Hi Alan,

Thanks. One thing: since I have never set up anything for the VMLAN RACF class from the get-go, I displayed what it looks like now, and here is what I see. It looks like everything is allowed. Do I still need to add a specific profile, or does this rule cover all? This is what it looks like now:

    rac sr class(vmlan)
    * (G)
    rac rlist vmlan * all
    CLASS      NAME
    -----      ----
    VMLAN      * (G)

    LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
    -----  --------   ----------------  -----------  -------
     00    S1V3            UPDATE          UPDATE       NO

Thank You,

Terry Martin
Lockheed Martin
CMS - CITIC
3300 Lord Baltimore Drive, Suite 200, 21244
Engineering Computing Mainframe Support
Cell - 443 632-4191

-----Original Message-----
From: The IBM z/VM Operating System [mailto:IBMVM@LISTSERV.UARK.EDU] On Behalf Of Alan Altmark
Sent: Monday, April 04, 2011 1:17 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VLAN and GRANT

On Monday, 04/04/2011 at 12:12 EDT, "Martin, Terry R. (CMS/CTR) (CTR)" <terry.mar...@cms.hhs.gov> wrote:
> This weekend we changed the SWITCH on the Data Comm side to tag a new VLAN
> (581). Up to this point the switch was only set up for ACCESS switch not
> TRUNK with a default VLAN of 472. Now the SWITCH PORT is changed to handle
> TRUNKING.
>
> On my z/VM side I set up the VSWITCH to now handle VLAN tagging. Everything
> looks good on the switch side but when I try testing a z/Linux guest in terms
> of having it connect to the VSWITCH via VLAN 851 it still does not get to the
> Subnet pointed to by VLAN 581. I did the GRANT for this guest:
>
> SET VSWITCH VSE4DD11 GRANT E49L250D VLAN 851.
>
> What am I missing? Now I did not do anything with RACF for this do I need to
> allow something in RACF?

Please see "VLAN ID-qualified profiles" in the RACF Security Administrator's Guide. If this VSWITCH is protected by RACF, then
1) The user needs UPDATE access to SYSTEM.VSE4DD11
2) The user needs UPDATE access to SYSTEM.VSE4DD11.0851

If the user doesn't have access to a VLAN-qualified profile, then the user will be authorized for the default VLAN ID specified on DEFINE VSWITCH. This is why I like to see
  DEFINE VSWITCH VSE4DD11 VLAN 666 ....
where 666 is a VLAN ID that the vswitch is not now and never shall be authorized to use. This ensures that you have an explicit authorization.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
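
The access rule described in the reply above, as an added example that is not part of the original thread and is not RACF or CP code: a simplified Python model in which a guest needs UPDATE on both SYSTEM.VSE4DD11 and SYSTEM.VSE4DD11.0851 and otherwise falls back to the default VLAN. Assumptions: the generic * profile matches every resource name, a discrete profile takes precedence over it, and the HARDENED profile set and the guests OTHERGST and BASEONLY are constructed for illustration.

```python
# Simplified model of the VMLAN check described in the reply; not RACF/CP code.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2}

def access(user, resource, profiles):
    """Access level from the discrete profile if present, else generic '*'."""
    # Assumption: '*' matches every resource name; discrete profiles win.
    prof = profiles.get(resource) or profiles.get("*")
    if prof is None:
        return "NONE"  # assumption: model covers RACF-protected switches only
    return prof["permits"].get(user, prof["uacc"])

def has_update(user, resource, profiles):
    """True when the user's access to the resource is at least UPDATE."""
    return LEVELS[access(user, resource, profiles)] >= LEVELS["UPDATE"]

def effective_vlan(user, switch, vlan, default_vlan, profiles):
    """VLAN the guest ends up authorized for, or None if refused the switch."""
    base = f"SYSTEM.{switch}"
    if not has_update(user, base, profiles):
        return None
    if has_update(user, f"{base}.{vlan:04d}", profiles):
        return vlan
    return default_vlan  # no VLAN-qualified access: default VLAN applies

# Profile set matching the RLIST output in the post: one generic, UACC UPDATE.
CURRENT = {"*": {"uacc": "UPDATE", "permits": {}}}

# Constructed alternative: explicit profiles, nothing granted by default.
HARDENED = {
    "*": {"uacc": "NONE", "permits": {}},
    "SYSTEM.VSE4DD11": {"uacc": "NONE",
                        "permits": {"E49L250D": "UPDATE", "BASEONLY": "UPDATE"}},
    "SYSTEM.VSE4DD11.0851": {"uacc": "NONE", "permits": {"E49L250D": "UPDATE"}},
}

if __name__ == "__main__":
    for name, profiles in (("CURRENT", CURRENT), ("HARDENED", HARDENED)):
        for guest in ("E49L250D", "OTHERGST", "BASEONLY"):
            vlan = effective_vlan(guest, "VSE4DD11", 851, 666, profiles)
            print(f"{name:8} {guest:8} -> {vlan}")
```

With the single generic profile at UACC UPDATE, every guest in the model reaches VLAN 851; with the constructed discrete profiles, a guest permitted only to the base profile lands on the unused default VLAN 666.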