On Wednesday, 08/21/2013 at 12:33 EDT, "Will, Chris" <[email protected]> wrote:
> After looking at all the rac permits that need to be researched and entered
> (see chapter 25, step 2 of the z/VM 6.3 installation guide), it seems like it
> may be easier to just start from scratch. Why aren't these addressed in the
> instupgr step? At the very least, the ESM considerations should be done before
> the recycle of dirmaint (that is what I have spent the last day fixing).

There are a set of new IDs that will be created and they will need the same access rights as their predecessors. If you have a SYSPROG group, for example, you will need to connect MAINT630 to it. INSTUPGR has no idea whether you have done that. I think products like zSecure can replicate permissions quickly and easily.

However, if you have the DIRMAINT-RACF connector turned on, then the creation of USER profiles will be automatic, as will their VMMDISK profiles and permissions. I.e. the moral equivalent of DIRM FOR DIRMAINT AMDISK will be generated automatically. So only things outside the realm of the DIRMAINT-RACF connector (e.g. group membership) need to be handled manually.

That wouldn't be all that much, but it includes LINKs! The privileged form of DIRM FOR <user> LINK should be driving a RACF connector, but it isn't.

From an ESM perspective, realize that changing the indirect LINKs in MAINT to point to MAINT630 *may* drive a lot of permission changes. E.g. People who LINK MAINT 490 today have authorization to MAINT620 490. Now they need MAINT630 490. How to get it? To give RACF examples:

- VMMDISK class is inactive, so it's CP's problem. (Puh-leeze)
- GLBLDSK entry in HCPRWA (cough)
- Global Access Checking table entry in RACF (Good for this particular case)
- Access via discrete VMMDISK profile (SOP)
- Access via generic VMMDISK profile (I don't recommend this for mdisks)
- Access via OPERATIONS authority (boo! hiss!)

A DIRMAINT-RACF connector could be added to help with LINK processing, but that discussion needs to be had with the Support Center.

Alan Altmark

Senior Managing z/VM and Linux Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
[email protected]
IBM Endicott
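
An added example, not part of the original message or any IBM tooling: a Python sketch that plans the discrete VMMDISK PERMITs needed when LINK authorizations held on MAINT620 minidisks have to be carried over to MAINT630. It assumes the MAINT630 profiles already exist and that the access lists have already been extracted from RACF; the dictionary layout and the sample IDs are constructed for illustration.

```python
# Added example: plan the VMMDISK PERMITs needed when LINKs move from
# MAINT620 minidisks to MAINT630 minidisks. All input data is constructed.

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF access, ascending

def plan_permits(old_owner, new_owner, access_lists):
    """Return RAC PERMIT commands giving each ID on an old_owner.vaddr
    profile the same access on new_owner.vaddr.

    access_lists maps "OWNER.VADDR" -> {id: access}. This layout is an
    assumption standing in for access lists already pulled from RACF."""
    commands = []
    for profile in sorted(access_lists):
        owner, _, vaddr = profile.partition(".")
        if owner != old_owner:
            continue  # only mirror the predecessor's minidisks
        target = f"{new_owner}.{vaddr}"
        existing = access_lists.get(target, {})
        for ident, access in sorted(access_lists[profile].items()):
            have = existing.get(ident)
            # An entry already on the target is never lowered; an ID that is
            # absent gets the old entry, including an explicit NONE.
            if have is not None and LEVELS.index(have) >= LEVELS.index(access):
                continue
            commands.append(
                f"RAC PERMIT {target} CLASS(VMMDISK) ID({ident}) ACCESS({access})"
            )
    return commands

# Constructed sample: who can LINK MAINT620 minidisks today, and what is
# already on the MAINT630 profiles.
SAMPLE = {
    "MAINT620.490": {"SYSPROG": "UPDATE", "OPERATOR": "READ", "GUEST1": "NONE"},
    "MAINT620.493": {"SYSPROG": "READ"},
    "MAINT630.490": {"SYSPROG": "READ", "OPERATOR": "READ"},
    "TCPMAINT.198": {"SYSPROG": "READ"},
}

if __name__ == "__main__":
    for cmd in plan_permits("MAINT620", "MAINT630", SAMPLE):
        print(cmd)
```

Review the generated commands before issuing them; group connections such as adding MAINT630 to SYSPROG are outside what this covers.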
