Hi Jon,
Thanks for your thoughts, but I'm not trying to
decide if I should use FACILITY. I'm trying to
decide how I should go about discontinuing using FACILITY.
Based on suggestions from others on this thread,
I've made the decision to switch to using a class named XFACILIT.
[Switching will be tricky though. I don't want to
leave existing customers high and dry, so I'll
have to "dual path" (sort of). But I don't want
to create security exposures by doing it wrong.]
Dave
At 11/13/2023 02:51 PM, Jon Perryman wrote:
On Mon, 13 Nov 2023 13:30:56 -0500, David Cole <[email protected]> wrote:
>so while creating a "$XDC" class perhaps might be "easy", to
>paraphrase Peter, why would I make a customer
>do that when I don't have to...
>
>So thank you to those who tipped me off about the XFACILIT. It sounds
>perfect for my needs.
Dave, as food for thought:
RACF FACILITY is a special class which needs
special consideration in recommending it. For
instance, ask yourself why the resource name is restricted to 39 characters.
If you choose to recommend FACILITY, you might
need to document special considerations and
include sections for each of the security
products (e.g. RACF, ACF2 and Top-secret).
It's been a very long time for me, but I think
these are in storage rules. Probably not a big
deal if you only have a couple of rules but it's
something you should consider. Additionally, I
believe FACILITY requires a refresh in RACF. I
can't remember about ACF2 and Top-secret. These are customer considerations.
If I remember correctly, RACF uses class numbers
which has a limit. Classes are associated to a
number and multiple classes can use the same
number. It's not unusual for customers to
combine classes into a single class but they
must avoid resource name collisions. It's a good
practice to uniquely identify your product in the resource name.
I can't recall how ACF2 and Top-secret handle
these situations. Maybe they have a facility to equate multiple RACF classes.
As an alternative to FACILITY, you might
consider a class that is not special but exists
at all. For example, I've had customers use the dataset class.
You may want to continue with class $XDC as your
recommendation with alternatives. Equating
classes can be useful. For instance, companies
acquire other companies which means staff is
dealing with multiple unique environments. It
It's easier to manage XDC rules when class $XDC is
specified although it has a different meaning in each environment.
I'm not suggesting you take this as advice but
simply to make you aware of these points.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
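Added example (not code from this thread, from XDC, or from any security product): a small Python model of the "dual path" check Dave describes, contrasting a fallback that fails open with one that fails closed. It assumes a product named XDC that prefixes its resource names with "XDC.", a mock SAF that returns the documented RACROUTE REQUEST=AUTH SAF return codes (0 authorized, 4 no covering profile or class not active, 8 not authorized), and a constructed set of profiles; generic profiles and RACLIST processing are deliberately left out.

```python
"""Dual-path SAF authorization during a FACILITY -> XFACILIT migration.

Added example, not code from the IBM-MAIN thread or from any product.
Assumptions: the product is called XDC and prefixes its resource names
with "XDC."; the mock SAF below returns the RACROUTE REQUEST=AUTH SAF
return codes 0 (authorized), 4 (no covering profile, or class not active)
and 8 (not authorized).  Generic profiles and RACLIST are omitted.
"""
from dataclasses import dataclass, field

SAF_OK, SAF_NOPROF, SAF_DENIED = 0, 4, 8
NEW_CLASS, OLD_CLASS = "XFACILIT", "FACILITY"


@dataclass
class MockSAF:
    """Constructed stand-in for RACROUTE REQUEST=AUTH.

    profiles: class -> resource -> userid -> permitted (discrete profiles only)
    active:   set of active class names
    """
    profiles: dict = field(default_factory=dict)
    active: set = field(default_factory=set)

    def auth(self, userid: str, klass: str, resource: str) -> int:
        if klass not in self.active:
            return SAF_NOPROF            # inactive class gives no decision, like RC 4
        profile = self.profiles.get(klass, {}).get(resource)
        if profile is None:
            return SAF_NOPROF            # no covering profile in this class
        return SAF_OK if profile.get(userid, False) else SAF_DENIED


def check_fail_open(saf: MockSAF, userid: str, resource: str) -> bool:
    """The tempting but wrong dual path: anything short of OK in the new
    class falls through to FACILITY, so a denial recorded in XFACILIT is
    overridden by a stale FACILITY profile that still permits the user."""
    if saf.auth(userid, NEW_CLASS, resource) == SAF_OK:
        return True
    return saf.auth(userid, OLD_CLASS, resource) == SAF_OK


def check_fail_closed(saf: MockSAF, userid: str, resource: str) -> bool:
    """Fall back to FACILITY only when XFACILIT gives no decision (RC 4).
    A denial in the new class is final, and a resource defined in neither
    class is denied rather than silently permitted."""
    rc = saf.auth(userid, NEW_CLASS, resource)
    if rc == SAF_NOPROF:
        rc = saf.auth(userid, OLD_CLASS, resource)
    return rc == SAF_OK


def build_sample_saf() -> MockSAF:
    """Constructed mid-migration snapshot: XDC.ADMIN has been copied to
    XFACILIT and BOB was revoked there; XDC.REPORT still lives only in
    FACILITY.  Both classes are active."""
    return MockSAF(
        profiles={
            OLD_CLASS: {"XDC.ADMIN": {"ALICE": True, "BOB": True},
                        "XDC.REPORT": {"CAROL": True}},
            NEW_CLASS: {"XDC.ADMIN": {"ALICE": True, "BOB": False}},
        },
        active={OLD_CLASS, NEW_CLASS},
    )


if __name__ == "__main__":
    saf = build_sample_saf()
    for userid, resource in [("BOB", "XDC.ADMIN"), ("ALICE", "XDC.ADMIN"),
                             ("CAROL", "XDC.REPORT"), ("CAROL", "XDC.NOSUCH")]:
        print(f"{userid:6} {resource:11} "
              f"fail-open={check_fail_open(saf, userid, resource)!s:5} "
              f"fail-closed={check_fail_closed(saf, userid, resource)}")
```

The point of the example is that the fallback must key on the SAF return code rather than on a yes/no answer: only "no covering profile" (RC 4) justifies consulting the old class, and once a customer has defined a resource in XFACILIT the FACILITY profile for it no longer has any say, which is what lets the old profiles be deleted safely at the end of the migration.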