Re: DB2 access and administration security
I believe the very short answer to this is: you give the DB2 GRANTs to RACF groups instead of individual users, and then you use RACF to do the administration of the RACF groups, that is: if anyone needs some DB2 rights, you make him or her a member of the proper RACF group. You need a naming convention to know what DB2 rights are contained in what RACF group. Maybe you could pack all tables that belong to an application or a system in one RACF group and make the name of the RACF group the name of the application or the system. Or: one RACF group for all the tables in your DB2 test or development system, etc.

Kind regards
Bernd

On 07.07.2012 15:06, Mohamed Juma wrote:

> Hi list,
> I have a concern about using RACF to secure the access to our database for users and administration instead of using internal security. Can anyone give me a clue for such an implementation?
>
> Mohamed Juma

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
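Bernd's scheme above written out as commands, as an added example that is not from the original post or from any poster in the thread. The RACF side is plain RACF TSO commands; the DB2 privileges are granted once, as SQL, to the group name. The group names DB2GRPS and DB2PAYR, the table PAYROLL.EMP and the user IDs USER01/USER02 are placeholders chosen here. It assumes the installation runs IBM's sample DB2 connection and sign-on exits (DSN3@ATH and DSN3@SGN) with SETROPTS GRPLIST active, which is what makes a user's RACF group connections show up in DB2 as secondary authorization IDs; without that, the GRANT to a group name has no effect. The comment lines are CLIST-style; at the READY prompt type only the commands.

```tso
/* Added example, not from the thread. DB2GRPS, DB2PAYR, USER01 and */
/* USER02 are placeholders; PAYROLL.EMP is a made-up table.         */

/* 1. Naming convention: one RACF group per application, named     */
/*    DB2 + application, with the contained rights in the DATA      */
/*    field so an auditor can read them from LISTGRP alone.         */
/*    (RACF group names are at most 8 characters.)                  */
ADDGROUP DB2PAYR SUPGROUP(DB2GRPS) OWNER(DB2GRPS) DATA('DB2 PAYROLL TABLES: SELECT INSERT UPDATE')

/* 2. Grant the DB2 privileges once, to the group name. This line   */
/*    is SQL, issued in SPUFI or DSNTEP2, not a TSO command:        */
/*    GRANT SELECT, INSERT, UPDATE ON TABLE PAYROLL.EMP TO DB2PAYR; */

/* 3. From now on, giving or taking away payroll access is a RACF   */
/*    CONNECT or REMOVE; no further DB2 GRANT/REVOKE is needed.     */
CONNECT USER01 GROUP(DB2PAYR) AUTHORITY(USE)
REMOVE  USER02 GROUP(DB2PAYR)

/* 4. Review: who holds the payroll rights today, and which groups  */
/*    (and therefore which DB2 rights) does a given user carry?     */
LISTGRP DB2PAYR
LISTUSER USER01
```

The point of the DATA field in step 1 is the naming convention Bernd asks for: the group name says which application, and the DATA text says which DB2 rights, so the RACF database itself documents the mapping.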
Re: RACF question
Craig,

Here is the problem in a nutshell. Customer has a z/OS 1.11 environment. The term used for the security environment was "hardened". But the customer doesn't know their security environment, no documentation, etc. So, we are trying to determine what is causing the S306-30 abend. What RACF commands can we use to determine what is or isn't required for product installation? I need some suggestions... any help is appreciated.

Scott Ford
www.identityforge.com

On Jul 6, 2012, at 5:15 PM, craig.p...@fotlinc.com wrote:

> Not always. Here is the ABEND 306-30 documentation:
>
> The user attempted to use a controlled program but is not authorized by RACF to use that program. This can occur when a user has EXECUTE access to a program library's data set profile, even if none of the program modules involved are RACF program protected. Have the system security administrator grant you READ access to the data set profile instead.
>
> Thanks,
> Craig
>
> From: Scott Ford scott_j_f...@yahoo.com
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 07/06/2012 15:34
> Subject: RACF question
> Sent by: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU
>
>> All,
>> I have a question. I have a customer receiving a CSV0025I abend S306-30 on an ADDUSER. Shouldn't we be seeing an ICH408I message?
>>
>> Scott Ford
>> www.identityforge.com
Re: RACF question
How is the ADDUSER/AU being invoked? If in batch TSO as a TSO command, it should only require RACF SPECIAL authority by the invoking userid (and correct definition to TSO of RACF authorized commands). Unless program access is specifically disallowed by PROGRAM profiles, I would have thought EXECUTE dsn access would be sufficient as long as it is loaded via LINKLST. If it is being invoked from some script as 'SYS1.LINKLIB(ADDUSER)' that is a different issue, as that syntax says you are potentially invoking something not in LINKLST; and since ADDUSER is a TSO command processor, it really shouldn't be invoked that way.

JC Ewing

On 07/07/2012 01:42 PM, Scott Ford wrote:

> Craig,
> Here is the problem in a nutshell. Customer has a z/OS 1.11 environment. ...

--
Joel C. Ewing, Bentonville, AR
jcew...@acm.org
Re: SYNCSORT - Save a data item for use in OUTREC output
Use an E15 exit to read the input file, store the value you need to preserve, and on each successive record just overwrite with the saved value and pass the record to sort. I have a few examples of E15 exit code, but the SYNCSORT manual should have some examples of exit code.

Wayne Bickerdike

On Sat, Jul 7, 2012 at 7:40 AM, George, William@FTB william.geo...@ftb.ca.gov wrote:

> Sorry, the formatting didn't retain how I had originally keyed it.
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of George, William@FTB
> Sent: Friday, July 06, 2012 2:36 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: SYNCSORT - Save a data item for use in OUTREC output
>
> Is there a means via SYNCSORT to save a data item found on the 1st input record and then have it placed on all subsequent output records? For example:
>
> 1. Input 1 - 07/06/2012 asfasdlfjl. (save the date 07/06/2012 and do not output the record)
> 2. Input 2 - poiutkjgfertqe
>    Output - 07/06/2012 poiutkjgfertqe... That is, place the saved data item (date) someplace in the output record
> 3. Input 3 - (same as #2 and to the end of file)
>
> Thanks for any insights.

--
Wayne V. Bickerdike
Re: RACF question
Joel,

Here's the exact error:

11.51.03 STC00472 CSV025I PROGRAM CONTROLLED MODULE ADDUSER NOT ACCESSED, USE
11.51.03 STC00472 IEF196I CSV025I PROGRAM CONTROLLED MODULE ADDUSER NOT ACCES
11.51.03 STC00472 IEF196I UNAUTHORIZED
11.51.03 STC00472 CSV028I ABEND306-30 JOBNAME=RACF STEPNAME=RACF
11.51.03 STC00472 IEF196I CSV028I ABEND306-30 JOBNAME=RACF STEPNAME=RACF

Scott Ford
www.identityforge.com

On Jul 7, 2012, at 4:11 PM, Scott Ford scott_j_f...@yahoo.com wrote:

> Joel,
> Thank you very much. We are working with the customer on Monday. So I have homework..
>
> Scott Ford
> www.identityforge.com
>
> On Jul 7, 2012, at 4:05 PM, Joel C. Ewing jcew...@acm.org wrote:
>
>> Since the error does explicitly complain about authorization for a controlled program, check for existence of PROGRAM profiles of ** or ADDUSER with an associated member entry with SYS1.LINKLIB, and if they exist whether the address space getting the error runs with a userid that would have READ access to the controlling profile. Particularly with a PROGRAM ** profile designed to cover linklist libraries, UACC(READ) would be typical. If the request is coming from a RESTRICTED userid, that could mean it wouldn't see UACC permits and would require explicit access either directly or via a connected group. If you end up altering any program profiles, don't forget to REFRESH the in-memory PROGRAM profiles before testing.
>>
>> JC Ewing
>>
>> On 07/07/2012 02:36 PM, Scott Ford wrote:
>>
>>> Hey Joel,
>>> We invoke via IRRSEQ00; the permits are good for IRR.RADMIN.ADDUSER, etc., so those permits are good. We run our product as a STC with SPECIAL, no issue there.
>>>
>>> Scott Ford
>>> www.identityforge.com
>>>
>>> On Jul 7, 2012, at 3:00 PM, Joel C. Ewing jcew...@acm.org wrote:
>>>
>>>> How is the ADDUSER/AU being invoked? ...
>>>>
>>>> --
>>>> Joel C. Ewing, Bentonville, AR
>>>> jcew...@acm.org

--
Joel C. Ewing, Bentonville, AR
jcew...@acm.org
Off topic
Has anyone had messages disappear when they sent them to the listserv?

Scott Ford
www.identityforge.com
Fwd: RACF question
Scott Ford
www.identityforge.com

Begin forwarded message:

From: Scott Ford scott_j_f...@yahoo.com
Date: July 7, 2012 4:49:13 PM EDT
To: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACF question

Joel,

Here's the exact error:

11.51.03 STC00472 CSV025I PROGRAM CONTROLLED MODULE ADDUSER NOT ACCESSED, USE
11.51.03 STC00472 IEF196I CSV025I PROGRAM CONTROLLED MODULE ADDUSER NOT ACCES
11.51.03 STC00472 IEF196I UNAUTHORIZED
11.51.03 STC00472 CSV028I ABEND306-30 JOBNAME=RACF STEPNAME=RACF
11.51.03 STC00472 IEF196I CSV028I ABEND306-30 JOBNAME=RACF STEPNAME=RACF

I tried to post this, had problems.

Scott Ford
www.identityforge.com

On Jul 7, 2012, at 4:11 PM, Scott Ford scott_j_f...@yahoo.com wrote:

> Joel,
> Thank you very much. We are working with the customer on Monday. So I have homework..
>
> On Jul 7, 2012, at 4:05 PM, Joel C. Ewing jcew...@acm.org wrote:
>
>> Since the error does explicitly complain about authorization for a controlled program, check for existence of PROGRAM profiles of ** or ADDUSER with an associated member entry with SYS1.LINKLIB ...
Re: Off topic
There's some pretty nasty malware going around, supposed to strike 'Monday', whenever that is. Usually run with ACK as listserv option and the server will confirm receipt. Course iffin it's in Estonia where it's routed may not mean much.

In a message dated 7/7/2012 5:05:19 P.M. Central Daylight Time, scott_j_f...@yahoo.com writes:

> Has anyone had messages disappear when they sent them to the listserv?
Re: Off topic
On 7/7/2012 4:21 PM, Ed Finnell wrote:

> There's some pretty nasty malware going around, supposed to strike 'Monday', whenever that is. Usually run with ACK as listserv option and the server will confirm receipt. Course iffin it's in Estonia where it's routed may not mean much.

I've heard snippets about this. Is there any believable source for the story?

> In a message dated 7/7/2012 5:05:19 P.M. Central Daylight Time, scott_j_f...@yahoo.com writes:
>
>> Has anyone had messages disappear when they sent them to the listserv?

--
Kind regards,
-Steve Comstock
The Trainer's Friend, Inc.
303-355-2752
http://www.trainersfriend.com

* To get a good Return on your Investment, first make an investment!
  + Training your people is an excellent investment
* Try our tool for calculating your Return On Investment for training dollars at http://www.trainersfriend.com/ROI/roi.html
Re: RACF question
Do you, somehow, have a STEPLIB in the RACF started task? If so, is it (they, if multiple) in the appropriate profile in the PROGRAM class? Also, are all the DSNs APF authorized? If no STEPLIB, look in your LINKLIST. What DSN is ADDUSER being fetched from? If you use DDLIST, then LINKLIST, you can do a MEMBER ADDUSER LINKLIST command to find out. If there are multiple (shouldn't be!), then look at the first DSN. Depending on the LNKTAB parameter in IEASYSnn, the DSN may need to be specifically APF authorized. Also, make sure it is in the appropriate profile in the PROGRAM class.

On Sat, 2012-07-07 at 16:49 -0400, Scott Ford wrote:

> Joel,
> Here's the exact error:
>
> 11.51.03 STC00472 CSV025I PROGRAM CONTROLLED MODULE ADDUSER NOT ACCESSED, USE
> 11.51.03 STC00472 IEF196I CSV025I PROGRAM CONTROLLED MODULE ADDUSER NOT ACCES
> 11.51.03 STC00472 IEF196I UNAUTHORIZED
> 11.51.03 STC00472 CSV028I ABEND306-30 JOBNAME=RACF STEPNAME=RACF
> 11.51.03 STC00472 IEF196I CSV028I ABEND306-30 JOBNAME=RACF STEPNAME=RACF
>
> Scott Ford
> www.identityforge.com
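The checks that Joel (PROGRAM profiles ** or ADDUSER, READ access, the RESTRICTED attribute, REFRESH after changes), Craig (EXECUTE instead of READ on the library's data set profile) and the STEPLIB/APF reply above describe, gathered into one diagnostic sequence. This is an added example, not commands from any poster in the thread. RACFSTC is a placeholder for the user ID the failing started task (STC00472 in the log) runs under; SYS1.LINKLIB is the library Joel names, so substitute whatever DDLIST shows ADDUSER is actually fetched from. The commands are standard RACF TSO commands; the comment lines are CLIST-style and are for the reader, so at the READY prompt type only the commands.

```tso
/* Added example, not from the thread. RACFSTC is a placeholder for */
/* the user ID of the started task that gets CSV025I / ABEND306-30.  */

/* 1. Is program control active, and which PROGRAM profiles exist?   */
/*    CSV025I means RACF treated ADDUSER as a controlled program, so */
/*    some PROGRAM profile (typically ** for linklist libraries, or  */
/*    ADDUSER itself) must be covering it.                           */
SETROPTS LIST
SEARCH CLASS(PROGRAM)
RLIST PROGRAM ** ALL
RLIST PROGRAM ADDUSER ALL
/*    In the RLIST output compare the member list (library DSN and   */
/*    volume) with the library ADDUSER comes from: DDLIST (ISRDDN),  */
/*    LINKLIST, then MEMBER ADDUSER. If the STC has a STEPLIB, that  */
/*    library must appear in the member list and be APF-authorized.  */
/*    Then look for RACFSTC, one of its groups, or UACC(READ) in the */
/*    profile's access list.                                         */

/* 2. A RESTRICTED user ID never gets access through UACC, ID(*) or  */
/*    global access checking, so UACC(READ) alone is not enough for  */
/*    it; it needs an explicit PERMIT, directly or via a group.      */
LISTUSER RACFSTC

/* 3. The library's data set profile: EXECUTE rather than READ gives */
/*    the same 306-30 even when no module is program-protected.      */
LISTDSD DATASET('SYS1.LINKLIB') ALL

/* 4. Least-privilege fix: READ on the one PROGRAM profile that      */
/*    covers ADDUSER (assumed here to be **), never a blanket change */
/*    to UACC, then refresh the in-storage PROGRAM profiles before   */
/*    retesting, or the old copies stay in effect.                   */
PERMIT ** CLASS(PROGRAM) ID(RACFSTC) ACCESS(READ)
SETROPTS WHEN(PROGRAM) REFRESH
```

Step 4 is conditional on what steps 1 to 3 show: if step 3 turns out to be the problem, the PERMIT goes on the data set profile at ACCESS(READ) instead, and if the user ID is RESTRICTED, the PERMIT is the only thing that will ever satisfy the check, however generous the UACC.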
Re: Off topic
Yes. I do not remember the name of the malware, but it redirected DNS to a hijacked one. The US FBI set up a clone of the hijacked DNS server and has been running it to take away the malware's power for better than a year. The reason for the Monday deadline is that is when the FBI is shutting down the cloned DNS server. Check Wired and Ars Technica. They have had articles about it within the past month or so.

Lloyd

----- Original Message -----
From: Steve Comstock st...@trainersfriend.com
To: IBM-MAIN@LISTSERV.UA.EDU
Sent: Sat, July 7, 2012 6:26:08 PM
Subject: Re: Off topic

> On 7/7/2012 4:21 PM, Ed Finnell wrote:
>
>> There's some pretty nasty malware going around, supposed to strike 'Monday', whenever that is. Usually run with ACK as listserv option and the server will confirm receipt. Course iffin it's in Estonia where it's routed may not mean much.
>
> I've heard snippets about this. Is there any believable source for the story?
>
> --
> Kind regards,
> -Steve Comstock
> The Trainer's Friend, Inc.