On Sun, 12 Nov 2023 07:13:03 -0800 Ed Jaffe <[email protected]>
wrote:
:>On 11/12/2023 3:02 AM, Binyamin Dissen wrote:
:>> You should make your own class.
:>>
:>> Classes can be dynamically added by adding to the CDT class.
:>
:>This is extra hassle at client sites and IMHO should be avoided.
With the CDT class, it is just a few RACF commands.
RDEFINE CDT class +
CDTINFO(+
MAXLENGTH(100) +
RACLIST(ALLOWED) +
GENLIST(ALLOWED)+
FIRST(ALPHA,NATIONAL,NUMERIC) +
OTHER(ALPHA,NUMERIC,NATIONAL,SPECIAL) +
POSIT(posit) +
DEFAULTRC(rc) /* 8=fail w/o profile, 4=use OPER */ +
OPERATIONS(oper) /* YES=Operations always allowed */ +
)
SETROPTS RACLIST(CDT) REFRESH
No need for assemblies or anything. If they are going to write rules, they
need the RACF knowledge anyway.
:>Long ago, we suggested clients create an "EJES" class for our (E)JES
:>product. There are three popular security products: RACF, ACF2, and TSS.
:>Unless you are well-versed in all three of them, I recommend you steer
:>clear of recommending new classes be created. (These days we recommend
:>clients use the existing "SDSF" class for (E)JES resources.)
Yeah, if you have a mirror class, great.
:>I recommend you use the XFACILIT class instead of FACILITY. Its raison
:>d'ĂȘtre addresses exactly your issue: resources in FACILITY are too short.
To each their own. For a distributed product I would recommend defining your
own class. Much more flexibility and you don't have to worry about something
else screwing with you.
--
Binyamin Dissen <[email protected]>
http://www.dissensoftware.com
Director, Dissen Software, Bar & Grill - Israel
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
