Re: ACF2/RACF User Appliation Logical Access

2012-01-13 Thread Chase, John
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Henke, George
>
> tyvm, Seymour
>
> What we have since discovered is that the ACF2/NETMENU Session process
> has a side batch file non-SAF process that contains the applications
> specific to each user and the NETMENU session manager does a simple
> look up in the batch file in lieu of 100's of SAF calls for each user
> to validate a user's application access.
>
> The SAF call overhead of 100's of SAF calls for each user is
> prohibitive when there are 1000's of users logging in at the same time.
>
> There must be a way of mimicking this same process in RACF?
>
> Any ideas?

Configure NETMENU to use that side file when building the individual
users' menus, and make the SAF call when a user selects an application.
I don't believe that kind of configuration is a RACF option.

   -jc-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN


Re: ACF2/RACF User Appliation Logical Access

2012-01-12 Thread Binyamin Dissen
Are you sure that it is a side batch file?

IIRC, ACF2 allows a multiple resource call where one acf2 call can validate
access against multiple resources.

On Thu, 12 Jan 2012 03:02:21 + Henke, George george.he...@hp.com
wrote:

:tyvm, Seymour
:
:What we have since discovered is that the ACF2/NETMENU Session process has a 
side batch file non-SAF process that contains the applications specific to each 
user and the NETMENU session manager does a simple look up in the batch file in 
lieu of 100's of SAF calls for each user to validate a user's application 
access.
:
:The SAF call overhead of 100's of SAF calls for each user is prohibitive when 
there are 1000's of users logging in at the same time.
:
:There must be a way of mimicking this same process in RACF?
:
:Any ideas?
:
:-Original Message-
:From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf 
Of Shmuel Metz (Seymour J.)
:Sent: Saturday, January 07, 2012 5:48 PM
:To: IBM-MAIN@bama.ua.edu
:Subject: Re: ACF2/RACF User Appliation Logical Access
:
:In
:04b3da7b71b3ab408ca62ba6046bcf8f23d673a...@gvw0676exc.americas.hpqcorp.net,
:on 01/06/2012
:   at 07:34 PM, Henke, George george.he...@hp.com said:
:
:I suspect this may be generating a separate SAF call for each
:application for each user and there are 1000's of users, whereas ACF2
:may be *wildcarding* it.
:
:Whether ACF2 is wildcarding it has nothing to do with the number of
:calls from the application. This looks like an issue with your session
:manager, so I'd start by looking at the security code in it.
: 

--
Binyamin Dissen bdis...@dissensoftware.com
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.



Re: ACF2/RACF User Appliation Logical Access

2012-01-12 Thread Shmuel Metz (Seymour J.)
In
04b3da7b71b3ab408ca62ba6046bcf8f23d722c...@gvw0676exc.americas.hpqcorp.net,
on 01/12/2012
   at 03:02 AM, Henke, George george.he...@hp.com said:

> What we have since discovered is that the ACF2/NETMENU Session
> process has a side batch file non-SAF process that contains the
> applications specific to each user and the NETMENU session manager
> does a simple look up in the batch file in lieu of 100's of SAF calls
> for each user to validate a user's application access.

Do you mean that NETMENU only looks at the side file when using ACF2?
If so, why? If not, what do you mean?

-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: ACF2/RACF User Appliation Logical Access

2012-01-12 Thread Henke, George
It looks at it in addition, either before or after (still getting the facts) 
going through the normal ACF2 validation process.

Evidently to avoid the huge SAF call overhead of 1000's of SAF calls when 
1000's of users all try to sign on at the same time and each one needs to have 
its access to 100's of applications verified.

This would generate 1000's of SAF calls.  The overhead would be prohibitive.

So they created a workaround by putting the applications each user can access 
into a batch file which the NETMENU session manager will access once per user 
to validate the applications a particular user can access.

It is a non-SAF ancillary process, not a substitute, wrt ACF2.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of 
Shmuel Metz (Seymour J.)
Sent: Thursday, January 12, 2012 1:53 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: ACF2/RACF User Appliation Logical Access

In
04b3da7b71b3ab408ca62ba6046bcf8f23d722c...@gvw0676exc.americas.hpqcorp.net,
on 01/12/2012
   at 03:02 AM, Henke, George george.he...@hp.com said:

> What we have since discovered is that the ACF2/NETMENU Session
> process has a side batch file non-SAF process that contains the
> applications specific to each user and the NETMENU session manager
> does a simple look up in the batch file in lieu of 100's of SAF calls
> for each user to validate a user's application access.

Do you mean that NETMENU only looks at the side file when using ACF2?
If so, why? If not, what do you mean?

-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: ACF2/RACF User Appliation Logical Access

2012-01-12 Thread Mark Zelden
On Thu, 12 Jan 2012 21:32:52 +, Henke, George george.he...@hp.com wrote:

> It looks at it in addition, either before or after (still getting the facts)
> going through the normal ACF2 validation process.
>
> Evidently to avoid the huge SAF call overhead of 1000's of SAF calls when
> 1000's of users all try to sign on at the same time and each one needs to have
> its access to 100's of applications verified.
>
> This would generate 1000's of SAF calls.  The overhead would be prohibitive.
>
> So they created a workaround by putting the applications each user can access
> into a batch file which the NETMENU session manager will access once per user
> to validate the applications a particular user can access.
>
> It is a non-SAF ancillary process, not a substitute, wrt ACF2.


So maybe the ACF2 Pre-Validation exit is doing this?   You can do similar
things in RACF.   If that is the case then the conversion to RACF 
missed considering the functionality in the ACF2 exit(s). 

What is your role /  function in this?  Security admin?  It doesn't 
sound like you are the system programmer or one that has access to
the source code and functions of this home grown session manager.

Since it is home grown software, the answer probably will have to come
from someone in-house who has access to the source code and
understands what's being done working together with the sysprogs.

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS   
mailto:m...@mzelden.com
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html 
Systems Programming expert at http://expertanswercenter.techtarget.com/



Re: ACF2/RACF User Appliation Logical Access

2012-01-11 Thread Henke, George
tyvm, Seymour

What we have since discovered is that the ACF2/NETMENU Session process has a 
side batch file non-SAF process that contains the applications specific to each 
user and the NETMENU session manager does a simple look up in the batch file in 
lieu of 100's of SAF calls for each user to validate a user's application 
access.

The SAF call overhead of 100's of SAF calls for each user is prohibitive when 
there are 1000's of users logging in at the same time.

There must be a way of mimicking this same process in RACF?

Any ideas?

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of 
Shmuel Metz (Seymour J.)
Sent: Saturday, January 07, 2012 5:48 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: ACF2/RACF User Appliation Logical Access

In
04b3da7b71b3ab408ca62ba6046bcf8f23d673a...@gvw0676exc.americas.hpqcorp.net,
on 01/06/2012
   at 07:34 PM, Henke, George george.he...@hp.com said:

> I suspect this may be generating a separate SAF call for each
> application for each user and there are 1000's of users, whereas ACF2
> may be *wildcarding* it.

Whether ACF2 is wildcarding it has nothing to do with the number of
calls from the application. This looks like an issue with your session
manager, so I'd start by looking at the security code in it.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: ACF2/RACF User Appliation Logical Access

2012-01-10 Thread Hal Merritt
Neither RACF nor ACF2 ... validates a user's access to specific 
applications.  Rather, both respond to queries from applications. How the 
query is crafted and what is done with the results is up to the application.  
Therefore, the place I'd focus is in the application manager's code.  

HTH and good luck. 
 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of 
Henke, George
Sent: Thursday, January 05, 2012 5:49 PM
To: IBM-MAIN@bama.ua.edu
Subject: ACF2/RACF User Appliation Logical Access

Does anyone know how ACF2 validates a user's access to specific applications?

Recently we tried to migrate from ACF2 to RACF and were forced to fallback 
because ACF2 was somehow *wildcarding* a user's access to applications whereas 
RACF was iterating through a list of applications.

The resulting overhead across 1000's of users exhausted memory leaving no room 
for LSQA and producing 878 abends.





Re: ACF2/RACF User Appliation Logical Access

2012-01-07 Thread Shmuel Metz (Seymour J.)
In
of1e657c39.6b09d6a3-on8625797d.005ea97d-8625797d.005f1...@us.ibm.com,
on 01/06/2012
   at 11:18 AM, Wayne Driscoll wdri...@us.ibm.com said:

> Based on my past experiences with ACF2, I believe that ACF2 acts as
> if each rule line contains, in RACF terms, an asterisk after the
> last character.

That doesn't explain what the OP meant by iterating through a list of
applications, which makes no sense.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: ACF2/RACF User Appliation Logical Access

2012-01-07 Thread Shmuel Metz (Seymour J.)
In
04b3da7b71b3ab408ca62ba6046bcf8f23d673a...@gvw0676exc.americas.hpqcorp.net,
on 01/06/2012
   at 07:34 PM, Henke, George george.he...@hp.com said:

> I suspect this may be generating a separate SAF call for each
> application for each user and there are 1000's of users, whereas ACF2
> may be *wildcarding* it.

Whether ACF2 is wildcarding it has nothing to do with the number of
calls from the application. This looks like an issue with your session
manager, so I'd start by looking at the security code in it.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: ACF2/RACF User Appliation Logical Access

2012-01-06 Thread Chase, John
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Henke, George
>
> Does anyone know how ACF2 validates a user's access to specific
> applications?
>
> Recently we tried to migrate from ACF2 to RACF and were forced to
> fallback because ACF2 was somehow *wildcarding* a user's access to
> applications whereas RACF was iterating through a list of applications.

???  Did you have the APPL class RACLISTed?

If you want to wildcard user access to applications in RACF, first
ensure you have generics enabled for the APPL class (SETR GENERIC(APPL)
GENCMD(APPL) ), then define an APPL profile of ** with UACC(READ) and
delete the rest of the APPL profiles; then RACLIST REFRESH the APPL
class.  If you later want to limit access to some applications, simply
define more specific profiles for them with UACC(NONE) and an
appropriate access list.

> The resulting overhead across 1000's of users exhausted memory leaving
> no room for LSQA and producing 878 abends.

I think you had something mis-configured.

-jc-



Re: ACF2/RACF User Appliation Logical Access

2012-01-06 Thread Shmuel Metz (Seymour J.)
In
04b3da7b71b3ab408ca62ba6046bcf8f23d673a...@gvw0676exc.americas.hpqcorp.net,
on 01/05/2012
   at 11:49 PM, Henke, George george.he...@hp.com said:

> Does anyone know how ACF2 validates a user's access to specific
> applications?

Not without knowing how the installation has defined each.

> Recently we tried to migrate from ACF2 to RACF and were forced to
> fallback because ACF2 was somehow *wildcarding* a user's access to
> applications whereas RACF was iterating through a list of
> applications.

What are you trying to say?
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: ACF2/RACF User Appliation Logical Access

2012-01-06 Thread Wayne Driscoll
Based on my past experiences with ACF2, I believe that ACF2 acts as if 
each rule line contains, in RACF terms, an asterisk after the last 
character.  For example, if there are the following resources protected:

APPL
APPL1
APPL2
APPX

Under RACF, access to APPL would only allow access to that resource. 
However (as I said this is based on old data, and may be incorrect) ACF2 
would treat the resource as if it was specified as APPL*, so access to 
APPL would allow access to APPL1 and APPL2 as well as APPL. 
If this is incorrect I would welcome being corrected.
===
Wayne Driscoll
OMEGAMON DB2 L3 Support/Development
wdrisco(AT)us.ibm.com
===



From:
Shmuel Metz (Seymour J.) shmuel+ibm-m...@patriot.net
To:
IBM-MAIN@bama.ua.edu
Date:
01/06/2012 10:07 AM
Subject:
Re: ACF2/RACF User Appliation Logical Access
Sent by:
IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu



In
04b3da7b71b3ab408ca62ba6046bcf8f23d673a...@gvw0676exc.americas.hpqcorp.net,
on 01/05/2012
   at 11:49 PM, Henke, George george.he...@hp.com said:

> Does anyone know how ACF2 validates a user's access to specific
> applications?

Not without knowing how the installation has defined each.

> Recently we tried to migrate from ACF2 to RACF and were forced to
> fallback because ACF2 was somehow *wildcarding* a user's access to
> applications whereas RACF was iterating through a list of
> applications.

What are you trying to say?
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: ACF2/RACF User Appliation Logical Access

2012-01-06 Thread Mark Post
> On 1/6/2012 at 12:18 PM, Wayne Driscoll wdri...@us.ibm.com wrote:
> Based on my past experiences with ACF2, I believe that ACF2 acts as if
> each rule line contains, in RACF terms, an asterisk after the last
> character.  For example, if there are the following resources protected:
>
> APPL
> APPL1
> APPL2
> APPX
>
> Under RACF, access to APPL would only allow access to that resource.
> However (as I said this is based on old data, and may be incorrect) ACF2
> would treat the resource as if it was specified as APPL*, so access to
> APPL would allow access to APPL1 and APPL2 as well as APPL.
> If this is incorrect I would welcome being corrected.

That wasn't correct when I was working with ACF2.  You could have resource 
rules written as APPL*, but that wasn't assumed by the software.  (ACF2 was 
based on the principle of protect everything by default.)

You could also have resource rule names that were _all_ asterisks to act as a 
catch-all.  What was specified in that rule could deny, allow, etc., but that 
was up to the security team to decide.


Mark Post

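The "wildcarding" question running through the thread (Wayne Driscoll's APPL/APPL1/APPL2 example, Mark Post's correction that ACF2 does not assume a trailing asterisk, and John Chase's suggestion earlier in the thread of a ** APPL profile with UACC(READ) plus more specific UACC(NONE) profiles) comes down to which profile RACF selects for a given resource name. The Python model below is an added illustration for this archive, not code from the thread, from RACF, or from the session manager being discussed. It implements RACF's documented best-match rules in simplified form (no group access, WARNING mode, SECLABEL, global access checking, RACLIST, or the qualifier rules for dotted names); the userids USER01 to USER03 and the APPL* generic are constructed for the demo, while the discrete names APPL, APPL1, APPL2 and APPX are the ones from the thread.

```python
"""Model of how RACF picks the profile protecting an APPL-class resource.

Added illustration for this thread, not RACF code and not the session
manager under discussion. Three documented RACF rules are modelled:
  1. a discrete profile whose name equals the resource wins over generics;
  2. among matching generics the most specific wins, compared left to
     right: a literal character beats '%', which beats '*', which beats '**';
  3. access is the user's access-list entry if present, else the UACC.
Deliberately omitted: group access, WARNING mode, SECLABEL, global access
checking, RACLIST and the qualifier (dot) rules, so '*' and '**' both match
any run of characters here and differ only in specificity.
Userids USER01-USER03 and the APPL* profile are constructed for the demo;
the discrete names APPL, APPL1, APPL2, APPX come from the thread.
"""
import re
from dataclasses import dataclass, field

ACCESS_LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)   # userid -> access level

    @property
    def generic(self) -> bool:
        return "*" in self.name or "%" in self.name


def _tokens(name: str) -> list:
    """Split a profile name into literal characters and the tokens %, *, **."""
    toks, i = [], 0
    while i < len(name):
        if name.startswith("**", i):
            toks.append("**")
            i += 2
        else:
            toks.append(name[i])
            i += 1
    return toks


_RANK = {"%": 1, "*": 2, "**": 3}          # literal characters rank 0


def _specificity(name: str) -> list:
    """Lower sorts first; Python compares the lists position by position."""
    return [_RANK.get(t, 0) for t in _tokens(name)]


def _matcher(name: str):
    parts = {"**": ".*", "*": ".*", "%": "."}
    return re.compile("".join(parts.get(t, re.escape(t)) for t in _tokens(name)) + r"\Z")


def best_profile(profiles, resource):
    """Return the profile RACF would use for resource, or None if unprotected."""
    for p in profiles:
        if not p.generic and p.name == resource:
            return p                                        # rule 1
    generics = [p for p in profiles if p.generic and _matcher(p.name).match(resource)]
    return min(generics, key=lambda p: _specificity(p.name), default=None)   # rule 2


def check_read(profiles, resource, userid):
    """True/False for READ access; None when no profile covers the resource
    (RACF then tells the caller the resource is not protected and the
    caller, here the session manager, decides what to do)."""
    prof = best_profile(profiles, resource)
    if prof is None:
        return None
    level = prof.acl.get(userid, prof.uacc)                 # rule 3
    return ACCESS_LEVELS[level] >= ACCESS_LEVELS["READ"]


# Scenario A, Wayne Driscoll's example: discrete profiles only, USER01 is
# on the access list of APPL and nowhere else.
DISCRETE_ONLY = [
    Profile("APPL", acl={"USER01": "READ"}),
    Profile("APPL1"),
    Profile("APPL2"),
    Profile("APPX"),
]

# Scenario B, John Chase's suggestion: a ** catch-all with UACC(READ), then
# more specific profiles with UACC(NONE) and an access list for the
# applications that must stay restricted.
CATCH_ALL = [
    Profile("**", uacc="READ"),
    Profile("APPX", acl={"USER02": "READ"}),
    Profile("APPL*", acl={"USER01": "READ"}),   # constructed generic
]

if __name__ == "__main__":
    for label, profiles, user in (("A", DISCRETE_ONLY, "USER01"),
                                  ("B", CATCH_ALL, "USER01"),
                                  ("B", CATCH_ALL, "USER03")):
        for res in ("APPL", "APPL1", "APPX", "OTHER"):
            prof = best_profile(profiles, res)
            print(label, user, res, prof.name if prof else "-", check_read(profiles, res, user))
```

Run as a script it prints the chosen profile and READ decision for the four resource names under both scenarios. The point it makes is the one Mark Post states: a discrete RACF profile named APPL says nothing about APPL1, and wildcard behaviour only comes from a generic the administrator defines. In scenario B the ** UACC(READ) profile flips the default to allow-unless-listed, and the discrete APPX and the APPL* generic still win over it because RACF picks the most specific matching profile; whether that default is acceptable is the security team's decision, not something either product decides.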


Re: ACF2/RACF User Appliation Logical Access

2012-01-06 Thread Henke, George
 MIMS MQADMIN MQCHAN MQCMDS MQCONN MQNLIST
 MQPROC MQQUEUE MXADMIN MXNLIST MXPROC
 MXQUEUE MXTOPIC NCICSPPT NDSLINK NETCMDS
 NETSPAN NODES NODMBR NOTELINK NVASAPDT
 OIMS OPERCMDS PA@EL PCICSPSB PERFGRP PIMS
 PMBR PRINTSRV PROCACT PROCESS PROGRAM
 PROPCNTL PSFMPL PSISEC PTKTDATA PTKTVAL
 QCICSPSB QIMS RACFEVNT RACFHC RACFVARS
 RACGLIST RACHCMBR RAUDITX RCICSRES RDATALIB
 REALM RIMS RMTOPS RODMMGR ROLE RRSFDATA
 RVARSMBR SCDMBR SCICSTST SDBUPDTE SDSF
 SECDATA SECLABEL SECLMBR SERVAUTH SERVER
 SFSCMD SIMS SMESSAGE SOMDOBJS STARTED
 STORCLAS SU@MIT SUBSYSNM SUNRISE SURROGAT
 SYSMVIEW T$CMBSTR T$CPBSTR T$CTBSTR T$CTCHTR
 TAPEVOL TCCMSP0 TCCMST0 TCICSTRN TEMPDSN
 TERMINAL TIMS TMEADMIN TSOAUTH TSOPROC
 UCICSTST UIMS UNIXMAP UNIXPRIV VALIDLID
 VCICSCMD VMBATCH VMBR VMCMD VMEVENT VMLAN
 VMMAC VMMDISK VMNODE VMPOSIX VMRDR VMSEGMT
 VMXEVENT VTAMAPPL VXMBR VXP$ VXT$ WAMJ
 WAMK WCICSRES WIMS WRITER XCSFKEY XFACILIT
 AUTOMATIC DATASET PROTECTION IS NOT IN EFFECT
 ENHANCED GENERIC NAMING IS IN EFFECT
 REAL DATA SET NAMES OPTION IS ACTIVE
 JES-BATCHALLRACF OPTION IS ACTIVE
 JES-XBMALLRACF OPTION IS ACTIVE
 JES-EARLYVERIFY OPTION IS ACTIVE
 PROTECT-ALL IS ACTIVE, CURRENT OPTIONS:
PROTECT-ALL FAIL OPTION IS IN EFFECT
 TAPE DATA SET PROTECTION IS ACTIVE
 SECURITY RETENTION PERIOD IN EFFECT IS   DAYS.
 ERASE-ON-SCRATCH IS ACTIVE, CURRENT OPTIONS:
ERASE-ON-SCRATCH BY SECURITY LEVEL IS INACTIVE
 SINGLE LEVEL NAME PREFIX IS SMPMCS
 LIST OF GROUPS ACCESS CHECKING IS ACTIVE.
 INACTIVE USERIDS ARE BEING AUTOMATICALLY REVOKED AFTER  30 DAYS.
 DATA SET MODELLING IS BEING DONE FOR GDGS.
 USER DATA SET MODELLING IS BEING DONE.
 GROUP DATA SET MODELLING IS BEING DONE.
 PASSWORD PROCESSING OPTIONS:
   PASSWORD CHANGE INTERVAL IS  30 DAYS.
   PASSWORD MINIMUM CHANGE INTERVAL IS   1 DAYS.
   MIXED CASE PASSWORD SUPPORT IS NOT IN EFFECT
   12 GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED.
   AFTER   3 CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS,
   A USERID WILL BE REVOKED.
   PASSWORD EXPIRATION WARNING LEVEL IS  10 DAYS.
   INSTALLATION PASSWORD SYNTAX RULES:
 RULE 1  LENGTH(8) 
LEGEND:
 A-ALPHA C-CONSONANT L-ALPHANUM N-NUMERIC V-VOWEL W-NOVOWEL *-ANYTHING
 c-MIXED CONSONANT m-MIXED NUMERIC v-MIXED VOWEL $-NATIONAL
 INSTALLATION DEFINED RVARY PASSWORD IS IN EFFECT FOR THE SWITCH FUNCTION.
 INSTALLATION DEFINED RVARY PASSWORD IS IN EFFECT FOR THE STATUS FUNCTION.
 SECLEVELAUDIT IS INACTIVE
 SECLABEL AUDIT IS NOT IN EFFECT
 SECLABEL CONTROL IS NOT IN EFFECT
 GENERIC OWNER ONLY IS IN EFFECT
 COMPATIBILITY MODE IS NOT IN EFFECT
 MULTI-LEVEL QUIET IS NOT IN EFFECT
 MULTI-LEVEL STABLE IS NOT IN EFFECT
 NO WRITE-DOWN IS NOT IN EFFECT
 MULTI-LEVEL ACTIVE IS NOT IN EFFECT
 CATALOGUED DATA SETS ONLY, IS NOT IN EFFECT
 USER-ID FOR JES NJEUSERID IS : 
 USER-ID FOR JES UNDEFINEDUSER IS : 
 PARTNER LU-VERIFICATION SESSIONKEY INTERVAL MAXIMUM/DEFAULT IS30 DAYS.
 APPLAUDIT IS NOT IN EFFECT
 ADDCREATOR IS NOT IN EFFECT
 KERBLVL = 0
 MULTI-LEVEL FILE SYSTEM IS NOT IN EFFECT
 MULTI-LEVEL INTERPROCESS COMMUNICATIONS IS NOT IN EFFECT
 MULTI-LEVEL NAME HIDING IS NOT IN EFFECT
 SECURITY LABEL BY SYSTEM IS NOT IN EFFECT
 PRIMARY LANGUAGE DEFAULT : ENU
 SECONDARY LANGUAGE DEFAULT : ENU
 READY
 END


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of 
Chase, John
Sent: Friday, January 06, 2012 7:48 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: ACF2/RACF User Appliation Logical Access

> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Henke, George
>
> Does anyone know how ACF2 validates a user's access to specific
> applications?
>
> Recently we tried to migrate from ACF2 to RACF and were forced to
> fallback because ACF2 was somehow *wildcarding* a user's access to
> applications whereas RACF was iterating through a list of applications.

???  Did you have the APPL class RACLISTed?

If you want to wildcard user access to applications in RACF, first
ensure you have generics enabled for the APPL class (SETR GENERIC(APPL)
GENCMD(APPL) ), then define an APPL profile of ** with UACC(READ) and
delete the rest of the APPL profiles; then RACLIST REFRESH the APPL
class.  If you later want to limit access to some applications, simply
define

Re: ACF2/RACF User Appliation Logical Access

2012-01-06 Thread Mark Zelden
On Fri, 6 Jan 2012 19:34:33 +, Henke, George george.he...@hp.com wrote:

> Below is a list of all profiles under MENUAPPL class and our SETR list. As you
> will see there is a discrete profile for each application and 2 generic
> profiles one being **. The ** profile has a UACC(NONE) and no users on access.
>
> MENUAPPL is a *homegrown* EDS session manager.  (I did not write it or hijack
> it)
>
> I suspect this may be generating a separate SAF call for each application for
> each user and there are 1000's of users, whereas ACF2 may be *wildcarding* it.


APPL class calls are not automatic.  Your app (session mgr) is probably
making the calls to find out what applications are allowed on the menu
when a user logs on.   Other session managers can and do have options
to do the same thing.

Did you have to make any code changes to support RACF in MENUAPPL?  Or were 
you already using SAF calls / RACROUTE?   Did you note a performance issue,
or just 878 abends?   You didn't say, but was the 878 just in the MENUAPPL 
application (STC?) ?  If so, and changes were made, have you just considered 
that
you have a storage leak or improper code in MENUAPPL?

Mark
--
Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS   
mailto:m...@mzelden.com
Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html 
Systems Programming expert at http://expertanswercenter.techtarget.com/



ACF2/RACF User Appliation Logical Access

2012-01-05 Thread Henke, George
Does anyone know how ACF2 validates a user's access to specific applications?

Recently we tried to migrate from ACF2 to RACF and were forced to fallback 
because ACF2 was somehow *wildcarding* a user's access to applications whereas 
RACF was iterating through a list of applications.

The resulting overhead across 1000's of users exhausted memory leaving no room 
for LSQA and producing 878 abends.


