My understanding of *BYPASS* is that it is used when there is no available ACEE for passing into RACF. The MVS/Planning Operations manual when discussing LOGON(OPTIONAL) for consoles states:

Note: If an operator has not logged on to the console, commands are passed to the security product indicating an operator id of *BYPASS*.

--
Artificial Intelligence is no match for Natural Stupidity - Unknown

On Mon, Apr 20, 2020 at 2:40 PM Lennie Dymoke-Bradshaw <[email protected]> wrote:

> I also see that a userid of *BYPASS* is supported in some circumstances.
> There are some notes under this in the RACROUTE manual under REQUEST=VERIFY.
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web: www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Lennie Dymoke-Bradshaw
> Sent: 20 April 2020 20:37
> To: [email protected]
> Subject: Re: [IBM-MAIN] JESSPOOL problem accessing SYSLOG
>
> Interesting.
>
> Seems to raise 2 questions.
> 1. Why is the 2nd qualifier "*BYPASS*"?
> 2. Why can you not find a profile that will match it?
>
> When I look at all the output on my system (z/OS 2.3) by setting no prefix
> and using the O SDF primary command, I see that the SYSLOG task is using a
> userid of +MASTER+.
> What is yours using?
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web: www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Lou Losee
> Sent: 20 April 2020 20:29
> To: [email protected]
> Subject: [IBM-MAIN] JESSPOOL problem accessing SYSLOG
>
> I posted this to RACF-L earlier, but have not received a response to help
> solve the problem so I have decided to cross-post here.
>
> I have a problem accessing the SYSLOG from SDSF on one LPAR. The problem
> appears to be caused by the second qualifier in the RACHECK request being
> *BYPASS* when it usually (on other systems/LPARs) is +MASTER+. Here is the
> ICH408I message I receive:
>
> ICH408I USER(THEUSER) GROUP(THEGROUP ) NAME(JOHN SMITH )
>   TST1JES.*BYPASS*.SYSLOG.SYSTEM.TST1 CL(JESSPOOL)
>   PROFILE NOT FOUND - REQUIRED FOR AUTHORITY CHECKING
>   ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
>
> I have tried creating the following JESSPOOL profiles yet still get the
> same error:
> TST1JES.**
> TST1JES.%BYPASS%.SYSLOG.SYSTEM.TST1
> TST1JES.*.SYSLOG.SYSTEM.TST1
>
> Has anyone run into this before and have a solution?
>
> Right now the only ways I have found to get around it are:
> 1) Deactivate JESSPOOL (i.e., SETR NOCLASSACT(JESSPOOL))
> 2) Setting the SDSF property SECURITY.SYSLOG.USESAFRECVR to TRUE.
>
> Lou
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to [email protected] with the message: INFO IBM-MAIN
