IDIDMAP
Whoever had the glorious idea to name a new RACF class IDIDMAP when the prefix IDI is IBM-defined as belonging to the IBM product Fault Analyzer Makes for some rough searching to find out why something with the prefix IDI is defined on one system in the plex sharing the RACF database but not the other when the Fault Analyzer product is identical and active on both systems! Barbara Nitz -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: IDIDMAP
On Thu, 6 Oct 2011 05:44:20 -0500, Barbara Nitz nitz-...@gmx.net wrote: Whoever had the glorious idea to name a new RACF class IDIDMAP when the prefix IDI is IBM-defined as belonging to the IBM product Fault Analyzer Makes for some rough searching to find out why something with the prefix IDI is defined on one system in the plex sharing the RACF database but not the other when the Fault Analyzer product is identical and active on both systems! What, and how, are you trying to search, Barbara? And what difficulty are you having? -- Walt Farrell IBM STSM, z/OS Security Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: IDIDMAP
What, and how, are you trying to search, Barbara? And what difficulty are you having? We are in the process of rolling out z/OS 1.12. One colleague had installed new maintenance and I wasn't happy that all necessary HOLDs were thouroughly checked. I asked our RACF guy to look at the RACF HOLD, and he told me to use consul (aka zSecure) to list all RACF classes (to find out myself so I don't have to ask again). Did that on z/OS 1.12 and noticed that all classes were doubled *except* IDIDMAP. I am responsible for Fault Analyzer and *knew* that there weren't any changes, it doesn't come with z/OS 1.12 etc. My RACF colleague couldn't explain, either, why IDIDMAP wasn't 'doubled' and said it had something to do with 'raclist required' (don't shoot me if I get this wrong - I have no clue about RACF). Then we started searching what the heck IDIDMAP is. No hit in the Fault Analyzer books. SIS had two hits, both for zSecure, both ptfs for not showing things correctly. So we assumed that that had something to do with us having the zSecure fix in the 1.12 system, but not in the 1.10 system. No 1.10 system (including the RACF database sharing other system) was even showing this Fault Analyzer class. Eventually both my RACF colleague and I found out that IDIDMAP has nothing whatsoever to do with Fault Analyzer (that has a number of RACF definitions that are *extremely* similar in naming), hence my/our confusion. This has nothing to do with FA at all - hence my question why IBM uses a prefix for an IBM product to name a RACF class that has nothing to do with that product. Don't tell me you're responsible! Barbara -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: IDIDMAP
Oh, my, the thoughts. Don't want any Off Topic questions about IDI do we? (IDI-OT). On Thu, 2011-10-06 at 05:44 -0500, Barbara Nitz wrote: Whoever had the glorious idea to name a new RACF class IDIDMAP when the prefix IDI is IBM-defined as belonging to the IBM product Fault Analyzer Makes for some rough searching to find out why something with the prefix IDI is defined on one system in the plex sharing the RACF database but not the other when the Fault Analyzer product is identical and active on both systems! Barbara Nitz -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- John McKown Maranatha! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: IDIDMAP
On Thu, 6 Oct 2011 07:10:56 -0500, Barbara Nitz nitz-...@gmx.net wrote: Then we started searching what the heck IDIDMAP is. No hit in the Fault Analyzer books. SIS had two hits, both for zSecure, both ptfs for not showing things correctly. So we assumed that that had something to do with us having the zSecure fix in the 1.12 system, but not in the 1.10 system. No 1.10 system (including the RACF database sharing other system) was even showing this Fault Analyzer class. Eventually both my RACF colleague and I found out that IDIDMAP has nothing whatsoever to do with Fault Analyzer (that has a number of RACF definitions that are *extremely* similar in naming), hence my/our confusion. This has nothing to do with FA at all - hence my question why IBM uses a prefix for an IBM product to name a RACF class that has nothing to do with that product. Don't tell me you're responsible! No, I'm not responsible, at least not directly, and only indirectly in the sense that if we named things as you think we do then I should have recognized such a problem and fixed it before you saw it. However, IBM component prefixes play no role in assigning class names in RACF. The class names derive from the objects being protected. The only usage of component prefixes in this area is for resource and/or profile names in the FACILITY and XFACILIT classes. So thats why we used that prefix: we do not consider the prefixes at all in the way that you think we do, and IDI is not a prefix in this usage. Thus, it's not an IDI-DMAP (some kind of DMAP thing related to FA), but an IDID-MAP, a mapping rule for IDIDs, which are distributed identity objects. But sorry for the confusion, in any case. -- Walt Farrell IBM STSM, z/OS Security Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: IDIDMAP
How about an (ID ten tee) error? ID10T -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of John McKown Sent: Thursday, October 06, 2011 7:21 AM To: IBM-MAIN@bama.ua.edu Subject: Re: IDIDMAP Oh, my, the thoughts. Don't want any Off Topic questions about IDI do we? (IDI-OT). On Thu, 2011-10-06 at 05:44 -0500, Barbara Nitz wrote: Whoever had the glorious idea to name a new RACF class IDIDMAP when the prefix IDI is IBM-defined as belonging to the IBM product Fault Analyzer Makes for some rough searching to find out why something with the prefix IDI is defined on one system in the plex sharing the RACF database but not the other when the Fault Analyzer product is identical and active on both systems! Barbara Nitz -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- John McKown Maranatha! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html == This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: IDIDMAP
But sorry for the confusion, in any case. Walt, thanks for the explanation. I have forwarded it to my RACF colleague. In any case, I noticed later (after posting) that this is suspiciously like another USS discussion (no, please not again!). I apologize for that. Barbara -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html