Re: ACF2/RACF User Appliation Logical Access
-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Henke, George

> tyvm, Seymour
>
> What we have since discovered is that the ACF2/NETMENU Session process has a side batch file non-SAF process that contains the applications specific to each user and the NETMENU session manager does a simple look up in the batch file in lieu of 100's of SAF calls for each user to validate a user's application access.
>
> The SAF call overhead of 100's of SAF calls for each user is prohibitive when there are 1000's of users logging in at the same time.
>
> There must be a way of mimicking this same process in RACF?
>
> Any ideas?

Configure NETMENU to use that side file when building the individual users' menus, and make the SAF call when a user selects an application. I don't believe that kind of configuration is a RACF option.

-jc-

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
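A small model of the split suggested in the reply above (menu built from the side file, authorization call made only when an application is selected), added here as an illustration and not code from NETMENU or from any poster. `SessionManager`, `saf_auth` and the sample data are hypothetical; `saf_auth` stands in for a real SAF authorization request.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the thread).
# SIDE_FILE models the per-user batch file: built offline, so it can be stale.
SIDE_FILE = {
    "USER01": ["PAYROLL", "CICSPROD", "TSO"],
    "USER02": ["TSO"],
}

# SECURITY_DB models what the security manager would answer right now:
# application -> user IDs currently permitted.
SECURITY_DB = {
    "PAYROLL": {"USER03"},            # USER01 was removed after the side file was built
    "CICSPROD": {"USER01"},
    "TSO": {"USER01", "USER02"},
}


@dataclass
class SessionManager:
    side_file: dict
    security_db: dict
    saf_calls: int = 0
    mismatches: list = field(default_factory=list)

    def saf_auth(self, user: str, appl: str) -> bool:
        """Hypothetical stand-in for one authorization request to the security manager."""
        self.saf_calls += 1
        return user in self.security_db.get(appl, set())

    def menu_from_side_file(self, user: str) -> list:
        """Logon path: one lookup, no authorization calls. Display only."""
        return list(self.side_file.get(user, []))

    def menu_per_application(self, user: str) -> list:
        """Logon path that asks about every application: one call per application."""
        return [a for a in sorted(self.security_db) if self.saf_auth(user, a)]

    def select(self, user: str, appl: str) -> bool:
        """Selection path: the authorization call decides, never the side file."""
        allowed = self.saf_auth(user, appl)
        if not allowed and appl in self.side_file.get(user, []):
            # The menu offered something the security manager now refuses:
            # keep a record so the side file can be regenerated.
            self.mismatches.append((user, appl))
        return allowed


def demo() -> dict:
    fast = SessionManager(SIDE_FILE, SECURITY_DB)
    menu = fast.menu_from_side_file("USER01")
    calls_at_logon = fast.saf_calls
    stale_pick = fast.select("USER01", "PAYROLL")
    good_pick = fast.select("USER01", "TSO")

    slow = SessionManager(SIDE_FILE, SECURITY_DB)
    slow_menu = slow.menu_per_application("USER01")
    return {
        "menu": menu, "calls_at_logon": calls_at_logon,
        "stale_pick": stale_pick, "good_pick": good_pick,
        "mismatches": fast.mismatches, "calls_after_two_picks": fast.saf_calls,
        "slow_menu": slow_menu, "slow_calls_at_logon": slow.saf_calls,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stale PAYROLL entry still appears on the menu but is refused at selection, and the logon path costs no authorization calls instead of one per defined application.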
Re: ACF2/RACF User Appliation Logical Access
Are you sure that it is a side batch file? IIRC, ACF2 allows a multiple resource call where one acf2 call can validate access against multiple resources.

On Thu, 12 Jan 2012 03:02:21 + Henke, George george.he...@hp.com wrote:

:tyvm, Seymour
:
:What we have since discovered is that the ACF2/NETMENU Session process has a side batch file non-SAF process that contains the applications specific to each user and the NETMENU session manager does a simple look up in the batch file in lieu of 100's of SAF calls for each user to validate a user's application access.
:
:The SAF call overhead of 100's of SAF calls for each user is prohibitive when there are 1000's of users logging in at the same time.
:
:There must be a way of mimicking this same process in RACF?
:
:Any ideas?
:
:-----Original Message-----
:From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Shmuel Metz (Seymour J.)
:Sent: Saturday, January 07, 2012 5:48 PM
:To: IBM-MAIN@bama.ua.edu
:Subject: Re: ACF2/RACF User Appliation Logical Access
:
:In
:04b3da7b71b3ab408ca62ba6046bcf8f23d673a...@gvw0676exc.americas.hpqcorp.net,
:on 01/06/2012
: at 07:34 PM, Henke, George george.he...@hp.com said:
:
:I suspect this may be generating a separate SAF call for each
:application for each user and there are 1000's of users, whereas ACF2
:may be *wildcarding* it.
:
:Whether ACF2 is wildcarding it has nothing to do with the number of
:calls from the application. This looks like an issue with your session
:manager, so I'd start by looking at the security code in it.

--
Binyamin Dissen bdis...@dissensoftware.com
http://www.dissensoftware.com

Director, Dissen Software, Bar Grill - Israel

Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems, especially those from irresponsible companies.
Re: ACF2/RACF User Appliation Logical Access
In 04b3da7b71b3ab408ca62ba6046bcf8f23d722c...@gvw0676exc.americas.hpqcorp.net, on 01/12/2012 at 03:02 AM, Henke, George george.he...@hp.com said:

> What we have since discovered is that the ACF2/NETMENU Session process has a side batch file non-SAF process that contains the applications specific to each user and the NETMENU session manager does a simple look up in the batch file in lieu of 100's of SAF calls for each user to validate a user's application access.

Do you mean that NETMENU only looks at the side file when using ACF2? If so, why? If not, what do you mean?

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: ACF2/RACF User Appliation Logical Access
It looks at it in addition, either before or after (still getting the facts) going through the normal ACF2 validation process. Evidently to avoid the huge SAF call overhead of 1000's of SAF calls when 1000's of users all try to sign on at the same time and each one needs to be verified access to 100's of applications. This would generate 1000's of SAF calls. The overhead would be prohibitive. So they created a workaround by putting the applications each user can access into a batch file which the NETMENU session manager will access once per user to validate the applications a particular user can access. It is a non-SAF ancillary not a substitute process wrt ACF2.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Shmuel Metz (Seymour J.)
Sent: Thursday, January 12, 2012 1:53 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: ACF2/RACF User Appliation Logical Access

In 04b3da7b71b3ab408ca62ba6046bcf8f23d722c...@gvw0676exc.americas.hpqcorp.net, on 01/12/2012 at 03:02 AM, Henke, George george.he...@hp.com said:

> What we have since discovered is that the ACF2/NETMENU Session process has a side batch file non-SAF process that contains the applications specific to each user and the NETMENU session manager does a simple look up in the batch file in lieu of 100's of SAF calls for each user to validate a user's application access.

Do you mean that NETMENU only looks at the side file when using ACF2? If so, why? If not, what do you mean?

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: ACF2/RACF User Appliation Logical Access
On Thu, 12 Jan 2012 21:32:52 +, Henke, George george.he...@hp.com wrote:

> It looks at it in addition, either before or after (still getting the facts) going through the normal ACF2 validation process. Evidently to avoid the huge SAF call overhead of 1000's of SAF calls when 1000's of users all try to sign on at the same time and each one needs to be verified access to 100's of applications. This would generate 1000's of SAF calls. The overhead would be prohibitive. So they created a workaround by putting the applications each user can access into a batch file which the NETMENU session manager will access once per user to validate the applications a particular user can access. It is a non-SAF ancillary not a substitute process wrt ACF2.

So maybe the ACF2 Pre-Validation exit is doing this? You can do similar things in RACF. If that is the case then the conversion to RACF missed considering the functionality in the ACF2 exit(s).

What is your role / function in this? Security admin? It doesn't sound like you are the system programmer or one that has access to the source code and functions of this home grown session manager. Since it is home grown software, the answer probably will have to come from someone in-house who has access to the source code and understands what's being done working together with the sysprogs.

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
mailto:m...@mzelden.com
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
Systems Programming expert at http://expertanswercenter.techtarget.com/
Re: ACF2/RACF User Appliation Logical Access
tyvm, Seymour

What we have since discovered is that the ACF2/NETMENU Session process has a side batch file non-SAF process that contains the applications specific to each user and the NETMENU session manager does a simple look up in the batch file in lieu of 100's of SAF calls for each user to validate a user's application access.

The SAF call overhead of 100's of SAF calls for each user is prohibitive when there are 1000's of users logging in at the same time.

There must be a way of mimicking this same process in RACF?

Any ideas?

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Shmuel Metz (Seymour J.)
Sent: Saturday, January 07, 2012 5:48 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: ACF2/RACF User Appliation Logical Access

In 04b3da7b71b3ab408ca62ba6046bcf8f23d673a...@gvw0676exc.americas.hpqcorp.net, on 01/06/2012 at 07:34 PM, Henke, George george.he...@hp.com said:

> I suspect this may be generating a separate SAF call for each application for each user and there are 1000's of users, whereas ACF2 may be *wildcarding* it.

Whether ACF2 is wildcarding it has nothing to do with the number of calls from the application. This looks like an issue with your session manager, so I'd start by looking at the security code in it.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: ACF2/RACF User Appliation Logical Access
Neither RACF nor ACF2 ... validates a user's access to specific applications. Rather, both respond to queries from applications. How the query is crafted and what is done with the results is up to the application. Therefore, the place I'd focus is in the application manager's code.

HTH and good luck.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Henke, George
Sent: Thursday, January 05, 2012 5:49 PM
To: IBM-MAIN@bama.ua.edu
Subject: ACF2/RACF User Appliation Logical Access

Does anyone know how ACF2 validates a user's access to specific applications?

Recently we tried to migrate from ACF2 to RACF and were forced to fallback because ACF2 was somehow *wildcarding* a user's access to applications whereas RACF was iterating through a list of applications.

The resulting overhead across 1000's of users exhausted memory leaving no room for LSQA and producing 878 abends.
Re: ACF2/RACF User Appliation Logical Access
In of1e657c39.6b09d6a3-on8625797d.005ea97d-8625797d.005f1...@us.ibm.com, on 01/06/2012 at 11:18 AM, Wayne Driscoll wdri...@us.ibm.com said:

> Based on my past experiences with ACF2, I believe that ACF2 acts as if each rule line contains, in RACF terms, an asterisk after the last character.

That doesn't explain what the OP meant by iterating through a list of applications, which makes no sense.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: ACF2/RACF User Appliation Logical Access
In 04b3da7b71b3ab408ca62ba6046bcf8f23d673a...@gvw0676exc.americas.hpqcorp.net, on 01/06/2012 at 07:34 PM, Henke, George george.he...@hp.com said:

> I suspect this may be generating a separate SAF call for each application for each user and there are 1000's of users, whereas ACF2 may be *wildcarding* it.

Whether ACF2 is wildcarding it has nothing to do with the number of calls from the application. This looks like an issue with your session manager, so I'd start by looking at the security code in it.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: ACF2/RACF User Appliation Logical Access
-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Henke, George

> Does anyone know how ACF2 validates a user's access to specific applications?
>
> Recently we tried to migrate from ACF2 to RACF and were forced to fallback because ACF2 was somehow *wildcarding* a user's access to applications whereas RACF was iterating through a list of applications.

??? Did you have the APPL class RACLISTed?

If you want to wildcard user access to applications in RACF, first ensure you have generics enabled for the APPL class (SETR GENERIC(APPL) GENCMD(APPL) ), then define an APPL profile of ** with UACC(READ) and delete the rest of the APPL profiles; then RACLIST REFRESH the APPL class. If you later want to limit access to some applications, simply define more specific profiles for them with UACC(NONE) and an appropriate access list.

> The resulting overhead across 1000's of users exhausted memory leaving no room for LSQA and producing 878 abends.

I think you had something mis-configured.

-jc-
Re: ACF2/RACF User Appliation Logical Access
In 04b3da7b71b3ab408ca62ba6046bcf8f23d673a...@gvw0676exc.americas.hpqcorp.net, on 01/05/2012 at 11:49 PM, Henke, George george.he...@hp.com said:

> Does anyone know how ACF2 validates a user's access to specific applications?

Not without knowing how the installation has defined each.

> Recently we tried to migrate from ACF2 to RACF and were forced to fallback because ACF2 was somehow *wildcarding* a user's access to applications whereas RACF was iterating through a list of applications.

What are you trying to say?

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: ACF2/RACF User Appliation Logical Access
Based on my past experiences with ACF2, I believe that ACF2 acts as if each rule line contains, in RACF terms, an asterisk after the last character. For example, if there are the following resources protected:

APPL
APPL1
APPL2
APPX

Under RACF, access to APPL would only allow access to that resource. However (as I said this is based on old data, and may be incorrect) ACF2 would treat the resource as if it was specified as APPL*, so access to APPL would allow access to APPL1 and APPL2 as well as APPL. If this is incorrect I would welcome being corrected.

===
Wayne Driscoll
OMEGAMON DB2 L3 Support/Development
wdrisco(AT)us.ibm.com
===

From: Shmuel Metz (Seymour J.) shmuel+ibm-m...@patriot.net
To: IBM-MAIN@bama.ua.edu
Date: 01/06/2012 10:07 AM
Subject: Re: ACF2/RACF User Appliation Logical Access
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu

In 04b3da7b71b3ab408ca62ba6046bcf8f23d673a...@gvw0676exc.americas.hpqcorp.net, on 01/05/2012 at 11:49 PM, Henke, George george.he...@hp.com said:

> Does anyone know how ACF2 validates a user's access to specific applications?

Not without knowing how the installation has defined each.

> Recently we tried to migrate from ACF2 to RACF and were forced to fallback because ACF2 was somehow *wildcarding* a user's access to applications whereas RACF was iterating through a list of applications.

What are you trying to say?

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: ACF2/RACF User Appliation Logical Access
On 1/6/2012 at 12:18 PM, Wayne Driscoll wdri...@us.ibm.com wrote:

> Based on my past experiences with ACF2, I believe that ACF2 acts as if each rule line contains, in RACF terms, an asterisk after the last character. For example, if there are the following resources protected:
>
> APPL
> APPL1
> APPL2
> APPX
>
> Under RACF, access to APPL would only allow access to that resource. However (as I said this is based on old data, and may be incorrect) ACF2 would treat the resource as if it was specified as APPL*, so access to APPL would allow access to APPL1 and APPL2 as well as APPL. If this is incorrect I would welcome being corrected.

That wasn't correct when I was working with ACF2. You could have resource rules written as APPL*, but that wasn't assumed by the software. (ACF2 was based on the principle of protect everything by default.) You could also have resource rule names that were _all_ asterisks to act as a catch-all. What was specified in that rule could deny, allow, etc., but that was up to the security team to decide.

Mark Post
Re: ACF2/RACF User Appliation Logical Access
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Chase, John
Sent: Friday, January 06, 2012 7:48 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: ACF2/RACF User Appliation Logical Access

> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Henke, George
>
> Does anyone know how ACF2 validates a user's access to specific applications?
>
> Recently we tried to migrate from ACF2 to RACF and were forced to fallback because ACF2 was somehow *wildcarding* a user's access to applications whereas RACF was iterating through a list of applications.

??? Did you have the APPL class RACLISTed?

If you want to wildcard user access to applications in RACF, first ensure you have generics enabled for the APPL class (SETR GENERIC(APPL) GENCMD(APPL) ), then define an APPL profile of ** with UACC(READ) and delete the rest of the APPL profiles; then RACLIST REFRESH the APPL class. If you later want to limit access to some applications, simply define
Re: ACF2/RACF User Appliation Logical Access
On Fri, 6 Jan 2012 19:34:33 +, Henke, George george.he...@hp.com wrote:

> Below is a list of all profiles under MENUAPPL class and our SETR list. As you will see there is a discrete profile for each application and 2 generic profiles one being **. The ** profile has a UACC(NONE) and no users on access. MENUAPPL is a *homegrown* EDS session manager. (I did not write it or hijack it) I suspect this may be generating a separate SAF call for each application for each user and there are 1000's of users, whereas ACF2 may be *wildcarding* it.

APPL class calls are not automatic. Your app (session mgr) is probably making the calls to find out what applications are allowed on the menu when a user logs on. Other session managers can and do have options to do the same thing.

Did you have to make any code changes to support RACF in MENUAPPL? Or were you already using SAF calls / RACROUTE? Did you note a performance issue, or just 878 abends? You didn't say, but was the 878 just in the MENUAPPL application (STC?)? If so, and changes were made, have you just considered that you have a storage leak or improper code in MENUAPPL?

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
mailto:m...@mzelden.com
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
Systems Programming expert at http://expertanswercenter.techtarget.com/
ACF2/RACF User Appliation Logical Access
Does anyone know how ACF2 validates a user's access to specific applications?

Recently we tried to migrate from ACF2 to RACF and were forced to fallback because ACF2 was somehow *wildcarding* a user's access to applications whereas RACF was iterating through a list of applications.

The resulting overhead across 1000's of users exhausted memory leaving no room for LSQA and producing 878 abends.