Re: FACILITY Class profile BPX.DEFAULT.USER in zOS 2.1
Amen. On Oct 30, 2013 12:00 PM, "John McKown" wrote: > IMO, use of UID(0) for a non-BCP component by a vendor or by IBM is simply > an indication that the software designer is too damn lazy to determine what > access they really need and simply refuse to spend the effort (and money) > to determine which of the UNIXPRIV authorities might actually let them do > what they need. Or just have the SUPERUSER privilege in order to switch > into "root" for a short time to do something. IMO, it would be like saying > that the program run by an STC needed to be put into the SCHEDxx member of > PARMLIB to run non-cancelable and in PSW key 0 with a RACF id which had > OPERATIONS authority. > > > > > > In one of my client's sysplexes non UID(0) UIDs are shared between a > > certain > > group of end users (1000s of them in some cases) and that also has to be > > remediated also. But that is an AIM issue only because that sysplex > didn't > > use BPX.DEFAULT.USER. BPX.UNIQUE.USER would help, but it's a catch 22. > > > > BTW, this issue does affect ACF2 and Top Secret as well. > > > > Mark > > -- > > > > > -- > This is clearly another case of too many mad scientists, and not enough > hunchbacks. > > Maranatha! <>< > John McKown > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FACILITY Class profile BPX.DEFAULT.USER in zOS 2.1
Specifics are for MXG users, but the APAR is a general note: Change 30.268 RACF317='BPX*DEFAULT*USER*USED?' is added to TYPE8028 VMAC80Athru TYPE8065 to identify if the FACILITY class profile Dec 25, 2012 BPX.DEFAULT.USER is being used; that facility will NOT exist in z/OS 2.1 (because it allowed many users of UNIX system services to share a UID and GID, no longer a good idea and FACILITY class profile BPX.UNIQUE.USER or other alternatives are REQUIRED with z/OS 2.1). RACF317 will be Y/N if a SMF80DTP=317 segment exists, otherwise, blank. Note that APAR OA37164 added detection in the Health and Migration Checks, for an alternative to determine if the profile is being used. Barry -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FACILITY Class profile BPX.DEFAULT.USER in zOS 2.1
On Wed, 30 Oct 2013 10:59:55 -0500, John McKown wrote: >IMO, use of UID(0) for a non-BCP component by a vendor or by IBM is simply >an indication that the software designer is too damn lazy to determine what >access they really need and simply refuse to spend the effort (and money) >to determine which of the UNIXPRIV authorities might actually let them do >what they need. Or just have the SUPERUSER privilege in order to switch >into "root" for a short time to do something. IMO, it would be like saying >that the program run by an STC needed to be put into the SCHEDxx member of >PARMLIB to run non-cancelable and in PSW key 0 with a RACF id which had >OPERATIONS authority. > > Agree!! That is why I was surprised to still see UID(0) documented for some of the software other teams supported (database, monitors). OTOH, some software has been updated over the years and has documented procedures for not using UID(0) and can make use of BPX.SUPERUSER. -- Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS mailto:m...@mzelden.com ITIL v3 Foundation Certified Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html Systems Programming expert at http://search390.techtarget.com/ateExperts/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FACILITY Class profile BPX.DEFAULT.USER in zOS 2.1
On Wed, 30 Oct 2013 16:57:31 +0100, R.S. wrote: >Well, AIM3 (and AIM at all) was introduced in OS/390 2.10 AFAIR, approx >13 years ago. >It's much more time, than BPX.UNIQUE.USER - it was new feature in z/OS >1.11 and have-to-be-done in 1.13. Big difference. Yes, I recall trying to get my client to go to AIM 3 sometime around 2003, but it had the same restriction then with shared UIDs and they didn't want to do the remediation. >BTW: IMHO *both* changes (AIM and UNIQUE.USER) are relatively simple to >perform, but that's another story. Yes, assuming you don't have the remediation issue my client has. I haven't looked at the doc in a while, but I think the AIM migration suggests IPLs between certain steps or there could be problems with the unix mapping. That will be a big problem for my client and defeats the purpose of 24 x 7 parallel sysplex application availability since the RACF DB is a single shared resource. Mark -- Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS mailto:m...@mzelden.com ITIL v3 Foundation Certified Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html Systems Programming expert at http://search390.techtarget.com/ateExperts/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FACILITY Class profile BPX.DEFAULT.USER in zOS 2.1
IMO, use of UID(0) for a non-BCP component by a vendor or by IBM is simply an indication that the software designer is too damn lazy to determine what access they really need and simply refuse to spend the effort (and money) to determine which of the UNIXPRIV authorities might actually let them do what they need. Or just have the SUPERUSER privilege in order to switch into "root" for a short time to do something. IMO, it would be like saying that the program run by an STC needed to be put into the SCHEDxx member of PARMLIB to run non-cancelable and in PSW key 0 with a RACF id which had OPERATIONS authority. > In one of my client's sysplexes non UID(0) UIDs are shared between a > certain > group of end users (1000s of them in some cases) and that also has to be > remediated also. But that is an AIM issue only because that sysplex didn't > use BPX.DEFAULT.USER. BPX.UNIQUE.USER would help, but it's a catch 22. > > BTW, this issue does affect ACF2 and Top Secret as well. > > Mark > -- > -- This is clearly another case of too many mad scientists, and not enough hunchbacks. Maranatha! <>< John McKown -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FACILITY Class profile BPX.DEFAULT.USER in zOS 2.1
W dniu 2013-10-30 16:27, Mark Zelden pisze: Usually customers have more time to migrate off fading solution/technique. Not to mention ISAM or IMBED... It's a bit more complicated than just migrating to BPX.UNIQUE.USER. You have to be at AIM (Application identity Mapping ) stage 3 for RACF. However, you can't convert to AIM 3 if you have more than 129 userids sharing a UID. There are a number of IBM products that still require or at least document using UID(0) and when you clone that usage to various STCs / userids between prod/devl/qa etc. that limit can be hit easily.Remediation work is in progress for this at my client and I'm hoping it doesn't delay a z/OS 2.1 migration in production next year (usually starts around April or May). Yes, I've been warning the RACF team about this for over 2 years since z/OS 1.13 planning started, but no action was taken. So to Radoslaw's point, it really doesn't matter how much time IBM gives for some of these things. Shops don't take action until they are forced to. In one of my client's sysplexes non UID(0) UIDs are shared between a certain group of end users (1000s of them in some cases) and that also has to be remediated also. But that is an AIM issue only because that sysplex didn't use BPX.DEFAULT.USER. BPX.UNIQUE.USER would help, but it's a catch 22. Well, AIM3 (and AIM at all) was introduced in OS/390 2.10 AFAIR, approx 13 years ago. It's much more time, than BPX.UNIQUE.USER - it was new feature in z/OS 1.11 and have-to-be-done in 1.13. Big difference. BTW: IMHO *both* changes (AIM and UNIQUE.USER) are relatively simple to perform, but that's another story. Regards -- Radoslaw Skorupka Lodz, Poland -- Treść tej wiadomości może zawierać informacje prawnie chronione Banku przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie lub inne działanie o podobnym charakterze jest prawnie zabronione i może być karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku. This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorised to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive. BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00, fax +48 (22) 829 00 33, www.brebank.pl, e-mail: i...@brebank.pl Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców KRS 025237, NIP: 526-021-50-88. Według stanu na dzień 01.01.2013 r. kapitał zakładowy BRE Banku SA (w całości wpłacony) wynosi 168.555.904 złotych. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FACILITY Class profile BPX.DEFAULT.USER in zOS 2.1
>Usually customers have more time to migrate off fading solution/technique. >Not to mention ISAM or IMBED... It's a bit more complicated than just migrating to BPX.UNIQUE.USER. You have to be at AIM (Application identity Mapping ) stage 3 for RACF. However, you can't convert to AIM 3 if you have more than 129 userids sharing a UID. There are a number of IBM products that still require or at least document using UID(0) and when you clone that usage to various STCs / userids between prod/devl/qa etc. that limit can be hit easily.Remediation work is in progress for this at my client and I'm hoping it doesn't delay a z/OS 2.1 migration in production next year (usually starts around April or May). Yes, I've been warning the RACF team about this for over 2 years since z/OS 1.13 planning started, but no action was taken. So to Radoslaw's point, it really doesn't matter how much time IBM gives for some of these things. Shops don't take action until they are forced to. In one of my client's sysplexes non UID(0) UIDs are shared between a certain group of end users (1000s of them in some cases) and that also has to be remediated also. But that is an AIM issue only because that sysplex didn't use BPX.DEFAULT.USER. BPX.UNIQUE.USER would help, but it's a catch 22. BTW, this issue does affect ACF2 and Top Secret as well. Mark -- Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS mailto:m...@mzelden.com ITIL v3 Foundation Certified Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html Systems Programming expert at http://search390.techtarget.com/ateExperts/ -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FACILITY Class profile BPX.DEFAULT.USER in zOS 2.1
This is pretty old ... Have seen this several times in the past . And of course...There are bigger fishes to fry :) On Wednesday, October 30, 2013 6:57 PM, Lizette Koehler wrote: If you have not done so, you can join the RACF newsgroup with this URL http://www.listserv.uga.edu/archives/racf-l.html Lizette > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Elardus Engelbrecht > Sent: Wednesday, October 30, 2013 5:35 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: FACILITY Class profile BPX.DEFAULT.USER in zOS 2.1 > > RCG wrote: > > >Not sure if this was already discussed / notified... So for the benefit of > >everyone.. > > It was discussed here and also on RACF-L. Check out RACF-L for lots of > discussion of that profile. > > >The FACILITY class profile BPX.DEFAULT.USER is not supported in z/OS 2.1. > > This was mentioned since z/OS 1.11 (if I remember correctly) and that z/OS > v1.13 > would be the last z/OS which support it. > > In fact, BPX.UNIQUE.USER was introduced in z/OS v1.11. > > Groete / Greetings > Elardus Engelbrecht > > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FACILITY Class profile BPX.DEFAULT.USER in zOS 2.1
W dniu 2013-10-30 13:35, Elardus Engelbrecht pisze: [...] This was mentioned since z/OS 1.11 (if I remember correctly) and that z/OS v1.13 would be the last z/OS which support it. In fact, BPX.UNIQUE.USER was introduced in z/OS v1.11. Usually customers have more time to migrate off fading solution/technique. Not to mention ISAM or IMBED... My €0.02 -- Radoslaw Skorupka Lodz, Poland -- Treść tej wiadomości może zawierać informacje prawnie chronione Banku przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie lub inne działanie o podobnym charakterze jest prawnie zabronione i może być karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku. This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorised to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive. BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00, fax +48 (22) 829 00 33, www.brebank.pl, e-mail: i...@brebank.pl Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców KRS 025237, NIP: 526-021-50-88. Według stanu na dzień 01.01.2013 r. kapitał zakładowy BRE Banku SA (w całości wpłacony) wynosi 168.555.904 złotych. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FACILITY Class profile BPX.DEFAULT.USER in zOS 2.1
If you have not done so, you can join the RACF newsgroup with this URL http://www.listserv.uga.edu/archives/racf-l.html Lizette > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Elardus Engelbrecht > Sent: Wednesday, October 30, 2013 5:35 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: FACILITY Class profile BPX.DEFAULT.USER in zOS 2.1 > > RCG wrote: > > >Not sure if this was already discussed / notified... So for the benefit of > >everyone.. > > It was discussed here and also on RACF-L. Check out RACF-L for lots of > discussion of that profile. > > >The FACILITY class profile BPX.DEFAULT.USER is not supported in z/OS 2.1. > > This was mentioned since z/OS 1.11 (if I remember correctly) and that z/OS > v1.13 > would be the last z/OS which support it. > > In fact, BPX.UNIQUE.USER was introduced in z/OS v1.11. > > Groete / Greetings > Elardus Engelbrecht > > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: FACILITY Class profile BPX.DEFAULT.USER in zOS 2.1
RCG wrote: >Not sure if this was already discussed / notified... So for the benefit of >everyone.. It was discussed here and also on RACF-L. Check out RACF-L for lots of discussion of that profile. >The FACILITY class profile BPX.DEFAULT.USER is not supported in z/OS 2.1. This was mentioned since z/OS 1.11 (if I remember correctly) and that z/OS v1.13 would be the last z/OS which support it. In fact, BPX.UNIQUE.USER was introduced in z/OS v1.11. Groete / Greetings Elardus Engelbrecht -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
FACILITY Class profile BPX.DEFAULT.USER in zOS 2.1
Dear group, Not sure if this was already discussed / notified... So for the benefit of everyone.. The FACILITY class profile BPX.DEFAULT.USER is not supported in z/OS 2.1. > BPX.DEFAULT.USER provides users without OMVS segment a 'temporary' OMVS > segment when USS services are invoked. > > So, before migrating to z/OS 2.1, you will need to check if the FACILITY > class profile BPX.DEFAULT.USER is defined. If it is defined, you need to > remediate the profile (i.e. you can't just delete the profile), by defining > new profiles to allow automatic UID / GID assignment.. Thank you ! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
