Another Generalized Resource question
I would like to be able to add profiles to the Facility class within racf such that the profile will be made up of three qualifiers. The 1st two qualifiers will always be the same, and the 3rd will change. I have created a profile that contained 3 qualifiers, with the last as DAD*. DAD is my userid on the mvs system I am working on. After defining the profile, and then executing the permit, and the setropts refresh, I still get non-zero return from the racroute request=fastauth for the entity when the 3rd qualifier in the entity is DADIVP. Shouldn't DADIVP match against DAD* ? --Dave Day -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Another Generalized Resource question(problem solved)
No need to respond to this, I have my problems solved. --Dave Day - Original Message - From: David Day [EMAIL PROTECTED] Newsgroups: bit.listserv.ibm-main To: IBM-MAIN@BAMA.UA.EDU Sent: Tuesday, May 20, 2008 4:47 PM Subject: Another Generalized Resource question I would like to be able to add profiles to the Facility class within racf such that the profile will be made up of three qualifiers. The 1st two qualifiers will always be the same, and the 3rd will change. I have created a profile that contained 3 qualifiers, with the last as DAD*. DAD is my userid on the mvs system I am working on. After defining the profile, and then executing the permit, and the setropts refresh, I still get non-zero return from the racroute request=fastauth for the entity when the 3rd qualifier in the entity is DADIVP. Shouldn't DADIVP match against DAD* ? --Dave Day -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Another Generalized Resource question
snip--- I would like to be able to add profiles to the Facility class within racf such that the profile will be made up of three qualifiers. The 1st two qualifiers will always be the same, and the 3rd will change. I have created a profile that contained 3 qualifiers, with the last as DAD*. DAD is my userid on the mvs system I am working on. After defining the profile, and then executing the permit, and the setropts refresh, I still get non-zero return from the racroute request=fastauth for the entity when the 3rd qualifier in the entity is DADIVP. Shouldn't DADIVP match against DAD* ? -unsnip--- Tell us the entire profile name and the name you're checking it against. Do you have Enhanced Generics turned on? Why are you requesting FASTAUTH? More detail is necessary. Also, have you checked this with the RACF-List folks? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Another Generalized Resource question
On Wed, 21 May 2008 10:55:11 -0500, Rick Fochtman [EMAIL PROTECTED] wrote: Tell us the entire profile name and the name you're checking it against. Do you have Enhanced Generics turned on? Why are you requesting FASTAUTH? More detail is necessary. Also, have you checked this with the RACF-List folks? One comment: Enhanced Generics are irrelevant here. That option applies only to DATASET profiles, and has no effect on the characters you can use in general resource profiles. For general resource you can always use either * or **, depending on what you want to match. -- Walt Farrell, CISSP IBM STSM, z/OS Security Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Another Generalized Resource question
---snip--- Tell us the entire profile name and the name you're checking it against. Do you have Enhanced Generics turned on? Why are you requesting FASTAUTH? More detail is necessary. Also, have you checked this with the RACF-List folks? One comment: Enhanced Generics are irrelevant here. That option applies only to DATASET profiles, and has no effect on the characters you can use in general resource profiles. For general resource you can always use either * or **, depending on what you want to match. --unsnip- Correct me if I'm wrong. I understood that a single trailing * meant exactly one qualifier, whereas a trailing ** meant any number of qualifiers. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
