Re: RACF Resource Classes

2011-02-24 Thread Robert S. Hansel (RSH)
Shmuel,

If you do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES,
no authorization check will be made to FACILITY class resource ICHBLP, and
therefore, any associated profile is meaningless.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-
2011 RACF Training
 Audit for Results   - Boston - APR 12-14
 Intro & Basic Admin - Boston - MAY 10-12
Visit our website for registration & details
-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: RACF Resource Classes

2011-02-24 Thread Robert S. Hansel (RSH)
Elardus,

Setting BLP to YES or NO on a JES2 JOBCLASS statement merely determines
whether you can or cannot use BLP in jobs submitted via that particular
class. Many installations reserve one or two JOBCLASSes for BLP use and some
limit who can use these classes via exits.

Note: If you have DITTO or File Manager and it is running APF-authorized,
and you have READ access to FACILITY class resource DITTO.TAPE.BLP or
FILEM.TAPE.BLP respectively, you can submit BLP jobs using these utilities
in any JOBCLASS. It overrides JOBCLASS BLP=NO.

The authorization check for FACILITY class resource ICHBLP is made in
addition to JES, DITTO, or FILEM allowing use of BLP.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com



Re: RACF Resource Classes

2011-02-24 Thread Elardus Engelbrecht
Robert S. Hansel (RSH) wrote:

Setting BLP to YES or NO on a JES2 JOBCLASS statement merely determines
whether you can or cannot use BLP in jobs submitted via that particular class. 
Many installations reserve one or two JOBCLASSes for BLP use and some limit 
who can use these classes via exits.

Thanks. This I found also after some nice RTFM. We don't use any exits so far
to limit usage of BLP and NL.

Note: If you have DITTO or File Manager and it is running APF-authorized,
and you have READ access to FACILITY class resource DITTO.TAPE.BLP or
FILEM.TAPE.BLP respectively, you can submit BLP jobs using these utilities
in any JOBCLASS. It overrides JOBCLASS BLP=NO.

Thanks for that lesson about overriding. I've learned something new. Thanks 
Robert!

The authorization check for FACILITY class resource ICHBLP is made in
addition to JES, DITTO, or FILEM allowing using of BLP.

We use RACF profiles, JES2 JOBCLASS statements and, when needed/used,
DITTO, to limit usage of BLP and NL. As discussed in this thread, we don't
limit (so far) usage of specific drives to be used for BLP.

Thanks Robert. This thread and your replies were very useful for me!

Groete / Greetings
Elardus Engelbrecht



Re: RACF Resource Classes

2011-02-23 Thread Shmuel Metz (Seymour J.)
In ncbblknfeephcaamofkliehbmgaa.r.han...@rshconsulting.com, on
02/22/2011
   at 05:56 AM, Robert S. Hansel (RSH) r.han...@rshconsulting.com
said:

If you do not activate either the TAPEVOL class or DEVSUPxx
TAPEAUTHDSN=YES, and if you do not also define profile ICHBLP to the
FACILITY class, then RACF is not guarding the use of BLP and anyone
can use BLP with RMM.

I believe that the point at issue is what happens if you define ICHBLP
in the FACILITY class but do not activate either the TAPEVOL class or
DEVSUPxx TAPEAUTHDSN=YES.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: RACF Resource Classes

2011-02-23 Thread Elardus Engelbrecht
Shmuel Metz (Seymour J.) wrote:
I believe that the point at issue is what happens if you define ICHBLP in the 
FACILITY class but do not activate either the TAPEVOL class or DEVSUPxx 
TAPEAUTHDSN=YES.

Robert S. Hansel (RSH) wrote: 
If you do not activate either the TAPEVOL class or DEVSUPxx
TAPEAUTHDSN=YES, and if you do not also define profile ICHBLP to the
FACILITY class, then RACF is not guarding the use of BLP and anyone
can use BLP with RMM.

What about this JES2 init statement with above combination(s)?

 JOBCLASS(?),BLP=YES(or NO)

What will happen when BLP is YES or when it is NO?

Just curious, because I can't test it for a while. 

Groete / Greetings
Elardus Engelbrecht



Re: RACF Resource Classes

2011-02-23 Thread R.S.

Elardus Engelbrecht writes:

Shmuel Metz (Seymour J.) wrote:
I believe that the point at issue is what happens if you define ICHBLP in the
FACILITY class but do not activate either the TAPEVOL class or DEVSUPxx
TAPEAUTHDSN=YES.

Robert S. Hansel (RSH) wrote:
If you do not activate either the TAPEVOL class or DEVSUPxx
TAPEAUTHDSN=YES, and if you do not also define profile ICHBLP to the
FACILITY class, then RACF is not guarding the use of BLP and anyone
can use BLP with RMM.

What about this JES2 init statement with above combination(s)?

 JOBCLASS(?),BLP=YES(or NO)

What will happen when BLP is YES or when it is NO?

Just curious, because I can't test it for a while.


ICHBLP is a RACF mechanism, with regular USER/GROUP access lists. In
simple words JOHN has no right to BLP, while FRANK is allowed to use BLP.

JES2 JOBCLASS BLP parameter is all or nothing. No authorized people.
In case of BLP=YES everyone can use it (but other mechanisms like RACF
still apply!). For BLP=NO every BLP request is changed to NL. It can be
veeery misleading - BTDT in approx 2002. ;-)

RMM can further add its own BLP protection mechanism...

BTW: IMHO it's a good idea to define one JOBCLASS with BLP=YES and protect
the jobclass in RACF using some exit, like IEFUJI. In such scenario BLP
is protected (and available for authorized persons!) despite type of
configuration of RMM (other TMS) and RACF TAPEVOL.


My €0.02
--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

District Court for the Capital City of Warsaw,
12th Commercial Division of the National Court Register,
business register number KRS 025237

NIP: 526-021-50-88
As of 16.07.2010 the share capital of BRE Bank SA (fully paid up) amounts to 168,248,328 złoty.


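The layered BLP controls the thread works through (Bob's rule that the FACILITY ICHBLP check is only made when TAPEVOL is active or DEVSUPxx TAPEAUTHDSN=YES and only guards anything when the profile exists, the JES2 JOBCLASS and DITTO/File Manager layers, and Radoslaw's point that BLP=NO silently turns the request into NL), modelled as an added Python example that is not from the thread or from IBM. The class, profile and parameter names are the ones the posts use; the data structures, function names and the sample userids JOHN and FRANK are constructed for the example.

```python
"""Model of the layered Bypass Label Processing (BLP) controls described in
this thread: the JES2 JOBCLASS BLP=YES|NO switch, the DITTO / File Manager
overrides (FACILITY DITTO.TAPE.BLP / FILEM.TAPE.BLP) and the FACILITY ICHBLP
check, which is only made when the TAPEVOL class is active or DEVSUPxx
TAPEAUTHDSN=YES. Added example; class, profile and parameter names come from
the posts above, data structures and function names are constructed here."""
from dataclasses import dataclass, field
from typing import Optional

# Utilities that, when APF-authorized, let a user submit BLP jobs in any job
# class provided the user has READ access to the matching FACILITY profile.
UTILITY_PROFILES = {"DITTO": "DITTO.TAPE.BLP", "FILEM": "FILEM.TAPE.BLP"}


@dataclass
class RacfState:
    tapevol_active: bool      # SETROPTS CLASSACT(TAPEVOL) in effect
    tapeauthdsn_yes: bool     # PARMLIB DEVSUPxx TAPEAUTHDSN=YES in effect
    # FACILITY profile name -> userids permitted on that profile (READ for the
    # utility profiles; the thread does not state the level needed for ICHBLP,
    # so the set is simply "permitted userids" here)
    facility: dict = field(default_factory=dict)


@dataclass
class BlpRequest:
    userid: str
    jobclass: str
    utility: Optional[str] = None   # "DITTO" or "FILEM" when submitted that way
    utility_apf: bool = False       # whether that utility runs APF-authorized


def ichblp_check_is_made(racf: RacfState) -> bool:
    """Bob's rule: with neither TAPEVOL active nor TAPEAUTHDSN=YES, ICHBLP is
    never checked, so any ICHBLP profile is meaningless."""
    return racf.tapevol_active or racf.tapeauthdsn_yes


def audit_ichblp(racf: RacfState) -> str:
    """One-line verdict on whether an ICHBLP profile is doing anything
    (Shmuel's question): the configuration audit, not a per-job decision."""
    defined = "ICHBLP" in racf.facility
    if not ichblp_check_is_made(racf):
        if defined:
            return ("INEFFECTIVE: ICHBLP is defined but never checked "
                    "(activate TAPEVOL or set TAPEAUTHDSN=YES)")
        return "UNGUARDED: no ICHBLP profile and neither TAPEVOL nor TAPEAUTHDSN=YES"
    if not defined:
        return "UNGUARDED: ICHBLP would be checked but no profile is defined"
    return "ENFORCED: ICHBLP is checked and a profile exists"


def evaluate(racf: RacfState, jobclass_blp: dict, req: BlpRequest) -> str:
    """Outcome of one BLP request: 'BLP' (honoured), 'NL' (silently changed
    to no-label by JOBCLASS BLP=NO, Radoslaw's point) or 'DENIED' (the
    ICHBLP check was made and the user is not permitted)."""
    # Layer 1: JES2 JOBCLASS BLP=YES|NO, unless an APF-authorized DITTO or
    # File Manager with READ on its FACILITY profile overrides BLP=NO.
    override = False
    if req.utility in UTILITY_PROFILES and req.utility_apf:
        permitted = racf.facility.get(UTILITY_PROFILES[req.utility], set())
        override = req.userid in permitted
    if not jobclass_blp[req.jobclass] and not override:
        return "NL"
    # Layer 2: the FACILITY ICHBLP check is made in addition to the JES or
    # utility layer, but only when RACF is configured to make it at all.
    if ichblp_check_is_made(racf) and "ICHBLP" in racf.facility:
        if req.userid not in racf.facility["ICHBLP"]:
            return "DENIED"
    return "BLP"


if __name__ == "__main__":
    # Constructed sample: ICHBLP permits FRANK only; class B allows BLP, A does not.
    racf = RacfState(tapevol_active=False, tapeauthdsn_yes=False,
                     facility={"ICHBLP": {"FRANK"}, "DITTO.TAPE.BLP": {"FRANK"}})
    classes = {"A": False, "B": True}
    print(audit_ichblp(racf))                                   # INEFFECTIVE ...
    print(evaluate(racf, classes, BlpRequest("JOHN", "B")))    # BLP (profile never checked)
    racf.tapevol_active = True
    print(evaluate(racf, classes, BlpRequest("JOHN", "B")))    # DENIED
    print(evaluate(racf, classes, BlpRequest("FRANK", "A")))   # NL
    print(evaluate(racf, classes, BlpRequest("FRANK", "A", "DITTO", True)))  # BLP
```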


Re: RACF Resource Classes

2011-02-23 Thread Russell Witt
That is what I do not like about either JOBCLASS control or even ICHBLP within 
RACF. The choice is either USER-A has BLP and USER-B does not. But that is not 
limiting enough in my opinion. I want to allow a large group of users the 
ability to use BLP to map foreign tapes (tapes with volsers that are NOT 
defined to my Tape Management System), and I want a very small group of users 
to have the ability to use BLP to map in-house tapes (tapes with volsers that 
ARE defined to my Tape Management System). 

Granted, with BLP the volser specified in the JCL (and mount message) does not 
have to match the volser of the mounted tape. But, in order to request volume 
123456 and get ABC123 mounted instead requires either physical access to 
operations or the ability to communicate with someone in operations that will 
mount a volume different than what is being requested. In the shops I was at, 
that was a small group of system-programmers. The group of people allowed to 
map foreign tapes was much larger and included application programmers and even 
data control people. That is why I wanted to make sure that ability to control 
BLP was not simply a YES/NO decision but also based on volsers.

Or, it can also be based on UCB addresses; so that only a few physical devices 
in a secure location can be used for BLP processing. Again, a YES/NO decision 
is not sufficient. The BLP SAF call should come from the Tape Management System 
and indicate if the volume is defined or not (foreign or in-house); what UCB 
device it is mounted on; and possibly even what volser is being called for. 
But, that is just my 2-cents worth.

Russell Witt
CA 1 L2 Support Manager




Re: RACF Resource Classes

2011-02-23 Thread R.S.

Russell,
In general good point: it's a good idea to control BLP by volser, to 
distinguish i.e. in-house and external tapes. Or even more categories. 
Or just by volser.
Note that (AFAIK) even for BLP processing RMM still checks the volser. 
Note2 - in ATL, VTL it's not so easy to fake the volser (but it's 
possible in some scenarios).


However I have to disagree with one statement: BLP *should NOT* be the 
way for reading external tapes, just because they're external, not 
defined in TMS, etc. Assuming external tape is regular SL one, there is 
no reason to use BLP. No reason except (my opinion) poor environment 
configuration.


Regards
--
Radoslaw Skorupka
Lodz, Poland




Re: RACF Resource Classes

2011-02-22 Thread Robert S. Hansel (RSH)
Tom,

If you do not activate either the TAPEVOL class or DEVSUPxx TAPEAUTHDSN=YES,
and if you do not also define profile ICHBLP to the FACILITY class, then
RACF is not guarding the use of BLP and anyone can use BLP with RMM.
Granted, you can limit the use of BLP to specific job classes using JESPARMS
JOBCLASS parameter BLP=NO (this is still true even when ICHBLP is fully
functional), but RACF isn't involved in enforcing this limitation.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com



Re: RACF Resource Classes

2011-02-22 Thread Givens, Dennis W.
Thanks to all for your experiences and insight.




Re: RACF Resource Classes

2011-02-21 Thread Robert S. Hansel (RSH)
Tom,

CA-1's FORRES and FORNORES and the equivalent STGADMIN.EDG profiles for RMM
govern the use of DD statement parameter EXPDT=98000. Use of BLP is
controlled by FACILITY class resource ICHBLP with RMM and CA@APE class
resources BLPRES and BLPNORES with CA-1.

Dennis,

Very few installations fully implement the TAPEVOL class. By fully
implement, I mean define a TAPEVOL profile for every tape with a TVTOC (Tape
Volume Table of Contents) that lists every dataset on the tape by its full
44-character dsname so that RACF verifies the user is properly specifying
the dsname when accessing a dataset on the tape. Most installations rely on
their tape management system to verify the proper dsname is used. While the
RACF TVTOC dsname validation check is somewhat more secure than the one done
by the tape management system, few installations are willing to incur the
overhead of maintaining and processing TAPEVOL profiles for this added level
of protection.

On the other hand, many installations do activate the TAPEVOL class just to
enable use of FACILITY class profile ICHBLP. They don't bother to create
TAPEVOL profiles. Others activate TAPEVOL in conjunction with using HSM's
SETSYS TAPESECURITY(RACF or RACFINCLUDE) to have HSM automatically create
and maintain TAPEVOL profiles to guard its own tapes.

All this assumes PARMLIB DEVSUPxx TAPEAUTHDSN=NO is in effect; otherwise,
the TAPEVOL profiles are essentially ignored.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com



Re: RACF Resource Classes

2011-02-21 Thread Robert S. Hansel (RSH)
Russ,

I tend to agree with you on this. If this particular Health Checker check
were to first confirm that PARMLIB DEVSUPxx TAPEAUTHDSN is set to NO, then
it makes sense to raise activation of TAPEVOL as an issue. However, the
verbiage should probably mention TAPEAUTHDSN as an alternative. I don't know
whether the check does or doesn't look at this parameter. Perhaps the check
author can shed light on this.

In general, I too think DEVSUPxx is the better way to go, but I wouldn't
rule out the use of TAPEVOL universally. An installation with tapes that are
not defined to its tape management system could optionally use TAPEVOL
profiles to guard them. If they set TAPEAUTHDSN to YES, the TAPEVOL checks
are nullified.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com


-Original Message-
Date: Sat, 19 Feb 2011 09:09:15 -0600
From: Russell Witt res09...@verizon.net
Subject: Re: RACF Resource Classes

That is the part I don't understand. With the new DEVSUPxx parameters, why
even use TAPEVOL and/or TAPEDSN as RACF options? They perform a similar
function and do it better (in my opinion). So, why a HealthCheck to make
sure that the old (obsolete?) TAPEVOL class is active?

And if you are attempting to control BLP; then it really depends on your
tape management system. With RMM, yes you would need this. But with both CA
TLMS and CA 1; they have better BLP protection available within them.

Russell Witt
CA 1 L2 Support Manager



Re: RACF Resource Classes

2011-02-21 Thread Pinnacle
- Original Message -
From: Robert S. Hansel, RSH r.han...@rshconsulting.com
Newsgroups: bit.listserv.ibm-main
Sent: Monday, February 21, 2011 6:18 AM
Subject: Re: RACF Resource Classes

Tom,

CA-1's FORRES and FORNORES and the equivalent STGADMIN.EDG profiles for RMM
govern the use of DD statement parameter EXPDT=98000. Use of BLP is
controlled by FACILITY class resource ICHBLP with RMM and CA@APE class
resources BLPRES and BLPNORES with CA-1.


Bob,

I've never enabled TAPEVOL with RMM, and I've never had a problem using BLP 
with RMM.  What am I missing?


Thanks,
Tom 




Re: RACF Resource Classes

2011-02-20 Thread Pinnacle
- Original Message -
From: Givens, Dennis W. dennis.giv...@cnasurety.com
Newsgroups: bit.listserv.ibm-main
Sent: Friday, February 18, 2011 3:25 PM
Subject: RACF Resource Classes

I am working on the resolution of exceptions produced by the recently 
activated Health Checker feature on a z/OS 1.10 system.

Specifically the following 2 checks:

 CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
 Check Severity: Medium
 IRRH229E The class TAPEVOL is not active.
 Explanation: The class is not active. IBM recommends that the
 security administrator at your installation activate this class and
 define in it the profiles to properly protect your system.

Dennis,

I've implemented both RMM and CA-1 in many different shops and I've never 
implemented TAPEVOL.  It's extremely difficult to administer, and better 
controls are available.  Not sure why Bob Hansel and Russ Witt say you need 
it for ICHBLP with RMM.  RMM added STGADMIN.EDG profiles to handle BLP tapes 
that mirror the FORRES and FORNORES controls of CA-1, and that's all I've 
ever needed to implement for BLP under RMM.  I don't know about the new 
TAPEAUTHDSN control that they reference, I have no experience with it.


Regards,
Tom Conley 




Re: RACF Resource Classes

2011-02-20 Thread R.S.

Pinnacle writes:
- Original Message - From: Givens, Dennis W. dennis.giv...@cnasurety.com
Newsgroups: bit.listserv.ibm-main
Sent: Friday, February 18, 2011 3:25 PM
Subject: RACF Resource Classes

I am working on the resolution of exceptions produced by the recently 
activated Health Checker feature on a z/OS 1.10 system.

Specifically the following 2 checks:

 CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
 Check Severity: Medium
 IRRH229E The class TAPEVOL is not active.
 Explanation: The class is not active. IBM recommends that the
 security administrator at your installation activate this class and
 define in it the profiles to properly protect your system.

Dennis,

I've implemented both RMM and CA-1 in many different shops and I've 
never implemented TAPEVOL.  It's extremely difficult to administer, and 
better controls are available.

Well, I also implemented RMM, *with* TAPEVOL active and see nothing 
difficult to administer. ;-) I'm serious.

Not sure why Bob Hansel and Russ Witt 
say you need it for ICHBLP with RMM.

Because (AFAIR) ICHBLP does work only with TAPEVOL active. That's a good 
reason IMHO.



--
Radoslaw Skorupka
Lodz, Poland




Re: RACF Resource Classes

2011-02-19 Thread Robert S. Hansel (RSH)
Dennis,

Add CA Endevor, releases earlier than R12, to Sam's list of potential
TEMPDSN problem products. See article TEMPDSN and CA-Endevor in the April
2009 issue of our RSH RACF Tips Newsletter, a copy of which is available via
the following URL:

http://www.rshconsulting.com/racfres.htm

One reason for activating the TAPEVOL class would be to implement
restrictions on the use of Bypass Label Processing (BLP) using the FACILITY
class profile ICHBLP when your tape management system is IBM's DFSMSrmm.
However, if you activate tape protection using PARMLIB DEVSUPxx parameter
TAPAUTHDSN, it isn't necessary to activate TAPEVOL to enable use of the
ICHBLP profile.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-
2011 RACF Training
 Audit for Results   - Boston - APR 12-14
 Intro & Basic Admin - Boston - MAY 10-12
Visit our website for registration & details
-

-Original Message-
Date:Fri, 18 Feb 2011 20:25:12 +
From:Givens, Dennis W. dennis.giv...@cnasurety.com
Subject: RACF Resource Classes

I am working on the resolution of exceptions produced by the recently
activated Health Checker feature on a z/OS 1.10 system.
Specifically the following 2 checks:

  CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
  Check Severity: Medium
  IRRH229E The class TAPEVOL is not active.
  Explanation: The class is not active. IBM recommends that the security
  administrator at your installation activate this class and define in it
  the profiles to properly protect your system.

  CHECK(IBMRACF,RACF_TEMPDSN_ACTIVE)
  Check Severity: Medium
  IRRH229E The class TEMPDSN is not active.
  Explanation: The class is not active. IBM recommends that the security
  administrator at your installation activate this class and define in it
  the profiles to properly protect your system.

I am contemplating activating both of these resource classes but have no
immediate plans for using them in any profiles.
My concern is that the activation of these classes will in itself cause me
problems. Any experiences or insight would be much appreciated.

Signed, A Novice RACF Administrator



Re: RACF Resource Classes

2011-02-19 Thread Russell Witt
That is the part I don't understand. With the new DEVSUPxx parameters, why
even use TAPEVOL and/or TAPEDSN as RACF options? They perform a similar
function and do it better (in my opinion). So, why a HealthCheck to make
sure that the old (obsolete?) TAPEVOL class is active?

And if you are attempting to control BLP, then it really depends on your
tape management system. With RMM, yes, you would need this. But with both CA
TLMS and CA 1, they have better BLP protection available within them. 

Russell Witt
CA 1 L2 Support Manager

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf
Of Robert S. Hansel (RSH)
Sent: Saturday, February 19, 2011 6:05 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: RACF Resource Classes

Dennis,

Add CA Endevor, releases earlier than R12, to Sam's list of potential
TEMPDSN problem products. See article TEMPDSN and CA-Endevor in the April
2009 issue of our RSH RACF Tips Newsletter, a copy of which is available via
the following URL:

http://www.rshconsulting.com/racfres.htm

One reason for activating the TAPEVOL class would be to implement
restrictions on the use of Bypass Label Processing (BLP) using the FACILITY
class profile ICHBLP when your tape management system is IBM's DFSMSrmm.
However, if you activate tape protection using PARMLIB DEVSUPxx parameter
TAPAUTHDSN, it isn't necessary to activate TAPEVOL to enable use of the
ICHBLP profile.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com



RACF Resource Classes

2011-02-18 Thread Givens, Dennis W.
I am working on the resolution of exceptions produced by the recently activated 
Health Checker feature on a z/OS 1.10 system.
Specifically the following 2 checks:

  CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
  Check Severity: Medium
  IRRH229E The class TAPEVOL is not active.
  Explanation: The class is not active. IBM recommends that the security
  administrator at your installation activate this class and define in it
  the profiles to properly protect your system.

  CHECK(IBMRACF,RACF_TEMPDSN_ACTIVE)
  Check Severity: Medium
  IRRH229E The class TEMPDSN is not active.
  Explanation: The class is not active. IBM recommends that the security
  administrator at your installation activate this class and define in it
  the profiles to properly protect your system.

I am contemplating activating both of these resource classes but have no 
immediate plans for using them in any profiles.
My concern is that the activation of these classes will in itself cause me 
problems. Any experiences or insight would be much appreciated.

Signed, A Novice RACF Administrator








Re: RACF Resource Classes

2011-02-18 Thread Skip Robinson
Whether or not to activate the TAPEVOL class is a business practice 
decision, not a technical one. We have never done so and most likely never 
will because of changes that would be imposed on the client community for 
dubious benefit.  Extensive use of generic profiles and our tape 
management software provide extra layers of protection that render TAPEVOL 
less important. 

We also run without TEMPDSN, but I can't say why. 


.
.
JO.Skip Robinson
SCE Infrastructure Technology Services
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
626-302-7535 Office
323-715-0595 Mobile
jo.skip.robin...@sce.com



From:   Givens, Dennis W. dennis.giv...@cnasurety.com
To: IBM-MAIN@bama.ua.edu
Date:   02/18/2011 12:25 PM
Subject:RACF Resource Classes
Sent by:IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu



I am working on the resolution of exceptions produced by the recently 
activated Health Checker feature on a z/OS 1.10 system.
Specifically the following 2 checks:

  CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
  Check Severity: Medium
  IRRH229E The class TAPEVOL is not active.
  Explanation: The class is not active. IBM recommends that the security
  administrator at your installation activate this class and define in it
  the profiles to properly protect your system.

  CHECK(IBMRACF,RACF_TEMPDSN_ACTIVE)
  Check Severity: Medium
  IRRH229E The class TEMPDSN is not active.
  Explanation: The class is not active. IBM recommends that the security
  administrator at your installation activate this class and define in it
  the profiles to properly protect your system.

I am contemplating activating both of these resource classes but have no 
immediate plans for using them in any profiles.
My concern is that the activation of these classes will in itself cause me 
problems. Any experiences or insight would be much appreciated.

Signed, A Novice RACF Administrator





Re: RACF Resource Classes

2011-02-18 Thread zSeries Systems Programmer
TAPEVOL class will have to be researched within your shop to make sure
you don't break something by mistake.  If you wish to implement, you
can put it in warning mode and then see what is accessing.

TEMPDSN is really straightforward and prevents jobs/users from
accessing someone else's TEMP datasets, especially if there is an
ABEND.  The one thing to be aware of if you put this in is to make sure
you don't have any in-flight data sets.  If a job is running when you
turn on this resource, it could cause the job to fail with a RACF
error because it will no longer have access to its temp data that it
created with the resource off.

On Friday, February 18, 2011, Skip Robinson jo.skip.robin...@sce.com wrote:
 Whether or not to activate the TAPEVOL class is a business practice
 decision, not a technical one. We have never done so and most likely never
 will because of changes that would be imposed on the client community for
 dubious benefit.  Extensive use of generic profiles and our tape
 management software provide extra layers of protection that render TAPEVOL
 less important.

 We also run without TEMPDSN, but I can't say why.


 .
 .
 JO.Skip Robinson
 SCE Infrastructure Technology Services
 Electric Dragon Team Paddler
 SHARE MVS Program Co-Manager
 626-302-7535 Office
 323-715-0595 Mobile
 jo.skip.robin...@sce.com



 From:   Givens, Dennis W. dennis.giv...@cnasurety.com
 To:     IBM-MAIN@bama.ua.edu
 Date:   02/18/2011 12:25 PM
 Subject:        RACF Resource Classes
 Sent by:        IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu



 I am working on the resolution of exceptions produced by the recently
 activated Health Checker feature on a z/OS 1.10 system.
 Specifically the following 2 checks:

   CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
   Check Severity: Medium
   IRRH229E The class TAPEVOL is not active.
   Explanation: The class is not active. IBM recommends that the security
   administrator at your installation activate this class and define in it
   the profiles to properly protect your system.

   CHECK(IBMRACF,RACF_TEMPDSN_ACTIVE)
   Check Severity: Medium
   IRRH229E The class TEMPDSN is not active.
   Explanation: The class is not active. IBM recommends that the security
   administrator at your installation activate this class and define in it
   the profiles to properly protect your system.

 I am contemplating activating both of these resource classes but have no
 immediate plans for using them in any profiles.
 My concern is that the activation of these classes will in itself cause me
 problems. Any experiences or insight would be much appreciated.

 Signed, A Novice RACF Administrator





Re: RACF Resource Classes

2011-02-18 Thread Givens, Dennis W.
Thanks. That is good information.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of 
zSeries Systems Programmer
Sent: Friday, February 18, 2011 3:50 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: RACF Resource Classes

TAPEVOL class will have to be researched within your shop to make sure
you don't break something by mistake.  If you wish to implement, you
can put it in warning mode and then see what is accessing.

TEMPDSN is really straightforward and prevents jobs/users from
accessing someone else's TEMP datasets, especially if there is an
ABEND.  The one thing to be aware of if you put this in is to make sure
you don't have any in-flight data sets.  If a job is running when you
turn on this resource, it could cause the job to fail with a RACF
error because it will no longer have access to its temp data that it
created with the resource off.

On Friday, February 18, 2011, Skip Robinson jo.skip.robin...@sce.com wrote:
 Whether or not to activate the TAPEVOL class is a business practice
 decision, not a technical one. We have never done so and most likely never
 will because of changes that would be imposed on the client community for
 dubious benefit.  Extensive use of generic profiles and our tape
 management software provide extra layers of protection that render TAPEVOL
 less important.

 We also run without TEMPDSN, but I can't say why.


 .
 .
 JO.Skip Robinson
 SCE Infrastructure Technology Services
 Electric Dragon Team Paddler
 SHARE MVS Program Co-Manager
 626-302-7535 Office
 323-715-0595 Mobile
 jo.skip.robin...@sce.com



 From:   Givens, Dennis W. dennis.giv...@cnasurety.com
 To: IBM-MAIN@bama.ua.edu
 Date:   02/18/2011 12:25 PM
 Subject:RACF Resource Classes
 Sent by:IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu



 I am working on the resolution of exceptions produced by the recently
 activated Health Checker feature on a z/OS 1.10 system.
 Specifically the following 2 checks:

   CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
   Check Severity: Medium
   IRRH229E The class TAPEVOL is not active.
   Explanation: The class is not active. IBM recommends that the security
   administrator at your installation activate this class and define in it
   the profiles to properly protect your system.

   CHECK(IBMRACF,RACF_TEMPDSN_ACTIVE)
   Check Severity: Medium
   IRRH229E The class TEMPDSN is not active.
   Explanation: The class is not active. IBM recommends that the security
   administrator at your installation activate this class and define in it
   the profiles to properly protect your system.

 I am contemplating activating both of these resource classes but have no
 immediate plans for using them in any profiles.
 My concern is that the activation of these classes will in itself cause me
 problems. Any experiences or insight would be much appreciated.

 Signed, A Novice RACF Administrator





Re: RACF Resource Classes

2011-02-18 Thread Don Imbriale
If you don't want to or need to activate those classes, you can consider
changing the health check to lower the severity.

- Don Imbriale

On Fri, Feb 18, 2011 at 4:54 PM, Givens, Dennis W. 
dennis.giv...@cnasurety.com wrote:

 Thanks. That is good information.

 -Original Message-
 From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
 Behalf Of zSeries Systems Programmer
 Sent: Friday, February 18, 2011 3:50 PM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: RACF Resource Classes

 TAPEVOL class will have to be researched within your shop to make sure
 you don't break something by mistake.  If you wish to implement, you
 can put it in warning mode and then see what is accessing.

 TEMPDSN is really straightforward and prevents jobs/users from
 accessing someone else's TEMP datasets, especially if there is an
 ABEND.  The one thing to be aware of if you put this in is to make sure
 you don't have any in-flight data sets.  If a job is running when you
 turn on this resource, it could cause the job to fail with a RACF
 error because it will no longer have access to its temp data that it
 created with the resource off.

 On Friday, February 18, 2011, Skip Robinson jo.skip.robin...@sce.com
 wrote:
  Whether or not to activate the TAPEVOL class is a business practice
  decision, not a technical one. We have never done so and most likely
 never
  will because of changes that would be imposed on the client community for
  dubious benefit.  Extensive use of generic profiles and our tape
  management software provide extra layers of protection that render
 TAPEVOL
  less important.
 
  We also run without TEMPDSN, but I can't say why.
 
 
  .
  .
  JO.Skip Robinson
  SCE Infrastructure Technology Services
  Electric Dragon Team Paddler
  SHARE MVS Program Co-Manager
  626-302-7535 Office
  323-715-0595 Mobile
  jo.skip.robin...@sce.com
 
 
 
  From:   Givens, Dennis W. dennis.giv...@cnasurety.com
  To: IBM-MAIN@bama.ua.edu
  Date:   02/18/2011 12:25 PM
  Subject:RACF Resource Classes
  Sent by:IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
 
 
 
  I am working on the resolution of exceptions produced by the recently
  activated Health Checker feature on a z/OS 1.10 system.
  Specifically the following 2 checks:

    CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
    Check Severity: Medium
    IRRH229E The class TAPEVOL is not active.
    Explanation: The class is not active. IBM recommends that the security
    administrator at your installation activate this class and define in it
    the profiles to properly protect your system.

    CHECK(IBMRACF,RACF_TEMPDSN_ACTIVE)
    Check Severity: Medium
    IRRH229E The class TEMPDSN is not active.
    Explanation: The class is not active. IBM recommends that the security
    administrator at your installation activate this class and define in it
    the profiles to properly protect your system.

  I am contemplating activating both of these resource classes but have no
  immediate plans for using them in any profiles.
  My concern is that the activation of these classes will in itself cause me
  problems. Any experiences or insight would be much appreciated.

  Signed, A Novice RACF Administrator
 
 
 




Re: RACF Resource Classes

2011-02-18 Thread Knutson, Sam
Hi Dennis,

We have been running with TEMPDSN since the mid-1990s. I do recommend, just 
like the IBM health check, that you run with this enabled.  A couple of caveats:

TEMPDSN is a logical switch, so when you activate that class, new access control 
is automatically enforced for temporary data sets.  Unlike some classes, it is 
the act of activating the class that matters; there are no profiles to 
define.
You should plan to do this just before an IPL.  Changing the rules in the middle 
of the game can be confusing. 
You should treat it like a system change, including implementing it first in any 
less critical LPARs/sysplex that you have and doing a change notice for others' 
information and your own protection should it break something someone cares 
about.

While it is not likely to cause you a problem, some OEM products may not work 
correctly with TEMPDSN, and this is a global switch, so there is no way to exempt 
some impolite utility or software which has been built by an ISV with incorrect 
assumptions and not tested in an environment with RACF TEMPDSN active.  Over 
the years we have reported defects and gotten fixes from many ISVs. I won't 
bother listing the ones older than one year.  In the last year, CA-MSM 3.0 
(deployment feature only; no problems with the basic service retrieval and 
installation product aspects) and BMC IMS database recovery plus were both found 
to have issues. For the BMC IMS database utility issue, PTF BPQ4956 has been 
written with a minimum requirement of PUT1002A and is available from BMC now. 
For CA-MSM deployment we have field tested a solution methodology, and 
the development team is in the process of building it into a proper fix and 
getting it QAed.  

RACF-L is a great place for advice on setting RACF options and implications: 
http://www-03.ibm.com/systems/z/os/zos/features/racf/links/racf-l.html 

TAPEVOL depends on what tape management system you have and some other 
tape-related security options in RACF and your tape management system.  
IBM and CA tape and RACF experts have always provided good advice, often on 
IBM-MAIN and RACF-L, much more useful than anything I could add.  Search the 
archives and, best, discuss it with the vendor whose tape management system you 
use.  I won't recommend activating or not activating that class, but rather 
make sure you completely understand the tape security you have today and any 
gaps and what the implications are of enabling additional tape security.  If 
you use CA-1 (TMS), open a ticket or, better yet, get them to do an MVP review 
(best practices checkup; it's free) and they can give you a complete 
recommendation.  If you have DFSMSrmm or some other, post here and maybe contact 
the vendor. Again, treat any changes in this area the same way you would any 
other system change.

YMMV, so check out anything you plan to do and be completely comfortable in your 
decision on what to configure on your system.  I hope that helps.

Have a great weekend! 

    Best Regards, 

    Sam Knutson, GEICO 
    System z Team Leader 
    mailto:sknut...@geico.com 
    (office)  301.986.3574 
    (cell) 301.996.1318
  
Think big, act bold, start simple, grow fast... 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of 
Givens, Dennis W.
Sent: Friday, February 18, 2011 3:25 PM
To: IBM-MAIN@bama.ua.edu
Subject: RACF Resource Classes

I am working on the resolution of exceptions produced by the recently activated 
Health Checker feature on a z/OS 1.10 system.
Specifically the following 2 checks:

  CHECK(IBMRACF,RACF_TAPEVOL_ACTIVE)
  Check Severity: Medium
  IRRH229E The class TAPEVOL is not active.
  Explanation: The class is not active. IBM recommends that the security
  administrator at your installation activate this class and define in it
  the profiles to properly protect your system.

  CHECK(IBMRACF,RACF_TEMPDSN_ACTIVE)
  Check Severity: Medium
  IRRH229E The class TEMPDSN is not active.
  Explanation: The class is not active. IBM recommends that the security
  administrator at your installation activate this class and define in it
  the profiles to properly protect your system.

I am contemplating activating both of these resource classes but have no 
immediate plans for using them in any profiles.
My concern is that the activation of these classes will in itself cause me 
problems. Any experiences or insight would be much appreciated.

Signed, A Novice RACF Administrator


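The configuration review below is an added example for this thread; it is not code from IBM, from the list, or from any of the posters. It ties together two points made above: Bob Hansel's reply that a FACILITY profile ICHBLP is only ever checked when the TAPEVOL class is active or DEVSUPxx specifies TAPEAUTHDSN=YES (the thread spells the keyword both TAPAUTHDSN and TAPEAUTHDSN; the example uses the latter), and the two Health Checker items, RACF_TAPEVOL_ACTIVE and RACF_TEMPDSN_ACTIVE, that Dennis asked about. The SETROPTS LIST, DEVSUPxx and RLIST excerpts are constructed samples whose layout only approximates real output, so the parsers are assumptions to be checked against output captured from your own system.

```python
# Added example (not from the IBM-MAIN thread, IBM, or any poster): review
# whether FACILITY ICHBLP can take effect and whether TAPEVOL / TEMPDSN are
# active, from captured command output. All inputs below are constructed
# excerpts whose layout approximates real SETROPTS LIST / RLIST output.
import re

# Constructed excerpt of SETROPTS LIST output: the ACTIVE CLASSES line may
# wrap onto indented continuation lines, which the parser folds back in.
SETROPTS_LIST = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM)
STATISTICS = NONE
ACTIVE CLASSES = USER GROUP DATASET FACILITY OPERCMDS SURROGAT UNIXPRIV
                 TSOAUTH TSOPROC
GENERIC PROFILE CLASSES = DATASET FACILITY TSOAUTH TSOPROC
"""

# Constructed DEVSUPxx fragments: tape data set authorization off, and on.
DEVSUPXX_OFF = "TAPEAUTHDSN=NO,\nTAPEAUTHF1=NO\n"
DEVSUPXX_ON = "TAPEAUTHDSN=YES,\nTAPEAUTHF1=NO\n"

# Constructed RLIST FACILITY ICHBLP output: profile present, and profile absent.
RLIST_ICHBLP = """\
CLASS      NAME
-----      ----
FACILITY   ICHBLP

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SYS1       NONE              NONE         NO
"""
RLIST_MISSING = "ICH13003I ICHBLP NOT FOUND\n"


def active_classes(setropts_text):
    """Classes named on the ACTIVE CLASSES line of SETROPTS LIST, with
    indented continuation lines folded in."""
    classes, collecting = set(), False
    for line in setropts_text.splitlines():
        m = re.match(r"^ACTIVE CLASSES\s*=\s*(.*)$", line)
        if m:
            classes.update(m.group(1).split())
            collecting = True
        elif collecting and line.startswith(" "):
            classes.update(line.split())
        else:
            collecting = False
    return classes


def devsup_value(devsup_text, keyword):
    """Value of KEYWORD=VALUE in a DEVSUPxx member (upper-cased), or None."""
    m = re.search(r"\b%s\s*=\s*([A-Za-z0-9]+)" % re.escape(keyword), devsup_text)
    return m.group(1).upper() if m else None


def ichblp_defined(rlist_text):
    """True when RLIST FACILITY ICHBLP lists the profile rather than
    reporting it NOT FOUND."""
    if "NOT FOUND" in rlist_text:
        return False
    return re.search(r"^FACILITY\s+ICHBLP\b", rlist_text, re.M) is not None


def review(setropts_text, devsup_text, rlist_text):
    """Combine the three inputs into the findings a reviewer would report."""
    active = active_classes(setropts_text)
    tapevol = "TAPEVOL" in active
    tempdsn = "TEMPDSN" in active
    tapeauthdsn = devsup_value(devsup_text, "TAPEAUTHDSN") == "YES"
    defined = ichblp_defined(rlist_text)
    # Per the thread: ICHBLP is consulted only when TAPEVOL is active or
    # DEVSUPxx TAPEAUTHDSN=YES; otherwise the profile is never checked.
    guarded = defined and (tapevol or tapeauthdsn)
    findings = []
    if not tapevol:
        findings.append("TAPEVOL inactive: RACF_TAPEVOL_ACTIVE would raise IRRH229E")
    if not tempdsn:
        findings.append("TEMPDSN inactive: RACF_TEMPDSN_ACTIVE would raise IRRH229E")
    if defined and not guarded:
        findings.append("ICHBLP defined but never checked: activate TAPEVOL "
                        "or set DEVSUPxx TAPEAUTHDSN=YES")
    if not defined:
        findings.append("no FACILITY ICHBLP profile: nothing for RACF to enforce for BLP")
    return {
        "tapevol_active": tapevol,
        "tempdsn_active": tempdsn,
        "tapeauthdsn": tapeauthdsn,
        "ichblp_defined": defined,
        "blp_guarded": guarded,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, devsup in (("TAPEAUTHDSN=NO", DEVSUPXX_OFF), ("TAPEAUTHDSN=YES", DEVSUPXX_ON)):
        result = review(SETROPTS_LIST, devsup, RLIST_ICHBLP)
        print(label, "-> BLP guarded by ICHBLP:", result["blp_guarded"])
        for finding in result["findings"]:
            print("  -", finding)
```

With the constructed inputs the first run reports both health-check items plus the "ICHBLP defined but never checked" condition that Shmuel asked about; flipping only the DEVSUPxx value to TAPEAUTHDSN=YES clears that third finding without touching TAPEVOL, which is the alternative Bob describes for DFSMSrmm shops.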