Re: LE options

[Imbriale, Donald]

I prefer the PARMLIB method, but use the assembled module as a backup.
With the PARMLIB method, displaying options is easier and making dynamic
changes is easier.  Also, as you pointed out, it allows you to have
different options on different systems that share the LE libraries.

Don Imbriale

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Frank Swarbrick
Sent: Friday, July 17, 2009 5:25 PM
To: IBM-MAIN@bama.ua.edu
Subject: LE options

There appears to be (at least) two ways to change LE runtime options
system wide.
There's the assember macro table way (CEEDOPT for batch and CEECOPT for
CICS) and there's the PARMLIB(CEEPRM00) way.
Is one preferred over the other?  Does one offer something the other
does not?  I am thinking that the PARMLIB way allows for multiple
systems to share the same LE libraries and still have different LE
options, if desired.  Is this the reason for is its existence?  If we
use the PARMLIB way is there anything that has to be done with the
macros and can't be done with the PARMLIB?

Honestly, there are so many ways to change LE options that it's hard to
keep them all straight!

Thanks,

This email is confidential and subject to important disclaimers and
conditions including on offers for the purchase or sale of
securities, accuracy and completeness of information, viruses,
confidentiality, legal privilege, and legal entity disclaimers,
available at http://www.jpmorgan.com/pages/disclosures/email.  

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: LE options

[Mark Zelden]

On Fri, 17 Jul 2009 19:25:28 -0400, Lizette Koehler
stars...@mindspring.com wrote:

Don't forget that there is also a JCL over ride now at z/OS V1.9 (IIRC) that
allows your programmers to put in the LE Parms there was well.


Actually 2 releases earlier, z/OS 1.7 - via CEEOPTS DD.

Not all options can be overridden at run time.  For example RTEREUS=(ON),
which has to do with how the run time environment is built, so specifying
it at run time is too late.

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:mark.zel...@zurichna.com
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: LE options

[Frank Swarbrick]

Thanks for all of the thoughts.  We are already using the PARMLIB member, and 
it looks like we'll continue to do so.  Just wanted to make sure that was the 
right choice.

Frank

-- 

Frank Swarbrick
Applications Architect - Mainframe Applications Development
FirstBank Data Corporation
Lakewood, CO  USA
P: 303-235-1403
F: 303-235-2075




The information contained in this electronic communication and any document 
attached hereto or transmitted herewith is confidential and intended for the 
exclusive use of the individual or entity named above.  If the reader of this 
message is not the intended recipient or the employee or agent responsible for 
delivering it to the intended recipient, you are hereby notified that any 
examination, use, dissemination, distribution or copying of this communication 
or any part thereof is strictly prohibited.  If you have received this 
communication in error, please immediately notify the sender by reply e-mail 
and destroy this communication.  Thank you.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: LE options

[Ted MacNEIL]

Thanks for all of the thoughts.
We are already using the PARMLIB member, and it looks like we'll continue to 
do so.
Just wanted to make sure that was the right choice.

When I started in this business, almost everything was assembled tables and 
required huge unnatural acts to get things changed.
But, we IPL'd every morning, so it wasn't an issue (much -- if it failed[?]).

But, now (almost 30 years later), IPLs are not something we do, even with 
SYSPLEX.

So, I'm a big proponent of as much 'clear text' dynamic parms as possible.

But, change control is STILL required!
IMO, even more so!

-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: LE options

[R.S.]

Frank Swarbrick pisze:

I have read the manuals and understand there are many ways to set them.  I'm 
interested in more fully understand, however, the pros and cons of CEEDOPT 
versus CEEPRMxx.  Manuals too often tell you *how* to do things but not *why*.


I think, its quite obvious. There is general trend to code parameters in 
text files instead of load modules. It's easier to code  understand, 
less error-prone, usually dynamic (can be changed online).
IMHO mainframe OSes are last systems which need assmbler for 
configuration and parametrization.

--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy 
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, 
nr rejestru przedsibiorców KRS 025237

NIP: 526-021-50-88
Wedug stanu na dzie 01.01.2009 r. kapita zakadowy BRE Banku SA (w caoci 
wpacony) wynosi 118.763.528 zotych. W zwizku z realizacj warunkowego 
podwyszenia kapitau zakadowego, na podstawie uchway XXI WZ z dnia 16 marca 
2008r., oraz uchway XVI NWZ z dnia 27 padziernika 2008r., moe ulec 
podwyszeniu do kwoty 123.763.528 z. Akcje w podwyszonym kapitale zakadowym 
BRE Banku SA bd w caoci opacone.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

LE options

[Frank Swarbrick]

There appears to be (at least) two ways to change LE runtime options system 
wide.
There's the assember macro table way (CEEDOPT for batch and CEECOPT for CICS) 
and there's the PARMLIB(CEEPRM00) way.
Is one preferred over the other?  Does one offer something the other does not?  
I am thinking that the PARMLIB way allows for multiple systems to share the 
same LE libraries and still have different LE options, if desired.  Is this the 
reason for is its existence?  If we use the PARMLIB way is there anything that 
has to be done with the macros and can't be done with the PARMLIB?

Honestly, there are so many ways to change LE options that it's hard to keep 
them all straight!

Thanks,
Frank

-- 

Frank Swarbrick
Applications Architect - Mainframe Applications Development
FirstBank Data Corporation
Lakewood, CO  USA
P: 303-235-1403
F: 303-235-2075


 

The information contained in this electronic communication and any document 
attached hereto or transmitted herewith is confidential and intended for the 
exclusive use of the individual or entity named above.  If the reader of this 
message is not the intended recipient or the employee or agent responsible for 
delivering it to the intended recipient, you are hereby notified that any 
examination, use, dissemination, distribution or copying of this communication 
or any part thereof is strictly prohibited.  If you have received this 
communication in error, please immediately notify the sender by reply e-mail 
and destroy this communication.  Thank you.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: LE options

[Roland Schiradin]

On Fri, 17 Jul 2009 15:25:26 -0600, Frank Swarbrick 
frank.swarbr...@efirstbank.com wrote:

There are more ways (CEEROPT, CEEUOPT and more). Check the manuals 
for more details about the order of settings. Also understand the term 
LE enclave and how the LE options takes effect for some application especially 
under CICS. 

BTW: SHOWzOS shows the CEEDOPT and CEEPRMxx settings

Roland


There appears to be (at least) two ways to change LE runtime options 
system wide.
There's the assember macro table way (CEEDOPT for batch and CEECOPT for 
CICS) and there's the PARMLIB(CEEPRM00) way.
Is one preferred over the other?  Does one offer something the other does 
not?  I am thinking that the PARMLIB way allows for multiple systems to share 
the same LE libraries and still have different LE options, if desired.  Is this 
the 
reason for is its existence?  If we use the PARMLIB way is there anything that 
has to be done with the macros and can't be done with the PARMLIB?

Honestly, there are so many ways to change LE options that it's hard to 
keep them all straight!


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: LE options

[Thompson, Steve]

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Frank Swarbrick
Sent: Friday, July 17, 2009 4:25 PM
To: IBM-MAIN@bama.ua.edu
Subject: LE options

There appears to be (at least) two ways to change LE runtime options
system wide.
There's the assember macro table way (CEEDOPT for batch and CEECOPT for
CICS) and there's the PARMLIB(CEEPRM00) way.
Is one preferred over the other?  Does one offer something the other
does not?  I am thinking that the PARMLIB way allows for multiple
systems to share the same LE libraries and still have different LE
options, if desired.  Is this the reason for is its existence?  If we
use the PARMLIB way is there anything that has to be done with the
macros and can't be done with the PARMLIB?

SNIP

Be aware of the differences in the defaults from release to release. You
may find that behaviors change for not so obvious reasons, all because
of depending on a default setting that changes.

Regards,
Steve Thompson

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

LE options

[Bill Klein]

Frank,
  As others have pointed out, there are still other ways to do set LE
options.

One difference between the old ways (e.g. CEEDCOPT) and the new ways
(PARMLIB) is that the old ways allowed for fixed options, i.e. system
defaults that could NOT be overridden by the programmer or later methods
of setting options.

For some people, this is/was a good thing and for others it was not.
Certainly the IBM direction (as seen with more recent options) is AWAY from
fixed options.

OBVIOUSLY, get used to how the RPTOPTS shows options in effect and where
they were/are sent. See, for example
 
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ceea1190/1.1.2.1 


Frank Swarbrick frank.swarbr...@efirstbank.com wrote in message
news:4a6097e6.6f0f.008...@efirstbank.com...
 There appears to be (at least) two ways to change LE runtime options
system wide.
 There's the assember macro table way (CEEDOPT for batch and CEECOPT for
CICS) and there's the PARMLIB(CEEPRM00) way.
 Is one preferred over the other?  Does one offer something the other does
not?  I am thinking that the PARMLIB way allows for multiple systems to
share the same LE libraries and still have different LE options, if desired.
Is this the reason for is its existence?  If we use the PARMLIB way is there
anything that has to be done with the macros and can't be done with the
PARMLIB?
 
 Honestly, there are so many ways to change LE options that it's hard to
keep them all straight!
 
 Thanks,
 Frank
 
 -- 
 
 Frank Swarbrick
 Applications Architect - Mainframe Applications Development
 FirstBank Data Corporation
 Lakewood, CO  USA
 P: 303-235-1403
 F: 303-235-2075
 
 
  
 
 The information contained in this electronic communication and any
document attached hereto or transmitted herewith is confidential and
intended for the exclusive use of the individual or entity named above.  If
the reader of this message is not the intended recipient or the employee or
agent responsible for delivering it to the intended recipient, you are
hereby notified that any examination, use, dissemination, distribution or
copying of this communication or any part thereof is strictly prohibited.
If you have received this communication in error, please immediately notify
the sender by reply e-mail and destroy this communication.  Thank you.
 
 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
 Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: LE options

[Lizette Koehler]

Don't forget that there is also a JCL over ride now at z/OS V1.9 (IIRC) that
allows your programmers to put in the LE Parms there was well.

So many choices, so little time.

Lizette


 
 There appears to be (at least) two ways to change LE runtime options
system wide.
 There's the assember macro table way (CEEDOPT for batch and CEECOPT for
CICS)
 and there's the PARMLIB(CEEPRM00) way.
 Is one preferred over the other?  Does one offer something the other does
not?  I am
 thinking that the PARMLIB way allows for multiple systems to share the
same LE
 libraries and still have different LE options, if desired.  Is this the
reason for is its
 existence?  If we use the PARMLIB way is there anything that has to be
done with
 the macros and can't be done with the PARMLIB?
 
 Honestly, there are so many ways to change LE options that it's hard to
keep them all
 straight!
 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: LE options

[Frank Swarbrick]

I have read the manuals and understand there are many ways to set them.  I'm 
interested in more fully understand, however, the pros and cons of CEEDOPT 
versus CEEPRMxx.  Manuals too often tell you *how* to do things but not *why*.
-- 

Frank Swarbrick
Applications Architect - Mainframe Applications Development
FirstBank Data Corporation
Lakewood, CO  USA
P: 303-235-1403
F: 303-235-2075


On 7/17/2009 at 3:34 PM, in message
listserv%200907171634126241.0...@bama.ua.edu, Roland Schiradin
rol...@schiradin.de wrote:
 On Fri, 17 Jul 2009 15:25:26 -0600, Frank Swarbrick 
 frank.swarbr...@efirstbank.com wrote:
 
 There are more ways (CEEROPT, CEEUOPT and more). Check the manuals 
 for more details about the order of settings. Also understand the term 
 LE enclave and how the LE options takes effect for some application 
 especially 
 under CICS. 
 
 BTW: SHOWzOS shows the CEEDOPT and CEEPRMxx settings
 
 Roland
 
 
There appears to be (at least) two ways to change LE runtime options 
 system wide.
There's the assember macro table way (CEEDOPT for batch and CEECOPT for 
 CICS) and there's the PARMLIB(CEEPRM00) way.
Is one preferred over the other?  Does one offer something the other does 
 not?  I am thinking that the PARMLIB way allows for multiple systems to 
 share 
 the same LE libraries and still have different LE options, if desired.  Is 
 this the 
 reason for is its existence?  If we use the PARMLIB way is there anything 
 that 
 has to be done with the macros and can't be done with the PARMLIB?

Honestly, there are so many ways to change LE options that it's hard to 
 keep them all straight!

 
 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
 Search the archives at http://bama.ua.edu/archives/ibm-main.html

 

The information contained in this electronic communication and any document 
attached hereto or transmitted herewith is confidential and intended for the 
exclusive use of the individual or entity named above.  If the reader of this 
message is not the intended recipient or the employee or agent responsible for 
delivering it to the intended recipient, you are hereby notified that any 
examination, use, dissemination, distribution or copying of this communication 
or any part thereof is strictly prohibited.  If you have received this 
communication in error, please immediately notify the sender by reply e-mail 
and destroy this communication.  Thank you.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: LE options

[Ted MacNEIL]

Don't forget that there is also a JCL over ride now at z/OS V1.9 (IIRC) that 
allows your programmers to put in the LE Parms there was well.

That's been around a lot longer than 1.9!

IIRC, it was around during OS/390.

The option(s) are specified by:

//STEP EXEC PGM=appl,PARM='appl/LE'

Or vice versa:

//STEP EXEC PGM=appl,PARM='LE/appl'

I don't remember which way it's specified, but I also think that's an 
installation option.

And, it was way back!
-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: LE options

[Ted MacNEIL]

anuals too often tell you *how* to do things but not *why*.

I guess, in my case, it's because it's dynamic and more flexible. So, I prefer 
PARMLIB.
-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: LE options

[Lizette Koehler]

Actually I was talking about the //CEEOPT DD statement that can be added to
JCL rather than the PARM.



Lizette


 
 Don't forget that there is also a JCL over ride now at z/OS V1.9 (IIRC)
that allows
 your programmers to put in the LE Parms there was well.
 
 That's been around a lot longer than 1.9!
 
 IIRC, it was around during OS/390.
 
 The option(s) are specified by:
 
 //STEP EXEC PGM=appl,PARM='appl/LE'
 
 Or vice versa:
 
 //STEP EXEC PGM=appl,PARM='LE/appl'
 
 I don't remember which way it's specified, but I also think that's an
installation
 option.
 
 And, it was way back!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Utility for LE Options?

[Roland Schiradin]

SHOWzOS and COBANAL display the CEExOPT settings but not for CEEROPT. 
However the code should also work for CEEROPT unless you modify it and load 
the CEEROPT entry. Starting with z/OS R9 (?) IBM deliver a macro (CEEOCB?) 
to map the CEExOPT. 

Regards 
Roland

Is there some utility out there where you supply as input the CEEROPT load
module, and the utility reports on what options it specifies?

   I'd hate to write one only to find out that I re-invented the wheel...

   Thanks.

Adam Johanson
IMS Systems Programming
USAA


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Utility for LE Options?

[Adam Johanson]

Is there some utility out there where you supply as input the CEEROPT load 
module, and the utility reports on what options it specifies? 

   I'd hate to write one only to find out that I re-invented the wheel...

   Thanks.

Adam Johanson
IMS Systems Programming
USAA

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Utility for LE Options?

[Lizette Koehler]

Is this for IMS, CICS, Batch or other environment?  What level of z/OS would 
you be running this on?

Cics has CLER for seeing the options, and I think IMS may also have one for the 
online side.

If you are at z/OS V1.9 then the parms might be maintained in CEEPRMxx in 
SYS1.PARMLIB or a CEEOPT DD statement in the JCL.

What are you looking for specifically?

Lizette




Is there some utility out there where you supply as input the CEEROPT load 
module, and the utility reports on what options it specifies? 

   I'd hate to write one only to find out that I re-invented the wheel...

   Thanks.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Utility for LE Options?

[Adam Johanson]

It's for an IMS MPR. We're at z/OS 1.9.

   What I'd really like is for the utility to take the load module, and output 
the 
CEEXOPT macro, complete with options contained in the CEEROPT module.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Utility for LE Options?

[Bill Klein]

OOPS,  my idea won't work.  It is the CEEROPT module itself that you are
trying to find what options are set.

I do not know of a dis-assembler for a CEEROPT load module. 

 -Original Message-
 From: Bill Klein [mailto:wmkl...@ix.netcom.com] 
 Sent: Monday, January 19, 2009 6:44 PM
 To: IBM-MAIN (IBM-MAIN@BAMA.UA.EDU)
 Subject: Fw: Utility for LE Options?
 
 I don't know if this is what you are looking for, but at LE 
 1.9, you can
 
 A) create a CEEROPT stand-alone module with
   RPTOPTS(ON)
 (You may or may not want to modify MSGFILE as well)
 
 See:

 http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/cee
 a2180/1.9.2 
 
 
 B) place the resuliting load module in in you IMS JCL and run the MPR
 
 C) check your output.  It will show you what options are set 
 in that region and where they are set.  See for example,
   
 http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/cee
 a1180/1.1.2.1 
 
 This will NOT tell you what the options are in sources that 
 were overriden nor will it provide output that is already in 
 macro format - but I think it should (might?) give you want 
 you want.
 
 Adam Johanson adam.johan...@usaa.com wrote in message 
 news:listserv%200901191506445185.0...@bama.ua.edu...
  It's for an IMS MPR. We're at z/OS 1.9.
  
 What I'd really like is for the utility to take the load 
 module, and output the 
  CEEXOPT macro, complete with options contained in the 
 CEEROPT module.
 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Utility for LE Options?

[Bill Klein]

Final thought (replying to myself, replying to myself G)

Code a small program that CALLs CEE3DMP, that program's output will show you
the run-time options in effect.

 -Original Message-
 From: Bill Klein [mailto:wmkl...@ix.netcom.com] 
 Sent: Monday, January 19, 2009 6:53 PM
 To: IBM-MAIN (IBM-MAIN@BAMA.UA.EDU)
 Subject: Utility for LE Options?
 
 OOPS,  my idea won't work.  It is the CEEROPT module itself 
 that you are trying to find what options are set.
 
 I do not know of a dis-assembler for a CEEROPT load module. 
 
  -Original Message-
  From: Bill Klein [mailto:wmkl...@ix.netcom.com] 
  Sent: Monday, January 19, 2009 6:44 PM
  To: IBM-MAIN (IBM-MAIN@BAMA.UA.EDU)
  Subject: Fw: Utility for LE Options?
  
  I don't know if this is what you are looking for, but at LE 
  1.9, you can
  
  A) create a CEEROPT stand-alone module with
RPTOPTS(ON)
  (You may or may not want to modify MSGFILE as well)
  
  See:
 
  http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/cee
  a2180/1.9.2 
  
  
  B) place the resuliting load module in in you IMS JCL and 
 run the MPR
  
  C) check your output.  It will show you what options are set 
  in that region and where they are set.  See for example,

  http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/cee
  a1180/1.1.2.1 
  
  This will NOT tell you what the options are in sources that 
  were overriden nor will it provide output that is already in 
  macro format - but I think it should (might?) give you want 
  you want.
  
  Adam Johanson adam.johan...@usaa.com wrote in message 
  news:listserv%200901191506445185.0...@bama.ua.edu...
   It's for an IMS MPR. We're at z/OS 1.9.
   
  What I'd really like is for the utility to take the load 
  module, and output the 
   CEEXOPT macro, complete with options contained in the 
  CEEROPT module.
  

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Fw: Utility for LE Options?

[Bill Klein]

I don't know if this is what you are looking for, but at LE 1.9, you can

A) create a CEEROPT stand-alone module with
  RPTOPTS(ON)
(You may or may not want to modify MSGFILE as well)

See:
   http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ceea2180/1.9.2



B) place the resuliting load module in in you IMS JCL and run the MPR

C) check your output.  It will show you what options are set in that region
and where they are set.  See for example,
 
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ceea1180/1.1.2.1 

This will NOT tell you what the options are in sources that were overriden
nor will it provide output that is already in macro format - but I think
it should (might?) give you want you want.

Adam Johanson adam.johan...@usaa.com wrote in message
news:listserv%200901191506445185.0...@bama.ua.edu...
 It's for an IMS MPR. We're at z/OS 1.9.
 
What I'd really like is for the utility to take the load module, and
output the 
 CEEXOPT macro, complete with options contained in the CEEROPT module.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Paul Gilmartin]

On Mon, 7 Jan 2008 20:30:53 -0600, Ed Gould wrote:

 //STEP1   EXEC  PGM=BPXBATCH,PARM='PGM /bin/sleep '
 //STEP2   EXEC  PGM=IEFBR14,COND=(0,LE)
 //SYSUT99  DD   DISP=OLD,DSN=SYS1.PARMLIB

 ... but RACF won't help you there.

But the initiator might stop you as RMF has (assuming you are running
RMF) the disp=shr in its JCL.

But the damage is done; the job is tying up an initiator and requesting
an exclusive ENQ which prevents any further allocations of PARMLIB.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Tom Marchant]

On Mon, 7 Jan 2008 20:30:53 -0600, Ed Gould wrote:

On Jan 7, 2008, at 12:32 PM, Paul Gilmartin wrote:

 Take my remark as largely rhetorical.  IIRC, I was rebutting a prior
 post expressing a phobic delusion that if PARMLIB had UACC=READ, an
 incompetently or maliciously crafted job might ABEND leaving an
 unreleased restrictive ENQ on PARMLIB.  I never considered it a
 realistic concern.  (more likely means some larger multiple of 0.)

 Of course, there's always:

 //STEP1   EXEC  PGM=BPXBATCH,PARM='PGM /bin/sleep '
 //STEP2   EXEC  PGM=IEFBR14,COND=(0,LE)
 //SYSUT99  DD   DISP=OLD,DSN=SYS1.PARMLIB

 ... but RACF won't help you there.

 Gil:

But the initiator might stop you as RMF has (assuming you are running
RMF) the disp=shr in its JCL.

And you will be waiting for your exclusive enq on parmlib.  Meanwhile, if I'm 
not 
mistaken, anyone else who tries to enq it will queue behind your exclusive 
request.

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Ed Gould]

On Jan 8, 2008, at 7:21 AM, Paul Gilmartin wrote:


On Mon, 7 Jan 2008 20:30:53 -0600, Ed Gould wrote:



//STEP1   EXEC  PGM=BPXBATCH,PARM='PGM /bin/sleep '
//STEP2   EXEC  PGM=IEFBR14,COND=(0,LE)
//SYSUT99  DD   DISP=OLD,DSN=SYS1.PARMLIB

... but RACF won't help you there.


But the initiator might stop you as RMF has (assuming you are running
RMF) the disp=shr in its JCL.

But the damage is done; the job is tying up an initiator and  
requesting

an exclusive ENQ which prevents any further allocations of PARMLIB.


Well yes but the address space will gets swapped out and either the  
operator gets awoken by the aiutomation product or the automation  
product cancels the job. It depends.


Ed

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Shmuel Metz (Seymour J.)]

In [EMAIL PROTECTED], on 06/27/2007
   at 02:19 PM, Paul Gilmartin [EMAIL PROTECTED] said:

But, as discussed here recently, prohibiting read access doesn't prevent
the allocation, and it might be more likely that a program that ABENDs on
OPEN will exit abnormally without doing the FREE.

Depending on how he is looking at the data set, the free might be
automatic.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Paul Gilmartin]

On Mon, 7 Jan 2008 12:46:34 -0500, Shmuel Metz (Seymour J.) wrote:

In [EMAIL PROTECTED], on 06/27/2007

Time warp?

   at 02:19 PM, Paul Gilmartin said:

But, as discussed here recently, prohibiting read access doesn't prevent
the allocation, and it might be more likely that a program that ABENDs on
OPEN will exit abnormally without doing the FREE.

Depending on how he is looking at the data set, the free might be
automatic.

Take my remark as largely rhetorical.  IIRC, I was rebutting a prior
post expressing a phobic delusion that if PARMLIB had UACC=READ, an
incompetently or maliciously crafted job might ABEND leaving an
unreleased restrictive ENQ on PARMLIB.  I never considered it a
realistic concern.  (more likely means some larger multiple of 0.)

Of course, there's always:

//STEP1   EXEC  PGM=BPXBATCH,PARM='PGM /bin/sleep '
//STEP2   EXEC  PGM=IEFBR14,COND=(0,LE)
//SYSUT99  DD   DISP=OLD,DSN=SYS1.PARMLIB

... but RACF won't help you there.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Ed Gould]

On Jan 7, 2008, at 12:32 PM, Paul Gilmartin wrote:


On Mon, 7 Jan 2008 12:46:34 -0500, Shmuel Metz (Seymour J.) wrote:


In [EMAIL PROTECTED], on 06/27/2007


Time warp?


  at 02:19 PM, Paul Gilmartin said:

But, as discussed here recently, prohibiting read access doesn't  
prevent
the allocation, and it might be more likely that a program that  
ABENDs on

OPEN will exit abnormally without doing the FREE.


Depending on how he is looking at the data set, the free might be
automatic.


Take my remark as largely rhetorical.  IIRC, I was rebutting a prior
post expressing a phobic delusion that if PARMLIB had UACC=READ, an
incompetently or maliciously crafted job might ABEND leaving an
unreleased restrictive ENQ on PARMLIB.  I never considered it a
realistic concern.  (more likely means some larger multiple of 0.)

Of course, there's always:

//STEP1   EXEC  PGM=BPXBATCH,PARM='PGM /bin/sleep '
//STEP2   EXEC  PGM=IEFBR14,COND=(0,LE)
//SYSUT99  DD   DISP=OLD,DSN=SYS1.PARMLIB

... but RACF won't help you there.

Gil:


But the initiator might stop you as RMF has (assuming you are running  
RMF) the disp=shr in its JCL.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Shmuel Metz (Seymour J.)]

In
[EMAIL PROTECTED],
on 06/21/2007
   at 02:58 PM, Tom Savor [EMAIL PROTECTED] said:

Funny how it's ok for SYSPROGs to cruise Applications and tell us
what needs to be changed or how to tune our application (when we
didn't ask for their opinion), but it's not ok for us to cruise your
PARMLIB settings   Never heard of a PARMLIB setting getting
screwed-up by looking at it.  Unbelieveable !!!

But never forget that the original Dilbert strips were nature
studies.

IMHO there should be transparency in both directions, subject to
security issues. However, don't keep long ENQ's on the datasets that
you want to view. Similarly, don't waste people's time suggesting
improvements that aren't; learn what it actually does, and why,
before suggesting changes.

Another pet-peave, why do companies buy tools, then SYSPROG decides
that only they get to use it.

Sometimes it's an ego trip, sometimes it's due to management decree.
I've been at shops where I was allowed to build my own tools and to
install tools from, e.g., the CBT tape, but I was *not* allowed to
make them available to the users, on the grounds that anything we made
available had to be supported and that we weren't authorized to commit
to the support.

I asked them why can't we both use it ??, answer...because none of 
the applications asked for it.

ROTF,LMAO! The correct answer was Whoops! It was an oversight. It
was their job to determine who needed access and to convince people to
use it when it was to the company's benefit. Of course, given that
they were your customer you needed to be diplomatic.

More and more SYSPROGs like to hide their stuff, even from
viewing.

My guess is that either they are not sysprogs or the decision was
imposed from above.

If your system security is setup properly, I can see no harm in
browsing anything on the system.

One problem, which has been discussed here before, is users who
allocate systems data sets and don't free them when they're done
browsing. In a shop where you're not allowed to cancel their sessions,
the easiest fix is to remove the read access.

-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Paul Gilmartin]

On Wed, 27 Jun 2007 09:13:09 -0300, Shmuel Metz (Seymour J.) wrote:

If your system security is setup properly, I can see no harm in
browsing anything on the system.

One problem, which has been discussed here before, is users who
allocate systems data sets and don't free them when they're done
browsing. In a shop where you're not allowed to cancel their sessions,
the easiest fix is to remove the read access.

But, as discussed here recently, prohibiting read access doesn't
prevent the allocation, and it might be more likely that a program
that ABENDs on OPEN will exit abnormally without doing the FREE.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: SV: how to list LE options

[Chase, John]

 -Original Message-
 From: IBM Mainframe Discussion List On Behalf Of Ed Gould
 
 On Jun 22, 2007, at 7:05 AM, Thomas Berg wrote:
 
  ==  Ed Gould  ==  wrote2007-06-21 21:58:
  On Jun 21, 2007, at 4:44 AM, Thomas Berg wrote:
  --SNIP--
 
  The consultants
  howled as
  they could no longer assemble programs (no access to sys1.maclib)
 
  ???
 
  Our official language was COBOL nothing else was permitted into 
  production. The consultants had a habit of doing the other work on 
  our system, those contained assembler.
  Ed
 
  Still don't understand why they wasn't allowed to assemble their 
  programs.
  Were they doing private programming or what ?
 
  Thomas Berg
 ---SNIP
 
 The standard company wide language was COBOL. None of the 
 programmers knew assembler. As I explained in a previous post 
 none of the programmers could debug assembler code.
 
 The consultants were using our resources to compile programs 
 for the consultants essentially stealing resources from our 
 company. The two steps we made to stop the process was taking 
 away access to sys1.maclib and also not allowing assembler to 
 be invoked.

Oh  Sort of like, None of the folks knew how to use a lawn mower,
so they banned lawns.  Must have been a gummint shop.

-jc-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: SV: how to list LE options

[Ted MacNEIL]

 The consultants were using our resources to compile programs 
 for the consultants essentially stealing resources from our 
 company. The two steps we made to stop the process was taking 
 away access to sys1.maclib and also not allowing assembler to 
 be invoked.

You let them off easy!
I would have dismissed them, right away.

-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: SV: how to list LE options

[Chase, John]

 -Original Message-
 From: IBM Mainframe Discussion List On Behalf Of Ted MacNEIL
 
  The consultants were using our resources to compile programs for the

  consultants essentially stealing resources from our company. ... 
 
 You let them off easy!
 I would have dismissed them, right away.

Along with giving them some free room and board at the local Crossbar
Hotel.

-jc-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: SV: how to list LE options

[Ed Gould]

On Jun 25, 2007, at 7:50 AM, Chase, John wrote:
--SNIP-


The consultants were using our resources to compile programs
for the consultants essentially stealing resources from our
company. The two steps we made to stop the process was taking
away access to sys1.maclib and also not allowing assembler to
be invoked.


Oh  Sort of like, None of the folks knew how to use a lawn mower,
so they banned lawns.  Must have been a gummint shop.


John,
The programmers were the one to initiate this process. They were the  
ones who only knew COBOL and could not figure out assembler. They  
were far from dumb just not trained in assembler. I guess I couldn't  
blame them. It would be like getting called in on APL2 and not having  
a clue what it was. I certainly wasn't conversant  in it. I was able  
to call IBM and report the problem and get a resolution to it. But  
did not know anything but how to spell it.  In the case of assembler  
they had no one to call. One could argue they could learn it  but not  
at 2AM. There was no sense in trying to hire programmers who already  
knew it as 100 percent (or 99.9) of the programs was written in  
COBOL. Would you hire (at more $$) a person that might never use his  
(or her) expertise? Do you think a programmer would even consider  
such a position? My feeling and talking with hiring managers then the  
answer is no. This was back in the early 80's and finding experience  
programmers was just difficult.


Ed




-jc-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: SV: how to list LE options

[Thomas Berg]

==  Ed Gould  ==  wrote2007-06-23 13:09:

On Jun 23, 2007, at 4:15 AM, Thomas Berg wrote:

-SNIP



That explains it.  But what were they expected to do, btw ?

Thomas Berg

--


I am not sure I understand the question. They were expected to work on 
any work that was assigned to them by our company. Not use their time 
there for some other use. 


snip

Of course.  Was just curious.
Seems to me that they were ineffectively used.  (As they have time to do 
private work.)

Thomas Berg


--

__

Mundus Vult Decipi
__

 They that can give up essential liberty to obtain a little temporary safety 
deserve neither liberty nor safety.
 - Benjamin Franklin

 Military justice is to justice what military music is to music.
 - Groucho Marx

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: SV: how to list LE options

[Thomas Berg]

==  Ed Gould  ==  wrote2007-06-23 01:49:

On Jun 22, 2007, at 7:05 AM, Thomas Berg wrote:


Still don't understand why they wasn't allowed to assemble their 
programs.

Were they doing private programming or what ?

Thomas Berg

---SNIP

The standard company wide language was COBOL. None of the programmers 
knew assembler. As I explained in a previous post none of the 
programmers could debug assembler code.


The consultants were using our resources to compile programs for the 
consultants essentially stealing resources from our company. The two 
steps we made to stop the process was taking away access to sys1.maclib 
and also not allowing assembler to be invoked.


Ed


That explains it.  But what were they expected to do, btw ?

Thomas Berg

--

__

Mundus Vult Decipi
__

 They that can give up essential liberty to obtain a little temporary safety 
deserve neither liberty nor safety.
 - Benjamin Franklin

 Military justice is to justice what military music is to music.
 - Groucho Marx

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: SV: how to list LE options

[Ed Gould]

On Jun 23, 2007, at 4:15 AM, Thomas Berg wrote:

-SNIP



That explains it.  But what were they expected to do, btw ?

Thomas Berg

--  





I am not sure I understand the question. They were expected to work  
on any work that was assigned to them by our company. Not use their  
time there for some other use. We had one consultant that was an ISV  
and was using our system to do development work on his product. THEN  
he tried to sell the work to us at the retail price. What a rip off.


Yes it was a management issue but our management (and I use the term  
loosely) did not require time sheets and the like. Nor did management  
stay much after 5PM to see what was going on. When most of the  
goofing off was occurring.


*IF* we would have had had a single programmer trying to do a  
homework assignment I probably would never had done this.  I would  
have probably run through SMF and sent the report over to the  
application people for them to decide.


Ed

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: SV: how to list LE options

[Gerhard Postpischil]

Ed Gould wrote:
I am not sure I understand the question. They were expected to work on 
any work that was assigned to them by our company. Not use their time 
there for some other use. We had one consultant that was an ISV and was 
using our system to do development work on his product. THEN he tried to 
sell the work to us at the retail price. What a rip off.


I've been on both sides of this issue. When doing consulting 
work, it's a lot quicker (selling point) to use software you're 
comfortable with, instead of trying to learn non-standard 
software or options the client has. I had a standard agreement 
that they retained the right to use the software, in exchange 
for my installing it, and if necessary, modifying it to adapt to 
their environment. In twenty years, only two installations 
declined the offer; one was a government site with security 
concerns, the other insisted on 100% ownership of anything 
developed at their facility - so they got 100% of nothing, instead.


Yes it was a management issue but our management (and I use the term 
loosely) did not require time sheets and the like. Nor did management 
stay much after 5PM to see what was going on. When most of the goofing 
off was occurring.


That's poor practice. I have never worked on a consulting 
contract that didn't require time sheets.


*IF* we would have had had a single programmer trying to do a homework 
assignment I probably would never had done this.  I would have probably 
run through SMF and sent the report over to the application people for 
them to decide.


To me that seems backwards. As systems manager, I had the chance 
to get other employees interested in programming; learning makes 
jobs easier to understand and carry out. One of our operators 
wrote a very nice football game, with suggestions and feedback 
from other operators and programmers, and it spoiled him G. 
Last time I ran into him at Share he was an IBM manager, 
complete with three piece suit and pocket watch with fob.




Gerhard Postpischil
Bradford, VT

new e-mail address: gerhardp (at) charter (dot) net

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: SV: how to list LE options

[Ed Gould]

On Jun 23, 2007, at 12:57 PM, Gerhard Postpischil wrote:



Ed Gould wrote:


I am not sure I understand the question. They were expected to
work on any work that was assigned to them by our company. Not use
their time there for some other use. We had one consultant that
was an ISV and was using our system to do development work on his
product. THEN he tried to sell the work to us at the retail price.
What a rip off.



I've been on both sides of this issue. When doing consulting work,
it's a lot quicker (selling point) to use software you're
comfortable with, instead of trying to learn non-standard software
or options the client has. I had a standard agreement that they
retained the right to use the software, in exchange for my
installing it, and if necessary, modifying it to adapt to their
environment. In twenty years, only two installations declined the
offer; one was a government site with security concerns, the other
insisted on 100% ownership of anything developed at their facility
- so they got 100% of nothing, instead.



When I got feelers to install the product so everyone could use it. I
wanted to make sure there was a signed contract and also some
assurance it didn't need any APF or SVC's type requirements or any
operating system dependencies. I also had a few other simple requests
like who was going to maintain it and who was going to call in
problems and to where. The individual thought those questions were
way to much and wouldn't answer them. I suggested to management that
if they needed a product to right up their requirements and we could
do a joint search and go through the proper channels. I wanted to
make sure that everyone had input. They didn't want to go through the
process so I just sent back the request with a note to defer any
payment to the vendor until the applications manager put things in
writing.





Yes it was a management issue but our management (and I use the
term loosely) did not require time sheets and the like. Nor did
management stay much after 5PM to see what was going on. When most
of the goofing off was occurring.



That's poor practice. I have never worked on a consulting contract
that didn't require time sheets.



What can I say our managers seemed to be the trusting kind. I did not
agree but it wasn't my place to say so.




zzsnip---

To me that seems backwards. As systems manager, I had the chance to
get other employees interested in programming; learning makes jobs
easier to understand and carry out. One of our operators wrote a
very nice football game, with suggestions and feedback from other
operators and programmers, and it spoiled him G. Last time I ran
into him at Share he was an IBM manager, complete with three piece
suit and pocket watch with fob.



I have worked with such a person (in fact he is now a billionaire)
from the money he made from the company he started and then sold to
CA. Good for him I hope he enjoys the $$. He swore he would never
sell the company but the big bucks was just too much temptation.

On the other hand I can also tell you about another consulting
company that was fairly dishonest. Yes they paid their people the BIG
$$, but they were nothing but crooks when they came down to it. I had
utter contempt for all its employees and the work they did.

Ed

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: HR policy (was: how to list LE options)

[R.S.]

Chase, John wrote:
[...]
 ITYM dumb rather than stupid (dumb is curable via education;
 stupid is as stupid does).


That was actually a stated policy in a university (!!) where I worked
previously.  In that boss's own words, If we allow you more training,
your marketability will be enhanced and you'll leave us for more money
somewhere else.


It is quite common HR policy. It is usually kept 'in secret' (in silence 
at least), becasue it nothing to be proud of, but it is in quite common 
use. From the other hand I know companies in Poland where people work 
for two reasons:

a) to get some experience, take some classes and go away with better CV.
b) because they don't want to learn, they don't want to work to hard, 
usually they rather stupid than dumb.


Since I part of my job is teaching on mainframe courses, I often meet 
them (only mainframe staff in fact) and observe their careers. Sometimes 
one can distinguish a and b -types during first lab.


--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy 
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, 
nr rejestru przedsibiorców KRS 025237

NIP: 526-021-50-88
Wedug stanu na dzie 01.01.2007 r. kapita zakadowy BRE Banku SA (w caoci 
opacony) wynosi 118.064.140 z. W zwizku z realizacj warunkowego 
podwyszenia kapitau zakadowego, na podstawie uchwa XVI WZ z dnia 21.05.2003 
r., kapita zakadowy BRE Banku SA moe ulec podwyszeniu do kwoty 118.760.528 
z. Akcje w podwyszonym kapitale zakadowym bd w caoci opacone.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Security vs knowledge [was: RE: how to list LE options]

[Ken Brick]

This thread was originally entitled How to list LE Options.

One of the responses was to browse the LE options member of PARMLIB. I
see this as a valid requirement for an application programmer. Hence
they need READ access to PARMLIB.

However I, from a system programmers perspective, know that there is
information,  members, in PARMLIB that people other than the system
programmers should know. Hence the UACC(NONE) argument.

All valid many years ago but today with the ability to concatenate
PARMLIB we, the system programmers, just need to put a little effort
into segregating members into READ/NOREAD areas.  This will still not
satisfy every one especially people like Peter Farley who reading
between the lines of many of this posts his probably involved in
applications tuning and probably has a real argument for a higher degree
of read access to many members

Ken Brick

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Security vs knowledge [was: RE: how to list LE options]

[Rob van der Heij]

On 6/22/07, J R [EMAIL PROTECTED] wrote:


In the JES2 Init deck, you can specify clear text passwords for RJE lines.
That is a great reason for specifying UACC(NONE).

That sounds like a great reason for not keeping the JES2
Init deck in PARMLIB.


Yes, indeed. Otherwise someone with an approved need to see the LE
options (or something else) would automatically be able to see your
passwords.

A popular response to my why do you need that is people dreaming up
some possible emergency situation that never happened but might occur
some day (when everyone else is sick and there is a sev 1, so I need
write access on production libraries all the time).

Where technically feasible, I like an approach where exceptional
access can be granted but is audited properly and requires
justification afterwards. If needed a separate RACF userid can be used
(because it is not something you need for your normal work). We found
logonby useful to implement this. If needed you could even have a
duty-manager involved in the process to grant accesss to the call-out
person (rather than share this week's operator password on the phone).

Rob

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Chase, John]

 -Original Message-
 From: IBM Mainframe Discussion List On Behalf Of Thomas Berg
 
  -Ursprungligt meddelande-
  Från: IBM Mainframe Discussion List För Ed Gould
 
  The consultants howled as
  they could no longer assemble programs (no access to sys1.maclib)
 
 ???

If you hire consultants to (among other things) assemble programs, then 
configure security to prevent them from doing so, why are you not in breach of 
contract?

-jc-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: SV: how to list LE options

[Thomas Berg]

==  Ed Gould  ==  wrote2007-06-21 21:58:

On Jun 21, 2007, at 4:44 AM, Thomas Berg wrote:
--SNIP--



The consultants
howled as
they could no longer assemble programs (no access to sys1.maclib)


???

Our official language was COBOL nothing else was permitted into 
production. The consultants had a habit of doing the other work on our 
system, those contained assembler.


Ed


Still don't understand why they wasn't allowed to assemble their programs.
Were they doing private programming or what ?

Thomas Berg


--

__

Mundus Vult Decipi
__

 They that can give up essential liberty to obtain a little temporary safety 
deserve neither liberty nor safety.
 - Benjamin Franklin

 Military justice is to justice what military music is to music.
 - Groucho Marx

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Chase, John]

 -Original Message-
 From: IBM Mainframe Discussion List On Behalf Of Barkow, Eileen
 
   that in most medium to large organizations, lines do need 
 to be drawn 
  in order to keep people focused on the jobs they are hired to do
 
 I take this to mean keep them stupid so that they cannot get 
 a job anywhere else.

ITYM dumb rather than stupid (dumb is curable via education;
stupid is as stupid does).

That was actually a stated policy in a university (!!) where I worked
previously.  In that boss's own words, If we allow you more training,
your marketability will be enhanced and you'll leave us for more money
somewhere else.

Well, No $h1t, Sherlock!

-jc-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Security vs knowledge [was: RE: how to list LE options]

[Mark Zelden]

On Fri, 22 Jun 2007 16:27:40 +1000, Ken Brick [EMAIL PROTECTED] wrote:


All valid many years ago but today with the ability to concatenate
PARMLIB we, the system programmers, just need to put a little effort
into segregating members into READ/NOREAD areas.  This will still not
satisfy every one especially people like Peter Farley who reading
between the lines of many of this posts his probably involved in
applications tuning and probably has a real argument for a higher degree
of read access to many members


That will work, but if he has a valid need the security product rules can
also be changed to allow him access.   UACC is just a default.  It doesn't mean
it's right for all or everyone in a particular group with similar job functions.
There can be exceptions. I myself have the AUDITOR attribute in RACF
to help diagnose problems that may be security related that aren't obvious.
But not all the MVS sysprogs have it.All AUDITOR does is give me READ
access to profiles and doesn't let me circumvent security in any way, but
every year during audit my manager and the security manager have to sign off 
on the access and explain it.  


Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group:  G-ITO
mailto:[EMAIL PROTECTED]
z/OS and OS390 expert at http://searchDataCenter.com/ateExperts/
Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Security vs knowledge [was: RE: how to list LE options]

[Ted MacNEIL]

All AUDITOR does is give me READ access to profiles and doesn't let me 
circumvent security in any way, but every year during audit my manager and the 
security manager have to sign off on the access and explain it.

Doesn't it also allow you to make changes using SETROPTS?


-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Ed Gould]

O 
SNIP

ITYM dumb rather than stupid (dumb is curable via education;
stupid is as stupid does).

That was actually a stated policy in a university (!!) where I worked
previously.  In that boss's own words, If we allow you more training,
your marketability will be enhanced and you'll leave us for more money
somewhere else.

Well, No $h1t, Sherlock!




John,

Thanks for reminding me of this. I had put this out of my memory.  
(wish it had never happened ).


The senior VP of a company that I worked for had this belief. He  
would never send anyone for training no matter what. At the time the  
way they scheduled jobs was to read all the jobs into the input Q  
with typrun=hold, and then depended on the operator to release them  
in the right sequence.
The number of jobs that were read in grew to be over 1000 and the  
poor operator had a hell of a time keeping track of them. AFter a few  
mistakes and the time lost from the mistakes the market didn't open  
on time (we were fined big time). They finally decided to get a job  
scheduler. The went out and found one and purchased it. They thought  
they had worked out how to use it. The first night was almost  
catastrophic. They just didn't understand how to schedule for it.  
Instead of training their people the decided to hire consultants  
the next attempt was a little better (at least the market opened on  
time). This went one for several weeks finally a news system was to  
be turned over to production and the proverbial hell arose . The  
market did not open on time either. The VP was called on the carpet  
for a dressing down like he had never gotten before. The next day we  
had a 5 people appear out of nowhere from the vendor to give classes  
for the scheduler   and the production control people were given an  
intensive 2 day class. Even the night shift people were brought in.  
The results were self evident they rewrote the nights schedule with  
some help from the trainers and the next night the production ran  
rather well. Yes there were some rough edges but the jobs did get  
done in the right sequence. From then on the VP always made it part  
of the job for training. It took him getting raked over the coals to  
get it to happen.


Ed

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Security vs knowledge [was: RE: how to list LE options]

[Dave Kopischke]

On Fri, 22 Jun 2007 16:27:40 +1000, Ken Brick wrote:

This thread was originally entitled How to list LE Options.

One of the responses was to browse the LE options member of PARMLIB. I
see this as a valid requirement for an application programmer. Hence
they need READ access to PARMLIB.


Since this thread has been taken over by another religious war, it's impossible 
to tell if the original poster actually got something useful out of the 
reponses. 
Remember the stories written about ServiceLink outages quoting mostly from 
this list  Give it a rest or the Windows folks will start to appear 
reasonable 
every time they ask a user to reboot.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Rick Fochtman]

---snip--
Funny how it's ok for SYSPROGs to cruise Applications and tell us what 
needs to be changed or how to tune our application

--unsnip-
In our shop, it was called Quality Assurance Review and we caught some 
real howlers.


Like OPEN and CLOSE within the loop that actually wrote the records.

Or IDMS PREPARE, fetch and update and IDMS FINISH within a database 
update loop.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Steve Comstock]

Chase, John wrote:

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Barkow, Eileen

 that in most medium to large organizations, lines do need 
to be drawn 


in order to keep people focused on the jobs they are hired to do


I take this to mean keep them stupid so that they cannot get 
a job anywhere else.



ITYM dumb rather than stupid (dumb is curable via education;
stupid is as stupid does).

That was actually a stated policy in a university (!!) where I worked
previously.  In that boss's own words, If we allow you more training,
your marketability will be enhanced and you'll leave us for more money
somewhere else.



Not just univeristies. There was a period of time when many businesses
also adopted that policy. sarcasmThank goodness those days
are past./sarcasm


Kind regards,

-Steve Comstock
The Trainer's Friend, Inc.

303-393-8716
http://www.trainersfriend.com

  z/OS Application development made easier
* Our classes include
   + How things work
   + Programming examples with realistic applications
   + Starter / skeleton code
   + Complete working programs
   + Useful utilities and subroutines
   + Tips and techniques

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Ed Gould]

On Jun 22, 2007, at 6:48 AM, Chase, John wrote:


-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Thomas Berg


-Ursprungligt meddelande-
Från: IBM Mainframe Discussion List För Ed Gould



The consultants howled as
they could no longer assemble programs (no access to sys1.maclib)


???


If you hire consultants to (among other things) assemble programs,  
then configure security to prevent them from doing so, why are you  
not in breach of contract?


I thought I made it clear, perhaps not. The only language company  
wide that was to be used was COBOL. None of the applications types  
knew any assembler. If they were called in in the middle of the night  
and they found out the program was assembler. They bumped the problem  
to the one lone programmer that vaguely understood assembler. Most of  
the time he would say its a systems issue and then we were called.  
Only to point the finger back at the applications people and the fun  
began.


Ed



-jc-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: SV: how to list LE options

[Ed Gould]

On Jun 22, 2007, at 7:05 AM, Thomas Berg wrote:


==  Ed Gould  ==  wrote2007-06-21 21:58:

On Jun 21, 2007, at 4:44 AM, Thomas Berg wrote:
--SNIP--



The consultants
howled as
they could no longer assemble programs (no access to sys1.maclib)


???

Our official language was COBOL nothing else was permitted into  
production. The consultants had a habit of doing the other work on  
our system, those contained assembler.

Ed


Still don't understand why they wasn't allowed to assemble their  
programs.

Were they doing private programming or what ?

Thomas Berg

---SNIP

The standard company wide language was COBOL. None of the programmers  
knew assembler. As I explained in a previous post none of the  
programmers could debug assembler code.


The consultants were using our resources to compile programs for the  
consultants essentially stealing resources from our company. The two  
steps we made to stop the process was taking away access to  
sys1.maclib and also not allowing assembler to be invoked.


Ed

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Don Leahy]

- Original Message - 
From: Rick Fochtman [EMAIL PROTECTED]

Newsgroups: bit.listserv.ibm-main
To: IBM-MAIN@BAMA.UA.EDU
Sent: Friday, June 22, 2007 12:44 PM
Subject: Re: PARMLIB(s) (Was: how to list LE options)



---snip--
Funny how it's ok for SYSPROGs to cruise Applications and tell us what 
needs to be changed or how to tune our application

--unsnip-
In our shop, it was called Quality Assurance Review and we caught some 
real howlers.


Like OPEN and CLOSE within the loop that actually wrote the records.

Or IDMS PREPARE, fetch and update and IDMS FINISH within a database 
update loop.


LOL!  Or like installing ISPF-based products without renaming the default 
library names!   Oh wait, that was a sysprog screwupnever mind...  :-)


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

SV: how to list LE options

[Thomas Berg]

 -Ursprungligt meddelande-
 Från: IBM Mainframe Discussion List 
 [mailto:[EMAIL PROTECTED] För Ed Gould
 Skickat: den 21 juni 2007 04:49
 Till: IBM-MAIN@BAMA.UA.EDU
 Ämne: Re: how to list LE options

 The consultants 
 howled as  
 they could no longer assemble programs (no access to sys1.maclib) 

???


Thomas Berg   IT Utveckling   Swedbank AB (Publ)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Farley, Peter x23353]

 -Original Message-
 From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
 Behalf Of Phil Knight
 Sent: Wednesday, June 20, 2007 9:24 PM
 To: IBM-MAIN@BAMA.UA.EDU
 Subject: Re: how to list LE options
 
 Dittoever have users cruise your parmlib and then tell you how to
 tune the system? Solution: UACC(NONE).

Oh really?  And did you then publish elsewhere the contents of LNKLST, the
APF list, and other important system info stored in PARMLIB that is NOT
performance related?

Ever consider that your better application people (the ones who still know
how to use assembler effectively and with sophistication, for the benefit of
the business's bottom line) might need that information you just closed off?

Agreed, outsiders telling you how to bake your bread when it's your oven and
your dinner is annoying at the least -- but to cut off access to everyone
but the privileged sysprog is closet-think of the worst sort.  If the
consultants are bothering you, fire them, or limit *their* access (I can see
that as a reasonable security precaution, actually) but not the entire shop.

The attitude I don't understand seems to be If I hide it they won't find
out how I do my job, or bother me about it, or try to show me a better way
to get this business done than I know about.

Good relations between sysprogs and application programmers are crucial to
business success.  Locking yourself and your data in a closet does not help.

Peter
(Assembler Applications Programmer and Proud Of It)

This message and any attachments are intended only for the use of the addressee 
and
may contain information that is privileged and confidential. If the reader of 
the 
message is not the intended recipient or an authorized representative of the
intended recipient, you are hereby notified that any dissemination of this
communication is strictly prohibited. If you have received this communication in
error, please notify us immediately by e-mail and delete the message and any
attachments from your system.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Mark Zelden]

On Thu, 21 Jun 2007 10:10:31 -0400, Farley, Peter x23353
[EMAIL PROTECTED] wrote:


 Dittoever have users cruise your parmlib and then tell you how to
 tune the system? Solution: UACC(NONE).

Oh really?  And did you then publish elsewhere the contents of LNKLST, the
APF list, and other important system info stored in PARMLIB that is NOT
performance related?

Ever consider that your better application people (the ones who still know
how to use assembler effectively and with sophistication, for the benefit of
the business's bottom line) might need that information you just closed off?


There are pros and cons like everything else.  If you want or need tight
security controls, then on a need to know basis is a good approach.  

You picked a bad example.  I don't want to handcuff anyone to keep them
from doing their jobs, but PARMLIB should definitely be UACC(NONE) 
except to the sysprogs who need to update it.  The exception is other
sysprogs who request updates when only a select number of sysprogs
do the updates.  In our shop, only the MVS guys are allowed to update 
PARMLIB(s), the CICS,DB2,MQ, WAS, etc. teams have read access 
and need to request updates through the MVS group.   If you don't
think that is proper... just ask any auditor. ;-)  Do you really think the
APF list should be published?!Seriously... have you ever been involved 
with a SAS70 audit?


The attitude I don't understand seems to be If I hide it they won't find
out how I do my job, or bother me about it, or try to show me a better way
to get this business done than I know about.


Unfortunately, that is probably the attitude many application programmers
have.  Hiding things is more likely due to security / audit concerns.  Don't 
take it personally, it isn't a conspiracy to keep you from doing your job (at
least at the shops I've worked at).

Good relations between sysprogs and application programmers are crucial to
business success.  Locking yourself and your data in a closet does not help.

Agree.  But having tight security doesn't preclude that.  I am a phone call,
email or instant message away.Bad relations are more likely due to the
stereotypical grouchy sysprog who just shoves someone away without
helping or answers questions with a response of RTFM all the time.

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group:  G-ITO
mailto:[EMAIL PROTECTED]
z/OS and OS390 expert at http://searchDataCenter.com/ateExperts/
Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Phil Knight]

Peter,
Calm down.
Nobody is picking on anyone, crush working relationships, or trying to 
over step authority. Yes, good relations are crucial and I doubt that very 
many sysprogs are out there undermining that. The simple fact is that in 
most medium to large organizations, lines do need to be drawn in order to 
keep people focused on the jobs they are hired to do. Yes, it can instill 
some frustration, especially if you came from a smaller environment and 
are used to diving in where ever you wish.
Believe it or not, even sysprogs have limitations placed on their 
activities. In some cases, so strict that they can't get trivial tasks 
completed without major approvals.
Today, I would think that Parmlib security is pretty much a standard in 
most large shops. Any information that you think you may be lacking due to 
your inability to browse at-will, should be adequately documented. My quip 
actually dates back to experiences back in the 80's. I wouldn't really 
expect much of that happening today. Please note that I do make a 
distinction on organizational size. This makes a very big difference as to 
how you run things. And, as to the job titles, many of us have worn many 
different hats over the years and have been on different sides of the 
fence. I don't think this is an argument as much as a criticism on certain 
individuals bent on being somewhat disruptive or worse.


sage - 
From: Farley, Peter x23353 [EMAIL PROTECTED]

Newsgroups: bit.listserv.ibm-main
To: IBM-MAIN@BAMA.UA.EDU
Sent: Thursday, June 21, 2007 10:10 AM
Subject: Re: how to list LE options



-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Phil Knight
Sent: Wednesday, June 20, 2007 9:24 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: how to list LE options

Dittoever have users cruise your parmlib and then tell you how to
tune the system? Solution: UACC(NONE).


Oh really?  And did you then publish elsewhere the contents of LNKLST, 
the

APF list, and other important system info stored in PARMLIB that is NOT
performance related?



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Rick Fochtman]

--snip---
Dittoever have users cruise your parmlib and then tell you how to 
tune the system? Solution: UACC(NONE).

-unsnip-
I always figured it was b ecause that user had too much spare time. 
Solution: notify his manager. Politics disallowed UACC(NONE).


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Ted MacNEIL]

ever have users cruise your parmlib and then tell you how to tune the 
system? Solution: UACC(NONE).

I have yet to see a single member of PARMLIB that is any business of anybody 
outside SYSPROGs.

-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Phil Knight]

In this case politics led to security. Management decision (as it should 
be).


- Original Message - 
From: Rick Fochtman [EMAIL PROTECTED]

Newsgroups: bit.listserv.ibm-main
To: IBM-MAIN@BAMA.UA.EDU
Sent: Thursday, June 21, 2007 11:46 AM
Subject: Re: how to list LE options



--snip---
Dittoever have users cruise your parmlib and then tell you how to 
tune the system? Solution: UACC(NONE).

-unsnip-
I always figured it was b ecause that user had too much spare time. 
Solution: notify his manager. Politics disallowed UACC(NONE).


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Mike Hill - Saffron Services]

Good relations between sysprogs and application programmers are crucial to
business success.  Locking yourself and your data in a closet does not
help.

I'm with Peter on this one. His comment above, says it all.

Mike Hill
Saffron Services
tel: +44(0)1-322-337338
e-mail: [EMAIL PROTECTED]

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Barkow, Eileen]

  that in most medium to large organizations, lines do need to be drawn 
 in order to keep people focused on the jobs they are hired to do

I take this to mean keep them stupid so that they cannot get a job
anywhere else.

And just why is it a security breach to allow someone to look at a
dataset they cannot update?
Certain applications programmers  can also utilize things like linklists
and apf datasets as well as LE options so they should have
the right to at least look at how they are defined to the system.

a long time ago the MVS group here would not even allow the CICS and
other groups to browse their SMP datasets.
Well we saw how long that lasted! A good portion of the systems problems
I encounter in CICS are due to bugs in other 
components like LE, DFSMS, VTAM, etc.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Phil Knight
Sent: Thursday, June 21, 2007 11:03 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: how to list LE options

 Peter,
 Calm down.
 Nobody is picking on anyone, crush working relationships, or trying to

 over step authority. Yes, good relations are crucial and I doubt that 
 very many sysprogs are out there undermining that. The simple fact is 
 that in most medium to large organizations, lines do need to be drawn 
 in order to keep people focused on the jobs they are hired to do. Yes,

 it can instill some frustration, especially if you came from a smaller

 environment and are used to diving in where ever you wish.
 Believe it or not, even sysprogs have limitations placed on their 
 activities. In some cases, so strict that they can't get trivial tasks

 completed without major approvals.
 Today, I would think that Parmlib security is pretty much a standard 
 in most large shops. Any information that you think you may be lacking

 due to your inability to browse at-will, should be adequately 
 documented. My quip actually dates back to experiences back in the 
 80's. I wouldn't really expect much of that happening today. Please 
 note that I do make a distinction on organizational size. This makes a

 very big difference as to how you run things. And, as to the job 
 titles, many of us have worn many different hats over the years and 
 have been on different sides of the fence. I don't think this is an 
 argument as much as a criticism on certain individuals bent on being
somewhat disruptive or worse.

 sage -
 From: Farley, Peter x23353 [EMAIL PROTECTED]
 Newsgroups: bit.listserv.ibm-main
 To: IBM-MAIN@BAMA.UA.EDU
 Sent: Thursday, June 21, 2007 10:10 AM
 Subject: Re: how to list LE options


 -Original Message-
 From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On

 Behalf Of Phil Knight
 Sent: Wednesday, June 20, 2007 9:24 PM
 To: IBM-MAIN@BAMA.UA.EDU
 Subject: Re: how to list LE options

 Dittoever have users cruise your parmlib and then tell you how

 to tune the system? Solution: UACC(NONE).

 Oh really?  And did you then publish elsewhere the contents of 
 LNKLST, the APF list, and other important system info stored in 
 PARMLIB that is NOT performance related?


--
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search
the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Kelman, Tom]

Ditto here.  I've worked in three banks in my career and in each one
update access to any system library was allowed only to the MVS
sysprogs, and their update access was logged and reported.  Other
sysprogs and the performance analyst/capacity planner(me) had read
access and sent requests to the MVS sysprogs for updates.  Any of the
bank auditing groups (internal, independent, and/or governmental) would
have had a hissy-fit if it had been set up any other way.

Tom Kelman
Commerce Bank of Kansas City
(816) 760-7632

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Mark Zelden
Sent: Thursday, June 21, 2007 9:44 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: how to list LE options


There are pros and cons like everything else.  If you want or need tight
security controls, then on a need to know basis is a good approach.  

You picked a bad example.  I don't want to handcuff anyone to keep them
from doing their jobs, but PARMLIB should definitely be UACC(NONE) 
except to the sysprogs who need to update it.  The exception is other
sysprogs who request updates when only a select number of sysprogs
do the updates.  In our shop, only the MVS guys are allowed to update 
PARMLIB(s), the CICS,DB2,MQ, WAS, etc. teams have read access 
and need to request updates through the MVS group.   If you don't
think that is proper... just ask any auditor. ;-)  Do you really think
the
APF list should be published?!Seriously... have you ever been
involved 
with a SAS70 audit?




*
If you wish to communicate securely with Commerce Bank and its
affiliates, you must log into your account under Online Services at 
http://www.commercebank.com or use the Commerce Bank Secure
Email Message Center at https://securemail.commercebank.com

NOTICE: This electronic mail message and any attached files are
confidential. The information is exclusively for the use of the
individual or entity intended as the recipient. If you are not
the intended recipient, any use, copying, printing, reviewing,
retention, disclosure, distribution or forwarding of the message
or any attached file is not authorized and is strictly prohibited.
If you have received this electronic mail message in error, please
advise the sender by reply electronic mail immediately and
permanently delete the original transmission, any attachments
and any copies of this message from your computer system.
*

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Rick Fochtman]

I disagree. The boss may not always be right, but he's still the 
boss.  :-(


Our COBOL-only staff has/had no reason to be diving into PARMLIB. In the 
old days of IPS/ICS tuning, I got far too many complaints: My 
database shouldn't be pageable, My TSO session should have a storage 
fence., etc. Tuning is for the business needs, NOT the individuals' 
(perceived) needs


The overall business needs MUST be the first consideration.

Rick

Phil Knight wrote:

In this case politics led to security. Management decision (as it 
should be).


- Original Message - From: Rick Fochtman [EMAIL PROTECTED]
Newsgroups: bit.listserv.ibm-main
To: IBM-MAIN@BAMA.UA.EDU
Sent: Thursday, June 21, 2007 11:46 AM
Subject: Re: how to list LE options



--snip---
Dittoever have users cruise your parmlib and then tell you how 
to tune the system? Solution: UACC(NONE).

-unsnip-
I always figured it was b ecause that user had too much spare time. 
Solution: notify his manager. Politics disallowed UACC(NONE).


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Security vs knowledge [was: RE: how to list LE options]

[Farley, Peter x23353]

 -Original Message-
 From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
 Behalf Of Mark Zelden
 Sent: Thursday, June 21, 2007 10:44 AM
 To: IBM-MAIN@BAMA.UA.EDU
 Subject: Re: how to list LE options
Snipped 
 There are pros and cons like everything else.  If you want or need tight
 security controls, then on a need to know basis is a good approach.

See, that's the attitude I am talking about.  Hide the data and make people
ask for it and justify asking for it.  Why?  Because some fool of an auditor
doesn't understand mainframes?  That's just BS IMHO.  Fire the auditor for
incompetence.

 You picked a bad example.  I don't want to handcuff anyone to keep them
 from doing their jobs, but PARMLIB should definitely be UACC(NONE)
 except to the sysprogs who need to update it.

Again, why?  What possible security exposure could result from application
programmers browsing PARMLIB?  AFAIK there aren't any passwords or any
secrets stored there that would give any programmer the ability to bypass
RACF or any other active security protocol.  If that's true, why UACC(NONE)?
Even if (to take an old and probably obsolete example) there are user SVC
numbers listed in PARMLIB which when used would provide supervisor state and
key zero, RACF and/or other active security in the SVC code itself should
already prevent said programmer from actually using that SVC unless
authorized to do so, so where is the harm is letting the SVC number be
known?

And if there is NOT security software protecting that privileged resource,
why not?  THAT would be the security exposure, not the availability of the
information that it exists.

 If you don't think that is proper... just ask any auditor. ;-)  Do you
 really think the APF list should be published?!

Yes I do.  Where is the harm?  What is the exposure?  If I am not authorized
to write into any of the libraries in that list, what harm can I do knowing
their names?

Seriously... have you ever been involved with a SAS70 audit?

No, nor ever hope to be.  But if I was, I would strenuously argue against
hiding any non-security-exposure information.  Knowing there IS a secured
facility and being able to USE it are NOT the same thing.  Knowing is not a
security exposure, only the ability to use it is.

 The attitude I don't understand seems to be If I hide it they won't find
 out how I do my job, or bother me about it, or try to show me a better
 way to get this business done than I know about.
 
 Unfortunately, that is probably the attitude many application programmers
 have.  Hiding things is more likely due to security / audit concerns.
 Don't take it personally, it isn't a conspiracy to keep you from doing
 your job (at least at the shops I've worked at).

Well it certainly looks that way most of the time, because no one gives a
good reason for hiding anything -- just security and need to know.
 
 Good relations between sysprogs and application programmers are crucial
 to business success.  Locking yourself and your data in a closet does
 not help.
 
 Agree.  But having tight security doesn't preclude that.  I am a phone
 call, email or instant message away.Bad relations are more likely due
 to the stereotypical grouchy sysprog who just shoves someone away without
 helping or answers questions with a response of RTFM all the time.

Possibly, or also possibly management that tells sysprogs to keep everyone
else ignorant because they like it that way.  I can only go by what I see.

I do have and have had excellent relations with sysprogs, but still there
are stupidities foisted on them and us as security requirements.  That's
my real beef.

Thanks for listening.

Peter

This message and any attachments are intended only for the use of the addressee 
and
may contain information that is privileged and confidential. If the reader of 
the 
message is not the intended recipient or an authorized representative of the
intended recipient, you are hereby notified that any dissemination of this
communication is strictly prohibited. If you have received this communication in
error, please notify us immediately by e-mail and delete the message and any
attachments from your system.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Rick Fochtman]

-snip---

 that in most medium to large organizations, lines do need to be drawn 
 


in order to keep people focused on the jobs they are hired to do
   



I take this to mean keep them stupid so that they cannot get a job
anywhere else.
 


---unsnip
Not necessarily. But how often do these same people look at the whole 
picture, instead of just their piece of it?


snip--


And just why is it a security breach to allow someone to look at a
dataset they cannot update?
 


---unsnip-
Just ask your auditors. Would you want your users browsing the RACF 
database? Or payroll information in the accounting department's files? 
NOT ME!!!


---snip-


Certain applications programmers  can also utilize things like linklists
and apf datasets as well as LE options so they should have
the right to at least look at how they are defined to the system.
 


unsnip-
Each shop has its own needs and viewpoint. In our shop, all applications 
were run from a NON-APF, NON-LINKLIST library set. Language-related 
libraries were sometimes in LINKLIST, but we made this known and allowed 
browsing. LE options were copied to an application parmlib, as were 
COBOL Compiler defaults, SORT options, etc. We found alternative 
mechanisms to give applications programmers the information they had 
legitimate need for, then we locked the PARMLIB, with (finally) 
management approval.


snip--


a long time ago the MVS group here would not even allow the CICS and
other groups to browse their SMP datasets.
Well we saw how long that lasted! A good portion of the systems problems
I encounter in CICS are due to bugs in other 
components like LE, DFSMS, VTAM, etc.
 


--unsnip-
There's no reason that Database, CICS and other groups can't maintain 
their own SMP/E datasets, though I found that some guidance always made 
for happier relations between systems and other groups in this area. Not 
edicts, but suggestions and the benefit of experience for new users of 
SMP/e. Cooperation is a key aspect of dealing with SMP/E in all the 
different environments.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Binyamin Dissen]

On Thu, 21 Jun 2007 15:54:09 + Ted MacNEIL [EMAIL PROTECTED] wrote:

:ever have users cruise your parmlib and then tell you how to tune the 
system? Solution: UACC(NONE).

:I have yet to see a single member of PARMLIB that is any business of anybody 
outside SYSPROGs.

How much of PARMLIB cannot be detected by examining storage in a live system -
not using APF or anything special?

Security by obscurity is useless.

-- 
Binyamin Dissen [EMAIL PROTECTED]
http://www.dissensoftware.com

Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Barkow, Eileen]

we are just referring to parmlib and other systems settings here -not
RACF databases or sensitive application data.
for whatever reason an applications programmer has to look at this
stuff, be it a real buisness need or just their own 
curiousity and desire to expand their knowledge, there is no real reason
not to let them do so, including the say-so of some
clueless auditor.

as for SMPE datasets, I was only referring to being able to look at
other compoenents SMPE datasets for which there is a real 
need for in debugging a product using a different SMPE environment.
Which SMPE datasets a product uses is a function of the 
vendors installation requirements, not some management security policy.
 Fortuneatly, this issue was resolved here a long time ago.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Rick Fochtman
Sent: Thursday, June 21, 2007 1:43 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: how to list LE options

-snip---

  that in most medium to large organizations, lines do need to be drawn
  

in order to keep people focused on the jobs they are hired to do



I take this to mean keep them stupid so that they cannot get a job 
anywhere else.
  

---unsnip
Not necessarily. But how often do these same people look at the whole
picture, instead of just their piece of it?

snip--

And just why is it a security breach to allow someone to look at a 
dataset they cannot update?
  

---unsnip-
Just ask your auditors. Would you want your users browsing the RACF
database? Or payroll information in the accounting department's files? 
NOT ME!!!

---snip-

Certain applications programmers  can also utilize things like 
linklists and apf datasets as well as LE options so they should have 
the right to at least look at how they are defined to the system.
  

unsnip-
Each shop has its own needs and viewpoint. In our shop, all applications
were run from a NON-APF, NON-LINKLIST library set. Language-related
libraries were sometimes in LINKLIST, but we made this known and allowed
browsing. LE options were copied to an application parmlib, as were
COBOL Compiler defaults, SORT options, etc. We found alternative
mechanisms to give applications programmers the information they had
legitimate need for, then we locked the PARMLIB, with (finally)
management approval.

snip--

a long time ago the MVS group here would not even allow the CICS and 
other groups to browse their SMP datasets.
Well we saw how long that lasted! A good portion of the systems 
problems I encounter in CICS are due to bugs in other components like 
LE, DFSMS, VTAM, etc.
  

--unsnip-
There's no reason that Database, CICS and other groups can't maintain
their own SMP/E datasets, though I found that some guidance always made
for happier relations between systems and other groups in this area. Not
edicts, but suggestions and the benefit of experience for new users of
SMP/e. Cooperation is a key aspect of dealing with SMP/E in all the
different environments.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search
the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Security vs knowledge [was: RE: how to list LE options]

[Ted MacNEIL]

Because some fool of an auditor doesn't understand mainframes?  That's just BS 
IMHO.  Fire the auditor for incompetence

An auditor doesn't set the rules.
They just report on compliance.

I still see no reason for a non-SYSPROG to have access to PARMLIB!

-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Ted MacNEIL]

How much of PARMLIB cannot be detected by examining storage in a live system - 
not using APF or anything special?

Security by obscurity is useless.

I (honestly) do not understand your point.

-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Tom Marchant]

On Thu, 21 Jun 2007 09:44:21 -0500, Mark Zelden wrote:

  ...   Do you really think the
APF list should be published?! 

Yes.  Why not?  It is readily available.  Using the APF list as the excuse for 
preventing read access to PARMLIB is a red herring.

The APF command in ISRDDN is one of the easiest ways to get it.  Please don't 
tell me that you would advocate disabling that.  But if you do, anyone can 
obtain SHOWMVS and run it to get the APF list and LNKLST, as well as a lot of 
other information that is specified in PARMLIB.

It is my belief that knowledge is always a good thing.

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[R.S.]

Binyamin Dissen wrote:

On Thu, 21 Jun 2007 15:54:09 + Ted MacNEIL [EMAIL PROTECTED] wrote:

:ever have users cruise your parmlib and then tell you how to tune the 
system? Solution: UACC(NONE).

:I have yet to see a single member of PARMLIB that is any business of anybody 
outside SYSPROGs.

How much of PARMLIB cannot be detected by examining storage in a live system -
not using APF or anything special?

Security by obscurity is useless.


100% agreed. However in this case UACC(N) not for security, it is for 
shutting up folks commenting PARMLIB settings. Just to stop discussions 
and complaints. IMHO, if I have nothing to be ashamed, I don't have to 
hide it.
From the other hand it is not bad to hide PARMLIB, *but not for the 
purpose above*.




--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy 
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, 
nr rejestru przedsibiorców KRS 025237

NIP: 526-021-50-88
Wedug stanu na dzie 01.01.2007 r. kapita zakadowy BRE Banku SA (w caoci 
opacony) wynosi 118.064.140 z. W zwizku z realizacj warunkowego 
podwyszenia kapitau zakadowego, na podstawie uchwa XVI WZ z dnia 21.05.2003 
r., kapita zakadowy BRE Banku SA moe ulec podwyszeniu do kwoty 118.760.528 
z. Akcje w podwyszonym kapitale zakadowym bd w caoci opacone.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Binyamin Dissen]

On Thu, 21 Jun 2007 18:29:05 + Ted MacNEIL [EMAIL PROTECTED] wrote:

:How much of PARMLIB cannot be detected by examining storage in a live system 
- not using APF or anything special?

:Security by obscurity is useless.

:I (honestly) do not understand your point.

That by securing parmlib you are securing nothing.

You are pulling down the shade on one side, while there is a clear view on the
other side.

That anyone who attempts to use obscurity as security has holes in their
security.

-- 
Binyamin Dissen [EMAIL PROTECTED]
http://www.dissensoftware.com

Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Security vs knowledge [was: RE: how to list LE options]

[R.S.]

Ted MacNEIL wrote:

Because some fool of an auditor doesn't understand mainframes?  That's just BS 
IMHO.  Fire the auditor for incompetence


An auditor doesn't set the rules.
They just report on compliance.

I still see no reason for a non-SYSPROG to have access to PARMLIB!


Assuiming there is a reason, including curiosity and willingness to 
learn. What would you do if non-SYSPROG would ask you about some member 
in the PARMLIB ?  Deny the knowledge, just beacuse you are the God ?


IMHO the poorer tuned parmlib the higher will to hide the parmlib.

--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sąd Rejonowy dla m. st. Warszawy 
XII Wydział Gospodarczy Krajowego Rejestru Sądowego, 
nr rejestru przedsiębiorców KRS 025237

NIP: 526-021-50-88
Według stanu na dzień 01.01.2007 r. kapitał zakładowy BRE Banku SA (w całości 
opłacony) wynosi 118.064.140 zł. W związku z realizacją warunkowego 
podwyższenia kapitału zakładowego, na podstawie uchwał XVI WZ z dnia 21.05.2003 
r., kapitał zakładowy BRE Banku SA może ulec podwyższeniu do kwoty 118.760.528 
zł. Akcje w podwyższonym kapitale zakładowym będą w całości opłacone.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Mark Zelden]

On Thu, 21 Jun 2007 12:55:58 -0400, Barkow, Eileen [EMAIL PROTECTED]
wrote:

And just why is it a security breach to allow someone to look at a
dataset they cannot update?

Please give me read access to the data set that has your SS# and
credit card information.   I promise not to update it.  


On Thu, 21 Jun 2007 13:32:36 -0400, Farley, Peter x23353
[EMAIL PROTECTED] wrote:


Again, why?  What possible security exposure could result from application
programmers browsing PARMLIB?  AFAIK there aren't any passwords or any
secrets stored there that would give any programmer the ability to bypass
RACF or any other active security protocol.  If that's true, why UACC(NONE)?
Even if (to take an old and probably obsolete example) there are user SVC
numbers listed in PARMLIB which when used would provide supervisor state and
key zero, RACF and/or other active security in the SVC code itself should
already prevent said programmer from actually using that SVC unless
authorized to do so, so where is the harm is letting the SVC number be
known?


Because it is an additional layer of security.  Some of the information in
there could help lead someone to a security circumvention.  Yes, it is
security by ignorance - but there is nothing wrong with that in addition
to other controls. 

Why revoke a userid after n number of wrong password attempts.Why 
are there firewalls? Why require VPN to access your systems over the
internet when there are other authentications once you get there?   

If it was your company and your ay ess ess on the line, you might think
differently.   

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group:  G-ITO
mailto:[EMAIL PROTECTED]
z/OS and OS390 expert at http://searchDataCenter.com/ateExperts/
Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Tom Savor]

Binyamin Dissen wrote:
 On Thu, 21 Jun 2007 15:54:09 + Ted MacNEIL [EMAIL PROTECTED]
wrote:

 :ever have users cruise your parmlib and then tell you how to tune
the system? Solution: UACC(NONE).

 :I have yet to see a single member of PARMLIB that is any business of
anybody outside SYSPROGs.

 How much of PARMLIB cannot be detected by examining storage in a live
system -
 not using APF or anything special?

 Security by obscurity is useless.

100% agreed. However in this case UACC(N) not for security, it is for
shutting up folks commenting PARMLIB settings. Just to stop discussions
and complaints. IMHO, if I have nothing to be ashamed, I don't have to
hide it.
 From the other hand it is not bad to hide PARMLIB, *but not for the
purpose above*.

Funny how it's ok for SYSPROGs to cruise Applications and tell us what
needs to be changed or how to tune our application (when we didn't ask
for their opinion), but it's not ok for us to cruise your PARMLIB
settings   Never heard of a PARMLIB setting getting screwed-up by
looking at it.  Unbelieveable !!!

Another pet-peave, why do companies buy tools, then SYSPROG decides that
only they get to use it.  Example:  My customer has purchased
CICS/Abend-Aid, but has only configured it for CICS dumps.
None of the applicatioin dumps can access it.  I asked them why can't
we both use it ??, answer...because none of the applications asked for it.

More and more SYSPROGs like to hide their stuff, even from viewing.
Now the ability to insure that CICS definitions are setup properly is being
hidden from view.  This makes some problems VERY difficult to solve or
eliminate possible causes when all you want to do is view the definition.

If your system security is setup properly, I can see no harm in browsing
anything on the system.  After all, isn't that how you learn ??


Tom Savor
Fidelity National Information Services
11720 Amber Park Drive
Suite 500
Alpharetta, GA  30004

Phone: 678-867-8431
cell:  404-660-6898
E-Mail: [EMAIL PROTECTED]




--
This message contains information from Certegy, Inc which may be confidential 
and privileged.  If you are not an intended recipient, please refrain from any 
disclosure, copying, distribution or use of this information and note that such 
actions are prohibited.  If you have received this transmission in error, 
please notify by e:mail [EMAIL PROTECTED]
==

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Ted MacNEIL]

Funny how it's ok for SYSPROGs to cruise Applications and tell us what needs 
to be changed or how to tune our application

Funny how I haven't worked at a shop (for over 20 years) that allowed me to 
cruise applications.
Record layouts also need to be protected.

-
Too busy driving to stop for gas!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Security vs knowledge [was: RE: how to list LE options]

[Wayne Driscoll]

In the JES2 Init deck, you can specify clear text passwords for RJE
lines.  That is a great reason for specifying UACC(NONE).  
Wayne Driscoll
Product Developer
JME Software LLC
NOTE: All opinions are strictly my own.
  

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Farley, Peter x23353
Sent: Thursday, June 21, 2007 12:33 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Security vs knowledge [was: RE: how to list LE options]

 -Original Message-
 From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On 
 Behalf Of Mark Zelden
 Sent: Thursday, June 21, 2007 10:44 AM
 To: IBM-MAIN@BAMA.UA.EDU
 Subject: Re: how to list LE options
Snipped 
 There are pros and cons like everything else.  If you want or need 
 tight security controls, then on a need to know basis is a good
approach.

See, that's the attitude I am talking about.  Hide the data and make
people ask for it and justify asking for it.  Why?  Because some fool of
an auditor doesn't understand mainframes?  That's just BS IMHO.  Fire
the auditor for incompetence.

 You picked a bad example.  I don't want to handcuff anyone to keep 
 them from doing their jobs, but PARMLIB should definitely be 
 UACC(NONE) except to the sysprogs who need to update it.

Again, why?  What possible security exposure could result from
application programmers browsing PARMLIB?  AFAIK there aren't any
passwords or any secrets stored there that would give any programmer
the ability to bypass RACF or any other active security protocol.  If
that's true, why UACC(NONE)?
Even if (to take an old and probably obsolete example) there are user
SVC numbers listed in PARMLIB which when used would provide supervisor
state and key zero, RACF and/or other active security in the SVC code
itself should already prevent said programmer from actually using that
SVC unless authorized to do so, so where is the harm is letting the SVC
number be known?

And if there is NOT security software protecting that privileged
resource, why not?  THAT would be the security exposure, not the
availability of the information that it exists.

 If you don't think that is proper... just ask any auditor. ;-)  Do you

 really think the APF list should be published?!

Yes I do.  Where is the harm?  What is the exposure?  If I am not
authorized to write into any of the libraries in that list, what harm
can I do knowing their names?

Seriously... have you ever been involved with a SAS70 audit?

No, nor ever hope to be.  But if I was, I would strenuously argue
against hiding any non-security-exposure information.  Knowing there IS
a secured facility and being able to USE it are NOT the same thing.
Knowing is not a security exposure, only the ability to use it is.

 The attitude I don't understand seems to be If I hide it they won't 
 find out how I do my job, or bother me about it, or try to show me a 
 better way to get this business done than I know about.
 
 Unfortunately, that is probably the attitude many application 
 programmers have.  Hiding things is more likely due to security /
audit concerns.
 Don't take it personally, it isn't a conspiracy to keep you from doing

 your job (at least at the shops I've worked at).

Well it certainly looks that way most of the time, because no one gives
a good reason for hiding anything -- just security and need to know.
 
 Good relations between sysprogs and application programmers are 
 crucial to business success.  Locking yourself and your data in a 
 closet does not help.
 
 Agree.  But having tight security doesn't preclude that.  I am a phone
 call, email or instant message away.Bad relations are more likely
due
 to the stereotypical grouchy sysprog who just shoves someone away 
 without helping or answers questions with a response of RTFM all the
time.

Possibly, or also possibly management that tells sysprogs to keep
everyone else ignorant because they like it that way.  I can only go by
what I see.

I do have and have had excellent relations with sysprogs, but still
there are stupidities foisted on them and us as security requirements.
That's my real beef.

Thanks for listening.

Peter

This message and any attachments are intended only for the use of the
addressee and may contain information that is privileged and
confidential. If the reader of the message is not the intended recipient
or an authorized representative of the intended recipient, you are
hereby notified that any dissemination of this communication is strictly
prohibited. If you have received this communication in error, please
notify us immediately by e-mail and delete the message and any
attachments from your system.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search
the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Tom Schmidt]

On Thu, 21 Jun 2007 14:58:28 -0400, Tom Savor wrote:
 
Another pet-peave, why do companies buy tools, then SYSPROG decides that
only they get to use it.  Example:  My customer has purchased
CICS/Abend-Aid, but has only configured it for CICS dumps.
None of the applicatioin dumps can access it.  I asked them why can't
we both use it ??, answer...because none of the applications asked for it.
 
So ask already!  Don't wait to be asked to the prom - if you want to dance, 
make 'em dance!  
 
More and more SYSPROGs like to hide their stuff, even from viewing.
Now the ability to insure that CICS definitions are setup properly is being
hidden from view.  This makes some problems VERY difficult to solve or
eliminate possible causes when all you want to do is view the definition.
 
I disagree with your more and more assertion -- there are fewer and fewer 
sysprogs around these days, after all.  (Check the archives here.)  
 
 
If your system security is setup properly, I can see no harm in browsing
anything on the system.  After all, isn't that how you learn ??
 
 
That is certainly one way to learn.  Reading books and taking classes is 
another.  
 
But if your company doesn't believe in you enough to pay to send you to, say, 
a z/OS Installation and Tuning class (even though you are in Apps), why 
should the Tech Support manager (or a sysprog) believe in you enough to 
spend time (i.e., money) out of their limited budget to answer your questions 
whenever you feel like asking (and learning)??  
 
Besides, there are a surprisingly small number of sites with proper security... 
and the requirements for security/audit compliance/support have increased 
substantially (what with SOX, HIPPA, etc.).  Cover-ups don't stop at the 
boardroom, you know.  
 
-- 
Tom Schmidt 
Madison, WI

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: SV: how to list LE options

[Ed Gould]

On Jun 21, 2007, at 4:44 AM, Thomas Berg wrote:
--SNIP--



The consultants
howled as
they could no longer assemble programs (no access to sys1.maclib)


???

Our official language was COBOL nothing else was permitted into  
production. The consultants had a habit of doing the other work on  
our system, those contained assembler.


Ed

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Robert Justice]

Funny how it's ok for SYSPROGs to cruise Applications and tell us what
needs to be changed or how to tune our application (when we didn't ask
for their opinion), but it's not ok for us to cruise your PARMLIB
settings   Never heard of a PARMLIB setting getting screwed-up by
looking at it.  Unbelieveable !!!. 


Hmmm, funny how it's okay for application programmers to avoid coding their 
application to work correctly with daylight savings time, or god forbid 
actually 
SYSPLEX ENABLING their applications. UNBELIEVABLE.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Security vs knowledge [was: RE: how to list LE options]

[R.S.]

Wayne Driscoll wrote:

In the JES2 Init deck, you can specify clear text passwords for RJE
lines.  That is a great reason for specifying UACC(NONE).  


It is also good reason to get rid of such solution.
However, if - for any reason - it cannot be done, this is really good 
reason for UACC(N). Similar reasons can exist in other members.


BTW: Do we discuss about access to parmlib on PRODUCTION or DEVELOPMENT? 
Developers could (or couldn't) have access to parmlib on dev. system. 
When we talk about production, the anwser is simple: no access to the 
system at all - including parmlib. *Very well* justified excpetions 
could apply.



--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy 
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, 
nr rejestru przedsibiorców KRS 025237

NIP: 526-021-50-88
Wedug stanu na dzie 01.01.2007 r. kapita zakadowy BRE Banku SA (w caoci 
opacony) wynosi 118.064.140 z. W zwizku z realizacj warunkowego 
podwyszenia kapitau zakadowego, na podstawie uchwa XVI WZ z dnia 21.05.2003 
r., kapita zakadowy BRE Banku SA moe ulec podwyszeniu do kwoty 118.760.528 
z. Akcje w podwyszonym kapitale zakadowym bd w caoci opacone.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Mark Zelden]

On Thu, 21 Jun 2007 15:14:00 -0500, Robert Justice [EMAIL PROTECTED] wrote:

Funny how it's ok for SYSPROGs to cruise Applications and tell us what
needs to be changed or how to tune our application (when we didn't ask
for their opinion), but it's not ok for us to cruise your PARMLIB
settings   Never heard of a PARMLIB setting getting screwed-up by
looking at it.  Unbelieveable !!!.


Hmmm, funny how it's okay for application programmers to avoid coding their
application to work correctly with daylight savings time, or god forbid
actually
SYSPLEX ENABLING their applications. UNBELIEVABLE.


Why can't we all just get along? :-)

To respond to the first statement in many shops that is not true at all.

Here (and also in other large environments I have worked at) the performance 
team is actively involved in helping applications tune, but it is at their
request 
because the techies have more experience with tuning and some of the
tools.  That is their primary job.   The application programmers' primary job
is to write code (under a deadline usually) and performance / efficient 
code is not always given the attention it needs for production.
 
And that other pet peeve about not letting applications use the tools... well, 
in my experience the application people are the main users of products like
Strobe, Expedite, etc.  Those are their tools (even though we install them).
Many of them I don't really have a clue how to use beyond the very basics
if at all. 

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group:  G-ITO
mailto:[EMAIL PROTECTED]
z/OS and OS390 expert at http://searchDataCenter.com/ateExperts/
Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: PARMLIB(s) (Was: how to list LE options)

[Joel C. Ewing]

[EMAIL PROTECTED] wrote:

Binyamin Dissen wrote:

On Thu, 21 Jun 2007 15:54:09 + Ted MacNEIL [EMAIL PROTECTED]

wrote:

:ever have users cruise your parmlib and then tell you how to tune

the system? Solution: UACC(NONE).

:I have yet to see a single member of PARMLIB that is any business of

anybody outside SYSPROGs.

How much of PARMLIB cannot be detected by examining storage in a live

system -

not using APF or anything special?

Security by obscurity is useless.



100% agreed. However in this case UACC(N) not for security, it is for
shutting up folks commenting PARMLIB settings. Just to stop discussions
and complaints. IMHO, if I have nothing to be ashamed, I don't have to
hide it.
From the other hand it is not bad to hide PARMLIB, *but not for the
purpose above*.


Funny how it's ok for SYSPROGs to cruise Applications and tell us what
needs to be changed or how to tune our application (when we didn't ask
for their opinion), but it's not ok for us to cruise your PARMLIB
settings   Never heard of a PARMLIB setting getting screwed-up by
looking at it.  Unbelieveable !!
...

 Tom Savor
...


Perhaps it's somehow related to the fact that most SYSPROGs have System 
Performance as part of their job responsibility and training while 
application folks only have responsibility that their apps generate 
correct results in a manner their end users find acceptable.  If their 
apps cause system-wide problems to other end-users, that's frequently 
viewed as someone else's problem.


As a SYSPROG I have never had time to randomly inspect application code, 
but if the system is under stress, one starts looking for what changed 
and if there are any obvious big resource hogs contributing to the 
problem.  If this points to application code, then we do whatever it 
takes to resolve the problem, and if this involves looking at 
application code or JCL for obvious deficiencies, we go to that level. 
The more experienced application programmers usually do a decent job, 
but we also find that most colleges tend to do a poor job of instilling 
performance thinking into new programmers - the idea that techniques OK 
for 100 transactions may be inappropriate when scaled to millions, or 
that dataset access can be tuned for performance, too often tends to be 
untaught or unlearned. Fortunately, everyone here accepts that 
eliminating performance problems is part of our job and theirs.


We publish daily charts and tables of where the system resources are 
being used.  We have on numerous occasions had application areas and 
managers question relative allocation of resources when their users are 
hurting and request changes to policies and/or priorities.  The esoteric 
details of how such changes are implemented, via PARMLIB or elsewhere, 
is generally of minimal interest - their interest is in the results.



--
Joel C. Ewing, Fort Smith, AR[EMAIL PROTECTED]

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Security vs knowledge [was: RE: how to list LE options]

[Walt Farrell]

On 6/21/2007 3:40 PM, Wayne Driscoll wrote:

In the JES2 Init deck, you can specify clear text passwords for RJE
lines.  That is a great reason for specifying UACC(NONE).  


But why would you want to have clear-text RJE passwords in the JES2 init 
deck when JES2 supports using RACF to perform the RJE authentication 
(and has done so for the last 17 years or so)?


Walt Farrell, CISSP
STSM, z/OS Security Design, IBM

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Security vs knowledge [was: RE: how to list LE options]

[J R]

In the JES2 Init deck, you can specify clear text passwords for RJE lines.  
That is a great reason for specifying UACC(NONE).


That sounds like a great reason for not keeping the JES2
Init deck in PARMLIB.



From: Wayne Driscoll [EMAIL PROTECTED]
Reply-To: IBM Mainframe Discussion List IBM-MAIN@BAMA.UA.EDU
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Security vs knowledge [was: RE: how to list LE options]
Date: Thu, 21 Jun 2007 15:40:02 -0400

In the JES2 Init deck, you can specify clear text passwords for RJE
lines.  That is a great reason for specifying UACC(NONE).
Wayne Driscoll
Product Developer
JME Software LLC
NOTE: All opinions are strictly my own.


-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Farley, Peter x23353
Sent: Thursday, June 21, 2007 12:33 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Security vs knowledge [was: RE: how to list LE options]

 -Original Message-
 From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
 Behalf Of Mark Zelden
 Sent: Thursday, June 21, 2007 10:44 AM
 To: IBM-MAIN@BAMA.UA.EDU
 Subject: Re: how to list LE options
Snipped
 There are pros and cons like everything else.  If you want or need
 tight security controls, then on a need to know basis is a good
approach.

See, that's the attitude I am talking about.  Hide the data and make
people ask for it and justify asking for it.  Why?  Because some fool of
an auditor doesn't understand mainframes?  That's just BS IMHO.  Fire
the auditor for incompetence.

 You picked a bad example.  I don't want to handcuff anyone to keep
 them from doing their jobs, but PARMLIB should definitely be
 UACC(NONE) except to the sysprogs who need to update it.

Again, why?  What possible security exposure could result from
application programmers browsing PARMLIB?  AFAIK there aren't any
passwords or any secrets stored there that would give any programmer
the ability to bypass RACF or any other active security protocol.  If
that's true, why UACC(NONE)?
Even if (to take an old and probably obsolete example) there are user
SVC numbers listed in PARMLIB which when used would provide supervisor
state and key zero, RACF and/or other active security in the SVC code
itself should already prevent said programmer from actually using that
SVC unless authorized to do so, so where is the harm is letting the SVC
number be known?

And if there is NOT security software protecting that privileged
resource, why not?  THAT would be the security exposure, not the
availability of the information that it exists.

 If you don't think that is proper... just ask any auditor. ;-)  Do you

 really think the APF list should be published?!

Yes I do.  Where is the harm?  What is the exposure?  If I am not
authorized to write into any of the libraries in that list, what harm
can I do knowing their names?

Seriously... have you ever been involved with a SAS70 audit?

No, nor ever hope to be.  But if I was, I would strenuously argue
against hiding any non-security-exposure information.  Knowing there IS
a secured facility and being able to USE it are NOT the same thing.
Knowing is not a security exposure, only the ability to use it is.

 The attitude I don't understand seems to be If I hide it they won't
 find out how I do my job, or bother me about it, or try to show me a
 better way to get this business done than I know about.

 Unfortunately, that is probably the attitude many application
 programmers have.  Hiding things is more likely due to security /
audit concerns.
 Don't take it personally, it isn't a conspiracy to keep you from doing

 your job (at least at the shops I've worked at).

Well it certainly looks that way most of the time, because no one gives
a good reason for hiding anything -- just security and need to know.

 Good relations between sysprogs and application programmers are
 crucial to business success.  Locking yourself and your data in a
 closet does not help.

 Agree.  But having tight security doesn't preclude that.  I am a phone
 call, email or instant message away.Bad relations are more likely
due
 to the stereotypical grouchy sysprog who just shoves someone away
 without helping or answers questions with a response of RTFM all the
time.

Possibly, or also possibly management that tells sysprogs to keep
everyone else ignorant because they like it that way.  I can only go by
what I see.

I do have and have had excellent relations with sysprogs, but still
there are stupidities foisted on them and us as security requirements.
That's my real beef.

Thanks for listening.

Peter


_
Who's that on the Red Carpet? Play  win glamorous prizes. 
http://club.live.com/red_carpet_reveal.aspx?icid=REDCARPET_hotmailtextlink3


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN

Re: PARMLIB(s) (Was: how to list LE options)

[J R]

I (honestly) do not understand your point.


And that's part of the problem.

As someone who's spent a couple of decades
on each side of this discussion, I can see both
points of view.  However, the system is there
for the benefit of the applications; the reverse
is not the case.  If the systems guy cannot
understand the application guy's point, that is
a problem.



From: Ted MacNEIL [EMAIL PROTECTED]
Reply-To: IBM Mainframe Discussion List IBM-MAIN@BAMA.UA.EDU
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PARMLIB(s) (Was: how to list LE options)
Date: Thu, 21 Jun 2007 18:29:05 +

How much of PARMLIB cannot be detected by examining storage in a live 
system - not using APF or anything special?


Security by obscurity is useless.

I (honestly) do not understand your point.

-
Too busy driving to stop for gas!


_
Hotmail to go? Get your Hotmail, news, sports and much more! 
http://mobile.msn.com


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Ed Gould]

On Jun 21, 2007, at 1:08 PM, Barkow, Eileen wrote:



as for SMPE datasets, I was only referring to being able to look at
other compoenents SMPE datasets for which there is a real
need for in debugging a product using a different SMPE environment.
Which SMPE datasets a product uses is a function of the
vendors installation requirements, not some management security  
policy.

 Fortuneatly, this issue was resolved here a long time ago.



I don't know if I quite agree with you on this one. Especially when  
it comes to consultants. I have had personally hours of discussions  
with with quite a few consultants about which PTF was on or which was  
not. Some of them think they understand SMPe concepts, some of them  
know enough to be dangerous.


I once got a call at 2AM saying that they needed PTF x on *NOW*. It  
was an IBM ptf . I listened to their remarks and finally woke up  
enough to say I would check on it in a few minutes. I logged on and  
went into SMPe dialogs and did a list for the PTF and came back not  
found so I switched over to IBMLINK and found the PTF but it was  
*NOT* for our ptf  level I did a little more research and found the  
ptf and did a little back tracking and came up with the correct PTF  
for our system so I went back to SMPe and found out that we had it on  
(for at least 6 months). I called back and informed them that the PTF  
number was not correct for our system and PTF Y which was was on.  
They insisted I was wrong and I reiterated the correct information.  
They hung up and called the VP and insisted they needed this fix on  
NOW. So I got another call this time from the VP and he said put it  
on. I told him it was already on. I then told him the exact sequence  
of pre and coreqs for the ptf in question. I told him I could put the  
PTF on even if I wanted to. He told me to get in there and figure out  
what was going on.
I got dressed and went into work and took one look at the sysout and  
it was a parm error not a ptf error. I pointed this out to the  
consultant and he said the message was in error. So we got the book  
out and indeed the parm was incorrect. He turn a couple shades of  
pale so I got the VP out of bed and explained to him what had happened.

The next day the consultant was gone.
I really didn't like to have to explain to a VP at 3AM what I did day  
in and day out and was really PE'oed that the VP wouldn't believe me.  
I know it was a political thing but I did not appreciate the whole  
thing.
Information is OK if its in the right hands other than that they  
don't need to know.


Ed

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Security vs knowledge [was: RE: how to list LE options]

[Ed Gould]

On Jun 21, 2007, at 2:40 PM, Wayne Driscoll wrote:


In the JES2 Init deck, you can specify clear text passwords for RJE
lines.  That is a great reason for specifying UACC(NONE).
Wayne Driscoll
Product Developer
JME Software LLC
NOTE: All opinions are strictly my own.




Wayne,

Not to disagree with you too much. But a long time ago (10+ years) I  
moved jes2 init deck out of parmlib.


2 reasons at that time (IIRC) parmlib had to be 80-80 (f) and I kept  
having to compress it and the other reason was was that the network  
people needed (at times) to browse the member and I could not give  
out read access to only one member.


Ed

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Kenneth E Tomiak]

 I don't know about your shop, but at ours it gets to be a
 pain when users call to complain because:

 my job is 20th on the queue

Hit Enter.


Tell them:
Stop hitting enter because all the computer has time to do is service your 
request to see if it moved up in the queue. Put a NOTIFY=SYSUID on your 
job card and the system will tell you when your job came to an end. While you 
are waiting, write that documentation you have been meaning to get to. Get 
100  programmers tapping that enter key just as quick as they can to see if 
their job ran and you know why that procesor upgrade is imminent.

Monitors in the wrong hands need the same control you hear on tv about the 
machine where someone in the hospital can press a button to get more pain 
reliever into their drip line. Only it does not honor every request. SDSF and 
RMFMON should have an IGNORE x number of enter requests in a certain 
period of time.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: Security vs knowledge [was: RE: how to list LE options]

[Wayne Driscoll]

I never said that putting clear text passwords was a good idea, just
that it could be a reason that parmlib has UACC(NONE).  As for not
putting JES2 Init deck in parmlib, you are correct that it doesn't have
to be there, but for you time reference, it has been at least 20 years
(probably longer) since parmlib could not be blocked.
Wayne Driscoll
Product Developer
JME Software LLC
NOTE: All opinions are strictly my own.
  

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Ed Gould
Sent: Thursday, June 21, 2007 9:23 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Security vs knowledge [was: RE: how to list LE options]

On Jun 21, 2007, at 2:40 PM, Wayne Driscoll wrote:

 In the JES2 Init deck, you can specify clear text passwords for RJE 
 lines.  That is a great reason for specifying UACC(NONE).
 Wayne Driscoll
 Product Developer
 JME Software LLC
 NOTE: All opinions are strictly my own.



Wayne,

Not to disagree with you too much. But a long time ago (10+ years) I
moved jes2 init deck out of parmlib.

2 reasons at that time (IIRC) parmlib had to be 80-80 (f) and I kept
having to compress it and the other reason was was that the network
people needed (at times) to browse the member and I could not give out
read access to only one member.

Ed

--
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search
the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

how to list LE options

[Schramm, Rob]

I keep looking thru the manuals, but all I see is the use of RPTOPTS(ON)
on some current LE using program.

I am sure (ok.. hoping) that there is a way list out all LE run-time
options?

-Rob Schramm

This e-mail transmission contains information that is confidential and may be 
privileged.   It is intended only for the addressee(s) named above. If you 
receive this e-mail in error, please do not read, copy or disseminate it in any 
manner. If you are not the intended recipient, any disclosure, copying, 
distribution or use of the contents of this information is prohibited. Please 
reply to the message immediately by informing the sender that the message was 
misdirected. After replying, please erase it from your computer system. Your 
assistance in correcting this error is appreciated.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Mark Zelden]

On Wed, 20 Jun 2007 12:38:44 -0400, Schramm, Rob [EMAIL PROTECTED] wrote:

I keep looking thru the manuals, but all I see is the use of RPTOPTS(ON)
on some current LE using program.

I am sure (ok.. hoping) that there is a way list out all LE run-time
options?

-Rob Schramm

If you don't know of a cobol program to run, compile/link the IVP:
see hlq.SIGYSAMP(IGYWFIV1)

Then run it with...

// PARM='/RPTOPTS(ON)'  LE OPTS

or

// PARM='/RPTOPTS(ON),RPTSTG(ON)'  

This gives you the storage report also.

In z/OS 1.7 and above you can also use a CEEOPTS DD instead:

//CEEOPTS DD *  
RPTOPTS(ON),RPTSTG(ON)  
/* 

--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group:  G-ITO
mailto:[EMAIL PROTECTED]
z/OS and OS390 expert at http://searchDataCenter.com/ateExperts/
Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Dave Kopischke]

On Wed, 20 Jun 2007 12:38:44 -0400, Schramm, Rob wrote:

I keep looking thru the manuals, but all I see is the use of RPTOPTS(ON)
on some current LE using program.

I am sure (ok.. hoping) that there is a way list out all LE run-time
options?


Run a stub with the LE report options on in the JCL:

Sorry about the length of this one. I clipped most of the comments and 
unnecessary junk from the program, but it's still pretty long. Just compile the 
program and run the JCL and you'll get an LE report. This is the only way I 
know of to list currently active LE options.

//
//DUMMY1  EXEC PGM=DUMMYPGM,
// PARM='/RPTOPTS(ON),RPTSTG(ON)'
//
//SYSPRINT DD  SYSOUT=*
//SYSOUT   DD  SYSOUT=*
//SYSUDUMP DD  SYSOUT=*
//SUBDAT   DD  DSN=MFD.PARMADLY.MFDE0S0G(POPDATE),
// DISP=SHR
//DUMMYFIL DD  DUMMY,
// DCB=BLKSIZE=80
//*



   IDENTIFICATION DIVISION.
   PROGRAM-ID.DUMMYPGM.
   AUTHOR.DAVE KOPISCHKE.
   DATE-WRITTEN.  JULY 23, 2003.
   DATE-COMPILED.

   ENVIRONMENT DIVISION.
   CONFIGURATION SECTION.   
   SOURCE-COMPUTER.  IBM-370.   
   OBJECT-COMPUTER.  IBM-370.   

   INPUT-OUTPUT SECTION.
   FILE-CONTROL.
   SELECT DUMMY-FILE   ASSIGN TO DUMMYFIL.  

   DATA DIVISION.   

   FILE SECTION.

   FD  DUMMY-FILE   
   LABEL RECORDS ARE STANDARD   
   RECORDING MODE IS F  
   BLOCK CONTAINS 0 RECORDS.

   01  DUMMY-RECORD.
   05  DUMMY-REC   PIC X(80).   

   WORKING-STORAGE SECTION. 

   01  FILLER  PIC X(40)   VALUE
   'WORKING STORAGE STARTS HERE'.   

   PROCEDURE DIVISION.  

  ** 
  *   * 
  * -MAIN-PROCESSING. * 
  *   * 
  ** 

   -MAIN-PROCESSING.

   PERFORM 1000-INITIALIZATION THRU 
   1000-INITIALIZATION-EXIT.

   PERFORM 9000-TERMINATION THRU
   9000-TERMINATION-EXIT.   

   GOBACK.  

  ** 
  *   * 
  *   1000-INITIALIZATION.* 
  *   * 
  * THIS ROUTINE OPENS INPUT FILE AND INITIALIZES AREAS

Re: how to list LE options

[Mark Jacobs]

Schramm, Rob wrote:

I keep looking thru the manuals, but all I see is the use of RPTOPTS(ON)
on some current LE using program.

I am sure (ok.. hoping) that there is a way list out all LE run-time
options?

-Rob Schramm
  

If you are at zOS 1.7 or above this command seems to work;

D CEE,CEEDOPT

CEE3745I 13.03.12 DISPLAY CEEDOPT   
CEE=(00)
LAST WHERE SET OPTION  
---
PARMLIB(CEEPRM00)ABPERC(NONE)  
PARMLIB(CEEPRM00)ABTERMENC(ABEND)  
PARMLIB(CEEPRM00)  NOAIXBLD
PARMLIB(CEEPRM00)ALL31(OFF)
PARMLIB(CEEPRM00)ANYHEAP(16384,8192,ANYWHERE,FREE) 
PARMLIB(CEEPRM00)  NOAUTOTASK  
PARMLIB(CEEPRM00)BELOWHEAP(8192,4096,FREE) 
PARMLIB(CEEPRM00)CBLOPTS(ON)   
PARMLIB(CEEPRM00)CBLPSHPOP(OFF)
PARMLIB(CEEPRM00)CBLQDA(ON)
PARMLIB(CEEPRM00)CHECK(ON) 
PARMLIB(CEEPRM00)COUNTRY(US)   
PARMLIB(CEEPRM00)DEBUG 
PARMLIB(CEEPRM00)DEPTHCONDLMT(0)   
PARMLIB(CEEPRM00)ENVAR() 
PARMLIB(CEEPRM00)ERRCOUNT(0)   




This e-mail transmission contains information that is confidential and may be 
privileged.   It is intended only for the addressee(s) named above. If you 
receive this e-mail in error, please do not read, copy or disseminate it in any 
manner. If you are not the intended recipient, any disclosure, copying, 
distribution or use of the contents of this information is prohibited. Please 
reply to the message immediately by informing the sender that the message was 
misdirected. After replying, please erase it from your computer system. Your 
assistance in correcting this error is appreciated.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

  



--
Mark Jacobs
Technical Services
Time Customer Service - Tampa, FL
--
Victory in defeat, there is none higher. She didn't give up, Ben; 
she's still trying to lift that stone after it has crushed her.
She's a father going down to a dull office job while cancer is 
painfully eating away his insides, so as to bring home one more pay 
check for the kids. She's a twelve-year-old girl trying to mother her
baby brothers and sisters because Mama had to go to Heaven. She's a 
switchboard operator sticking to her job while smoke is choking her 
and the fire is cutting off her escape. She's all the unsung heroes

who couldn't quite cut it but never quit.*

Robert A. Heinlein - Stranger in a Strange Land 


*Referring to the Auguste Rodin sculpture, Caryatid Who Has Fallen under Her 
Stone

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Lizette Koehler]

Under z/OS V1.7 and above you can use the CEEPRMxx member in Parmlib to set 
global parms.  For onlines, you may need to look somewhere else for the 
answers.  If you are below z/OS V1.7, then you need to look at CEEUOPT, 
CEECOPT, and CEEDOPT for what is set.

First,  WHICH LE options do you want.  If you want something that may have been 
LKED into a program with CEEUOPT, then you would need to run that program with 
REPORTS(ON)

If it is in the CICS or IMS environment, you need to do something different.

The processes identified so far are for global LE options.  But you still could 
have unique LE Options on a per application/program basis or Online environment.

in CICS you have a CLER transaction that can show you the CICS options.  Not 
sure about IMS.

Lizette



Run a stub with the LE report options on in the JCL:

Sorry about the length of this one. I clipped most of the comments and 
unnecessary junk from the program, but it's still pretty long. Just compile 
the 
program and run the JCL and you'll get an LE report. This is the only way I 
know of to list currently active LE options.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Chase, John]

 -Original Message-
 From: IBM Mainframe Discussion List On Behalf Of Mark Jacobs
 
 Schramm, Rob wrote:
  I keep looking thru the manuals, but all I see is the use of 
  RPTOPTS(ON) on some current LE using program.
 
  I am sure (ok.. hoping) that there is a way list out all LE run-time

  options?
   
 If you are at zOS 1.7 or above this command seems to work;
 
 D CEE,CEEDOPT
 
 CEE3745I 13.03.12 DISPLAY CEEDOPT 
   
 CEE=(00)

Doesn't work if you haven't migrated to using the PARMLIB member
CEEPRMxx.

-jc-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Farley, Peter x23353]

 -Original Message-
 From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
 Behalf Of Chase, John
Snipped 
  -Original Message-
  From: IBM Mainframe Discussion List On Behalf Of Mark Jacobs
Snipped
  If you are at zOS 1.7 or above this command seems to work;
 
  D CEE,CEEDOPT
 
  CEE3745I 13.03.12 DISPLAY CEEDOPT
 
  CEE=(00)
 
 Doesn't work if you haven't migrated to using the PARMLIB member
 CEEPRMxx.

Also doesn't work if you don't have OPERATOR authority (like me and many
others on the list).

I never understood the auditor/sysprog paranoia about letting normal users
have access to the operator Display commands, but I also understand that
sufficiently fine-grained definitions of authority that permit Display and
nothing else (and $D for JES2) haven't been available.

Peter

This message and any attachments are intended only for the use of the addressee 
and
may contain information that is privileged and confidential. If the reader of 
the 
message is not the intended recipient or an authorized representative of the
intended recipient, you are hereby notified that any dissemination of this
communication is strictly prohibited. If you have received this communication in
error, please notify us immediately by e-mail and delete the message and any
attachments from your system.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Mark Zelden]

On Wed, 20 Jun 2007 12:19:42 -0500, Mark Zelden [EMAIL PROTECTED]
wrote:

If you don't know of a cobol program to run, compile/link the IVP:
see hlq.SIGYSAMP(IGYWFIV1)


I hadn't looked in a while.  The sample name I quoted was from
COBOL for MVS  VM.  The same sample for Enterprise COBOL
is in  hlq.SIGYSAMP(IGYWIVP1).

//IGYWIVP1   JOB JOB PARAMETERS   
//  JCLLIB ORDER=SYS1.IGY.SIGYPROC  
//RUNIVP EXEC IGYWCLG,PARM.COBOL=RENT,REGION=1400K, 
// PARM.LKED='LIST,XREF,LET,MAP',   
// LNGPRFX='SYS1.IGY',LIBPRFX='SYS1.CEE',   
// PARM.GO='/RPTOPTS(ON),RPTSTG(ON)'
//COBOL.SYSIN DD DSN=SYS1.IGY.SIGYSAMP(IGYIVP),DISP=SHR 
//GO.SYSOUT DD SYSOUT=* 

Someone already mentioned using CLER for finding out the options
under CICS.   Another way is to look at a dump with IPCS and use
VERBX LEDATA. 

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group:  G-ITO
mailto:[EMAIL PROTECTED]
z/OS and OS390 expert at http://searchDataCenter.com/ateExperts/
Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: how to list LE options

[Arthur T.]

On 20 Jun 2007 09:39:22 -0700, in bit.listserv.ibm-main 
(Message-ID:[EMAIL PROTECTED]) 
[EMAIL PROTECTED] (Schramm, Rob) wrote:


I keep looking thru the manuals, but all I see is the use 
of RPTOPTS(ON)

on some current LE using program.

I am sure (ok.. hoping) that there is a way list out all 
LE run-time

options?


 It's been a long time since I did this, but you might 
try assembling, linking, and running:


CEEUOPT  CSECT
CEEUOPT  AMODE ANY
CEEUOPT  RMODE ANY
 CEEXOPT RPTOPTS=(ON)
 END


--
I cannot receive mail at the address this was sent from.
To reply directly, send to ar23hur at intergate dot com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html