I guess this brings up another question, which is probably why I am confused.
This is for MVS cancel
CANCEL jobname MVS.CANCEL.JOB.jobname MVS.CANCEL.** Update Medium
And
Table 1. RACF profiles and JES2 commands

JES2 Command   Resource Name     Generic Profile      Access Required(1)   Security Risk
$C J           JES2.CANCEL.BAT   JES2.CANCEL.BAT.**   Update               Medium
$C 'jobname'   JES2.CANCEL.JOB   JES2.CANCEL.**       Update               Medium
So is the ** a generic but is the only option?
Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
[email protected]
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Rob
Scott
Sent: Tuesday, February 7, 2023 3:52 PM
To: [email protected]
Subject: Re: RACF - SDSF question
Note that there is no jobname qualifier on the JES2.CANCEL.BAT profile. This is
why SDSF has the extra JESSPOOL profile check that goes beyond vanilla JES2
cancel command security.
This extra check is ONLY performed inside SDSF and is made before we build the
operator command text.
Coincidentally I gave a presentation at virtual GSE today entitled "SDSF
Security - How does it work under z/OS 2.5?" and the sequence of SAF checks is
described with a few examples.
If you want, I can forward you the slide deck.
Rob Scott
Rocket Software
________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of
Shaffer, Terri <[email protected]>
Sent: Tuesday, February 7, 2023 6:10:11 PM
To: [email protected] <[email protected]>
Subject: Re: RACF - SDSF question
Okay, so not sure I really understand the way this works?
Under jesspool, checks nodeid.userid.jobname.jobid, so I could add my cics
jobname like C30TCI* here? Is this the SDSF command like C, P etc?
Or under OPERCMDS I have
JES2.CANCEL.BAT.C30TCI* (G)
JES2.CANCEL.BAT.** (G)
And now.
MVS.CANCEL.BAT.C30TCI*.* (G)
MVS.CANCEL.** (G)
Where does the granularity take place, for certain jobs??
I want the users to be able to cancel some batch jobs and everything they
submitted, but not CICS, DB2 or other system things.
Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
[email protected]
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Rob
Scott
Sent: Tuesday, February 7, 2023 9:54 AM
To: [email protected]
Subject: Re: RACF - SDSF question
Note that one of the "value add" functions of SDSF is that it can check for
ALTER access to the JESSPOOL profile for the owner and jobname for destructive
actions like "C" and "P".
Does not stop them using freeform "slash" to issue the raw operator command,
but removes the convenience of the action character.
Rob Scott
Rocket Software
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Roger W Suhr
Sent: 07 February 2023 14:22
To: [email protected]
Subject: Re: RACF - SDSF question
Hi Ms. Terri,
The OPERCMDS JES2.CANCEL.** profiles protect the JES2 ($C...) cancel command.
I believe you also need to use the OPERCMDS MVS.CANCEL.STC.mbrname.id profile
to protect the MVS CANCEL command.
So in your case, that would be something like this: (if you're running CICS as an
STC!)
MVS.CANCEL.STC.C30TCI* (G)
MVS.CANCEL.STC.** (G)
Roger W. Suhr
[email protected]
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Shaffer, Terri
Sent: Tuesday, February 7, 2023 8:32
To: [email protected]
Subject: RACF - SDSF question
Hi,
I know there is a RACF group, but hopefully this is simple and I am just
missing something I have done 100 times over with no issues.
We run our CICS regions as batch jobs, and I just found out a user instead of
them issuing a CEMT PERF SHUT command, they are canceling it.
Which then causes 100 VSAM messages on startup with all the verifies, and if
something goes wrong they call me...
So I tried to stop this habit, I know they are putting a C beside the CICS and
a $CJ(xxxxx) command
So I have 2 rules in RACF under OPERCMDS
JES2.CANCEL.BAT.C30TCI* (G)
JES2.CANCEL.BAT.** (G)
If I restrict the BAT.** then they can't cancel even their own batch jobs, so I
always thought more specific is looked at first?
One of my previous co-workers implemented SDSF-RACF rules converted from
ISFPARMS.
Lastly, I understand this doesn't stop them from canceling any other jobs, but
since this is a development shop we allow more access than most.
But I don't want users canceling a CICS or DB2 etc.
Any ideas how they are getting the access and not stopped with the more
specific rule??
Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
[email protected]
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
[email protected] with the message:
INFO IBM-MAIN
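
The following is an added example, not part of any message in the thread and not IBM or Rocket code: it applies RACF's generic matching rules for general resource classes to the profiles quoted above and reports which profile covers the resource name each cancel path presents. The JESSPOOL profiles, the MVS.CANCEL.JOB.C30TCI* profile, the node, owner and job ID values, and the specificity ordering are assumptions.

```python
import re

def _qual(pat, q):
    # Within one qualifier: % = any single character, * = zero or more characters
    rx = "".join("[^.]" if c == "%" else "[^.]*" if c == "*" else re.escape(c)
                 for c in pat)
    return re.fullmatch(rx, q) is not None

def matches(profile, resource):
    """RACF generic matching for general resource classes (RACFVARS not modelled)."""
    def walk(p, r):
        if not p:
            return not r
        head, rest = p[0], p[1:]
        if head == "**":                     # zero or more qualifiers
            return any(walk(rest, r[i:]) for i in range(len(r) + 1))
        if head == "*":                      # one qualifier; one or more when last
            return bool(r) and (not rest or walk(rest, r[1:]))
        if not r or not _qual(head, r[0]):
            return False
        if not rest and head.endswith("*"):  # trailing ABC* also spans later qualifiers
            return True
        return walk(rest, r[1:])
    return walk(profile.split("."), resource.split("."))

def covering(profiles, resource):
    """Most specific matching profile, or None. Ordering is a simplification
    (assumption): compare left to right, literal character before % before *."""
    hits = [p for p in profiles if matches(p, resource)]
    return min(hits, key=lambda n: tuple("%*".find(c) + 1 for c in n)) if hits else None

# Profiles quoted in the thread, plus hypothetical ones marked below.
OPERCMDS = ["JES2.CANCEL.BAT.C30TCI*", "JES2.CANCEL.BAT.**",
            "MVS.CANCEL.BAT.C30TCI*.*", "MVS.CANCEL.**",
            "MVS.CANCEL.JOB.C30TCI*"]        # hypothetical: JOB, per the MVS table row
JESSPOOL = ["*.*.C30TCI*.*", "**"]           # hypothetical JESSPOOL profiles

def checks_for_cancel(jobname, node="N1", owner="USERA", jobid="JOB01234"):
    """Resource name each cancel path presents, mapped to its covering profile.
    node, owner and jobid are constructed sample values."""
    spool = f"{node}.{owner}.{jobname}.{jobid}"
    return {
        "SDSF C action, JESSPOOL (ALTER)": covering(JESSPOOL, spool),
        "$C J, OPERCMDS (UPDATE)": covering(OPERCMDS, "JES2.CANCEL.BAT"),
        "CANCEL jobname, OPERCMDS (UPDATE)": covering(OPERCMDS, f"MVS.CANCEL.JOB.{jobname}"),
    }

if __name__ == "__main__":
    print(checks_for_cancel("C30TCI01"), checks_for_cancel("PAYROLL1"), sep="\n")
```

For both sample jobs the $C J path resolves to JES2.CANCEL.BAT.**, because that resource name carries no jobname qualifier; only the JESSPOOL check and the MVS.CANCEL.JOB.jobname check can tell the CICS region apart from other batch jobs.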