Re: RACF Resource Classes
Shmuel,

If you do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES, no authorization check will be made to FACILITY class resource ICHBLP, and therefore, any associated profile is meaningless.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

2011 RACF Training
Audit for Results - Boston - APR 12-14
Intro Basic Admin - Boston - MAY 10-12
Visit our website for registration details

-----Original Message-----
Date: Tue, 22 Feb 2011 07:05:54 -0500
From: Shmuel Metz (Seymour J.) shmuel+ibm-m...@patriot.net
Subject: Re: RACF Resource Classes

In ncbblknfeephcaamofkliehbmgaa.r.han...@rshconsulting.com, on 02/22/2011 at 05:56 AM, Robert S. Hansel (RSH) r.han...@rshconsulting.com said:

> If you do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES, and if you do not also define profile ICHBLP to the FACILITY class, then RACF is not guarding the use of BLP and anyone can use BLP with RMM.

I believe that the point at issue is what happens if you define ICHBLP in the FACILITY class but do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: RACF Resource Classes
Elardus,

Setting BLP to YES or NO on a JES2 JOBCLASS statement merely determines whether you can or cannot use BLP in jobs submitted via that particular class. Many installations reserve one or two JOBCLASSes for BLP use and some limit who can use these classes via exits.

Note: If you have DITTO or File Manager and it is running APF-authorized, and you have READ access to FACILITY class resource DITTO.TAPE.BLP or FILEM.TAPE.BLP respectively, you can submit BLP jobs using these utilities in any JOBCLASS. It overrides JOBCLASS BLP=NO.

The authorization check for FACILITY class resource ICHBLP is made in addition to JES, DITTO, or FILEM allowing use of BLP.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Wed, 23 Feb 2011 07:12:08 -0600
From: Elardus Engelbrecht elardus.engelbre...@sita.co.za
Subject: Re: RACF Resource Classes

Shmuel Metz (Seymour J.) wrote:

> I believe that the point at issue is what happens if you define ICHBLP in the FACILITY class but do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES.

Robert S. Hansel (RSH) wrote:

> If you do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES, and if you do not also define profile ICHBLP to the FACILITY class, then RACF is not guarding the use of BLP and anyone can use BLP with RMM.

What about this JES2 init statement with above combination(s)?

JOBCLASS(?),BLP=YES(or NO)

What will happen when BLP is YES or when it is NO?

Just curious, because I can't test it for a while.

Groete / Greetings
Elardus Engelbrecht
Re: RACF Resource Classes
Robert S. Hansel (RSH) wrote:

> Setting BLP to YES or NO on a JES2 JOBCLASS statement merely determines whether you can or cannot use BLP in jobs submitted via that particular class. Many installations reserve one or two JOBCLASSes for BLP use and some limit who can use these classes via exits.

Thanks. This I found also after some nice RTFM. We don't use any exits so far to limit usage of BLP and NL.

> Note: If you have DITTO or File Manager and it is running APF-authorized, and you have READ access to FACILITY class resource DITTO.TAPE.BLP or FILEM.TAPE.BLP respectively, you can submit BLP jobs using these utilities in any JOBCLASS. It overrides JOBCLASS BLP=NO.

Thanks for that lesson about overriding. I've learned something new. Thanks Robert!

> The authorization check for FACILITY class resource ICHBLP is made in addition to JES, DITTO, or FILEM allowing use of BLP.

We use RACF profiles, JES2 JOBCLASS statements and when needed/used, DITTO, to limit usage of BLP and NL. As discussed in this thread, we don't limit (so far) usage of specific drives to be used for BLP.

Thanks Robert. This thread and your replies were very useful for me!

Groete / Greetings
Elardus Engelbrecht
Re: RACF Resource Classes
In ncbblknfeephcaamofkliehbmgaa.r.han...@rshconsulting.com, on 02/22/2011 at 05:56 AM, Robert S. Hansel (RSH) r.han...@rshconsulting.com said:

> If you do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES, and if you do not also define profile ICHBLP to the FACILITY class, then RACF is not guarding the use of BLP and anyone can use BLP with RMM.

I believe that the point at issue is what happens if you define ICHBLP in the FACILITY class but do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
ISO position; see http://patriot.net/~shmuel/resume/brief.html
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: RACF Resource Classes
Shmuel Metz (Seymour J.) wrote:

> I believe that the point at issue is what happens if you define ICHBLP in the FACILITY class but do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES.

Robert S. Hansel (RSH) wrote:

> If you do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES, and if you do not also define profile ICHBLP to the FACILITY class, then RACF is not guarding the use of BLP and anyone can use BLP with RMM.

What about this JES2 init statement with above combination(s)?

JOBCLASS(?),BLP=YES(or NO)

What will happen when BLP is YES or when it is NO?

Just curious, because I can't test it for a while.

Groete / Greetings
Elardus Engelbrecht
Re: RACF Resource Classes
Elardus Engelbrecht wrote:

> Shmuel Metz (Seymour J.) wrote:
>> I believe that the point at issue is what happens if you define ICHBLP in the FACILITY class but do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES.
>
> Robert S. Hansel (RSH) wrote:
>> If you do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES, and if you do not also define profile ICHBLP to the FACILITY class, then RACF is not guarding the use of BLP and anyone can use BLP with RMM.
>
> What about this JES2 init statement with above combination(s)?
>
> JOBCLASS(?),BLP=YES(or NO)
>
> What will happen when BLP is YES or when it is NO?
>
> Just curious, because I can't test it for a while.

ICHBLP is a RACF mechanism, with regular USER/GROUP access lists. In simple words JOHN has no right to BLP, while FRANK is allowed to use BLP.

JES2 JOBCLASS BLP parameter is all or nothing. No authorized people. In case of BLP=YES everyone can use it (but other mechanisms like RACF still apply!). For BLP=NO every BLP request is changed to NL. It can be veeery misleading - BTDT in approx 2002. ;-)

RMM can further add its own BLP protection mechanism...

BTW: IMHO it's a good idea to define one JOBCLASS with BLP=YES and protect the jobclass in RACF using some exit, like IEFUJI. In such a scenario BLP is protected (and available for authorized persons!) despite type of configuration of RMM (other TMS) and RACF TAPEVOL.

My €0.02
--
Radoslaw Skorupka
Lodz, Poland

--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register, register of entrepreneurs no. KRS 025237
NIP: 526-021-50-88
As of 16.07.2010 the share capital of BRE Bank SA (fully paid up) amounts to 168.248.328 zlotys.
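The layered checks described in the messages above (JES2 JOBCLASS BLP, the DITTO/File Manager override, and the conditional ICHBLP check) can be put together as a small audit model. This is an added example, not code from any poster or from IBM; the class and function names, the sample configurations and the rule that an unlisted JOBCLASS counts as BLP=NO are assumptions, and tape management system controls and group access are left out.

```python
from dataclasses import dataclass, field


@dataclass
class SystemConfig:
    tapevol_active: bool    # RACF TAPEVOL class is active
    tapeauthdsn_yes: bool   # PARMLIB DEVSUPxx TAPEAUTHDSN=YES
    ichblp_defined: bool    # FACILITY class profile ICHBLP exists
    ichblp_permitted: frozenset = frozenset()  # user IDs on the ICHBLP access list
    # JES2 JOBCLASS -> True for BLP=YES. Assumption of this model:
    # a class missing from the map is treated as BLP=NO.
    jobclass_blp: dict = field(default_factory=dict)


@dataclass
class BlpRequest:
    user: str
    jobclass: str
    # True when the job runs APF-authorized DITTO or File Manager and the user
    # has READ to DITTO.TAPE.BLP / FILEM.TAPE.BLP (overrides JOBCLASS BLP=NO).
    utility_override: bool = False


def ichblp_is_checked(cfg):
    """ICHBLP is only consulted when TAPEVOL is active or TAPEAUTHDSN=YES."""
    return cfg.tapevol_active or cfg.tapeauthdsn_yes


def evaluate(cfg, req):
    """Return (outcome, reason) for one BLP request, per the rules in the thread."""
    # Gate 1: JES2. BLP=NO turns the request into NL unless a utility overrides it.
    if not cfg.jobclass_blp.get(req.jobclass, False) and not req.utility_override:
        return "NL", "JOBCLASS BLP=NO: request is processed as NL"
    # Gate 2: RACF, applied in addition to JES2, DITTO or File Manager.
    if not ichblp_is_checked(cfg):
        return "BLP", "no ICHBLP check is made: RACF is not guarding BLP"
    if not cfg.ichblp_defined:
        return "UNKNOWN", "ICHBLP is checked but not defined: not covered in the thread"
    if req.user in cfg.ichblp_permitted:
        return "BLP", "user is on the ICHBLP access list"
    return "DENIED", "user is not on the ICHBLP access list"


def audit(cfg):
    """List configuration findings that leave BLP less protected than intended."""
    findings = []
    checked = ichblp_is_checked(cfg)
    if cfg.ichblp_defined and not checked:
        findings.append("ICHBLP is defined but never checked: "
                        "activate TAPEVOL or set TAPEAUTHDSN=YES")
    if not checked:
        for name in sorted(c for c, yes in cfg.jobclass_blp.items() if yes):
            findings.append(f"JOBCLASS {name} has BLP=YES and nothing in RACF "
                            "restricts who uses it")
    if checked and not cfg.ichblp_defined:
        findings.append("ICHBLP check is active but the profile is not defined")
    return findings


# Constructed sample: the case at issue in the thread (profile defined, but
# neither TAPEVOL nor TAPEAUTHDSN=YES), and the same system with TAPEVOL active.
WEAK = SystemConfig(tapevol_active=False, tapeauthdsn_yes=False,
                    ichblp_defined=True, ichblp_permitted=frozenset({"FRANK"}),
                    jobclass_blp={"A": False, "B": True})
FIXED = SystemConfig(tapevol_active=True, tapeauthdsn_yes=False,
                     ichblp_defined=True, ichblp_permitted=frozenset({"FRANK"}),
                     jobclass_blp={"A": False, "B": True})

if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(label, "findings:", audit(cfg))
        for req in (BlpRequest("JOHN", "B"), BlpRequest("FRANK", "B"),
                    BlpRequest("JOHN", "A", utility_override=True)):
            print("  ", req.user, req.jobclass, "->", evaluate(cfg, req))
```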
Re: RACF Resource Classes
That is what I do not like about either JOBCLASS control or even ICHBLP within RACF. The choice is either USER-A has BLP and USER-B does not. But that is not limiting enough in my opinion. I want to allow a large group of users the ability to use BLP to map foreign tapes (tapes with volsers that are NOT defined to my Tape Management System), and I want a very small group of users to have the ability to use BLP to map in-house tapes (tapes with volsers that ARE defined to my Tape Management System).

Granted, with BLP the volser specified in the JCL (and mount message) does not have to match the volser of the mounted tape. But, in order to request volume 123456 and get ABC123 mounted instead requires either physical access to operations or the ability to communicate with someone in operations that will mount a volume different than what is being requested. In the shops I was at, that was a small group of system-programmers. The group of people allowed to map foreign tapes was much larger and included application programmers and even data control people. That is why I wanted to make sure that ability to control BLP was not simply a YES/NO decision but also based on volsers.

Or, it can also be based on UCB addresses; so that only a few physical devices in a secure location can be used for BLP processing. Again, a YES/NO decision is not sufficient. The BLP SAF call should come from the Tape Management System and indicate if the volume is defined or not (foreign or in-house); what UCB device it is mounted on; and possibly even what volser is being called for.

But, that is just my 2-cents worth.

Russell Witt
CA 1 L2 Support Manager

Radoslaw said

> ICHBLP is a RACF mechanism, with regular USER/GROUP access lists. In simple words JOHN has no right to BLP, while FRANK is allowed to use BLP.
>
> JES2 JOBCLASS BLP parameter is all or nothing. No authorized people. In case of BLP=YES everyone can use it (but other mechanisms like RACF still apply!). For BLP=NO every BLP request is changed to NL. It can be veeery misleading - BTDT in approx 2002. ;-)
>
> RMM can further add its own BLP protection mechanism...
>
> BTW: IMHO it's a good idea to define one JOBCLASS with BLP=YES and protect the jobclass in RACF using some exit, like IEFUJI. In such a scenario BLP is protected (and available for authorized persons!) despite type of configuration of RMM (other TMS) and RACF TAPEVOL.
>
> My €0.02
> --
> Radoslaw Skorupka
> Lodz, Poland
Re: RACF Resource Classes
Russell,

In general good point: it's a good idea to control BLP by volser, to distinguish i.e. in-house and external tapes. Or even more categories. Or just by volser.

Note, that (AFAIK) even for BLP processing RMM still checks the volser.

Note2 - in ATL, VTL it's not so easy to fake the volser (but it's possible in some scenarios).

However I have to disagree with one statement: BLP *should NOT* be the way for reading external tapes, just because they're external, not defined in TMS, etc. Assuming external tape is regular SL one, there is no reason to use BLP. No reason except (my opinion) poor environment configuration.

Regards
--
Radoslaw Skorupka
Lodz, Poland

Russell Witt wrote:

> That is what I do not like about either JOBCLASS control or even ICHBLP within RACF. The choice is either USER-A has BLP and USER-B does not. But that is not limiting enough in my opinion. I want to allow a large group of users the ability to use BLP to map foreign tapes (tapes with volsers that are NOT defined to my Tape Management System), and I want a very small group of users to have the ability to use BLP to map in-house tapes (tapes with volsers that ARE defined to my Tape Management System).
>
> Granted, with BLP the volser specified in the JCL (and mount message) does not have to match the volser of the mounted tape. But, in order to request volume 123456 and get ABC123 mounted instead requires either physical access to operations or the ability to communicate with someone in operations that will mount a volume different than what is being requested. In the shops I was at, that was a small group of system-programmers. The group of people allowed to map foreign tapes was much larger and included application programmers and even data control people. That is why I wanted to make sure that ability to control BLP was not simply a YES/NO decision but also based on volsers.
>
> Or, it can also be based on UCB addresses; so that only a few physical devices in a secure location can be used for BLP processing. Again, a YES/NO decision is not sufficient. The BLP SAF call should come from the Tape Management System and indicate if the volume is defined or not (foreign or in-house); what UCB device it is mounted on; and possibly even what volser is being called for.
>
> But, that is just my 2-cents worth.
>
> Russell Witt
> CA 1 L2 Support Manager
>
> Radoslaw said
>
>> ICHBLP is a RACF mechanism, with regular USER/GROUP access lists. In simple words JOHN has no right to BLP, while FRANK is allowed to use BLP.
>>
>> JES2 JOBCLASS BLP parameter is all or nothing. No authorized people. In case of BLP=YES everyone can use it (but other mechanisms like RACF still apply!). For BLP=NO every BLP request is changed to NL. It can be veeery misleading - BTDT in approx 2002. ;-)
>>
>> RMM can further add its own BLP protection mechanism...
>>
>> BTW: IMHO it's a good idea to define one JOBCLASS with BLP=YES and protect the jobclass in RACF using some exit, like IEFUJI. In such a scenario BLP is protected (and available for authorized persons!) despite type of configuration of RMM (other TMS) and RACF TAPEVOL.
>>
>> My €0.02
>> --
>> Radoslaw Skorupka
>> Lodz, Poland
Re: RACF Resource Classes
Tom,

If you do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES, and if you do not also define profile ICHBLP to the FACILITY class, then RACF is not guarding the use of BLP and anyone can use BLP with RMM. Granted, you can limit the use of BLP to specific job classes using JESPARMS JOBCLASS parameter BLP=NO (this is still true even when ICHBLP is fully functional), but RACF isn't involved in enforcing this limitation.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Mon, 21 Feb 2011 09:22:30 -0500
From: Pinnacle pinnc...@rochester.rr.com
Subject: Re: RACF Resource Classes

----- Original Message -----
From: Robert S. Hansel , RSH r.han...@rshconsulting.com
Newsgroups: bit.listserv.ibm-main
Sent: Monday, February 21, 2011 6:18 AM
Subject: Re: RACF Resource Classes

> Tom,
>
> CA-1's FORRES and NORNORES and the equivalent STGADMIN.EDG profiles for RMM govern the use of DD statement parameter EXPDT=98000. Use of BLP is controlled by FACILITY class resource ICHBLP with RMM and CA@APE class resources BLPRES and BLPNORES with CA-1.

Bob,

I've never enabled TAPEVOL with RMM, and I've never had a problem using BLP with RMM. What am I missing?

Thanks,
Tom
Re: RACF Resource Classes
Thanks to all for your experiences and insight.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Robert S. Hansel (RSH)
Sent: Monday, February 21, 2011 5:16 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: RACF Resource Classes

Tom,

CA-1's FORRES and NORNORES and the equivalent STGADMIN.EDG profiles for RMM govern the use of DD statement parameter EXPDT=98000. Use of BLP is controlled by FACILITY class resource ICHBLP with RMM and CA@APE class resources BLPRES and BLPNORES with CA-1.

Dennis,

Very few installations fully implement the TAPEVOL class. By fully implement, I mean define a TAPEVOL profile for every tape with a TVTOC (Tape Volume Table of Contents) that lists every dataset on the tape by its full 44-character dsname so that RACF verifies the user is properly specifying the dsname when accessing a dataset on the tape. Most installations rely on their tape management system to verify the proper dsname is used. While the RACF TVTOC dsname validation check is somewhat more secure than the one done by the tape management system, few installations are willing to incur the overhead of maintaining and processing TAPEVOL profiles for this added level of protection.

On the other hand, many installations do activate the TAPEVOL class just to enable use of FACILITY class profile ICHBLP. They don't bother to create TAPEVOL profiles. Others activate TAPEVOL in conjunction with using HSM's SETSYS TAPESECURITY(RACF or RACFINCLUDE) to have HSM automatically create and maintain TAPEVOL profiles to guard its own tapes.

All this assumes PARMLIB DEVSUPxx TAPEAUTHDSN=NO is in effect; otherwise, the TAPEVOL profiles are essentially ignored.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Sun, 20 Feb 2011 19:58:48 -0500
From: Pinnacle pinnc...@rochester.rr.com
Subject: Re: RACF Resource Classes

----- Original Message -----
From: Givens, Dennis W. dennis.giv...@cnasurety.com
Newsgroups: bit.listserv.ibm-main
Sent: Friday, February 18, 2011 3:25 PM
Subject: RACF Resource Classes

> I am working on the resolution of exceptions produced by the recently activated Health Checker feature on a Z/OS 1.10 system. Specifically the following 2 checks:
>
> CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
> Check Severity: Medium
> IRRH229E The class TAPEVOL is not active.
> Explanation: The class is not active. IBM recommends that the security administrator at your installation activate this class and define in it the profiles to properly protect your system.

Dennis,

I've implemented both RMM and CA-1 in many different shops and I've never implemented TAPEVOL. It's extremely difficult to administer, and better controls are available. Not sure why Bob Hansel and Russ Witt say you need it for ICHBLP with RMM. RMM added STGADMIN.EDG profiles to handle BLP tapes that mirror the FORRES and FORNORES controls of CA-1, and that's all I've ever needed to implement for BLP under RMM. I don't know about the new TAPAUTHDSN control that they reference, I have no experience with it.

Regards,
Tom Conley
Re: RACF Resource Classes
Tom,

CA-1's FORRES and NORNORES and the equivalent STGADMIN.EDG profiles for RMM govern the use of DD statement parameter EXPDT=98000. Use of BLP is controlled by FACILITY class resource ICHBLP with RMM and CA@APE class resources BLPRES and BLPNORES with CA-1.

Dennis,

Very few installations fully implement the TAPEVOL class. By fully implement, I mean define a TAPEVOL profile for every tape with a TVTOC (Tape Volume Table of Contents) that lists every dataset on the tape by its full 44-character dsname so that RACF verifies the user is properly specifying the dsname when accessing a dataset on the tape. Most installations rely on their tape management system to verify the proper dsname is used. While the RACF TVTOC dsname validation check is somewhat more secure than the one done by the tape management system, few installations are willing to incur the overhead of maintaining and processing TAPEVOL profiles for this added level of protection.

On the other hand, many installations do activate the TAPEVOL class just to enable use of FACILITY class profile ICHBLP. They don't bother to create TAPEVOL profiles. Others activate TAPEVOL in conjunction with using HSM's SETSYS TAPESECURITY(RACF or RACFINCLUDE) to have HSM automatically create and maintain TAPEVOL profiles to guard its own tapes.

All this assumes PARMLIB DEVSUPxx TAPEAUTHDSN=NO is in effect; otherwise, the TAPEVOL profiles are essentially ignored.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Sun, 20 Feb 2011 19:58:48 -0500
From: Pinnacle pinnc...@rochester.rr.com
Subject: Re: RACF Resource Classes

----- Original Message -----
From: Givens, Dennis W. dennis.giv...@cnasurety.com
Newsgroups: bit.listserv.ibm-main
Sent: Friday, February 18, 2011 3:25 PM
Subject: RACF Resource Classes

> I am working on the resolution of exceptions produced by the recently activated Health Checker feature on a Z/OS 1.10 system. Specifically the following 2 checks:
>
> CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
> Check Severity: Medium
> IRRH229E The class TAPEVOL is not active.
> Explanation: The class is not active. IBM recommends that the security administrator at your installation activate this class and define in it the profiles to properly protect your system.

Dennis,

I've implemented both RMM and CA-1 in many different shops and I've never implemented TAPEVOL. It's extremely difficult to administer, and better controls are available. Not sure why Bob Hansel and Russ Witt say you need it for ICHBLP with RMM. RMM added STGADMIN.EDG profiles to handle BLP tapes that mirror the FORRES and FORNORES controls of CA-1, and that's all I've ever needed to implement for BLP under RMM. I don't know about the new TAPAUTHDSN control that they reference, I have no experience with it.

Regards,
Tom Conley
Re: RACF Resource Classes
Russ,

I tend to agree with you on this. If this particular Health Checker check were to first confirm that PARMLIB DEVSUPxx TAPEAUTHDSN is set to NO, then it makes sense to raise activation of TAPEVOL as an issue. However, the verbiage should probably mention TAPEAUTHDSN as an alternative. I don't know whether the check does or doesn't look at this parameter. Perhaps the check author can shed light on this.

In general, I too think DEVSUPxx is the better way to go, but I wouldn't rule out the use of TAPEVOL universally. An installation with tapes that are not defined to its tape management system could optionally use TAPEVOL profiles to guard them. If they set TAPEAUTHDSN to YES, the TAPEVOL checks are nullified.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Sat, 19 Feb 2011 09:09:15 -0600
From: Russell Witt res09...@verizon.net
Subject: Re: RACF Resource Classes

That is the part I don't understand. With the new DEVSUPxx parameters, why even use TAPEVOL and/or TAPEDSN as RACF options? They perform a similar function and do it better (in my opinion). So, why a HealthCheck to make sure that the old (obsolete?) TAPEVOL class is active?

And if you are attempting to control BLP; then it really depends on your tape management system. With RMM, yes you would need this. But with both CA TLMS and CA 1; they have better BLP protection available within them.

Russell Witt
CA 1 L2 Support Manager

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Robert S. Hansel (RSH)
Sent: Saturday, February 19, 2011 6:05 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: RACF Resource Classes

Dennis,

Add CA Endevor, releases earlier than R12, to Sam's list of potential TEMPDSN problem products. See article TEMPDSN and CA-Endevor in the April 2009 issue of our RSH RACF Tips Newsletter, a copy of which is available via the following URL:

http://www.rshconsulting.com/racfres.htm

One reason for activating the TAPEVOL class would be to implement restrictions on the use of Bypass Label Processing (BLP) using the FACILITY class profile ICHBLP when your tape management system is IBM's DFSMSrmm. However, if you activate tape protection using PARMLIB DEVSUPxx parameter TAPAUTHDSN, it isn't necessary to activate TAPEVOL to enable use of the ICHBLP profile.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
Re: RACF Resource Classes
----- Original Message -----
From: Robert S. Hansel , RSH r.han...@rshconsulting.com
Newsgroups: bit.listserv.ibm-main
Sent: Monday, February 21, 2011 6:18 AM
Subject: Re: RACF Resource Classes

> Tom,
>
> CA-1's FORRES and NORNORES and the equivalent STGADMIN.EDG profiles for RMM govern the use of DD statement parameter EXPDT=98000. Use of BLP is controlled by FACILITY class resource ICHBLP with RMM and CA@APE class resources BLPRES and BLPNORES with CA-1.

Bob,

I've never enabled TAPEVOL with RMM, and I've never had a problem using BLP with RMM. What am I missing?

Thanks,
Tom
Re: RACF Resource Classes
----- Original Message -----
From: Givens, Dennis W. dennis.giv...@cnasurety.com
Newsgroups: bit.listserv.ibm-main
Sent: Friday, February 18, 2011 3:25 PM
Subject: RACF Resource Classes

> I am working on the resolution of exceptions produced by the recently activated Health Checker feature on a Z/OS 1.10 system. Specifically the following 2 checks:
>
> CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
> Check Severity: Medium
> IRRH229E The class TAPEVOL is not active.
> Explanation: The class is not active. IBM recommends that the security administrator at your installation activate this class and define in it the profiles to properly protect your system.

Dennis,

I've implemented both RMM and CA-1 in many different shops and I've never implemented TAPEVOL. It's extremely difficult to administer, and better controls are available. Not sure why Bob Hansel and Russ Witt say you need it for ICHBLP with RMM. RMM added STGADMIN.EDG profiles to handle BLP tapes that mirror the FORRES and FORNORES controls of CA-1, and that's all I've ever needed to implement for BLP under RMM. I don't know about the new TAPAUTHDSN control that they reference, I have no experience with it.

Regards,
Tom Conley
Re: RACF Resource Classes
Pinnacle wrote:

> ----- Original Message -----
> From: Givens, Dennis W. dennis.giv...@cnasurety.com
> Newsgroups: bit.listserv.ibm-main
> Sent: Friday, February 18, 2011 3:25 PM
> Subject: RACF Resource Classes
>
>> I am working on the resolution of exceptions produced by the recently activated Health Checker feature on a Z/OS 1.10 system. Specifically the following 2 checks:
>>
>> CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
>> Check Severity: Medium
>> IRRH229E The class TAPEVOL is not active.
>> Explanation: The class is not active. IBM recommends that the security administrator at your installation activate this class and define in it the profiles to properly protect your system.
>
> Dennis,
>
> I've implemented both RMM and CA-1 in many different shops and I've never implemented TAPEVOL. It's extremely difficult to administer, and better controls are available.

Well, I also implemented RMM, *with* TAPEVOL active and see nothing difficult to administer. ;-) I'm serious.

> Not sure why Bob Hansel and Russ Witt say you need it for ICHBLP with RMM.

Because (AFAIR) ICHBLP does work only with TAPEVOL active. That's a good reason IMHO.

--
Radoslaw Skorupka
Lodz, Poland
Re: RACF Resource Classes
Dennis,

Add CA Endevor, releases earlier than R12, to Sam's list of potential TEMPDSN problem products. See article "TEMPDSN and CA-Endevor" in the April 2009 issue of our RSH RACF Tips Newsletter, a copy of which is available via the following URL:

http://www.rshconsulting.com/racfres.htm

One reason for activating the TAPEVOL class would be to implement restrictions on the use of Bypass Label Processing (BLP) using the FACILITY class profile ICHBLP when your tape management system is IBM's DFSMSrmm. However, if you activate tape protection using PARMLIB DEVSUPxx parameter TAPEAUTHDSN, it isn't necessary to activate TAPEVOL to enable use of the ICHBLP profile.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Fri, 18 Feb 2011 20:25:12 +
From: Givens, Dennis W. dennis.giv...@cnasurety.com
Subject: RACF Resource Classes

I am working on the resolution of exceptions produced by the recently activated Health Checker feature on a Z/OS 1.10 system. Specifically the following 2 checks:

CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
Check Severity: Medium
IRRH229E The class TAPEVOL is not active.
Explanation: The class is not active. IBM recommends that the security administrator at your installation activate this class and define in it the profiles to properly protect your system.

CHECK(IBMRACF,RACF_TEMPDSN_ACTIVE)
Check Severity: Medium
IRRH229E The class TEMPDSN is not active.
Explanation: The class is not active. IBM recommends that the security administrator at your installation activate this class and define in it the profiles to properly protect your system.

I am contemplating activating both of these resource classes but have no immediate plans for using them in any profiles. My concern is that the activation of these classes will in itself cause me problems. Any experiences or insight would be much appreciated.

Signed
A Novice RACF Administrator
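An audit check for the rule discussed in this thread (an ICHBLP profile only has an effect when the TAPEVOL class is active or DEVSUPxx specifies TAPEAUTHDSN=YES), added here as an example and not part of any poster's message. The SETROPTS LIST and DEVSUPxx texts are constructed and abbreviated samples; the function names and finding codes are hypothetical.

```python
import re

# Constructed, abbreviated SETROPTS LIST output (not captured from a real system).
SETROPTS_SAMPLE = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM -- BASIC)
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP ACCTNUM DASDVOL FACILITY
                 OPERCMDS SURROGAT TSOPROC
GENERIC PROFILE CLASSES = DATASET FACILITY
"""

# Constructed DEVSUPxx member text.
DEVSUP_SAMPLE = """\
/* constructed sample member */
COMPACT=YES,
TAPEAUTHDSN=NO
"""


def active_classes(setropts_text):
    """Collect class names from the ACTIVE CLASSES line and its continuation lines."""
    classes, collecting = set(), False
    for line in setropts_text.splitlines():
        header = re.match(r"\s*ACTIVE CLASSES\s*=(.*)", line)
        if header:
            collecting, line = True, header.group(1)
        elif not (collecting and line.strip() and "=" not in line):
            collecting = False  # a new "NAME = ..." line or a blank line ends the list
        if collecting:
            classes.update(line.split())
    return classes


def devsup_options(member_text):
    """Return KEYWORD -> VALUE pairs from DEVSUPxx text, ignoring /* */ comments."""
    text = re.sub(r"/\*.*?\*/", " ", member_text, flags=re.S)
    return {k.upper(): v.upper() for k, v in re.findall(r"(\w+)\s*=\s*(\w+)", text)}


def audit(setropts_text, devsup_text, ichblp_defined):
    """Return finding codes for the settings discussed in the thread.

    ichblp_defined: whether a FACILITY profile covering ICHBLP exists
    (supplied by the caller, for example after reviewing RLIST output).
    """
    active = active_classes(setropts_text)
    tape_checks_on = ("TAPEVOL" in active
                      or devsup_options(devsup_text).get("TAPEAUTHDSN") == "YES")
    findings = []
    if "TAPEVOL" not in active:
        findings.append("TAPEVOL_INACTIVE")   # condition behind RACF_TAPEVOL_ACTIVE
    if "TEMPDSN" not in active:
        findings.append("TEMPDSN_INACTIVE")   # condition behind RACF_TEMPDSN_ACTIVE
    if not tape_checks_on:
        # Neither switch is on, so the ICHBLP profile is never consulted.
        findings.append("ICHBLP_PROFILE_IGNORED" if ichblp_defined
                        else "BLP_NOT_GUARDED_BY_RACF")
    elif not ichblp_defined:
        findings.append("ICHBLP_PROFILE_MISSING")  # flag for review
    return findings


if __name__ == "__main__":
    for code in audit(SETROPTS_SAMPLE, DEVSUP_SAMPLE, ichblp_defined=True):
        print(code)
```
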
Re: RACF Resource Classes
That is the part I don't understand. With the new DEVSUPxx parameters, why even use TAPEVOL and/or TAPEDSN as RACF options? They perform a similar function and do it better (in my opinion). So, why a HealthCheck to make sure that the old (obsolete?) TAPEVOL class is active?

And if you are attempting to control BLP, then it really depends on your tape management system. With RMM, yes you would need this. But with both CA TLMS and CA 1, they have better BLP protection available within them.

Russell Witt
CA 1 L2 Support Manager

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Robert S. Hansel (RSH)
Sent: Saturday, February 19, 2011 6:05 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: RACF Resource Classes

Dennis,

Add CA Endevor, releases earlier than R12, to Sam's list of potential TEMPDSN problem products. See article "TEMPDSN and CA-Endevor" in the April 2009 issue of our RSH RACF Tips Newsletter, a copy of which is available via the following URL:

http://www.rshconsulting.com/racfres.htm

One reason for activating the TAPEVOL class would be to implement restrictions on the use of Bypass Label Processing (BLP) using the FACILITY class profile ICHBLP when your tape management system is IBM's DFSMSrmm. However, if you activate tape protection using PARMLIB DEVSUPxx parameter TAPEAUTHDSN, it isn't necessary to activate TAPEVOL to enable use of the ICHBLP profile.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
RACF Resource Classes
I am working on the resolution of exceptions produced by the recently activated Health Checker feature on a Z/OS 1.10 system. Specifically the following 2 checks:

CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
Check Severity: Medium
IRRH229E The class TAPEVOL is not active.
Explanation: The class is not active. IBM recommends that the security administrator at your installation activate this class and define in it the profiles to properly protect your system.

CHECK(IBMRACF,RACF_TEMPDSN_ACTIVE)
Check Severity: Medium
IRRH229E The class TEMPDSN is not active.
Explanation: The class is not active. IBM recommends that the security administrator at your installation activate this class and define in it the profiles to properly protect your system.

I am contemplating activating both of these resource classes but have no immediate plans for using them in any profiles. My concern is that the activation of these classes will in itself cause me problems. Any experiences or insight would be much appreciated.

Signed
A Novice RACF Administrator
Re: RACF Resource Classes
Whether or not to activate the TAPEVOL class is a business practice decision, not a technical one. We have never done so and most likely never will because of changes that would be imposed on the client community for dubious benefit. Extensive use of generic profiles and our tape management software provide extra layers of protection that render TAPEVOL less important. We also run without TEMPDSN, but I can't say why.

.
.
JO.Skip Robinson
SCE Infrastructure Technology Services
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
626-302-7535 Office
323-715-0595 Mobile
jo.skip.robin...@sce.com

From: Givens, Dennis W. dennis.giv...@cnasurety.com
To: IBM-MAIN@bama.ua.edu
Date: 02/18/2011 12:25 PM
Subject: RACF Resource Classes
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu

I am working on the resolution of exceptions produced by the recently activated Health Checker feature on a Z/OS 1.10 system. Specifically the following 2 checks:

CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
Check Severity: Medium
IRRH229E The class TAPEVOL is not active.
Explanation: The class is not active. IBM recommends that the security administrator at your installation activate this class and define in it the profiles to properly protect your system.

CHECK(IBMRACF,RACF_TEMPDSN_ACTIVE)
Check Severity: Medium
IRRH229E The class TEMPDSN is not active.
Explanation: The class is not active. IBM recommends that the security administrator at your installation activate this class and define in it the profiles to properly protect your system.

I am contemplating activating both of these resource classes but have no immediate plans for using them in any profiles. My concern is that the activation of these classes will in itself cause me problems. Any experiences or insight would be much appreciated.

Signed
A Novice RACF Administrator
Re: RACF Resource Classes
TAPEVOL class will have to be researched within your shop to make sure you don't break something by mistake. If you wish to implement, you can put it in warning mode and then see what is accessing.

TEMPDSN is real straightforward and prevents jobs/users from accessing someone else's TEMP datasets, especially if there is an ABEND. The one thing to be aware of if you put this in is make sure you don't have any in-flight data sets. If a job is running when you turn on this resource, it could cause the job to fail with a RACF error because it will no longer have access to its temp data that it created with the resource off.

On Friday, February 18, 2011, Skip Robinson jo.skip.robin...@sce.com wrote:
> Whether or not to activate the TAPEVOL class is a business practice decision, not a technical one. We have never done so and most likely never will because of changes that would be imposed on the client community for dubious benefit. Extensive use of generic profiles and our tape management software provide extra layers of protection that render TAPEVOL less important. We also run without TEMPDSN, but I can't say why.
>
> JO.Skip Robinson
> SCE Infrastructure Technology Services
Re: RACF Resource Classes
Thanks. That is good information.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of zSeries Systems Programmer
Sent: Friday, February 18, 2011 3:50 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: RACF Resource Classes

TAPEVOL class will have to be researched within your shop to make sure you don't break something by mistake. If you wish to implement, you can put it in warning mode and then see what is accessing.

TEMPDSN is real straightforward and prevents jobs/users from accessing someone else's TEMP datasets, especially if there is an ABEND. The one thing to be aware of if you put this in is make sure you don't have any in-flight data sets. If a job is running when you turn on this resource, it could cause the job to fail with a RACF error because it will no longer have access to its temp data that it created with the resource off.
Re: RACF Resource Classes
If you don't want to or need to activate those classes, you can consider changing the health check to lower the severity.

- Don Imbriale

On Fri, Feb 18, 2011 at 4:54 PM, Givens, Dennis W. dennis.giv...@cnasurety.com wrote:
> Thanks. That is good information.
Re: RACF Resource Classes
Hi Dennis,

We have been running with TEMPDSN since the mid 1990s. I do recommend, just like the IBM health check, that you run with this enabled. A couple of caveats:

TEMPDSN is a logical switch, so when you activate that class new access control is automatically enforced for temporary data sets. Unlike some classes, it is the act of activating the class that matters; there are no profiles to define. You should plan to do this just before an IPL. Changing the rules in the middle of the game can be confusing. You should treat it like a system change, including implementing it first in any less critical LPARs/Sysplex that you have and doing change notice for others' information and your own protection should it break something someone cares about.

While it is not likely to cause you a problem, some OEM products may not work correctly with TEMPDSN, and this is a global switch, so there is no way to exempt some impolite utility or software which has been built by an ISV with incorrect assumptions and not tested in an environment with RACF TEMPDSN active. Over the years we have reported defects and gotten fixes from many ISVs. I won't bother listing the ones older than one year. In the last year CA-MSM 3.0 (deployment feature only; no problems with basic service retrieval and installation product aspects) and BMC IMS database recovery plus were both found to have issues. For the BMC IMS database utility issue, PTF BPQ4956 has been written with a minimum requirement of PUT1002A and is available from BMC now. For CA-MSM deployment we have field tested a solution methodology and the development team is in the process of building it into a proper fix and getting it QAed.

RACF-L is a great place for advice on setting RACF options and implications:
http://www-03.ibm.com/systems/z/os/zos/features/racf/links/racf-l.html

TAPEVOL depends on what tape management system you have and some other tape related security options in RACF and your tape management system. IBM and CA tape and RACF experts have always provided good advice, often on IBM-MAIN and RACF-L, much more useful than anything I could add. Search the archives and best discuss it with the vendor whose tape management system you use. I won't recommend to activate or not to activate that class, but rather make sure you completely understand the tape security you have today and any gaps and what the implications are of enabling additional tape security. If you use CA-1 (TMS), open a ticket or better yet get them to do an MVP review (best practices checkup, it's free) and they can give you a complete recommendation. If you have DFSMSrmm or some other, post here and maybe contact the vendor. Again, treat any changes in this area the same way you would any other system change.

YMMV, so check out anything you plan to do and be completely comfortable in your decision on what to configure on your system.

I hope that helps. Have a great weekend!

Best Regards,
Sam Knutson, GEICO
System z Team Leader
mailto:sknut...@geico.com
(office) 301.986.3574
(cell) 301.996.1318

Think big, act bold, start simple, grow fast...

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Givens, Dennis W.
Sent: Friday, February 18, 2011 3:25 PM
To: IBM-MAIN@bama.ua.edu
Subject: RACF Resource Classes

I am working on the resolution of exceptions produced by the recently activated Health Checker feature on a Z/OS 1.10 system. Specifically the following 2 checks:

CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
Check Severity: Medium
IRRH229E The class TAPEVOL is not active.
Explanation: The class is not active. IBM recommends that the security administrator at your installation activate this class and define in it the profiles to properly protect your system.

CHECK(IBMRACF,RACF_TEMPDSN_ACTIVE)
Check Severity: Medium
IRRH229E The class TEMPDSN is not active.
Explanation: The class is not active. IBM recommends that the security administrator at your installation activate this class and define in it the profiles to properly protect your system.

I am contemplating activating both of these resource classes but have no immediate plans for using them in any profiles. My concern is that the activation of these classes will in itself cause me problems. Any experiences or insight would be much appreciated.

Signed
A Novice RACF Administrator