Hi Rex,

How have you activated tape protection in your environment - SETROPTS, 
PARMLIB(DEVSUPxx), or a Tape Management product option? What Tape Management 
product do you have?

Not that this may matter, but does your ID have READ access to FACILITY ICHBLP 
or your Tape Management product's equivalent? If it does, have you tried the 
function with an ID that does not have this access?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.                 *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
https://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date:    Thu, 12 Apr 2018 13:08:16 +0000
From:    "Pommier, Rex" <rpomm...@sfgmembers.com>
Subject: Re: [External] Re: Filemanager and security

Hi Kolusu,

Unfortunately that doesn't do it.  According to the FileManager documentation - 
which I verified on my system - granting any kind of access (read, update, 
alter, it doesn't matter) either grants you access to the function or denies it 
(access=none).  For example, if I grant READ access to FILEM.TAPE.OUTPUT, I 
have access to update tapes.  Likewise if I grant ALTER access to 
FILEM.TAPE.INPUT, all that gives me access to is tape browse type functions 
like tape browse and tape label display.  These are just toggles to the 
function within FileManager.  The problem that I am running into is that for 
example, if I have 2 production datasets on tape, one with GL information and 
the other with the payroll information on it, and I need to grant an accountant 
access to the GL information but not the payroll, it appears that I can't.  It 
looks like FileManager doesn't check dataset level access.  Once I grant access 
to FILEM.TAPE.INPUT, a user can browse data on any tape on the system, 
regardless of whether they have access at a dataset level or not.  

I'm hoping I just have something set wrong, but I can't seem to get FileManager 
to look at dataset level RACF protection on tapes.  As I mentioned earlier, I 
have a mixed GDG, with some generations on disk and others on tape.  If I grant 
an ID access to the TB function, whether through FILEM.FUNCTION.TB or through 
the grouping profile FILEM.TAPE.INPUT, I can look at the data on the tape, even 
though I can't look at the other generation that's on disk through FileManager. 
 

Test I just reran this morning.  GDG with 5 generations, 4 on disk, 1 on tape.  

ISPF edit on one of the disk based generations I got RACF security violation, 
ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
Filemanager option 2 edit on the same generation as ISPF:  ACCESS INTENT(READ   
)  ACCESS ALLOWED(NONE   )
Filemanager option 4.1, Tape Browse: FILEM.FUNCTION.TB CL(FACILITY)    ACCESS 
INTENT(READ   )  ACCESS ALLOWED(NONE   )    
Change FILEM.FUNCTION.TB to give me READ access to the FACILITY profile
Filemanager option 4.1:  I got access to browse the data
Filemanager option 2 with the tape generation: I got access.

Looks like it's time for a question to IBM FM folks to see if this is WAD.  In 
my mind, this is a security hole.

Rex

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Sri h Kolusu
Sent: Monday, April 09, 2018 4:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [External] Re: Filemanager and security

Pommier Rex,

I believe you need to update the following functions


FILEM.TAPE.INPUT
    Tape input functions
FILEM.TAPE.OUTPUT
    Tape output functions
FILEM.TAPE.DUPLICATE
    Tape copy functions
FILEM.TAPE.UPDATE
    Tape update functions

If you are only allowing browse function of the tape dataset then you need
to do something like this


PERMIT FILEM.TAPE.INTPUT CLASS(FACILITY) ID(userid) ACCESS(READ)

Check this link which explains in detail about the function

https://www.ibm.com/support/knowledgecenter/en/SSXJAV_13.1.0/com.ibm.filemanager.doc_13.1/cust/secracf.html

Thanks,
Kolusu

IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> wrote on
04/09/2018 12:10:19 PM:

> From: " SH19-8163-00, Rex" <rpomm...@sfgmembers.com>
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 04/09/2018 12:11 PM
> Subject: Filemanager and security
> Sent by: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU>
>
> Hello list,
>
> I've been poring through the FileManager manuals and either am
> missing something or it doesn't exist regarding security.  We're
> running FM 13.1 under ISPF so non-APF authorized.  I needed to grant
> the capability for browsing tape datasets to a developer.  I did
> this granting READ access to FILEM.FUNCTION.TB.  This granted the
> access to the tape browse function.  However, it appears that
> FileManager bypasses dataset name SAF checking if the user has
> access to the TB function.  To wit: a particular GDG has a mix of
> tape and disk generations.  I specifically denied access to this GDG
> to my ID.  I get a RACF violation when trying to browse the disk
> based generation, but FileManager allows me to use TB to look at the
> tape generation.  Is this WAS or am I missing some setting that
> tells FM to do dataset name SAF checking as well as FM function checking?
>
> TIA,
>
> Rex
>
> The information contained in this message is confidential, protected
> from disclosure and may be legally privileged.  If the reader of
> this message is not the intended recipient or an employee or agent
> responsible for delivering this message to the intended recipient,
> you are hereby notified that any disclosure, distribution, copying,
> or any action taken or action omitted in reliance on it, is strictly
> prohibited and may be unlawful.  If you have received this
> communication in error, please notify us immediately by replying to
> this message and destroy the material in its entirety, whether in
> electronic or hard copy format.  Thank you.
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Reply via email to