David,

Why don't you give the option to select the RACF class to the customer? You can give the instructions to create a new class in CDT or instruct them to use the XFACILIT class.

Best Regards
Ituriel do Nascimento Neto
z/OS System Programmer

On Monday, November 13, 2023 at 18:27:18 BRT, David Cole <[email protected]> wrote:

Hi Jon,

Thanks for your thoughts, but I'm not trying to decide if I should use FACILITY. I'm trying to decide how I should go about discontinuing using FACILITY.

Based on suggestions from others on this thread, I've made the decision to switch to using a class named XFACILIT.

[Switching will be tricky though. I don't want to leave existing customers high and dry, so I'll have to "dual path" (sort of). But I don't want to create security exposures by doing it wrong.]

Dave

At 11/13/2023 02:51 PM, Jon Perryman wrote:
>On Mon, 13 Nov 2023 13:30:56 -0500, David Cole <[email protected]> wrote:
>
> >so while creating a "$XDC" class perhaps might be "easy", to
> >paraphrase Peter, why would I make a customer do that when I don't have to...
> >
> >So thank you to those who tipped me off about the XFACILIT. It sounds
> >perfect for my needs.
>
>Dave, as food for thought:
>
>RACF FACILITY is a special class which needs special consideration in recommending it. For instance, ask yourself why the resource name is restricted to 39 characters.
>
>If you choose to recommend FACILITY, you might need to document special considerations and include sections for each of the security products (e.g. RACF, ACF2 and Top-secret).
>
>It's been a very long time for me, but I think these are in storage rules. Probably not a big deal if you only have a couple of rules but it's something you should consider. Additionally, I believe FACILITY requires a refresh in RACF. I can't remember about ACF2 and Top-secret. These are customer considerations.
>
>If I remember correctly, RACF uses class numbers which has a limit. Classes are associated to a number and multiple classes can use the same number. It's not unusual for customers to combine classes into a single class but they must avoid resource name collisions. It's a good practice to uniquely identify your product in the resource name.
>
>I can't recall how ACF2 and Top-secret handle these situations. Maybe they have a facility to equate multiple RACF classes.
>
>As an alternative to FACILITY, you might consider a class that is not special but exists at all. For example, I've had customers use the dataset class.
>
>You may want to continue with class $XDC as your recommendation with alternatives. Equating classes can be useful. For instance, companies acquire other companies which means staff is dealing with multiple unique environments. It's easier to manage XDC rules when class $XDC is specified although it has a different meaning in each environment.
>
>I'm not suggesting you take this as advice but simply to make you aware of these points.
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to [email protected] with the message: INFO IBM-MAIN
