Re: SDSF authorizing - AUTH(ALL)
Mark, No, we missed that too. AND, I see there is now an AUTH=(ALLOPER) and an AUTH=(ALLUSER), which I now need to investigate and see what's under them. At 03:53 PM 10/4/2005, you wrote: Speaking of SDSF authorizations... Did anyone using ISFPRMxx or ISFPARMS notice that you can now specify AUTH(ALL) as of z/OS 1.5 instead of listing all of the individual commands? I didn't until the SDSF PTF was applied to support the new CK (Health Checker) command and I went to add the new authority. Missed this when we upgraded from z/OS 1.4 to z/OS 1.6. Adding new SDSF commands (for sysprogs) was always part of our OS upgrade check list and we don't have to worry about that now - at least for the "SDSF super users". Of course if you use SAF and have your sysprogs authorized to a default profile of ISFCMD.** then you don't need to worry about it either. Mark -- Mark Zelden Sr. Software and Systems Architect - z/OS Team Lead Zurich North America and Farmers Insurance Group mailto: [EMAIL PROTECTED] Systems Programming expert at http://Search390.com/ateExperts/ Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html Brian W. France Systems Administrator (Mainframe) Pennsylvania State University Administrative Information Services - Infrastructure/Sysarc Rm 25 Shields Bldg., University Park, Pa. 16802 814-863-4739 [EMAIL PROTECTED] -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SDSF authorizing
OK I moved her entrie above the DSFA entrie and she still gets put into the group that is defined to the IUID(DSFA) which is now after IUID(DSFADJP). I am noe think that I will have to define a unice IUID for all DSFA users. Does this sound right? If any one wants to e-amil me please use my work id [EMAIL PROTECTED] Thanks John WOlf -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SDSF authorizing
Yes - you need to move her entry before the more generic one. In SDSF parms, first hit counts, not best fit. Don Imbriale >-Original Message- >From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf >Of John C. Wolf >Sent: Tuesday, October 04, 2005 3:54 PM >To: IBM-MAIN@BAMA.UA.EDU >Subject: Re: SDSF authorizing > >Rich, >In your message you asked me to have her do a who and you were right the >relevant fieldes GRPINDEX=48,GRPNAME=ISF00048 are for the group which is >directly ahead of her and their IUID is IUID(DFSA) which is the high order >four bytes of her id which is DFSADJP. >So what should I do? should I move her entry before the DFSA entry? > *** Bear Stearns is not responsible for any recommendation, solicitation, offer or agreement or any information about any transaction, customer account or account activity contained in this communication. *** -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SDSF authorizing
Yes. The most restrictive entries have to be first. Bob John C. Wolf wrote: Rich, In your message you asked me to have her do a who and you were right the relevant fieldes GRPINDEX=48,GRPNAME=ISF00048 are for the group which is directly ahead of her and their IUID is IUID(DFSA) which is the high order four bytes of her id which is DFSADJP. So what should I do? should I move her entry before the DFSA entry? Thanks John Wolf -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SDSF authorizing - AUTH(ALL)
Speaking of SDSF authorizations... Did anyone using ISFPRMxx or ISFPARMS notice that you can now specify AUTH(ALL) as of z/OS 1.5 instead of listing all of the individual commands? I didn't until the SDSF PTF was applied to support the new CK (Health Checker) command and I went to add the new authority. Missed this when we upgraded from z/OS 1.4 to z/OS 1.6. Adding new SDSF commands (for sysprogs) was always part of our OS upgrade check list and we don't have to worry about that now - at least for the "SDSF super users". Of course if you use SAF and have your sysprogs authorized to a default profile of ISFCMD.** then you don't need to worry about it either. Mark -- Mark Zelden Sr. Software and Systems Architect - z/OS Team Lead Zurich North America and Farmers Insurance Group mailto: [EMAIL PROTECTED] Systems Programming expert at http://Search390.com/ateExperts/ Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SDSF authorizing
Rich, In your message you asked me to have her do a who and you were right the relevant fieldes GRPINDEX=48,GRPNAME=ISF00048 are for the group which is directly ahead of her and their IUID is IUID(DFSA) which is the high order four bytes of her id which is DFSADJP. So what should I do? should I move her entry before the DFSA entry? Thanks John Wolf -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SDSF authorizing
John, Have you tried trying on tracing in JES2 for security? It might provide ACF2 messages that could help in identifying this issue? Lizette Koehler - Original Message - From: "John C. Wolf" <[EMAIL PROTECTED]> Newsgroups: bit.listserv.ibm-main To: Sent: Tuesday, October 04, 2005 12:41 PM Subject: Re: SDSF authorizing Does she have the appropriate RACF authorities in the JESSPOOL class? We use ACF2 here and she can look at her own jobs output all right. We control our SDSF users via the SDSF parm route. John Wolf -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SDSF authorizing
Does she have the appropriate RACF authorities in the JESSPOOL class? We use ACF2 here and she can look at her own jobs output all right. We control our SDSF users via the SDSF parm route. John Wolf -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SDSF authorizing
Yes I did a 'f sdsf,refresh,m=22' after SDSF said that it had refreshed the parms I had our user logoff TSO and log back on no go. We use ACF2 here and we control our SDSF users via the SDFF parms and don't use ACf2 -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SDSF authorizing
She could be falling into another entry. Confirm correct entry by having her issue the "who" command form the SDSF prompt. You will be looking for the GRPINDEX and the GRPNAME which should correlate to your definitions. Rich -Original Message- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] Behalf Of McKown, John Sent: Tuesday, October 04, 2005 2:50 PM To: IBM-MAIN@BAMA.UA.EDU Subject: Re: SDSF authorizing > -Original Message- > From: IBM Mainframe Discussion List > [mailto:[EMAIL PROTECTED] On Behalf Of John C. Wolf > Sent: Tuesday, October 04, 2005 1:22 PM > To: IBM-MAIN@BAMA.UA.EDU > Subject: SDSF authorizing > > > I havew a problem with SDSF under z/OS 1.4. I have a user who needs to > see jobs which are not hers. She can see a listing of all the jobs she > just can't look at any output. > The folling are the SDSFPARMS entries that I have set up but > they don't > work. She still gets 'Not authorized for job' message when she tres to > look at any output. > IUID(DSFADJP), > ACTION(ALL), > AUTH(DA,H,I,INPUT,O,PR,ST,INIT,PREF,DEST,FINDLIM), > DADFLT(IN,OUT,TRANS,READY,STC,INIT,TSU,JOB), > DSPAUTH(ALL), > ICMD(IDSFADJP), > IDSP(IDSFADJP), > The rest follow but I woun't bore you all with them. > Here are a few NTBL entries: > NTBL NAME(IDSFADJP) > NTBLENT STRING(A700SFA),OFFSET(1) > There are a lot more entries but these are the ones which I > think control > what I am trying to do. > She is trying to see jobs which are SFA I have entered all the job > names which end with SFA. > Thank for any help > > > John Wolf sysprog University of Cincinnati voice 513-556-0009 Does she have the appropriate RACF authorities in the JESSPOOL class? -- John McKown Senior Systems Programmer UICI Insurance Center Information Technology This message (including any attachments) contains confidential information intended for a specific individual and purpose, and its' content is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this transmission, or taking any action based on it, is strictly prohibited. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SDSF authorizing
Did you refresh the SDSF server? Did you have the user re-enter SDSF (as in =s) after doing so? [...(SFA),OFFSET(5) is easier.] Bob John C. Wolf wrote: I havew a problem with SDSF under z/OS 1.4. I have a user who needs to see jobs which are not hers. She can see a listing of all the jobs she just can't look at any output. The folling are the SDSFPARMS entries that I have set up but they don't work. She still gets 'Not authorized for job' message when she tres to look at any output. IUID(DSFADJP), ACTION(ALL), AUTH(DA,H,I,INPUT,O,PR,ST,INIT,PREF,DEST,FINDLIM), DADFLT(IN,OUT,TRANS,READY,STC,INIT,TSU,JOB), DSPAUTH(ALL), ICMD(IDSFADJP), IDSP(IDSFADJP), The rest follow but I woun't bore you all with them. Here are a few NTBL entries: NTBL NAME(IDSFADJP) NTBLENT STRING(A700SFA),OFFSET(1) There are a lot more entries but these are the ones which I think control what I am trying to do. She is trying to see jobs which are SFA I have entered all the job names which end with SFA. Thank for any help John Wolf sysprog University of Cincinnati voice 513-556-0009 -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: SDSF authorizing
> -Original Message- > From: IBM Mainframe Discussion List > [mailto:[EMAIL PROTECTED] On Behalf Of John C. Wolf > Sent: Tuesday, October 04, 2005 1:22 PM > To: IBM-MAIN@BAMA.UA.EDU > Subject: SDSF authorizing > > > I havew a problem with SDSF under z/OS 1.4. I have a user who needs to > see jobs which are not hers. She can see a listing of all the jobs she > just can't look at any output. > The folling are the SDSFPARMS entries that I have set up but > they don't > work. She still gets 'Not authorized for job' message when she tres to > look at any output. > IUID(DSFADJP), > ACTION(ALL), > AUTH(DA,H,I,INPUT,O,PR,ST,INIT,PREF,DEST,FINDLIM), > DADFLT(IN,OUT,TRANS,READY,STC,INIT,TSU,JOB), > DSPAUTH(ALL), > ICMD(IDSFADJP), > IDSP(IDSFADJP), > The rest follow but I woun't bore you all with them. > Here are a few NTBL entries: > NTBL NAME(IDSFADJP) > NTBLENT STRING(A700SFA),OFFSET(1) > There are a lot more entries but these are the ones which I > think control > what I am trying to do. > She is trying to see jobs which are SFA I have entered all the job > names which end with SFA. > Thank for any help > > > John Wolf sysprog University of Cincinnati voice 513-556-0009 Does she have the appropriate RACF authorities in the JESSPOOL class? -- John McKown Senior Systems Programmer UICI Insurance Center Information Technology This message (including any attachments) contains confidential information intended for a specific individual and purpose, and its' content is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this transmission, or taking any action based on it, is strictly prohibited. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html