY performed inside SDSF and is made before we build
> the operator command text.
>
> Coincidentally I gave a presentation at virtual GSE today entitled "SDSF
> Security - How does it work under z/OS 2.5?" and the sequence of SAF checks
> is described with a few examples.
>
> If you want, I can forward you the slide deck.
>
> Rob Scott
> Rocket Software
>
> ________________________________
> From: IBM Mainframe Discussion List <[email protected]> on behalf of Shaffer, Terri <[email protected]>
> Sent: Tuesday, February 7, 2023 6:10:11 PM
> To: [email protected] <[email protected]>
> Subject: Re: RACF - SDSF question
>
> Okay, so not sure I really understand the way this works?
>
> Under JESSPOOL, checks nodeid.userid.jobname.jobid, so I could add my CICS
> jobname like C30TCI* here? Is this the SDSF command like C, P etc?
>
> Or under OPERCMDS I have
>
> JES2.CANCEL.BAT.C30TCI* (G)
> JES2.CANCEL.BAT.** (G)
>
> And now.
>
> MVS.CANCEL.BAT.C30TCI*.* (G)
> MVS.CANCEL.** (G)
>
> Where does the granularity take place, for certain jobs??
>
> I want the users to be able to cancel some batch jobs and everything they
> submitted, but not CICS, DB2 or other system things.
>
> Ms Terri E Shaffer
> Senior Systems Engineer,
> z/OS Support:
> ACIWorldwide - Telecommuter
> H(412-766-2697) C(412-519-2592)
> [email protected]
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Rob Scott
> Sent: Tuesday, February 7, 2023 9:54 AM
> To: [email protected]
> Subject: Re: RACF - SDSF question
>
> Note that one of the "value add" functions of SDSF is that it can check
> for ALTER access to the JESSPOOL profile for the owner and jobname for
> destructive actions like "C" and "P".
>
> Does not stop them using freeform "slash" to issue the raw operator
> command, but removes the convenience of the action character.
>
> Rob Scott
> Rocket Software
>
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Roger W Suhr
> Sent: 07 February 2023 14:22
> To: [email protected]
> Subject: Re: RACF - SDSF question
>
> Hi Ms. Terri,
>
> The OPERCMDS JES2.CANCEL.** profiles protect the JES2 ($C...) cancel command.
> I believe you also need to use the OPERCMDS MVS.CANCEL.STC.mbrname.id
> profile to protect the MVS CANCEL command.
>
> So in your case, that would be something like this (if you're running CICS
> as an STC!):
> MVS.CANCEL.STC.C30TCI* (G)
> MVS.CANCEL.STC.** (G)
>
> Roger W. Suhr
> [email protected]
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Shaffer, Terri
> Sent: Tuesday, February 7, 2023 8:32
> To: [email protected]
> Subject: RACF - SDSF question
>
> Hi,
> I know there is a RACF group, but hopefully this is simple and I am just
> missing something I have done 100 times over with no issues.
>
> We run our CICS regions as batch jobs, and I just found out that a user,
> instead of issuing a CEMT PERF SHUT command, is canceling it.
>
> Which then causes 100 VSAM messages on startup with all the verifies,
> and if something goes wrong they call me...
>
> So I tried to stop this habit. I know they are putting a C beside the CICS
> and a $CJ(xxxxx) command.
>
> So I have 2 rules in RACF under OPERCMDS
>
> JES2.CANCEL.BAT.C30TCI* (G)
> JES2.CANCEL.BAT.** (G)
>
> If I restrict the BAT.** then they can't cancel even their own batch jobs,
> so I always thought more specific is looked at first?
>
> One of my previous co-workers implemented SDSF-RACF rules converted from
> ISFPARMS.
>
> Lastly, I understand this doesn't stop them from canceling any other jobs,
> but since this is a development shop we allow more access than most.
>
> But I don't want users canceling a CICS or DB2 etc.
>
> Any ideas how they are getting the access and not stopped with the more
> specific rule??
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
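As an added illustration of the point Rob makes in the thread (this is not code from the thread, from SDSF or from RACF), a small Python model of RACF best-match profile selection: the raw $C command is checked against JES2.CANCEL.BAT, which a jobname-suffixed OPERCMDS profile can never match, while SDSF's JESSPOOL check on nodeid.userid.jobname.jobid does carry the jobname and so supplies the granularity. The profiles, user ids, job names and the matching rules are constructed and simplified, and the access level required for $C is an assumption of the model.

```python
import re

ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]
CMD_ACCESS = "UPDATE"  # access level assumed in this model for the JES2 $C command

# Constructed profiles/permits (added example, not from the thread) modelled on the quoted ones.
OPERCMDS = {
    "JES2.CANCEL.BAT.C30TCI*": {"DEVUSER": "NONE"},    # meant to block cancelling CICS
    "JES2.CANCEL.BAT.**":      {"DEVUSER": "UPDATE"},  # lets users cancel batch jobs
}
JESSPOOL = {  # nodeid.userid.jobname.jobid, the resource SDSF checks for job actions
    "*.DEVUSER.*.*": {"DEVUSER": "ALTER"},  # own jobs: destructive actions allowed
    "*.*.C30TCI*.*": {"DEVUSER": "READ"},   # CICS regions: browse only
    "*.*.*.*":       {"DEVUSER": "ALTER"},
}

def profile_to_regex(profile):
    # Simplified RACF generic syntax: % = one char, * = chars within a qualifier
    # (a lone * = one whole qualifier), ** = zero or more qualifiers (final position only).
    pieces = []
    for i, q in enumerate(profile.split(".")):
        if q == "**":
            pieces.append(r"(?:\.[^.]+)*" if i else r"(?:[^.]+(?:\.[^.]+)*)?")
            continue
        body = r"[^.]+" if q == "*" else "".join(
            r"[^.]*" if c == "*" else r"[^.]" if c == "%" else re.escape(c) for c in q)
        pieces.append((r"\." if i else "") + body)
    return "".join(pieces)

def specificity(profile):
    # RACF compares names character by character: literal beats %, % beats *, * beats ** (lower key wins).
    rank = {"\x00": 3, "*": 2, "%": 1}
    return [rank.get(c, 0) for c in profile.replace("**", "\x00\x00")]

def best_match(profiles, resource):
    hits = [p for p in profiles if re.fullmatch(profile_to_regex(p), resource)]
    return min(hits, key=specificity) if hits else None

def access_allowed(profiles, resource, user, required):
    prof = best_match(profiles, resource)
    level = profiles[prof].get(user, "NONE") if prof else "NONE"  # model: no profile -> no access
    return ACCESS_ORDER.index(level) >= ACCESS_ORDER.index(required)

def raw_jes2_cancel_allowed(user):
    # $CJ(nnnnn) carries no jobname: only a profile matching JES2.CANCEL.BAT itself applies.
    return access_allowed(OPERCMDS, "JES2.CANCEL.BAT", user, CMD_ACCESS)

def sdsf_c_action_allowed(user, node, owner, jobname, jobid):
    # SDSF's extra JESSPOOL ALTER check runs before the operator command text is built.
    spool = f"{node}.{owner}.{jobname}.{jobid}"
    return access_allowed(JESSPOOL, spool, user, "ALTER") and raw_jes2_cancel_allowed(user)
```

With these profiles the freeform $C is still permitted through JES2.CANCEL.BAT.**, exactly the behaviour described in the thread, while the SDSF C action on a C30TCI* job is refused by the JESSPOOL check.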
