IMO this is APARable. This is a security hole. Even if you have the function access in FM, the dataset access should also be checked.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Pommier, Rex
Sent: Thursday, April 12, 2018 8:08 AM
To: [email protected]
Subject: Re: [External] Re: Filemanager and security

Hi Kolusu,

Unfortunately that doesn't do it. According to the FileManager documentation - which I verified on my system - granting any kind of access (read, update, alter, it doesn't matter) either grants you access to the function or denies it (access=none). For example, if I grant READ access to FILEM.TAPE.OUTPUT, I have access to update tapes. Likewise, if I grant ALTER access to FILEM.TAPE.INPUT, all that gives me access to is tape browse type functions like tape browse and tape label display. These are just toggles to the function within FileManager.

The problem that I am running into is that, for example, if I have 2 production datasets on tape, one with GL information and the other with the payroll information on it, and I need to grant an accountant access to the GL information but not the payroll, it appears that I can't. It looks like FileManager doesn't check dataset level access. Once I grant access to FILEM.TAPE.INPUT, a user can browse data on any tape on the system, regardless of whether they have access at a dataset level or not. I'm hoping I just have something set wrong, but I can't seem to get FileManager to look at dataset level RACF protection on tapes.

As I mentioned earlier, I have a mixed GDG, with some generations on disk and others on tape. If I grant an ID access to the TB function, whether through FILEM.FUNCTION.TB or through the grouping profile FILEM.TAPE.INPUT, I can look at the data on the tape, even though I can't look at the other generation that's on disk through FileManager.

Test I just reran this morning. GDG with 5 generations, 4 on disk, 1 on tape.

ISPF edit on one of the disk based generations: I got RACF security violation, ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
Filemanager option 2 edit on the same generation as ISPF: ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
Filemanager option 4.1, Tape Browse: FILEM.FUNCTION.TB CL(FACILITY) ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
Change FILEM.FUNCTION.TB to give me READ access to the FACILITY profile
Filemanager option 4.1: I got access to browse the data
Filemanager option 2 with the tape generation: I got access.

Looks like it's time for a question to IBM FM folks to see if this is WAD. In my mind, this is a security hole.

Rex

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Sri h Kolusu
Sent: Monday, April 09, 2018 4:21 PM
To: [email protected]
Subject: [External] Re: Filemanager and security

Pommier Rex,

I believe you need to update the following functions:

FILEM.TAPE.INPUT      Tape input functions
FILEM.TAPE.OUTPUT     Tape output functions
FILEM.TAPE.DUPLICATE  Tape copy functions
FILEM.TAPE.UPDATE     Tape update functions

If you are only allowing the browse function of the tape dataset, then you need to do something like this:

PERMIT FILEM.TAPE.INPUT CLASS(FACILITY) ID(userid) ACCESS(READ)

Check this link, which explains the functions in detail:
https://www.ibm.com/support/knowledgecenter/en/SSXJAV_13.1.0/com.ibm.filemanager.doc_13.1/cust/secracf.html

Thanks,
Kolusu

IBM Mainframe Discussion List <[email protected]> wrote on 04/09/2018 12:10:19 PM:

> From: "Pommier, Rex" <[email protected]>
> To: [email protected]
> Date: 04/09/2018 12:11 PM
> Subject: Filemanager and security
> Sent by: IBM Mainframe Discussion List <[email protected]>
>
> Hello list,
>
> I've been poring through the FileManager manuals and either am missing something or it doesn't exist regarding security. We're running FM 13.1 under ISPF so non-APF authorized. I needed to grant the capability for browsing tape datasets to a developer. I did this by granting READ access to FILEM.FUNCTION.TB. This granted the access to the tape browse function. However, it appears that FileManager bypasses dataset name SAF checking if the user has access to the TB function. To wit: a particular GDG has a mix of tape and disk generations. I specifically denied access to this GDG to my ID. I get a RACF violation when trying to browse the disk based generation, but FileManager allows me to use TB to look at the tape generation. Is this WAD or am I missing some setting that tells FM to do dataset name SAF checking as well as FM function checking?
>
> TIA,
>
> Rex
>
> The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to [email protected] with the message: INFO IBM-MAIN
> ----------------------------------------------------------------------

::DISCLAIMER::
----------------------------------------------------------------------
The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only. E-mail transmission is not guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or may contain viruses in transmission. The e-mail and its contents (with or without referred errors) shall therefore not attach any liability on the originator or HCL or its affiliates. Views or opinions, if any, presented in this email are solely those of the author and may not necessarily reflect the views or opinions of HCL or its affiliates. Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of this message without the prior written consent of an authorized representative of HCL is strictly prohibited. If you have received this email in error please delete it and notify the sender immediately. Before opening any email and/or attachments, please check them for viruses and other defects.
----------------------------------------------------------------------
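The test Rex describes (FACILITY profile granted, DATASET profile denied, then try tape browse) is the check any site running FM should be able to repeat after an upgrade or an APAR. The following TSO/RACF command sequence is an added example written for this thread, not something posted by Rex, Kolusu or IBM; the user ID TESTUSR, the dataset prefix PROD.PAYROLL and the GDG name are constructed placeholders, and the FACILITY profile names are the ones quoted in the thread.

```tso
/* Added example: repeat the thread's two-layer access test.            */
/* TESTUSR, PROD.PAYROLL.** are placeholders; FILEM.* names come from    */
/* the thread. Run from an ID with the authority to administer both      */
/* the FACILITY class and the DATASET profiles involved.                 */

/* 1. Record who can already reach the FM tape functions, so the state  */
/*    can be restored afterwards.                                       */
RLIST FACILITY FILEM.FUNCTION.TB AUTHUSER
RLIST FACILITY FILEM.TAPE.INPUT  AUTHUSER

/* 2. Confirm the dataset-level protection that is expected to hold     */
/*    for the tape generations as well as the disk ones.                */
LISTDSD DATASET('PROD.PAYROLL.**') GENERIC AUTHUSER

/* 3. Give the test ID only the tape browse function, nothing else.     */
PERMIT FILEM.FUNCTION.TB CLASS(FACILITY) ID(TESTUSR) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

/* 4. Explicitly deny the same ID at the dataset level.                 */
PERMIT 'PROD.PAYROLL.**' GENERIC ID(TESTUSR) ACCESS(NONE)
SETROPTS GENERIC(DATASET) REFRESH

/* 5. Logged on as TESTUSR, run FM option 4.1 (Tape Browse) against a   */
/*    tape generation of PROD.PAYROLL.GDG, then option 2 against a disk */
/*    generation. Expected: both produce an ICH408I violation with      */
/*    ACCESS INTENT(READ ) ACCESS ALLOWED(NONE ). If the tape browse    */
/*    succeeds, the site is exposed exactly as described in the thread. */

/* 6. Remove the test grants once the result has been recorded.         */
PERMIT FILEM.FUNCTION.TB CLASS(FACILITY) ID(TESTUSR) DELETE
SETROPTS RACLIST(FACILITY) REFRESH
PERMIT 'PROD.PAYROLL.**' GENERIC ID(TESTUSR) DELETE
SETROPTS GENERIC(DATASET) REFRESH
```

Step 5 is the observation point rather than a command, since the behaviour under test is FM's own SAF call (or lack of one) when it opens the tape. Until an APAR or a setting makes FM perform the dataset check itself, the only compensating control visible from the commands above is the FACILITY class: READ on FILEM.FUNCTION.TB or FILEM.TAPE.INPUT has to be treated as granting browse of every tape on the system, and the RLIST AUTHUSER output in step 1 is the list to review.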
