Scott,
Yes, a userid can only have one ACIGROUP statement in the directory.  MEMBER 
rules can be used to allow userids to temporarily change group membership using 
the VMSECURE GROUP command.  The temporary membership controls what that userid 
can do, but doesn't change what other userids can do to it.

                                                                                
Dennis O'Brien

"Houston, we've had a problem."  -- Jack Swigert, Command Module pilot of 
Apollo 13, 13 Apr 1970


-----Original Message-----
From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of Scott 
Rohling
Sent: Thursday, May 05, 2016 09:59
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Security for z/VM

One limitation I found in VM:Secure is that a guest can only belong to one
'group', as groups are implemented with ACIGROUP directory statements.
And that's really the only place the directory management and security
management meet, outside of the use of password encryption, which uses the
directory. I appreciate the integration and common interface -- and
'rules' are easy to understand, unlike some others -- but the single group
concept makes some things harder (for me). (And if I've just misunderstood
how to use groups - someone please tell me! I don't want to continue my
ignorance.)

Scott Rohling



On Thu, May 5, 2016 at 9:45 AM, O'Brien, Dennis L <
dennis.l.o'br...@bankofamerica.com> wrote:

> VM:Secure is also the only security product that was designed from the
> ground up for z/VM.  All of the others are ports from z/OS.  RACF tries to
> fit z/OS concepts such as "alter" and "control" onto z/VM link modes (W, M,
> MR, MW, etc).  VM:Secure allows you to write rules specifying the link
> modes directly.  I'm not too familiar with ACF2 or Top Secret, but I would
> guess that they are similar to RACF.
>
> If you choose a security product other than VM:Secure, you can implement
> VM:Director instead of Dirmaint for directory management.  VM:Director is
> VM:Secure without the Rules component.
>
>
> Dennis O'Brien
>
> "Houston, we've had a problem."  -- Jack Swigert, Command Module pilot of
> Apollo 13, 13 Apr 1970
>
> -----Original Message-----
> From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of
> Marcy Cortes
> Sent: Thursday, May 05, 2016 09:23
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: Security for z/VM
>
> I will point out that VM:Secure is one product for your directory
> management and security.
> If you choose RACF, you also need to implement Dirmaint.
> I believe ACF2 is the same way.  I know Top Secret on VM is.
>
>
>
> -----Original Message-----
> From: Linux on 390 Port [mailto:LINUX-390@VM.MARIST.EDU] On Behalf Of
> Alan Altmark
> Sent: Thursday, May 05, 2016 9:08 AM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: [LINUX-390] Security for z/VM
>
> On Wednesday, 05/04/2016 at 05:19 GMT, "Beard, Rick" <rick.be...@atos.net>
> wrote:
> > I would like to know if anyone has any preferences on using either
> > CA:VMSECURE or CA:ACF2 for securing z/VM systems?
> >
> > Is one more secure than the other?
>
> CA has not certified either product in the Common Criteria scheme ("claim"
> and "proof"), so you can't really answer "How secure is it?"  You cannot,
> therefore, compare them in that respect.  In fact, only RACF on z/VM has
> been part of a certification.
>
> That said, most people choose their external security manager (ESM) for
> reasons unrelated to its capabilities. The choice is instead based on
> 1. What's in your IBM or CA software catalog. I.e. if you've already
> bought one of them, then spending money to buy the other one may not be
> the right choice.
> 2. In-house knowledge.  If you have RACF, ACF2, or TOP SECRET on z/OS,
> then adding it to z/VM is straightforward.  VMSECURE has no z/OS
> equivalent, so you aren't going to get any help from your MVS team.
> 3. Easiest.  All of the examples and discussion from IBM on z/VM security
> are RACF-centric.
>
> Alan Altmark
>
> Senior Managing z/VM and Linux Consultant
> Lab Services System z Delivery Practice
> IBM Systems & Technology Group
> ibm.com/systems/services/labservices
> office: 607.429.3323
> mobile: 607.321.7556
> alan_altm...@us.ibm.com
> IBM Endicott
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or
> visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
> ----------------------------------------------------------------------
> For more information on Linux on System z, visit
> http://wiki.linuxvm.org/
>
> ----------------------------------------------------------------------
> This message, and any attachments, is for the intended recipient(s) only,
> may contain information that is privileged, confidential and/or proprietary
> and subject to important terms and conditions available at
> http://www.bankofamerica.com/emaildisclaimer.   If you are not the
> intended recipient, please delete this message.
>
