Leonardo-
You may consider opening a Problem Ticket with CA with the ACF2 team. They 
have done this setup many times before. No need to re-invent the wheel.

zNorman

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Lizette Koehler
Sent: Tuesday, August 20, 2013 9:17 AM
To: [email protected]
Subject: Re: SDSF ISFPARMs to SAF security

Leonardo,

You might, if you have not done so, join the RACF newsgroup.  Even though you 
will be doing this for ACF2, they have a good knowledge of the JESSPOOL process 
and might be able to provide some suggestions.

RACF newsgroup: http://www.listserv.uga.edu/archives/racf-l.html

There is also an ACF2 newsgroup you might want to join as well if you have not 
done so.
It is on Yahoo groups: [email protected]

Lizette



-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Leonardo Vaz
Sent: Tuesday, August 20, 2013 9:09 AM
To: [email protected]
Subject: Re: SDSF ISFPARMs to SAF security

Hello great Lizette, thanks for the reply :)

We are using z/OS 1.12 and SDSF=HQX7770. We are also using ACF2.

Operator authority is not a problem, team-specific access is.

The problem is that some prod jobs have a NOTIFY of, let's say, NOTIFY=ABCD001 
and we have a GPLEN(4) on isfparms, so all users that start with ABCD would 
have access over that job. The jobname itself doesn’t start with ABCD.
Also, users have access to all jobs that start with the 4 first characters of 
their userid, and I couldn't find an easy way to do that through JESSPOOL that 
would not include defining tons of SAF profiles (one for each prefix).

Any insight? 

Thanks!
Leo


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Lizette Koehler
Sent: Monday, August 19, 2013 10:30 PM
To: [email protected]
Subject: Re: SDSF ISFPARMs to SAF security

What version of z/OS and/or SDSF?

Which SAF are you going to? RACF, TSS, ACF2?

The section on Security to SAF in SDSF manual SDSF Operation and Customization 
SA22-7670 should be helpful.

You can give operators access to jobs, output groups, or SYSIN/SYSOUT data sets 
for a particular destination, without authorizing the operators to those jobs, 
output groups, or SYSIN/SYSOUT data sets through the JESSPOOL class.

This destination operator authority is the equivalent of specifying DEST for 
CMDAUTH and ADEST for DSPAUTH in ISFPARMS. This is also used for authorizing 
destinations as described in “Destination names” on page 182.

To provide destination operator authority you:
1. Give the user READ authority to the ISFOPER.DEST.jesx profile in the SDSF 
class. This identifies a user as a destination operator for the SDSF session.
2. Give the user authorization for the profiles that protect destinations for 
jobs,



Lizette

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Leonardo Vaz
Sent: Monday, August 19, 2013 1:18 PM
To: [email protected]
Subject: SDSF ISFPARMs to SAF security

Hello list,

We are willing to migrate from ISFPARM to SAF for our SDSF security, the thing 
that is preventing us is that there is no direct replacement for NOTIFY or 
GROUP in the CMDAUTH and DSPAUTH parameters.

Any of you had a problem with this and could manage a workaround?

Regards,
Leonardo Vaz

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
[email protected] with the message: INFO IBM-MAIN
