Re: Racf Userid

2024-01-11 Thread Robert S. Hansel (RSH)
Hi Shelia,

First off, in output of the LISTUSER command, find the most recent LAST-CONNECT 
date/time in the group connect information for all ID's groups. Most likely it 
will be associated with the ID's default group. If it is the same as the 
LAST-ACCESS date/time, then the latter was updated due to a logon. If the 
LAST-ACCESS date/time is later, then someone did an ALTUSER RESUME on the ID, 
in which case you'll want to examine SMF type 80 records for ALTUSER events.

If it appears to be a logon, you will want to examine SMF type 80 records for 
event JOBINIT (logon) and INITOEDP (Unix dub) as well as type 30 subtype 1 
records (TSO, Batch, and Started Task logons). Note that successful logons are 
often not logged. It all depends on how the resource manager processing the 
logon is designed and configured.

The SMF event names I'm referring to appear in the output of RACF's SMF unload 
utility. This utility converts raw SMF 80 and 30 records into text or XML 
output. If you have RACF administration add-on product such as zSecure, it will 
provide its own mechanisms for reporting from SMF data.

If the above doesn't yield any useful information, try adding the UAUDIT 
attribute to the ID to record all its access activity. This activity might 
provide some clues as to how and from where the ID is being used. If you have 
zSecure Access Monitor, it can also provide helpful access activity information.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel 
www.rshconsulting.com 
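Bob's LAST-CONNECT versus LAST-ACCESS rule applied in code, as an added example that is not from the original post or from RSH Consulting; the LISTUSER text, user ID, groups and dates are constructed, and a two-digit RACF year is assumed to mean 20yy:

```python
"""Triage how a RACF user ID was last used from LISTUSER output (added example)."""
import re
from datetime import datetime, timedelta

# Constructed LISTUSER output for a hypothetical ID ABC: field names and the
# yy.ddd/hh:mm:ss stamp format are what LISTUSER prints; every value is made up.
SAMPLE_LISTUSER = """\
USER=ABC  NAME=BATCH SERVICE ID   OWNER=SYSADM    CREATED=21.045
 DEFAULT-GROUP=BATCHGRP  PASSDATE=23.300  PASS-INTERVAL= 90  PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=24.007/05:06:12
 CLASS AUTHORIZATIONS=NONE
  GROUP=BATCHGRP  AUTH=USE      CONNECT-OWNER=SYSADM    CONNECT-DATE=21.045
    CONNECTS=   212  UACC=NONE     LAST-CONNECT=24.007/05:06:12
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
  GROUP=APPDEV    AUTH=USE      CONNECT-OWNER=SYSADM    CONNECT-DATE=22.300
    CONNECTS=     3  UACC=NONE     LAST-CONNECT=23.350/11:02:44
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
"""

RACF_STAMP = re.compile(r"(\d{2})\.(\d{3})/(\d{2}):(\d{2}):(\d{2})")

# Where to look next for each verdict, following the reply above.
NEXT_STEPS = {
    "logon": "SMF 80 JOBINIT / INITOEDP events and SMF 30 subtype 1 records",
    "altuser-resume-suspected": "SMF 80 ALTUSER events (the ID was resumed)",
    "never-used": "LAST-ACCESS is UNKNOWN: the ID has not been used yet",
    "no-connect-data": "no usable LAST-CONNECT stamps; consider adding UAUDIT",
    "inconsistent": "LAST-ACCESS is older than a LAST-CONNECT; re-check the output",
}


def parse_racf_stamp(text):
    """Convert a yy.ddd/hh:mm:ss stamp to a datetime; None for UNKNOWN/NONE.

    Assumes the two-digit year means 20yy (fine for the 2024 case above).
    """
    m = RACF_STAMP.fullmatch(text.strip())
    if not m:
        return None
    yy, ddd, hh, mm, ss = (int(g) for g in m.groups())
    return datetime(2000 + yy, 1, 1) + timedelta(days=ddd - 1, hours=hh,
                                                 minutes=mm, seconds=ss)


def parse_listuser(output):
    """Return (last_access, default_group, {group: last_connect}) from LISTUSER text."""
    last_access = default_group = current_group = None
    connects = {}
    for raw in output.splitlines():
        line = raw.strip()
        m = re.search(r"\bDEFAULT-GROUP=(\S+)", line)
        if m:
            default_group = m.group(1)
        m = re.match(r"LAST-ACCESS=(\S+)", line)
        if m:
            last_access = parse_racf_stamp(m.group(1))
        m = re.match(r"GROUP=(\S+)", line)      # start of one group-connect block
        if m:
            current_group = m.group(1)
        m = re.search(r"\bLAST-CONNECT=(\S+)", line)
        if m and current_group:
            connects[current_group] = parse_racf_stamp(m.group(1))
    return last_access, default_group, connects


def classify_last_access(output):
    """Compare the newest LAST-CONNECT with LAST-ACCESS, as the reply describes.

    Returns (verdict, group_with_newest_connect, last_access, newest_connect).
    """
    last_access, _default_group, connects = parse_listuser(output)
    known = {g: t for g, t in connects.items() if t is not None}
    if last_access is None:
        return "never-used", None, None, None
    if not known:
        return "no-connect-data", None, last_access, None
    group, newest = max(known.items(), key=lambda item: item[1])
    if newest == last_access:
        verdict = "logon"                       # LAST-ACCESS was set by a logon
    elif last_access > newest:
        verdict = "altuser-resume-suspected"    # touched without a connect
    else:
        verdict = "inconsistent"
    return verdict, group, last_access, newest


if __name__ == "__main__":
    verdict, group, access, connect = classify_last_access(SAMPLE_LISTUSER)
    print(f"{verdict}: LAST-ACCESS {access}, newest LAST-CONNECT {connect} ({group})")
    print("look at:", NEXT_STEPS[verdict])
```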

-Original Message-
Date:Wed, 10 Jan 2024 21:37:46 +
From:"Chalk, Shelia" 
Subject: Racf Userid

Hello,

I have a userid abc that was last accessed in RACF on 1/7/24 at 5:06 a.m. Is 
there a report or something that will tell me who (batch job, script, etc..) is 
using this userid?

Thanks
Shelia Chalk
Mainframe System Programmer
sch...@ssfcu.org

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: zOSMF install - SDSF ISFPRMxx

2023-12-08 Thread Robert S. Hansel (RSH)
Hi Peter,

You might also find my presentation on SDSF and RACF helpful, which I just 
posted on my website.

https://www.rshconsulting.com/RSHpres/RSH_Consulting__SDSF_and_RACF__November_2023.pdf

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel 
www.rshconsulting.com 

Upcoming RSH RACF Training - WebEx
- RACF Level I Administration - DEC 4-8, 2023
- RACF Level II Administration - MAR 18-22, 2024
- RACF Level III Admin, Audit, & Compliance - APR 8-12, 2024
- RACF - Securing z/OS UNIX  - FEB 26 - MAR 1, 2024

-Original Message-
Date:Sun, 3 Dec 2023 08:39:08 +0400
From:Peter 
Subject: Re: zOSMF install - SDSF ISFPRMxx

Hello Rob

Thank you so much for your response

Could you please point to your presentation on migrating off from ISFPRMXX
to RACF ?

Fortunately our shop is very small and we don't have any archiving tool or
any automation tool.

Peter

On Sat, Dec 2, 2023, 9:55 PM Rob Scott  wrote:

> Peter,
>
> Can I strongly suggest you instigate a project to activate OPERCMDS (and
> JESSPOOL if not already active).
>
> ISFPRMx  just controls actions within SDSF and does not preclude any
> semi-capable programmer from writing code to issue operator commands (or
> access SYSOUT using the JES SSI).
>
> Starting with z/OS 2.5, SDSF no longer uses ISFPRMxx to control security
> as everything now only goes through SAF authority. We use the SDSF class
> for product controls, and also make OPERCMDS and JESSPOOL checks on the
> user's behalf when processing actions taken within the product.
>
> Please be aware that converting your systems to correctly use OPERCMDS and
> JESSPOOL can be a lengthy process,  and you should allow many weeks for
> testing and validation.
>
> The OPERCMDS and JESSPOOL classes being activated can affect a broad range
> of other products including sysout archiving and automated operations.
>
> I do have some presentations about SDSF security and can point you in the
> right direction if you want.
>
> As a further note, the old ISFACR tool that was written 25+ years ago to
> aid in SAF security migration is showing its age a bit. We have some more
> recent (and much simpler) tools and processes now.
>
> Rob Scott
> Rocket Software
>
> Sent from Samsung Mobile on O2
> Sent from Outlook for Android
> 
> From: IBM Mainframe Discussion List  on behalf
> of Peter 
> Sent: Saturday, December 2, 2023 9:31:26 AM
> To: IBM-MAIN@LISTSERV.UA.EDU 
> Subject: zOSMF install - SDSF ISFPRMxx
>
> Hello All
>
> Good morning
>
> I have planned to install zOSMF in our test LPAR. Our SDSF uses its own
> security features using ISFPRMXX and I can see zOSMF has its own IZUSEC
> jobs where it activates OPERCMDS class. We never activated OPERCMDS instead
> we manage using ISFPRMXX PARMLIB member.
>
> Is there anyone who has installed zOSMF with the above scenario?
>
> Peter
>



Re: RACROUTE REQUEST=AUTH problem

2023-11-30 Thread Robert S. Hansel (RSH)
John,

Are they defining generic profiles to protect resources in this class? If yes, 
did they remember to activate SETROPTS GENCMD and GENERIC for the class, 
especially _before_ creating such profiles? Have them execute SEARCH 
CLASS(class) and examine the resulting profile list to verify all profiles 
containing generic characters show a '(G)' to the right of the profile. Also 
look at SETROPTS LIST to confirm the class is listed under both GENERIC PROFILE 
CLASSES and GENERIC COMMAND CLASSES.

Assuming GENERIC is active, have them create a ** catch-all profile in the 
class to see if this results in a profile being found.

Have they RACLISTed the class? If yes, are they remembering to RACLIST REFRESH 
the class every time they make a profile change? The REFRESH needs to be 
performed on each system sharing the RACF database, especially on the system 
where this CICS environment is running.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-Original Message-
Date:Wed, 29 Nov 2023 16:18:49 +
From:Rob Scott 
Subject: Re: RACROUTE REQUEST=AUTH problem

Yes - so you have a "4,4,0"  set of SAF_RC,RACF_RC and RACF_RSN

From the RACROUTE macro docs, the RACF-RC/RSN means:

04
The specified resource is not protected by RACF.
If PROTECTALL is active, no profile is found, and the user ID whose authority 
was checked does not have the SPECIAL attribute, RACF returns a return code 
X'08' instead of a return code X'04' and denies access.
Reason code  Meaning
00
One of the following has occurred:
• There is no RACF profile protecting the resource.
• RACF is not active.
• Specified class is not in the RACF class descriptor table.
• Specified class (other than DSNR) is not active.
• Specified class requires SETROPTS RACLIST option to be active and it is not.
• CLASS TEMPDSN was active and the data set is a temporary data set.
• A userid of *BYPASS* has been passed on the authorization check. No profile 
checking will occur.

You have at least one of the above conditions

Rob

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
John Blythe Reid
Sent: Wednesday, November 29, 2023 4:14 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACROUTE REQUEST=AUTH problem

Rob,

I'm looking at SAFPRRET and SAFPRREA in a test on our LPAR. After checking a 
non-existent resource SAFPRRET contains X'0004' and SAFPRREA contains 
binary zeros. Is the value in SAFPRRET the RACF RC ? The RACROUTE macro return 
code in R15 is also X'04'.

Regards,
John.



Re: RACF ICH408I messages

2023-10-05 Thread Robert S. Hansel (RSH)
Hi Shelia,

Assuming your RACF monitoring options have been set correctly, the ICH408I 
messages will likely have corresponding SMF records. You can use RACF's SMF 
Unload utility to generate text or XML output from these records for research 
and reporting. If you have an adjunct RACF SMF reporting product (e.g., zSecure 
Audit or Vanguard Advisor), it will provide ISPF menus for generating reports.

For more on setting up RACF monitoring options and using the SMF Unload, see 
our presentation on this topic.

https://www.rshconsulting.com/RSHpres/RSH_Consulting__RACF_Monitoring_&_Reporting__May_2019.pdf

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Level I Administration - DEC 4-8, 2023
- RACF Level II Administration - NOV 13-17, 2023
- RACF Level III Admin, Audit, & Compliance - OCT 30 - NOV 3, 2023 (*** Date Change ***)
- RACF - Securing z/OS UNIX  - FEB 26 - MAR 1, 2024

-Original Message-
Date:Wed, 4 Oct 2023 17:38:18 +
From:"Chalk, Shelia" 
Subject: RACF ICH408I messages

Hello,

Is there a report that I can run to list all the ICH408i messages within a time 
period?

Thanks
Shelia Chalk



Re: XCFAS and TRUSTED

2023-08-21 Thread Robert S. Hansel (RSH)
To add to this discussion, it is my understanding that when IBM tests new 
version of z/OS, they do so with the tasks named in the documentation with 
TRUSTED authority. Since they have TRUSTED, IBM does not determine or document 
what access authorization the tasks require. If you choose to run z/OS with any 
of these tasks without TRUSTED, you are doing so in a state IBM has not tested 
nor provided access authorization guidance; hence, you do so at your own risk 
and may encounter access authorization issues that could be detrimental to the 
system. I used to advocate for not using PRIVILEGED or TRUSTED for any tasks 
but relented once I learned of this for the sake of system availability. I now 
warn clients whenever I discover any of these tasks running without TRUSTED.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-Original Message-
Date:Mon, 21 Aug 2023 09:40:20 +1000
From:Andrew Rowley 
Subject: Re: XCFAS and TRUSTED

On 21/08/2023 9:28 am, Lennie Dymoke-Bradshaw wrote:

> Secondly, when IBM states that a task should be given the attribute of 
> Trusted, then I take it to mean that IBM is saying that the task can be 
> trusted that this attribute cannot be the source of an exposure for that task.

I think when IBM says a task should be given trusted, it's a stronger 
statement than that.

I take it to mean that the task should never be denied access by the 
security system, and any denial of access risks the stability or 
operation of the system.

-- 
Andrew Rowley
Black Hill Software



Re: XCFAS and TRUSTED

2023-08-20 Thread Robert S. Hansel (RSH)
Hi Radoslaw,

1. Here is where the requirement is documented.
IBM Manual: MVS Initialization and Tuning Reference (System Tailoring - 
Assigning the RACF TRUSTED Attribute)
https://www.ibm.com/docs/en/zos/2.5.0?topic=tailoring-assigning-racf-trusted-attribute

2. XCFAS will need to be restarted. I do not know if this requires an IPL.

3. Here is mention of a reason why TRUSTED is required. I don't know if this is 
the only reason.
IBM Manual: MVS Setting Up a Sysplex (Planning sysplex availability and 
recovery - Requirements for participating in automatic restart management)
https://www.ibm.com/docs/en/zos/2.5.0?topic=management-requirements-participating-in-automatic-restart

What healthcheck reported the issue?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-Original Message-
Date:Sat, 19 Aug 2023 23:53:55 +0200
From:Radoslaw Skorupka 
Subject: XCFAS and TRUSTED

I'm setting up some sysplex and found some healthcheck is not OK, the 
reason was XCFAS was not TRUSTED.
Questions:
1. Is the requirement of the TRUSTED status documented anywhere? That's 
good to know before an auditor asks.
2. Is there any way to fix it without re-IPL?
3. Somehow related to 2. IMHO it is actually not a matter of the 
attribute, but a matter of access to some resources. Are the resources 
needed for XCFAS documented/known?


-- 
Radoslaw Skorupka
Lodz, Poland



Re: eliminate use of id(0)

2023-04-12 Thread Robert S. Hansel (RSH)
Hi Colin,

What is the product? If you share this, perhaps someone who is familiar with 
the product and may have already addressed this issue can respond.

Ask the vendor if access to FACILITY BPX or UNIXPRIV resources could be used in 
lieu of Superuser authority.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.  *** Celebrating our 30th Anniversary ***
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-Original Message-
Date:Tue, 11 Apr 2023 20:06:02 +0100
From:Colin Paice 
Subject: eliminate use of id(0)

I've been reviewing someone's (ftp like) product documentation, and they
say that the userid that runs their product needs id(0) to be able to run.
This feels like giving too much authority to the userid.  Is there a better
way of defining the userid and its access to resources to be able to
eliminate the need for id(0)?
Colin



Re: RACF - SDSF question

2023-02-08 Thread Robert S. Hansel (RSH)
Hi Terri,

Here are a couple of thoughts to add to what others have mentioned.

Since SDSF is issuing a JES2 cancel job $CJ command, the name of the OPERCMDS 
resource being checked is JES2.CANCEL.BAT. Profile JES2.CANCEL.BAT.C30TCI* is 
superfluous since the resource name never includes the jobname, so you can 
delete it. Profile JES2.CANCEL.BAT.** is guarding JES2.CANCEL.BAT because the 
.** generic suffix applies to zero or more qualifiers, and in this case it is 
zero qualifiers. The suggestions to lock down MVS cancel job commands won't 
help in this situation because SDSF is issuing JES2 commands instead of MVS 
commands, so the OPERCMDS MVS.CANCEL.JOB.jobname resources won't be checked.

As was mentioned, to cancel a job typically also requires ALTER access to the 
JESSPOOL resource guarding the job. Look into setting up appropriate JESSPOOL 
profiles to isolate and restrict ALTER access to these jobs. Also consider 
whether users have been (inadvertently) set up as Destination Operators. If 
they have READ access to SDSF resource ISFOPER.DEST.JES2 and ALTER access to 
SDSF resources prefixed ISFAUTH.DEST., they can cancel jobs while bypassing 
JESSPOOL profile checks.

If the CONSOLE class is active, you can permit ID(*) UPDATE access to 
JES2.CANCEL.BAT.** conditionally by adding operand WHEN(CONSOLE(SDSF)) to the 
PERMIT command so that users can only issue JES2 cancel job commands from 
within SDSF panels. This would prevent them from cancelling jobs outside of 
SDSF, to include when using the SDSF / command. You would need to remove 
UACC(UPDATE) or ID(*) UPDATE permission, whichever applies, for the conditional 
permission to take effect. Operations and Tech Support staff will need 
'regular' UPDATE access permission. (CONSOLE is a Default Return Code 8 class, 
so don't activate it without first creating a ** profile with UACC(READ).)

To see exactly what resource names are being checked that are allowing the 
unwanted job cancellations, issue the SDSF command SET SECTRACE ON, cancel the 
job, and then issue the SDSF command ULOG. ULOG will show you all the access 
checks SDSF is making along with the results of each of these checks. SECTRACE 
is a phenomenal diagnostic tool that we use often.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.  *** Celebrating our 30th Anniversary ***
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-Original Message-
Date:Tue, 7 Feb 2023 13:31:41 +
From:"Shaffer, Terri" 
Subject: RACF - SDSF question

Hi,
 I know there is a RACF group, but hopefully this is simple and I am just 
missing something I have done 100 times over with no issues.

We run our CICS regions as batch jobs, and I just found out that a user, instead 
of issuing a CEMT PERF SHUT command, is canceling it.

This then causes 100 VSAM messages on startup with all the verifies, and if 
something goes wrong they call me...

So I tried to stop this habit, I know they are putting a C beside the CICS and 
a $CJ(x) command

So I have 2 rules in RACF under OPERCMDS

JES2.CANCEL.BAT.C30TCI* (G)
JES2.CANCEL.BAT.** (G)

If I restrict the BAT.**  then they cant cancel even their own batch jobs, So I 
always thought more specific is looked at first?

One of my previous co-workers implemented SDSF-RACF rules converted from 
ISFPARMS.

Lastly, I understand this doesn’t stop them from canceling any other jobs, but 
since this is a development shop we allow more access than most.

But I don’t want users canceling a CICS or DB2 etc.

Any ideas how they are getting the access and not stopped with the more 
specific rule??


Ms Terri E Shaffer
Senior Systems Engineer,
z/OS Support:
ACIWorldwide – Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com



Re: RACF - SDSF question

2023-02-08 Thread Robert S. Hansel (RSH)
Ed,

What you suggest only applies to DATASET profiles. With General Resource 
profiles such as those for OPERCMDS, the profile is always Discrete if fully 
spelled out and Generic only if it has masking characters.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.  *** Celebrating our 30th Anniversary ***
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
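An added example (not code from the thread or from RACF) modelling how a general-resource name such as JES2.CANCEL.BAT is matched against Terri's two OPERCMDS profiles, following the ".** covers zero or more qualifiers" point in the first reply and the "generic only if it has masking characters" point in this one; the generic-naming and most-specific-first rules are a simplified summary of RACF's documented behaviour, and the profile list is the one quoted in the question:

```python
"""Simplified model of RACF general-resource profile matching (added example).

Rules assumed here, summarised from RACF's generic naming for general resource
classes: % matches one character, * inside a qualifier matches zero or more
characters, * as a whole qualifier matches exactly one qualifier, and ** as a
whole qualifier matches zero or more qualifiers. The most specific matching
profile is chosen by comparing names character by character, where a literal
beats %, which beats *, which beats **.
"""
import re

GENERIC_CHARS = "%*"


def is_generic(profile):
    """General-resource rule from the reply: generic only if it has % or *."""
    return any(c in GENERIC_CHARS for c in profile)


def profile_to_regex(profile):
    """Translate a profile name into an anchored regex under the rules above."""
    quals = profile.split(".")
    pattern = ""
    for i, q in enumerate(quals):
        if q == "**":
            if len(quals) == 1:
                pattern = ".*"                        # ** alone guards everything
            elif i == 0:
                pattern += r"(?:[^.]+\.)*"            # zero or more leading qualifiers
            else:
                pattern += r"(?:\.[^.]+)*"            # zero or more qualifiers, dots included
            continue
        if i > 0 and not (i == 1 and quals[0] == "**"):
            pattern += r"\."                          # qualifier separator
        if q == "*":
            pattern += r"[^.]+"                       # exactly one qualifier
        else:
            for c in q:
                pattern += {"%": "[^.]", "*": "[^.]*"}.get(c, re.escape(c))
    return re.compile("^" + pattern + "$")


def specificity_key(profile):
    """Rank characters so that sorting puts the most specific profile first."""
    ranks = []
    for q in profile.split("."):
        if q == "**":
            ranks.append(3)
        else:
            ranks.extend({"%": 1, "*": 2}.get(c, 0) for c in q)
        ranks.append(0)                               # the separator itself is literal
    return tuple(ranks)


def matching_profiles(profiles, resource):
    """All profiles that guard the resource, most specific first."""
    hits = [p for p in profiles if profile_to_regex(p).match(resource)]
    return sorted(hits, key=specificity_key)


def best_profile(profiles, resource):
    """The profile the access check would use, or None if the resource is unprotected."""
    hits = matching_profiles(profiles, resource)
    return hits[0] if hits else None


# The two OPERCMDS profiles quoted in the question (constructed scenario).
TERRI_PROFILES = ["JES2.CANCEL.BAT.C30TCI*", "JES2.CANCEL.BAT.**"]

if __name__ == "__main__":
    # JES2.CANCEL.BAT has no fourth qualifier, so only the .** profile matches it;
    # the C30TCI* profile is more specific but never comes into play for that name.
    for resource in ("JES2.CANCEL.BAT", "JES2.CANCEL.BAT.C30TCIA"):
        print(resource, "->", best_profile(TERRI_PROFILES, resource))
```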

-Original Message-
Date:Tue, 7 Feb 2023 18:31:46 -0800
From:Ed Jaffe 
Subject: Re: RACF - SDSF question

On 2/7/2023 5:14 PM, Seymour J Metz wrote:
> Generic is usually more useful, but you can certainly use specific profiles.

Even discrete profiles can be made generic by specifying GENERIC when 
created.

That's what we do here. We have NO discrete profiles, but we do have 
generic profiles with no wildcard characters in them.


-- 
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/



Re: rexx and IDCAMS functions

2022-08-17 Thread Robert S. Hansel (RSH)
Hi Lizette,

What, if any, ICH408I messages do you see in SYSLOG?

Do you have the necessary FACILITY STGADMIN profile permissions to perform 
these functions?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.  *** Celebrating our 30th Anniversary ***
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com


-Original Message-
Date:Tue, 16 Aug 2022 14:18:54 -0700
From:Lizette Koehler 
Subject: rexx and IDCAMS functions

I am going to write a process in REXX using things like DCOLLECT, LISTC, etc.

I am running into S913-70

I am trying to figure out what I need to do to resolve it

Something in RACF? Pads IKJTSOxx??

Any guidance appreciated

Lizette



Re: Superuser (su) in batch

2022-08-12 Thread Robert S. Hansel (RSH)
Hi William,

Here are examples of several different ways I found for doing this.

//RSHBPXSU JOB (1),RSH,CLASS=A,MSGCLASS=H,NOTIFY=
//STEP0010 EXEC PGM=BPXBATCH,PARM='SH'
//STDERR  DD  SYSOUT=*
//STDOUT  DD  SYSOUT=*
//STDIN   DD  PATH='/u/RSH/commands',PATHOPTS=(ORDONLY)
//*      (the su command is in the STDIN file)

//RSHBPXSU JOB (1),RSH,CLASS=A,MSGCLASS=H,NOTIFY=
//STEP0010 EXEC PGM=BPXBATCH,PARM='SH su'
//STDERR  DD  SYSOUT=*
//STDOUT  DD  SYSOUT=*
//STDIN   DD  PATH='/u/RSH/commands2',PATHOPTS=(ORDONLY)

//RSHBPXSU JOB (1),RSH,CLASS=A,MSGCLASS=H,NOTIFY=
//STEP0010 EXEC PGM=BPXBATCH,PARM='SH su < /u/RSH/commands2'
//STDERR  DD  SYSOUT=*
//STDOUT  DD  SYSOUT=*

//RSHBPXSU JOB (1),RSH,CLASS=A,MSGCLASS=H,NOTIFY=
//STEP0010 EXEC PGM=BPXBATCH
//STDERR  DD  SYSOUT=*
//STDOUT  DD  SYSOUT=*
//STDPARM DD  *
SH su < /u/RSH/commands3
/*

//RSHSUTST JOB (1),RSH,CLASS=A,MSGCLASS=H,NOTIFY=
//STEP0001 EXEC PGM=IKJEFT1B
//SYSPROC  DD  DISP=SHR,DSN=SYS1.SBPXEXEC
//SYSOUT   DD  SYSOUT=*
//SYSIN    DD  DUMMY
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
 PROF MSGID WTPMSG
 OSHELL echo id | su
 OSHELL print 'id' | su
/*

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.  *** Celebrating our 30th Anniversary ***
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Thu, 11 Aug 2022 12:50:49 +
From:"Boyer, William" 
Subject: Superuser (su) in batch

My userid on z/OS is not a superuser, but I have RACF READ access to 
BPX.SUPERUSER. Occasionally, as a Systems Programmer, I need to perform 
something in USS that requires UID=0. In TSO I can switch to EUID=0 by going to 
3.17 (Utilities/Udlist) and typing su, which seems to stay set for the entire 
length of the TSO session. Is there a way to do a su in batch and then copy 
files or adjust permits/owner, etc.?

For example interactively, I can set my euid=0 with su in 3.17, then go to =6 
and type in OPUT to copy files into USS to directories that my normal uid does 
not have permission but the OPUT works because I am still euid=0.  I am looking 
for a way to do this in batch.

Thanks

William Boyer
System Engineer Sr Advisor

T   410-842-1706
william.bo...@gdit.com
One W. Pennsylvania Ave
Towson, MD 21204
www.gdit.com



Re: SDSF & TSS (RACF)

2022-05-25 Thread Robert S. Hansel (RSH)
Hi Mark,

The option prevents all the violations when you 's' select the entire job. It 
won't help when you select the job with ? and then select individual SYSOUTs. 
For the latter, it is WAD.

Regards, Bob

Robert S. Hansel - 35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
From: Steely.Mark [mailto:steely.m...@aaa-texas.com] 
Sent: Wednesday, May 25, 2022 12:04 PM
To: IBM Mainframe Discussion List
Cc: Robert S. Hansel (RSH)
Subject: RE: SDSF & TSS (RACF)
Importance: High

Thanks for the update - yes, I did forget the custom parameter. It may work for 
what I need. When I select the complete report it comes back as unauthorized. 
If I expand the report with a ? and select a report, I still get the violation, 
and after several attempts it suspends the ID.
Is there anything for that?

Thank You 

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Robert S. Hansel (RSH)
Sent: Wednesday, May 25, 2022 5:53 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: FW: SDSF & TSS (RACF)


Mark,

I'm surprised it didn't work. Did you code a CUSTOM(proplist) parameter in 
_all_ your GROUP statements that points to the PROPLIST NAME(proplist) 
statement with the PROPERTY parameter? And did you refresh the ISFPARMS in all 
the SDSF servers?

Regards, Bob

Robert S. Hansel - 35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Tue, 24 May 2022 15:02:50 +
From:"Steely.Mark" 
Subject: Re: SDSF & TSS (RACF)

Thanks for the link for the output violations - it doesn't appear to work for 
TSS (Top Secret).


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Robert S. Hansel (RSH)
Sent: Tuesday, May 24, 2022 8:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SDSF & TSS (RACF)


Hi Mark,

When a user attempts to select a job, SDSF does an authorization check for each 
individual SYSOUT DDNAME associated with the job and can generate multiple 
violations like this.

To address this issue, see article "Avoiding Output Browse Violation Messages 
in SDSF" in the July 2008 issue of our RACF Tips newsletter.

https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__July_2008.pdf

Regards, Bob

Robert S. Hansel - 35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF

FW: SDSF & TSS (RACF)

2022-05-25 Thread Robert S. Hansel (RSH)
Mark,

I'm surprised it didn't work. Did you code a CUSTOM(proplist) parameter in 
_all_ your GROUP statements that points to the PROPLIST NAME(proplist) 
statement with the PROPERTY parameter? And did you refresh the ISFPARMS in all 
the SDSF servers?

Regards, Bob

Robert S. Hansel - 35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Tue, 24 May 2022 15:02:50 +
From:"Steely.Mark" 
Subject: Re: SDSF & TSS (RACF)

Thanks for the link for the output violations - it doesn't appear to work for 
TSS (Top Secret). 


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Robert S. Hansel (RSH)
Sent: Tuesday, May 24, 2022 8:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SDSF & TSS (RACF)


Hi Mark,

When a user attempts to select a job, SDSF does an authorization check for each 
individual SYSOUT DDNAME associated with the job and can generate multiple 
violations like this.

To address this issue, see article "Avoiding Output Browse Violation Messages 
in SDSF" in the July 2008 issue of our RACF Tips newsletter.

https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__July_2008.pdf

Regards, Bob

Robert S. Hansel - 35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

Re: SDSF & TSS (RACF)

2022-05-24 Thread Robert S. Hansel (RSH)
Hi Mark,

When a user attempts to select a job, SDSF does an authorization check for each 
individual SYSOUT DDNAME associated with the job and can generate multiple 
violations like this.

To address this issue, see the article "Avoiding Output Browse Violation Messages 
in SDSF" in the July 2008 issue of our RACF Tips newsletter.

https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__July_2008.pdf

Regards, Bob

Robert S. Hansel    35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Mon, 23 May 2022 20:55:48 +
From:"Steely.Mark" 
Subject: SDSF & TSS (RACF)

I am trying to convert our SDSF from using ISFPARMS to TSS for security.

I need some direction on how to provide security for reports.

Currently I am trying to use JESSPOOL to control access.
The customer is allowed to view all currently active and held output jobs but 
may only look at certain JOBS & REPORTS.

During testing I have this occurring:

The customer is trying to view this job (which the customer is not authorized to view):

COMMAND INPUT ===>
PREFIX=*  DEST=(ALL)  OWNER=*  SYSNAME=
NP   DDNAME   StepName ProcStep DSID OwnerC Dest
 JESMSGLG JES2 2 TS0242   R LOCAL
 JESJCL   JES2 3 TS0242   R LOCAL
 JESYSMSG JES2 4 TS0242   R LOCAL

The above is displayed when I put a ? in the Held output screen.
This is just to show you the report has 3 different reports.

Then the customer goes back to the screen which shows the job name:

SDSF HELD OUTPUT DISPLAY ALL CLASSES LINES 55  LINE 1
COMMAND INPUT ===>
PREFIX=B1*  DEST=(ALL)  OWNER=*  SORT=JOBNAME/A  SYSNAME=
NP   JOBNAME  JobIDOwnerPrty C ODisp Dest
 B100042B JOB09087 TS0242144 R HOLD  LOCAL


Then the customer selects the job and receives the following messages:

TSS7257E Unauthorized Access Level for JESSPOOL 

TSS7257E Unauthorized Access Level for JESSPOOL 

TSS7257E Unauthorized Access Level for JESSPOOL 

TSS7141E Use of Accessor ID Suspended
TSS7191E Job/Session Cancelled - Excessive Violations
TSS7192E Session Locked - Excessive Violations: Signoff
CS0042 LOGGED OFF TSO AT 14:57:54 ON MAY 23, 2022
IKJ56453I SESSION CANCELLED
**

I would hate to think someone would accidentally try to look at an output they 
are not authorized to view and get their ID suspended.

Maybe I am going at this all wrong.

Is there a different way I should be doing this?

Any help would be appreciated.

We are currently at z/OS v2.4.

Thank You

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: SAF without an ESM

2022-05-05 Thread Robert S. Hansel (RSH)
@zMan: SAF, itself, has exits that could be used to make security decisions and 
even overrule those made by the ESM.

@coasthermit: You experienced what is known as Failsoft processing. RACF itself 
wasn't disabled but its databases were, so it turns to the operator for 
approval of every access authorization check. I've only come across one 
installation that had an exit to do just what you suggest. 

Regards, Bob

Robert S. Hansel    35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Thu, 5 May 2022 05:45:53 +0800
From:coasthermit 
Subject: Re: SAF without an ESM

Many years back I IPLed my onepak system with RACF disabled to see what 
happened. Every access of a resource sent a reply prompt to the console for 
YES/NO. It took a while but I eventually got enough of MVS up that I could logon 
to TSO/E. I considered writing my own RACF exit that returned OK for every 
access request, but in the end I just built a default RACF data base for that 
system to use. Maybe SAF still works the same way.

-Original Message-
Date:Wed, 4 May 2022 12:50:49 -0400
From:zMan 
Subject: SAF without an ESM

On https://www.ibm.com/docs/en/zos-basic-skills?topic=zos-what-is-saf , IBM
says:

> System authorization facility or SAF is an interface defined by MVS™ that
> enables programs to use system authorization services to control access to
> resources, such as data sets and MVS commands. SAF either processes
> security authorization requests directly or works with RACF®, or other
> security product, to process them.


Someone on r/mainframe asks what SAF does without an ESM. I'm thinking "not
much", but the last sentence above sort of suggests otherwise--unless "SAF
either processes security authorization requests directly" means "returns
RC=0 in all cases", in which case it would be accurate but IMHO overly
vague. Thoughts?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: What is the audit basis to prevent read access to z/OS PARMLIB's?

2022-02-05 Thread Robert S. Hansel (RSH)
The IBM guidelines for protecting PARMLIB in the RACF Security Administrator's 
Guide indicate that default access of READ is acceptable; however, they qualify 
this as follows: "UACC should be NONE if any members contain passwords, or 
other sensitive information, such as the ACBPW password in the TSOKEYxx 
member." How often does someone review PARMLIB looking for passwords and the 
like? Most likely never. If you lock it down, there are no worries you've 
missed something.

Whereas most of the configuration information in PARMLIB is in storage for 
anyone to view (e.g., current list of APF libraries), there are a few things in 
fetch-protected storage that require authorization to see, one being the PPT. 
READ access to PARMLIB would let me see what additions and modifications an 
installation has made to the PPT, in particular whether Bypass Password 
Protection or a System Key have been assigned to any program that could be 
exploited. This is a reason for also protecting RACF's DSMON program ICHDSM00 
as it provides PPT information.

I tend to agree with those advocating for least necessary privilege. If access 
isn't explicitly needed, don't provide it, or at least monitor activity to 
discover who is checking you out. Why make it easy for someone to probe your 
system undetected?

The STIG and the RACF SAG should both be amended to indicate the PARMLIB 
concatenation, not just SYS1.PARMLIB.

Regards, Bob

Robert S. Hansel    35 years of RACF Experience
Lead RACF Specialist 2021 #IBMChampion
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Having some challenges with a SORT Utility

2022-01-20 Thread Robert S. Hansel (RSH)
Hi Cameron,

Generating and processing RACF LISTUSER data is extremely inefficient and is 
not a sanctioned application programming interface. I recommend you look into 
processing a RACF database unload file generated by the IRRDBU00 utility, with 
which you could probably use SORT's JOINKEY to do much of what you are trying 
to do with less code. Most installations generate an IRRDBU00 unload every day, 
so there is apt to be one readily available for you to use. Better still, I 
believe your firm has IBM's RACF add-on product zSecure. It might very well be 
able to generate the report you are looking for without having to write a 
single line of code. I suggest you contact your RACF Admin team to ask them 
about the availability of an IRRDBU00 unload and zSecure.

Regards, Bob

Robert S. Hansel    35 years of RACF Experience
Lead RACF Specialist 2021 #IBMChampion
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
---
Upcoming RSH RACF Training - WebEx
- RACF Level I Administration - APR 4-8, 2022
- RACF Level II Administration - MAR 7-11, 2022
- RACF Level III Admin, Audit, & Compliance - FEB 14-18, 2022
- RACF - Securing z/OS UNIX  - JAN 24-28, 2022
---

-Original Message-
Date:Wed, 19 Jan 2022 22:23:51 +
From:Cameron Conacher 
Subject: Having some challenges with a SORT Utility

Hello folks,
Hopefully someone can point me in a correct direction.
I can do this in a different manner, but I am stubborn.

I have crafted a little sort utility to read a file and then to grab data from 
a couple of records and include the data with subsequent records.

So, I have a record identifying a dataset name. (One record)
Then some number of records later, I will have a record identifying an Owner 
group. (One record)
And then after a few records I will have some other records with names. (A 
number of records, hundreds or perhaps only one)

DataSet Name Record
Noise records
Owner Group record
Noise records
Name Record
Name Record
.
.
.
.
Noise records
DataSet Name Record

And so on.

My sort eliminates the noise records, and then I try to carry the dataset name 
and the owner group forward to add them to the name records for final output.

When I run my utility, I get the very first name record (with the dataset and 
owner information).
The subsequent name records do not have the additional data on output because 
somehow I have messed up.


Could someone have a peek at my sort control statement and suggest either a fix 
or tell me DON'T DO IT.

Thanks.

And here are my sort control statements.
**
**
*  SCAN THROUGH THE INPUT FILE AND GENERATE AN OUTPUT DETAIL *
*  FILE COMBINING DATA FROM MULTIPLE RECORDS.*
**
*  WE ONLY WANT THE RECORDS CONTAINING ONE OF:   *
* 'LISTDSD DATASET(' IN POSITION 002 *
* ' 00'  IN POSITION 002 *
* ' ALTER '  IN POSITION 011 *
* 'CONTROL'  IN POSITION 011 *
* ' READ  '  IN POSITION 011 *
* 'UPDATE '  IN POISITON 011 *
**
**

  INCLUDE COND=(01,20,SS,EQ,C'LISTDSD DATASET',  * ONLY LISTDSD RECS
        OR,
        01,20,SS,EQ,C' 00',              * OWNER RECORDS
        OR,
        10,20,SS,EQ,C' ALTER  ',         * ALTER   ACCESS
        OR,
        10,20,SS,EQ,C'CONTROL ',         * CONTROL ACCESS
        OR,
        10,20,SS,EQ,C' READ   ',         * READ    ACCESS
        OR,
        10,20,SS,EQ,C'UPDATE  ')         * UPDATE  ACCESS


**
*  PARSE THE INPUT RECORDS LOOKING FOR THE LITERALS REPRESENTING *
*  THE LISTDSD, OWNER AND RACF ID/ACCESS (DIFFERENT RECORDS) *
*  USING A GROUP OF THREE RECORDS (1=LISTDSD 2=OWNER 3=RACF ID)  *
*  OVERLAY THE WORK AREA DATA IN 101-132 WITH:   *
* 101-104 = 'RACF'   *
* 105-150 = 45 CHARACTERS FOR LISTDSD NAME   *
* 151-158 = OWNER NAME   *
* 159-166 = RACF ID  *
* 167 175 = RACF ID ACCESS ALLOWED   *
* 
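As an added example (not Cameron's SORT step and not code from RSH), here is the same carry-forward done in Python over a LISTDSD capture: the current data set name and owner are held in a state variable until the next LISTDSD line, so every access-list entry picks them up. It also serves Bob's PARMLIB post above, since once each data set's UACC has been parsed the whole PARMLIB concatenation can be checked rather than SYS1.PARMLIB alone. The sample capture is constructed to follow the column description in Cameron's post and is not verbatim LISTDSD output; the concatenation list, the profile names and the regex column handling are assumptions to be checked against your own system's output.

```python
"""Carry LISTDSD data set name and owner forward onto each access-list entry,
then check every data set in the PARMLIB concatenation for UACC(NONE).

Added example: the capture below is constructed to follow the column layout
described in Cameron's post (LISTDSD command line, " 00" owner line, and
ALTER/CONTROL/READ/UPDATE access-list lines) and is not verbatim LISTDSD
output; adjust the regexes if your system's layout differs.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: two LISTDSD commands with headers and blank "noise" lines.
SAMPLE_LISTDSD = """\
 LISTDSD DATASET('SYS1.PARMLIB') AUTHUSER
 INFORMATION FOR DATASET SYS1.PARMLIB

 LEVEL  OWNER    UNIVERSAL ACCESS   WARNING   ERASE
 -----  -------- ----------------   -------   -----
  00    SYS1          READ           NO       NO

    ID     ACCESS
    --     ------
 SYS1      ALTER
 SYSPROG   ALTER
 AUDITOR   READ
 LISTDSD DATASET('SYS2.PARMLIB') AUTHUSER
 INFORMATION FOR DATASET SYS2.** (G)

 LEVEL  OWNER    UNIVERSAL ACCESS   WARNING   ERASE
 -----  -------- ----------------   -------   -----
  00    SYSPROG       NONE           NO       NO

    ID     ACCESS
    --     ------
 SYSPROG   ALTER
 OPERS     UPDATE
"""

ACCESS_WORDS = r"(ALTER|CONTROL|UPDATE|READ|EXECUTE|NONE)"
LISTDSD_RE = re.compile(r"^\s*LISTDSD\s+DATASET\(\s*'?([^')\s]+)'?\s*\)", re.I)
PROFILE_RE = re.compile(r"^\s*INFORMATION FOR DATASET\s+(\S+)(\s+\(G\))?", re.I)
OWNER_RE = re.compile(r"^\s*00\s+(\S+)\s+" + ACCESS_WORDS + r"\b", re.I)
ACCESS_RE = re.compile(r"^\s*([A-Z0-9@#$]{1,8})\s+" + ACCESS_WORDS
                       + r"\s*(\d+)?\s*$", re.I)   # optional access count


@dataclass
class DatasetProfile:
    dataset: str                  # name given on the LISTDSD command
    profile: str = ""             # profile that protects it (may be generic)
    generic: bool = False
    owner: str = ""
    uacc: str = ""
    access_list: list = field(default_factory=list)   # (id, access) pairs


def parse_listdsd(text):
    """State machine: `current` is carried forward until the next LISTDSD
    line, so every access-list entry inherits the data set and owner."""
    profiles, current = [], None
    for line in text.splitlines():
        m = LISTDSD_RE.match(line)
        if m:
            current = DatasetProfile(dataset=m.group(1).upper())
            profiles.append(current)
            continue
        if current is None:
            continue                      # noise before the first LISTDSD
        m = PROFILE_RE.match(line)
        if m:
            current.profile = m.group(1).upper()
            current.generic = m.group(2) is not None
            continue
        m = OWNER_RE.match(line)
        if m:
            current.owner, current.uacc = m.group(1).upper(), m.group(2).upper()
            continue
        m = ACCESS_RE.match(line)
        if m and current.owner:           # access list follows the owner line
            current.access_list.append((m.group(1).upper(), m.group(2).upper()))
    return profiles


def flatten(profiles):
    """The rows Cameron's SORT step was trying to produce: one row per
    access-list entry with data set and owner carried forward."""
    return [(p.dataset, p.owner, uid, acc)
            for p in profiles for uid, acc in p.access_list]


def check_parmlib_uacc(profiles, concatenation):
    """Bob's point: check every data set in the PARMLIB concatenation, not
    just SYS1.PARMLIB. Returns (dataset, reason) findings."""
    by_name = {p.dataset: p for p in profiles}
    findings = []
    for dsn in concatenation:
        p = by_name.get(dsn.upper())
        if p is None:
            findings.append((dsn, "no LISTDSD output captured"))
        elif p.uacc != "NONE":
            findings.append((dsn, f"UACC({p.uacc}) on profile {p.profile}"))
    return findings


if __name__ == "__main__":
    profs = parse_listdsd(SAMPLE_LISTDSD)
    for row in flatten(profs):
        print(row)
    # constructed concatenation; take yours from D PARMLIB
    for finding in check_parmlib_uacc(profs, ["SYS1.PARMLIB", "SYS2.PARMLIB",
                                              "CPAC.PARMLIB"]):
        print("FINDING:", finding)
```

Bob's recommendation still stands: the IRRDBU00 unload is the supported interface, and the same two checks (rows per access-list entry, UACC per data set) can be run over its data set records without parsing command output at all.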

Re: Change password

2022-01-13 Thread Robert S. Hansel (RSH)
Gadi,

Use of the operand REVOKE(date) requires SPECIAL. It might work if the user 
executing the ALTUSER command is the owner of the user profile (e.g., ).

Regards, Bob

Robert S. Hansel    35 years of RACF Experience
Lead RACF Specialist 2021 #IBMChampion
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
---
Upcoming RSH RACF Training - WebEx
- RACF Level I Administration - APR 4-8, 2022
- RACF Level II Administration - MAR 7-11, 2022
- RACF Level III Admin, Audit, & Compliance - FEB 14-18, 2022
- RACF - Securing z/OS UNIX  - JAN 24-28, 2022
---

-Original Message-
Date:Wed, 12 Jan 2022 10:28:30 +
From:Gadi Ben-Avi 
Subject: Change password

Hi,
I would like to allow a user that does not have the special or group special 
attribute to issue the following command successfully:
alu   password() resume noexpire  revoke ( 01/13/22 )

Is this possible?
Right now the command fails with
ICH408I USER(OP01) GROUP(OPER) NAME(OPER-01 )
  PARTIAL VIOLATION ON COMMAND ALTUSER


We are running z/OS v2.4.

Gadi

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: LDAP confusion with security settings

2021-07-10 Thread Robert S. Hansel (RSH)
Hi Rex,

Very strange indeed. This does not seem like a native LDAP issue. Have you 
looked at the source code of the software that is processing logons to see if 
this ID is embedded in the code? Is this ID coded as the USERID on any CICS 
terminal definitions or started transaction EXEC CICS START commands related to 
this logon process? If you have SETROPTS SAUDIT or AUDIT(USER) active, have you 
looked at SMF data to see if it is issuing any RACF commands, in particular 
ALTUSER PASSWORD NOEXPIRE? Have you tried adding UAUDIT to the ID to see what 
else it might be doing? If you have a product like zSecure Access Monitor, what 
activity does it show for this ID? What happens if you swap ROAUDIT for 
SPECIAL? If you define profiles LISTUSER and LU in the PROGRAM class with 
ADDMEM('SYS1.LINKLIB'//NOPADCHK) UACC(READ) AUDIT(ALL), does SMF data show this 
ID using these programs? My extreme SWAG is that it is being used to handle 
password expiration and password changes.

Regards, Bob

Robert S. Hansel    2021 #IBMChampion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Fri, 9 Jul 2021 17:10:22 +
From:"Pommier, Rex" 
Subject: LDAP confusion with security settings

Hi list,

I don't know if this belongs in the TCP/IP list, RACF list or here so I'm 
starting here.  Here's the situation as best I understand it.  First off, LDAP 
is a black hole as far as I'm concerned.  It was set up here long before my 
time.  We're using it to communicate and authenticate to RACF for users coming 
in from a browser into our CICS regions.  The LDAP server runs under a user ID 
of LDAPSRV.  Users coming in from the browser are given a logon screen where 
they enter their own ID and password which LDAP validates against RACF.  LDAP 
provides the appropriate ICH408I message if they fat-finger a password etc.  
That part is all OK.  The RACF group that LDAPSRV is a member of is LDAPGRP and 
some of the attributes assigned to LDAPSRV are actually given through the group.

The LDAP server is defined within RACF in the APPL class and anybody that 
tries to log on through LDAP needs to have READ access to this APPL.  


Here's where I'm getting confused.  There is another ID on the system, we'll 
call LDAPU, that has no special privileges except this ID is RACF SPECIAL.  The 
group this ID belongs to (LDAP) also has no special privileges.  The ID is not 
UID0 and the only connection LDAPU has is to the LDAP group, the only 
permission it has is to the LDAPSRV APPL.   The LDAP group actually has no 
permissions given to it.  The only thing strange is that the ID has SPECIAL.  
Since the ID isn't anything special (or so I thought) I removed SPECIAL from 
it.  As soon as I removed SPECIAL, anybody coming in through the browser 
started getting invalid userid or password errors on their browser logon page.  
They were getting NO RACF ICH408I messages being logged either in the SYSLOG or 
in the LDAPSRV address space.  As soon as I gave SPECIAL back to LDAPU 
everything started working again.  I can find nowhere within the LDAP config 
file that defines LDAPU as any kind of special ID that has magical powers over 
people trying to log in thru the LDAP.  If anybody has any idea where I could 
go look for what LDAP is using this ID for or where it is defined to use this 
ID for something, I'd appreciate it.  I really don't like the idea of having a 
RACF SPECIAL user floating around that nobody knows why it has SPECIAL.

Apologies if this sounds as confusing to you reading it as it does to me 
writing it.

Thanks,
Rex

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Unix Permissions Display Question

2021-07-03 Thread Robert S. Hansel (RSH)
Hi Fred,

ACLs are kept in the File Security Packet (FSP) for each individual file in the 
Unix file system. They are not stored in RACF.

The ACL you show would allow these two users to write (w) to the file but not 
read (r) or execute (x) it. You might need to add read (r) authority if they are 
having difficulty accessing the file. Check for ICH408I violation messages as 
they will show INTENT and ALLOWED.

The file ACL should not affect your ability to rename the file. Rename is 
controlled by access to the parent directory, and write (w) is required to 
rename it. Check your permissions to the directory. It, too, might have an ACL. 
Again, check for ICH408I messages.

BTW, the owner appears as a UID and not a RACF ID. Either there is no RACF ID 
with this UID, or the default group for the RACF ID with this UID doesn't have 
a GID. I recommend you remediate this.

Regards, Bob

Robert S. Hansel    2021 #IBMChampion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
---
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - OCT 18-22, 2021
- RACF Level I Administration - DEC 6-10, 2021
- RACF Level II Administration - NOV 15-19, 2021
- RACF Level III Admin, Audit, & Compliance - NOV 1-5, 2021
- RACF - Securing z/OS UNIX  - SEPT 20-24, 2021
---

-Original Message-
Date:Fri, 2 Jul 2021 14:10:32 +
From:fred glenlake 
Subject: Re: Unix Permissions Display Question

Hi List,

Amazing response by so many members, very much appreciated.   Just to close the 
loop, I don't have Vista so that's out.   The Unix display that I re-typed was 
with the + in front of the 755.   From the follow-on copy and pastes below of 
your suggested commands it shows I have 2 USER ACL's defined somewhere in RACF 
that are likely the cause of my access issues when I try to rename this file in 
a simulated DR test scenario.

I issued the GETFACL command as suggested and that display is copied and pasted 
below.

$ getfacl SYSTEM/etc/pagent_TTLS.conf
#file:  SYSTEM/etc/pagent_TTLS.conf
#owner: 30456
#group: SYS1
user::rwx
group::r-x
other::r-x
user:DRTSTCPY:-w-
user:DREVTCPY:-w-



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
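To make Bob's permission walk-through in this thread concrete, here is an added example (not code from the thread or from RSH) that parses the getfacl output Fred posted and evaluates what each user can do with the file, and whether they could rename it given the parent directory's permissions. The parent-directory ACL, the extra user names, and the evaluation order (owner first, then a named-user entry, then the owning-group and named-group entries as a union, then other) are assumptions; confirm the order against the z/OS UNIX documentation for your release.

```python
"""Evaluate z/OS UNIX ACL entries the way the thread above walks through them.

Added example. FILE_ACL is the getfacl output from the thread; DIR_ACL is a
constructed ACL for the parent directory. The evaluation order used in
effective_perms() is the generic POSIX-style order and is assumed here.
"""
from dataclasses import dataclass, field

FILE_ACL = """\
#file:  SYSTEM/etc/pagent_TTLS.conf
#owner: 30456
#group: SYS1
user::rwx
group::r-x
other::r-x
user:DRTSTCPY:-w-
user:DREVTCPY:-w-
"""

# Constructed parent-directory ACL (not from the thread): the two users get
# only r-x here, so a rename of anything inside it fails for them.
DIR_ACL = """\
#file:  SYSTEM/etc
#owner: 30456
#group: SYS1
user::rwx
group::r-x
other::r-x
user:DRTSTCPY:r-x
user:DREVTCPY:r-x
"""


@dataclass
class Acl:
    path: str = ""
    owner: str = ""                               # UID or user name as shown
    group: str = ""
    base: dict = field(default_factory=dict)      # 'user'/'group'/'other' -> perms
    users: dict = field(default_factory=dict)     # named user -> perms
    groups: dict = field(default_factory=dict)    # named group -> perms


def parse_getfacl(text):
    """Parse getfacl output: '#' header lines, then kind:name:perms entries."""
    acl = Acl()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            value = value.strip()
            if key == "file":
                acl.path = value
            elif key == "owner":
                acl.owner = value
            elif key == "group":
                acl.group = value
            continue
        kind, name, perms = line.split(":")
        if name == "":
            acl.base[kind] = perms                # base user/group/other entry
        elif kind == "user":
            acl.users[name] = perms
        elif kind == "group":
            acl.groups[name] = perms
    return acl


def effective_perms(acl, user, user_groups=()):
    """Permission string that applies to `user`, a member of `user_groups`."""
    if user == acl.owner:
        return acl.base["user"]
    if user in acl.users:                         # named-user entry wins next
        return acl.users[user]
    matched = [acl.base["group"]] if acl.group in user_groups else []
    matched += [p for g, p in acl.groups.items() if g in user_groups]
    if matched:                                   # union of matching group entries
        return "".join(b if any(b in p for p in matched) else "-" for b in "rwx")
    return acl.base["other"]


def can(acl, user, bit, user_groups=()):
    """True if `user` holds permission `bit` ('r', 'w' or 'x') on the object."""
    return bit in effective_perms(acl, user, user_groups)


def can_rename(dir_acl, user, user_groups=()):
    """Rename is a directory operation: write plus search (x) on the parent."""
    p = effective_perms(dir_acl, user, user_groups)
    return "w" in p and "x" in p


def owner_unresolved(acl):
    """Bob's last point: a numeric owner means no RACF ID maps to that UID
    (or its default group has no GID) and should be remediated."""
    return acl.owner.isdigit()


if __name__ == "__main__":
    f, d = parse_getfacl(FILE_ACL), parse_getfacl(DIR_ACL)
    for u in ("DRTSTCPY", "DREVTCPY"):
        print(u, "file:", effective_perms(f, u), "rename:", can_rename(d, u))
    print("owner unresolved:", owner_unresolved(f))
```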


Re: z14 HMC log information

2021-03-25 Thread Robert S. Hansel (RSH)
Hi Rex,

You might want to protect QUIESCE and a few other similar commands so that they 
can only be done at a system console and not through SDSF and the like. See 
article "Protect Shutdown Commands" in our RSH RACF Newsletter:

https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__January_2013.pdf
 

Regards, Bob

Robert S. Hansel    2021 #IBMChampion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
---
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - OCT 18-22, 2021
- RACF Level I Administration - APR 12-16, 2021
- RACF Level II Administration - NOV 15-19, 2021
- RACF Level III Admin, Audit, & Compliance - NOV 1-5, 2021
- RACF - Securing z/OS UNIX  - SEPT 20-24, 2021
---

-Original Message-
Date:Wed, 24 Mar 2021 17:50:07 +
From:"Pommier, Rex" 
Subject: Re: [External] Re: z14 HMC log information

Hi Radoslaw,

I knew you meant it as a joke and I took it as such.  Hence my smiley face.  
The OPERCMDS class has several entries in it but somehow QUIESCE was missed 
from way back when for a specific lock down so it was allowed by a more generic 
profile.  

I checked the type80 records and there was nothing immediately before the 
quiesce command was entered.  

O well, we figured out what happened and put security in place to minimize the 
possibility of it happening again, and we now know what to do if it does happen 
so we can get the system back up without issue and be able to find and train 
the guilty party.  

Rex

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Radoslaw Skorupka
Sent: Wednesday, March 24, 2021 10:26 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [External] Re: z14 HMC log information

Obviously the part about killing was only a poor joke, but there is some sense 
hidden in it.
I mean it is a good idea to talk to the person who did it. Not to punish, but 
to talk and explain and hear his/her explanations.
For a RACF admin it is quite obvious the security model should be somehow 
checked. Again, the person can have a good explanation of the current state of 
protection.

Regarding traces - it is a little bit hard to test, especially without access 
to a mainframe ;-) but I guess SMF80 can be written just before the system freezes. 
Note it is a RACF security check - it happens BEFORE the command is interpreted 
by the system. Simpler example: when you issue CANCEL CICSABC and you don't 
have such a started task, you first will be checked by RACF (and maybe rejected) 
and then the command is really issued, and you will get an answer like "there is 
no such started task to cancel".

BTW: I imagined what would happen after such case on production...

--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland



W dniu 24.03.2021 o 14:58, Pommier, Rex pisze:
> I'm going to agree with *most* of it.  I don't like the part about killing 
> the RACF admin.  I'm not the one who initially set up the OPERCMDS security 
> but I missed the fact the QUIESCE command wasn't set as "don't let anybody 
> use".  Hara-kiri is not on my bucket list.  :-)
>
> On to Radoslaw's comment about logging - it is logged, after the fact.  
> QUIESCE does exactly that - it stops the LPAR in its tracks.  Do not pass Go, 
> do not collect $200.  No z/OS logging at the time it happens.  IBM hardware 
> support found and reported the wait state back to us from some hardware logs 
> that were forwarded to them from our CE.  The z/OS logging takes place after 
> the PSW restart from the HMC occurs and yes, it shows the console or user 
> that executed the command.  However in our case since the LPAR stopped in the 
> middle of the day and we had managers breathing down our necks to get the 
> system back up we didn't have time to properly diagnose until after the fact 
> - which included an IPL which in turn did not allow the logging of the 
> quiesce command to take place.
>
> Rex
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf Of 
> Carmen Vitullo
> Sent: Wednesday, March 24, 2021 8:07 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: [External] Re: z14 HMC log information
>
> agree 100%, when I tested the command on my sandbox system I see my ID in the 
> syslog as the culprit :) if done from a console, then the console name is 
> shown.
> 
> Carmen Vitullo
>
> 
>
> -Original Message-
>
> From: Radoslaw 
> To: IBM-MAIN 
> Date: Wednesday, 24 March 2021 8:01 AM CDT
> Subject: Re: z14 HMC log information
>
> IMHO there should be a trace in the syslog. Maybe that part of the syslog is 
> somehow lost.
> And it would be a good idea to have an SMF record for that command. I don't know 
> about console commands, but SMF80 could be cut if you take care about 
> AUDIT(ALL(READ)) in advance. I mean the RACF profile.
>
> 

Re: SMF Type65 - Determine who Deleted the Dataset

2021-01-01 Thread Robert S. Hansel (RSH)
Hi Jasi,

You would most likely only see a RACF SMF DELRES event record for the deletion 
if the DATASET class is included in SETROPTS AUDIT set of classes. If DATASET 
is set for AUDIT, be sure your RACFRW command specifies EVENT ALLSVC.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
---
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - FEB 8-12, 2021
- RACF Level I Administration - APR 12-16, 2021
- RACF Level II Administration - MAR 22-26, 2021
- RACF Level III Admin, Audit, & Compliance - MAR 1-5, 2021
- RACF - Securing z/OS UNIX  - JAN 25-29, 2021
---

-Original Message-
Date:Thu, 31 Dec 2020 20:32:02 -0600
From:Jasi Grewal 
Subject: SMF Type65 - Determine who Deleted the Dataset

Hi, I have a situation where a user is requesting information on how his 
datasets got deleted.
We tried using SMF and then using RACFRW to generate a report, but it is not 
reporting on the dataset delete although it has all the other information.

Is there a tool available that one can use to read SMF type 65 and generate 
reports on dataset deletes?
Any information would be appreciated.
Thank you in advance,
Regards,
Jasi Grewal.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: RACF and ICHDEX01 Exit

2020-08-11 Thread Robert S. Hansel (RSH)
Hi Andy,   (cross-posted to IBM-MAIN and RACF-L)

I would strongly advise against implementing ICHDEX01 and retaining the masked 
passwords. If at some point you want to implement KDFAES encryption, which I 
recommend be your goal, having masked passwords will prevent you from doing so. 
You'll have to convert them to DES before you can go to KDFAES. Rather than 
implementing ICHDEX01, I suggest you convert the masked passwords to DES now 
and be done with it. You can do so either by resetting the passwords as you 
have done in a few cases or converting the existing masked passwords to DES 
using PWDCOPY.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
---
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - OCT 19-23, 2020
- RACF Level I Administration - DEC 7-11, 2020
- RACF Level II Administration - NOV 16-20, 2020
- RACF Level III Admin, Audit, & Compliance - NOV 2-6, 2020
- RACF - Securing z/OS UNIX  - SEPT 28 - OCT 2, 2020
---

-Original Message-
Date:Mon, 10 Aug 2020 15:08:18 +
From:"Pesce, Andy" 
Subject: RACF and ICHDEX01 Exit

Good morning everyone !

I am going to post this over in the RACF Listserv as well.  So, I am trying to 
go to z/OS 2.2 and I found this APAR OA49109.
I have a ton of accounts that were created many years ago that are not able to 
login to z/OS 2.2. Of course once I go and change the password on the account 
it works fine.  These accounts have not had their passwords changed since the 
late 90's. Anyone have a sample "ICHDEX01" or can point me to a sample of that 
exit? I want to be able to allow these old passwords that are still using the 
old encryption.   Thanks in advance.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: SMF record

2020-07-14 Thread Robert S. Hansel (RSH)
Hi Peter,

Try looking at the SMF 30, type 1, records, which you can process with RACF's 
SMF unload and which zSecure should also be able to report on.

There might be other events shown in SYSLOG immediately before and after the 
ICH408I message that give some clue as to its origins.

If JESINPUT and JESJOBS are active, look at associated Access Monitor records 
as they may provide further details.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
---
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - OCT 19-23, 2020
- RACF Level I Administration - DEC 7-11, 2020
- RACF Level II Administration - NOV 16-20, 2020
- RACF Level III Admin, Audit, & Compliance - NOV 2-6, 2020
- RACF - Securing z/OS UNIX  - SEPT 28 - OCT 2, 2020
---

-Original Message-
Date:Mon, 13 Jul 2020 22:27:53 +
From:"TenEyck, Peter" 
Subject: SMF record

What SMF record and report/tool could I use to determine the point of origin 
for this attempted logon?

M 008 ABCD 20180 07:40:36.85 JOB03275 0090  ICH408I USER(RACFID  ) 
GROUP() NAME(??? ) 395
E 395 0090LOGON/JOB INITIATION 
- USER AT TERMINAL  NOT RACF-DEFINED

//* Peter Ten Eyck
//* Senior Systems Programmer
//* American National
//

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
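Both this thread and the Unix permissions thread above come down to reading ICH408I messages before going to the SMF data. As an added example (not code from either post or from RSH), here is a parser that pulls ICH408I messages out of a hardcopy-log extract, joins their continuation lines, and keeps the fields you would take to the SMF 30 subtype 1 and SMF 80 records: the job id for a logon failure, and resource, class, profile, ACCESS INTENT and ACCESS ALLOWED for a resource violation. The first message in the sample is Peter's line, re-spaced; the DATASET violation, the $HASP373 line, and the hardcopy prefix layout (record type, routing code, system, Julian date, time, job id) are constructed assumptions.

```python
"""Extract ICH408I messages from a SYSLOG/hardcopy-log extract.

Added example. SAMPLE_LOG is constructed: the first message is the one from the
thread (re-spaced), the rest is made up. The prefix layout assumed for a
message's first line is: record type, routing code, system name, Julian date,
time, job id, then the message text; 'D'/'E' records continue the previous
message. Check those assumptions against your own log format.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
M 008 ABCD 20180 07:40:36.85 JOB03275 0090  ICH408I USER(RACFID  ) GROUP() NAME(??? ) 395
E 395 0090    LOGON/JOB INITIATION - USER AT TERMINAL  NOT RACF-DEFINED
N 008 ABCD 20180 07:41:02.11 TSU03301 0090  ICH408I USER(USER01  ) GROUP(GRP01   ) NAME(SAMPLE USER         ) 402
E 402 0090    SYS1.PARMLIB CL(DATASET ) VOL(SYSRES)
E 402 0090    INSUFFICIENT ACCESS AUTHORITY
E 402 0090    FROM SYS1.** (G)
E 402 0090    ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
N 008 ABCD 20180 07:41:30.00 STC00012 0090  $HASP373 PAGENT   STARTED
"""

HEADER_RE = re.compile(
    r"USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)\s+NAME\((?P<name>[^)]*)\)")
INTENT_RE = re.compile(
    r"ACCESS INTENT\((?P<intent>[^)]*)\)\s+ACCESS ALLOWED\((?P<allowed>[^)]*)\)")
RESOURCE_RE = re.compile(r"^(?P<resource>\S+)\s+CL\((?P<cls>[^)]*)\)")
PROFILE_RE = re.compile(r"^FROM\s+(?P<profile>\S+)")


@dataclass
class Ich408i:
    date: str
    time: str
    jobid: str            # key for the matching SMF 30 subtype 1 record
    user: str
    group: str
    kind: str = ""        # "logon" (LOGON/JOB INITIATION) or "access"
    reason: str = ""      # logon failures: text after "LOGON/JOB INITIATION -"
    resource: str = ""
    cls: str = ""
    profile: str = ""
    intent: str = ""
    allowed: str = ""


def _squash(s):
    return " ".join(s.split())


def _apply_detail(ev, text):
    """Fold one continuation line into the event it belongs to."""
    text = text.strip()
    if text.startswith("LOGON/JOB INITIATION"):
        ev.kind = "logon"
        ev.reason = _squash(text.split("-", 1)[1]) if "-" in text else ""
        return
    m = INTENT_RE.search(text)
    if m:
        ev.kind = "access"
        ev.intent, ev.allowed = m["intent"].strip(), m["allowed"].strip()
        return
    m = PROFILE_RE.match(text)
    if m:
        ev.profile = m["profile"]
        return
    m = RESOURCE_RE.match(text)
    if m and not ev.resource:
        ev.resource, ev.cls = m["resource"], m["cls"].strip()


def parse_ich408i(log_text):
    """Return one Ich408i per message; other messages are skipped."""
    events, current = [], None
    for line in log_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] in ("D", "E"):               # continuation record
            if current is not None:
                _apply_detail(current, " ".join(tokens[3:]))
            continue
        current = None                            # any other record starts anew
        if "ICH408I" not in line:
            continue
        m = HEADER_RE.search(line.split("ICH408I", 1)[1])
        if not m:
            continue
        current = Ich408i(date=tokens[3], time=tokens[4], jobid=tokens[5],
                          user=m["user"].strip(), group=m["group"].strip())
        events.append(current)
    return events


def smf30_lookup_keys(events):
    """(date, jobid) pairs to pull from SMF 30 subtype 1, as Bob suggests, for
    logon/job-initiation failures whose point of origin is unknown."""
    return sorted({(e.date, e.jobid) for e in events if e.kind == "logon"})


if __name__ == "__main__":
    for ev in parse_ich408i(SAMPLE_LOG):
        print(ev)
    print("SMF 30 keys:", smf30_lookup_keys(parse_ich408i(SAMPLE_LOG)))
```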


Re: Confirm or deny existence of old masking password?

2020-07-11 Thread Robert S. Hansel (RSH)
Hi Dave,

This is most likely a masked password. If you know the password, simply reset 
the password for the ID to the same value. This will DES-encrypt it.

Alternatively, make the ID PROTECTED, remove the password from the JOB card, 
and permit the Started Task SURROGAT access to ID to submit it without a 
password.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
---
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - OCT 19-23, 2020
- RACF Level I Administration - DEC 7-11, 2020
- RACF Level II Administration - NOV 16-20, 2020
- RACF Level III Admin, Audit, & Compliance - NOV 2-6, 2020
- RACF - Securing z/OS UNIX  - SEPT 28 - OCT 2, 2020
---

-Original Message-
Date:Fri, 10 Jul 2020 20:33:53 +
From:"Gibney, Dave" 
Subject: Confirm or deny  existence of old masking password?

  I believed that all our passwords were at least DES. Recently upgraded sandbox 
z/OS 2.1 to z/OS 2.3. Now getting:
IRR013I  VERIFICATION FAILED. INVALID PASSWORD GIVEN.
For a job submitted via an STC with userid and password on the JOB card. Works 
fine in z/OS 2.1.

Is there some way I can confirm that z/OS 2.3 is failing this because the 
password is still a "masking" password?

Cross-posted RACF-L and IBM-MAIN

Dave Gibney
Information Technology Services
Washington State University

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: JESSPOOL

2020-03-13 Thread Robert S. Hansel (RSH)
Hi Bill,

In general, users automatically get full ALTER access to their own output, so I 
doubt JESSPOOL is the issue. If they are attempting to delete output from 
within SDSF, they also need access to SDSF panels and operator commands. These 
are controlled by RACF profiles in the SDSF, GSDSF, and OPERCMDS classes, or if 
they are not protected by RACF, then by SDSF's ISFPARMS.

You can use SDSF's SECTRACE to help debug the problem. Have a user execute SET 
SECTRACE ON or WTP at the SDSF command line (ON sends the results to ULOG; WTP 
to SYSLOG). Have the user attempt to delete output. Then, assuming they 
specified ON, have the user execute the ULOG command to see the RACF calls and 
their results. This assumes the user has authority to use ULOG - SDSF class 
resource ISFCMD.ODSP.ULOG.jesname or the ISFPARMS equivalent.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
---
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - OCT 19-23, 2020
- RACF Level I Administration - APR 27 - MAY 1, 2020
- RACF Level II Administration - APR 6-10, 2020
- RACF Level III Admin, Audit, & Compliance - NOV 2-6, 2020
- RACF - Securing z/OS UNIX  - SEPT 28 - OCT 2, 2020
---

-Original Message-
Date:Thu, 12 Mar 2020 20:09:24 +
From:Bill Johnson 
Subject: JESSPOOL

I’m not a RACF expert and need help giving a user the ability to delete their 
own SDSF output. Not really sure why they don’t have it. Not my setup. Is it an 
easy 1 command fix or more complex?
Thanks

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Restrict users to Purge Jobs in TSO

2020-02-19 Thread Robert S. Hansel (RSH)
Hi Gilson,

If the CONSOLE class is active, you can use conditional access permissions to 
limit users to cancelling jobs but only from within SDSF. This works in 
combination with JESSPOOL profiles, and a user requires ALTER access to the 
JESSPOOL profile for a job to cancel it.

PERMIT JES2.CANCEL.BAT CLASS(OPERCMDS) ID(*) ACCESS(UPDATE) WHEN(CONSOLE(SDSF))

Users will always be allowed full ALTER access to their own output regardless 
of what the JESSPOOL profiles allow. You can use the Global Access Table to 
grant this access more efficiently.

RDEFINE GLOBAL  JESSPOOL ADDMEM(*.**/ALTER)
SETROPTS GLOBAL(JESSPOOL)

If the CONSOLE class is not active and you want to activate it to use this 
capability, you must activate it with care as it is a default return code 8 
class (no profile = no access). You could do the following.

SETROPTS GENERIC(OPERCMDS)
RDEFINE CONSOLE ** UACC(READ)   <- Optionally add AUDIT(ALL) for future remediation
SETROPTS CLASSACT(CONSOLE)
SETROPTS RACLIST(CONSOLE)   <- Optional, but recommended for performance


Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
---
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - OCT 19-23, 2020
- RACF Level I Administration - APR 27 - MAY 1, 2020
- RACF Level II Administration - APR 6-10, 2020
- RACF Level III Admin, Audit, & Compliance - NOV 2-6, 2020
- RACF - Securing z/OS UNIX  - SEPT 28 - OCT 2, 2020
---

-Original Message-
Date:Tue, 18 Feb 2020 06:56:22 -0600
From:Gilson Cesar de Oliveira 
Subject: Restrict users to Purge Jobs in TSO

Hello:

  Does anyone know how to restrict the option to purge sysouts in JES2 Spool 
through TSO (SDSF) but only the jobs which the user is the owner?

 We have profiles in OPERCMDS class like JES2.CANCEL.BAT and we would like to 
restrict the purge option only for sysouts generated by userA. UserB should not 
have the permission to purge jobs from UserA.


  Thanks in advance for any help.

  Regards,

  Gilson Cesar



Re: Rexx or similar to clone a RACF user?

2020-01-28 Thread Robert S. Hansel (RSH)
Ituriel,

Very clever. However, I recommend using the 0203 record for group connections 
instead of the 0102 record. If the user is connected to a UNIVERSAL group, 
there won't be a 0102 record unless the user has an authority greater than USE.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
---
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - MAR 23-27, 2020
- RACF Level I Administration - APR 27 - MAY 1, 2020
- RACF Level II Administration - APR 6-10, 2020
- RACF Level III Admin, Audit, & Compliance - MAR 9-13, 2020
- RACF - Securing z/OS UNIX  - FEB 10-14, 2020
---

-Original Message-
Date:Mon, 27 Jan 2020 17:39:29 +
From:ITURIEL DO NASCIMENTO NETO 
Subject: RES: Rexx or similar to clone a RACF user?

Hi,

In the past I've developed a small ICETOOL job that uses output from IRRDBU00 to 
clone a USERID.
Here follows the JCL:

//TSL1USER JOB (),CLASS=S,MSGCLASS=T,MSGLEVEL=(1,1),
// COND=(0,NE),
// REGION=0M,NOTIFY=
//*
//*CLONE RACF USERID
//*
//*CHANGE "USERID" TO YOUR USERID TO BE COPIED
//*
//   EXEC RACFCLON,DBU=AT.UNLOAD.RACF
//SEPARA.SYSIN  DD   *
  OPTION COPY,VLSHRT,SPANINC=RC0
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0200',AND,
  010,8,CH,EQ,C'USERID'),FILES=1,
  CONVERT,OUTREC=(5,300),VLFILL=C' '
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0220',AND,
  010,8,CH,EQ,C'USERID'),FILES=2,
  CONVERT,OUTREC=(5,300),VLFILL=C' '
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0270',AND,
  010,8,CH,EQ,C'USERID'),FILES=3,
  CONVERT,OUTREC=(5,1100),VLFILL=C' '
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0102',AND,
  019,8,CH,EQ,C'USERID'),FILES=4,
  CONVERT,OUTREC=(5,300),VLFILL=C' '
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0404',AND,
  062,8,CH,EQ,C'USERID'),FILES=5,
  CONVERT,OUTREC=(5,300),VLFILL=C' '
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0505',AND,
  266,8,CH,EQ,C'USERID'),FILES=6,
  CONVERT,OUTREC=(5,300),VLFILL=C' '


//RACFCLON  PROC DBU=
//*
//*FILTER RECORDS
//*
//SEPARA   EXEC PGM=SORT
//SYSOUT   DD   DUMMY
//SORTIN   DD   DSN=&DBU,DISP=SHR
//SORTOF1  DD   DSN=&,DISP=(,PASS),
//  UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//SORTOF2  DD   DSN=&,DISP=(,PASS),
//  UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//SORTOF3  DD   DSN=&,DISP=(,PASS),
//  UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//SORTOF4  DD   DSN=&,DISP=(,PASS),
//  UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//SORTOF5  DD   DSN=&,DISP=(,PASS),
//  UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//SORTOF6  DD   DSN=&,DISP=(,PASS),
//  UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//*
//ADDUSER  EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTFIL  OUTREC=(C' ADDUSER ',
  06,8,C' OWNER(',26,8,C') DFLTGRP(',096,8,C')   + ',
  /,
  C' PASSWORD(',06,8,C') ',
  C'NAME(''',75,20,C''')')
  END
//*
//ALTUTSO  EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTFIL  OUTREC=(C' ALTUSER ',
  06,8,C' TSO(PROC(',150,8,C')) ',
  C' ACCTNUM(',15,8,C') + ',
  /,
  C' SIZE(',159,8,C') ',
  C' MAXSIZE(',172,10,C') ',
  C' UNIT(',205,8,C') )')
  END
//*
//ALTUOMVS EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTREC  FIELDS=(C' ALTUSER ',
  06,8,C' OMVS(UID(',15,10,C') ',
  C' HOME(',26,10,C') ',
  C' PROGRAM(',1050,8,C') )')
  END
//*
//CONNECT  EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTREC  FIELDS=(C' CONNECT ',
  15,8,C'GROUP(',06,8,C') ',
  C'OWNER(',06,8,C') ',
  C'AUTHORITY(',24,8,C') ')
  END
//*
//PERMIT   EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTFIL  OUTREC=(C' PERMIT ',
  C' ',6,44,C'   GEN + ',
  /,
  C' CLASS(DATASET ) ',
  C'ID(',58,8,C') ',
  C'ACCESS(',67,8,C') ')
  END
//*
//PERMIT   EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTFIL  OUTREC=(C' PERMIT ',
  C' ',6,44,C'   + ',
   

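Bob's caveat above (use the user's own 0203 group-connection records rather than the group's 0102 member records, because a USE connection to a UNIVERSAL group has no 0102 record) worked through as an added Python example. This is not code from Ituriel's job or from RSH; the column positions are taken from the published IRRDBU00 record layouts and should be verified against your release's documentation, and the sample records are constructed.

```python
from typing import Dict, List, Tuple

# Column positions (1-based, after the RDW is stripped, as the CONVERT step in
# the posted JCL does). They follow the published IRRDBU00 record layouts;
# treat them as assumptions and verify against the RACF Macros and Interfaces
# manual for your release.
#   every record : record type in columns 1-4
#   0102         : group name 6-13, member user ID 15-22, group authority 24-31
#   0203         : user ID 6-13, group name 15-22 (no authority field)


def field(rec_text: str, start: int, length: int) -> str:
    """Blank-trimmed fixed-column field starting at 1-based column `start`."""
    return rec_text[start - 1:start - 1 + length].strip()


def parse_unload(lines: List[str]) -> List[Tuple[str, str]]:
    """Pair each non-blank unload record with its four-character record type."""
    return [(field(r, 1, 4), r) for r in lines if r.strip()]


def connects_from_0102(records: List[Tuple[str, str]], userid: str) -> Dict[str, str]:
    """What the posted JCL does: read the group-member (0102) records. A USE
    connection to a UNIVERSAL group has no 0102 record, so it is missed here."""
    out: Dict[str, str] = {}
    for rtype, r in records:
        if rtype == "0102" and field(r, 15, 8) == userid:
            out[field(r, 6, 8)] = field(r, 24, 8)
    return out


def connects_from_0203(records: List[Tuple[str, str]], userid: str) -> Dict[str, str]:
    """Bob's recommendation: enumerate the user's own 0203 records so every
    connection is seen. The authority comes from the 0102 record when one
    exists; when it does not, the connection can only be USE."""
    authority = connects_from_0102(records, userid)
    out: Dict[str, str] = {}
    for rtype, r in records:
        if rtype == "0203" and field(r, 6, 8) == userid:
            group = field(r, 15, 8)
            out[group] = authority.get(group, "USE")
    return out


def build_connect_commands(lines: List[str], userid: str, new_userid: str) -> List[str]:
    """One CONNECT per group, in the shape the posted CONNECT step emits,
    but issued for the clone (new_userid) rather than the source user."""
    records = parse_unload(lines)
    return [
        f"CONNECT {new_userid} GROUP({grp}) OWNER({grp}) AUTHORITY({auth})"
        for grp, auth in connects_from_0203(records, userid).items()
    ]


def rec(rtype: str, *fields: str) -> str:
    """Build a constructed unload record: 4-char type, then 8-char fields
    separated by one blank, which lands them in columns 6-13, 15-22, 24-31."""
    return rtype + " " + " ".join(f"{f:<8}" for f in fields)


# Constructed sample unload (not real RACF data). USERID is a USE member of
# UNIVGRP, a UNIVERSAL group, so that connection has a 0203 record but no 0102.
SAMPLE_UNLOAD = [
    rec("0200", "USERID"),                       # user basic data, not used here
    rec("0203", "USERID", "PAYROLL"),
    rec("0203", "USERID", "UNIVGRP"),
    rec("0203", "OTHERUSR", "PAYROLL"),
    rec("0102", "PAYROLL", "USERID", "CONNECT"),
    rec("0102", "PAYROLL", "OTHERUSR", "USE"),
]

if __name__ == "__main__":
    recs = parse_unload(SAMPLE_UNLOAD)
    print("0102 only :", connects_from_0102(recs, "USERID"))   # UNIVGRP missing
    print("0203 first:", connects_from_0203(recs, "USERID"))   # both groups
    for cmd in build_connect_commands(SAMPLE_UNLOAD, "USERID", "NEWUSER"):
        print(cmd)
```
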
Re: RACEOUTE REQUEST=RESUME ?

2019-12-18 Thread Robert S. Hansel (RSH)
Paul,

Is there a reason this has to be done in Assembler? Using TSO batch, you could 
simply execute the command: ALTUSER userid RESUME

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
---
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - MAR 23-27, 2020
- RACF Level I Administration - APR 27 - MAY 1, 2020
- RACF Level II Administration - APR 6-10, 2020
- RACF Level III Admin, Audit, & Compliance - MAR 9-13, 2020
- RACF - Securing z/OS UNIX  - FEB 10-14, 2020
---

-Original Message-
Date:Tue, 17 Dec 2019 21:39:01 GMT
From:"esst...@juno.com" 
Subject: RACEOUTE REQUEST=RESUME ?

Hello. I'm not a RACF person.

I am looking at the RACROUTE macro, and don't see a RACROUTE REQUEST=RESUME 
option.

I would like to resume an end-user's password by submitting a job.
Can this be accomplished by using RACROUTE macros or another Assembler 
interface?

Any examples would be appreciated.

Paul D'Angelo



Re: Tracing RACF?

2019-10-02 Thread Robert S. Hansel (RSH)
Sean,

Deleting datasets from non-SMS managed volumes without dataset access authority 
(assuming the datasets are protected by DATASET profiles to which the users do 
not have ALTER access) may be DASDVOL authorization. See if your users have 
ALTER access to DASDVOL profiles corresponding to your DASD volsers. DASDVOL 
also honors OPERATIONS authority, so ensure the non-admin users don't have this 
authority.

See article "RACF SMF Tidbits" in the July 2016 edition of our RACF Tip 
newsletter.

https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__July_2016.pdf


Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Tue, 1 Oct 2019 11:10:21 +0100
From:Sean Gleann 
Subject: Re: Tracing RACF?

Joao: yes, I have tried that, but it really doesn't give the information
that I want - I can see the monitored user creating and deleting file, but
I don't see anything about the RACF profiles that were used.

Having said that, I have managed to move things along.
The situation I now have is that an 'ordinary' user of my system(s) - as
opposed to an 'administrator' user (there are three of us at this site) -
cannot update the MCAT, so creating files that do not have the user's id as
the first qualifier is now impossible.
'Administrators', on the other hand, can create and delete files at will.
All of which is OK as far as I'm concerned.

But (there's always a 'but'...)
If an admin user creates a file named 'TEST' (for instance), the file is
not covered by my SMS rules, and so it gets placed on one of the 5
non-SMS-controlled disks that my PARMLIB(VATLSTxx) member identifies as
being mounted 'PRIVATE'. I'd rather that didn't happen, but we're talking
about an 'admin'-type user here, and they're supposed to know what they're
doing, so things are OK up to this point.
But now it appears that a non-admin user can delete the file, but not
uncatalog it. The file disappears from the selected disk's VTOC, but the
MCAT entry remains since the user is not allowed to update the MCAT. If
this is allowed to continue I'll end up with an MCAT full of orphan entries.

As I say, I've managed to move things along a bit, so my original query
about 'Tracing RACF' is no longer an issue.
Right now, I'm trying to improve my system's security so that users can
create/delete their own files, but cannot do that to anyone else's, nor to
files that are not covered by SMS.

Regards
Sean



On Tue, 1 Oct 2019 at 04:24, Jon Perryman  wrote:

>  On Wednesday, September 25, 2019, 07:34:05 AM PDT, Allan Staller <
> allan.stal...@hcl.com> wrote:
>
>  > That is not considered a good practice in RACF circles. The best
> practice would be:
>
> > MCAT  - UACC(NONE) READ(*)  ALTER(sysprogs) (note: No update access
> except via sysprogs)
>
> Any system where the master catalog is not tightly controlled is at great
> risk and could become unusable. Any user can delete any alias in this
> environment. Potentially DB2, CICS, IMS or any number of important aliases
> could be lost.
>
> It's been many years since I've done anything with security. I believe at
> that time, IDCAMS DELETE NOSCRATCH for non-sms datasets was not controlled
> because it was only catalog services and no actual I/O was occurring. Has
> this problem been fixed? If not, then anyone can uncatalog sys1.linklib or
> sys1.lpalib thus causing the IPL to fail.
>
> Why aren't aliases created at the same time as the User? Additionally,
> data is out of control on your system. The RACF admin has not reviewed the
> security implication for aliases.
>
> Jon.
>



Re: Tracing RACF?

2019-09-26 Thread Robert S. Hansel (RSH)
Allan,

Replacing UACC with ID(*) access is not best practice in every case. If, as Tom 
suggested, you put entries in the Global Access Table (GAT) for the catalogs, 
as I too would recommend, such entries allow the equivalent of UACC access. To 
ensure consistency, I prefer to set profile UACCs to match the access granted 
by corresponding GAT entries.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Wed, 25 Sep 2019 14:33:40 +
From:Allan Staller 
Subject: Re: Tracing RACF?

That is not considered a good practice in RACF circles.
The best practice would be:

MCAT  - UACC(NONE) READ(*)   ALTER(sysprogs) (note: No update access except 
via sysprogs)
UCAT - UACC(NONE)  UPDATE(*)   ALTER(sysprogs)

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Conley
Sent: Wednesday, September 25, 2019 9:29 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Tracing RACF?

On 9/25/2019 9:57 AM, Joao Bentes wrote:
> Hi,
>
> If memory serves me right, as long as you have ALTER to the dataset,
> you need update to the catalog in order to create it, but you do not
> need any access to the catalog in order to delete it.
>
> Best Regards
>
>
> "Do the difficult things while they are easy and do the great things
> while they are small. A journey of a thousand miles must begin with a
> single step."
> Laozi
>
>
>
> From:   Sean Gleann 
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date:   2019-09-25 12:06
> Subject:[EXTERNAL] Tracing RACF?
> Sent by:IBM Mainframe Discussion List 
>
>
>
> Following a set of somewhat distressing events here, I discovered -
> the hard way - that our master catalog was poorly protected, and so I
> now have to fix it. The situation is that all users of the my system
> can create, read, write, update, delete files that are cataloged in the 
> MasterCat.
>
> The original intention was that each user-id is defined in the MCat as
> an alias that points to one of several User Catalogs, depending on the
> user's 'department' within the company. That way, user id 'X1' creates
> 'X1.TEST', and it gets cataloged in a UCAT.
>
> So far, so good.
>
> Now I've found that if 'X1' creates file 'TEST1', it gets cataloged in
> the MCAT. In order to prevent this, I've used existing information to
> act as a model for permit 'MASTERV.CATALOG' generic id(X1)
> access(read) and specified that.
>
> Now, if user X1 tries to create 'X1.TEST', the result is a RACF
> authorisation failure.
>
> Again, so far, so good
>
> Taking the test a bit further though, I've now found that user X1 is
> allowed to delete file 'TEST1' from the MCat!
>
> My conclusion so far is that X1 must be getting the required access
> rights from another user id/group/etc, but I can't see anything
> apposite in any examination I do of the RACF rules (I use output from
> the DBSYNC Rexx procedure for this).
>
>
> So... Can anyone spot my error and suggest a different 'permit'
> command, please?
> Alternatively, I looked at the idea of tracing RACF activity on behalf
> of a specific user with SET TRACE(USERID(X1)) - but I can't see where
> generated output goes to nor how to interrogate it. I *have* seen
> mention of using GTF for this purpose, along with IPCS, but my
> experience with both those tools is so limited that I didn't look much
> further in those references - skipped on past them, looking for other
> possibilities but not finding any.
>
> Any help gratefully appreciated
> Sean
>

If you're the owner of the dataset, you will get the authority to delete the 
catalog entry.  You should have your master cat set up with
UACC(READ) and all your usercats with UACC(UPDATE).  Put them in the global 
access table for a nice performance boost.  Only allow update and alter to the 
master cat and alter for usercats to your catalog administrators.  Good luck.

Regards,
Tom Conley



RSH Consulting - RACF Survey - June 2019 - Performance - ERV

2019-07-21 Thread Robert S. Hansel (RSH)
Greetings all,

Those of you who do not participate in RACF-L and are not familiar with
RSH's monthly RACF surveys might be interested in the results of our most
recent survey on PARMLIB(IEAOPTxx) ERV Enqueue Residency parameter settings,
since it affects more than just RACF.

The results of our survey have been posted to our website. Go to the "RACF
Center" webpage, click on "RSH RACF Surveys", and then click on the survey
link itself. Many thanks to the 39 individuals who participated.

www.rshconsulting.com


Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com



Re: Can backup mechanisms be used to steal RACF database? was Re: mainframe hacking "success stories"?

2019-05-14 Thread Robert S. Hansel (RSH)
Clark,

The answer to your original question is 'yes'. With regard to FDR, see the 
following article in our RACF Tips newsletter.

https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__January_2008.pdf


Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
-
Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - SEPT 23-27, 2019
- RACF Level I Administration - DEC 9-13, 2019
- RACF Level II Administration - NOV 18-22, 2019
- RACF Level III Admin, Audit, & Compliance - NOV 4-8, 2019
- RACF - Securing z/OS UNIX  - SEPT 9-13, 2019
-


-Original Message-
Date:Tue, 7 May 2019 09:26:58 -0300
From:Clark Morris 
Subject: Can backup mechanisms be used to steal RACF database? was Re: 
mainframe hacking "success stories"?

[Default] On 6 May 2019 20:10:27 -0700, in bit.listserv.ibm-main
0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:

>In most shops only 2 people have the required access to the RACF database. 
>
Could someone use DF/DSS, DF/HSM, FDR or FDR/ABR to copy the database
and then download the dump of the database?

Clark Morris
(snip)



Re: Dancing around RMM

2018-12-21 Thread Robert S. Hansel (RSH)
Skip,

Rather than trying to read the tapes, since you are discarding them, use 
EDGINERS to erase them.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Thu, 20 Dec 2018 19:36:13 +
From:Jesse 1 Robinson 
Subject: Re: Dancing around RMM

By way of update, after studying everyone's suggestions, I ran the job with 
this DD:

//TAPEIN   DD UNIT=(TAPECR,,DEFER), 
//   LABEL=(EXPDT=98000),   
//   VOL=SER=(nn),  
//   DISP=(OLD,KEEP)   

and got pretty much the same result:

IEF403I TAPEANAL - STARTED - TIME=14.37.42  
IEC501A M , nn,BLP,,TAPEANAL,FATAR  
 
EDG4020I VOLUME nn REJECTED BY INSTALLATION REJECT DEFINITIONS  
EDG4006E VOLUME nn ON  REJECTED FOR USE BY TAPEANAL, FATAR, TAPEIN, 
OPEN REQUEST FAILED BY DFSMSrmm  
IEC502E R ,, ,,TAPEANAL,FATAR   
IEC145I 413-08,IFG0194K,TAPEANAL,FATAR,TAPEIN,,,  015   
SYS18353.T143742.RA000.TAPEANAL.R0161338
IEA995I SYMPTOM DUMP OUTPUT  016
SYSTEM COMPLETION CODE=413  REASON CODE=0008
 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Allan Staller
Sent: Thursday, December 20, 2018 5:48 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Dancing around RMM

IIRC, there is some RACF work needed to support BLP.

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Jesse 1 Robinson
Sent: Wednesday, December 19, 2018 3:54 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Dancing around RMM

We want to discard some very old tapes after making sure there's nothing of 
value on them. When we run Innovation FATAR to analyze them, the jobs fail with 
messages like those below using JCL like this:

//TAPEIN   DD  UNIT=TAPECR,LABEL=(,BLP),
// DISP=OLD,VOL=SER=(nn)

There's a whole slew of STGADMIN profiles in FACILITY class that allow the user 
to get around 'irregularities', but we can't seem to find one that would allow 
this usage. The tapes are not defined to RMM. We just want to know what's on 
the tapes before the trash truck pulls out of the loading dock.

EDG4025I VOLUME nn REJECTED. READING OF SCRATCH VOLUMES OR VOLUMES OBTAINED 
WITH GETVOLUME IS NOT PERMITTED EDG4006E VOLUME nn ON  REJECTED FOR USE 
BY FATARAN1, FATAR, TAPEIN, OPEN REQUEST FAILED BY DFSMSrmm
IEC502E R ,, ,,FATARAN1,FATAR
IEC145I 413-08,IFG0194K,FATARAN1,FATAR,TAPEIN,,,
SYS18352.T164910.RA000.FATARAN1.R0140502

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office <= NEW
robin...@sce.com



Re: Strange JES2 SPOOL Offload issue

2018-09-14 Thread Robert S. Hansel (RSH)
Todd,

In RACF, if the WRITER class is active, is the UACC set to READ for the profile 
protecting resource jesname.LOCAL.OFF2.ST, where 'jesname' is the name of your 
JES subsystem?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - SEPT 10-14, 2018
- RACF Level I Administration - DEC 4-7, 2018
- RACF Level II Administration - NOV 5-9, 2018
- RACF Level III Admin, Audit, & Compliance - OCT 1-5, 2018
- RACF - Securing z/OS UNIX  - OCT 22-26, 2018


-Original Message-
Date:Thu, 13 Sep 2018 09:05:40 -0500
From:Todd Burrell 
Subject: Strange JES2 SPOOL Offload issue

I'm playing around with JES2 SPOOL OFFLOAD on our test system and I want to be 
able to try and offload everything from the spool to test out timing.  I have 
changed both of my transmitters to have DISP=KEEP to make the offload 
no-destructive.  

However, once I start the offload it does not select anything, and when I try 
and do $TOFF2.ST,WS=(/), JES2 just ignores this and keeps the same selection 
criteria I had before I did the command?   I have everything else pretty much 
blanked out for selection criteria, but for some reason JES2 ignores my $TOFF 
command to change the WS settings?  

Has anyone else every seen this just get ignored?  I don't see any automation 
grabbing this, nor do I see any RACF error messages.  The command just simply 
is being ignored by JES2?   

We are on z/OS 2.2 around RSU1802.  

Here's the $DOFF2.ST command output:

OFF2.ST  STATUS=INACTIVE,CREATOR=,DISP=KEEP,  
 OUTDISP=(WRITE,HOLD,KEEP),HOLD=, 
 JOBNAME=,NOTIFY=NO,RANGE=(J1,99),
 ROUTECDE=(),START=YES,VOLUME=(,,,),  
 WS=(OUTD,Q/),BURST=,FCB=,FLASH=, 
 FORMS=(,,,),LIMIT=(0,*),PLIM=(0, 
 *),PRMODE=(),QUEUE=,UCS=,WRITER= 

Here's the attempt at the $TOFF2.ST,WS=(/) command:

$TOFF2.ST,WS=(/) 
$HASP886 OFF2.ST 694 
$HASP886 OFF2.ST  STATUS=INACTIVE,CREATOR=,DISP=KEEP,
$HASP886  OUTDISP=(WRITE,HOLD,KEEP),HOLD=,   
$HASP886  JOBNAME=,NOTIFY=NO,RANGE=(J1,99),  
$HASP886  ROUTECDE=(),START=YES,VOLUME=(,,,),
$HASP886  WS=(OUTD,Q/),BURST=,FCB=,FLASH=,   
$HASP886  FORMS=(,,,),LIMIT=(0,*),PLIM=(0,   
$HASP886  *),PRMODE=(),QUEUE=,UCS=,WRITER=   

Anyone have any ideas?  This one is puzzling to me? 
Thanks



Re: Yet Another Mainframe z10 Bites the Dust!

2018-09-14 Thread Robert S. Hansel (RSH)
Todd,
Unfortunately, ERASE only works on DASD datasets. It doesn't do tapes, even 
virtual ones. Clever idea nonetheless.

George,
Does your tape management product or VTL hardware vendor provide utilities for 
this task?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - SEPT 10-14, 2018
- RACF Level I Administration - DEC 4-7, 2018
- RACF Level II Administration - NOV 5-9, 2018
- RACF Level III Admin, Audit, & Compliance - OCT 1-5, 2018
- RACF - Securing z/OS UNIX  - OCT 22-26, 2018


-Original Message-
Date:Thu, 13 Sep 2018 15:32:31 +
From:"Burrell, Todd" 
Subject: Re: Yet Another Mainframe z10 Bites the Dust!

Not sure if turning on ERASE on SCRATCH in RACF - and then deleting the 
datasets would work?  Just a thought? 


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of George Rodriguez
Sent: Thursday, September 13, 2018 11:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Yet Another Mainframe z10 Bites the Dust!

The School District of Palm Beach County is finally shutting down the IBM
z10 and all its components.

I was wondering if any member the listserve can help me with "wiping out"
out VTL. Any help will be greatly appreciated.

Thanks!

*George Rodriguez*

*Specialist II - IT Security*
*PX - 47652*
*(561) 357-7652 (office)*
*(954) 415-7586 (mobile)*
*School District of Palm Beach County*
*3348 Forest Hill Blvd.*
*Room B-332*
*West Palm Beach, FL. 33406-5869*
*Florida's Only A-Rated Urban District*



Re: Filemanager and security

2018-04-17 Thread Robert S. Hansel (RSH)
Hi Rex,

It is beginning to appear as if it is WAD. You might try putting UAUDIT on 
your ID and accessing a tape using FM to see if any other profiles are being 
checked that could provide a control point. Do you have a full set of CA-1 
profiles with external security turned on?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
https://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Mon, 16 Apr 2018 18:22:32 +
From:"Pommier, Rex" <rpomm...@sfgmembers.com>
Subject: Re: [External] Re: Filemanager and security

Hi Bob,

Sorry for the delay.  RACF is showing "TAPE DATA SET PROTECTION IS ACTIVE" .  
CA-1 won't allow me to browse the tape using FM if I shrink the DSN or change 
it to something other than what is recorded in TMS.  ICHBLP is defined with 
UACC(NONE) and no users in the access list.  

Thanks,

Rex

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Robert S. Hansel (RSH)
Sent: Friday, April 13, 2018 5:30 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [External] Re: Filemanager and security

Hi Rex,

How have you activated tape protection in your environment - SETROPTS, 
PARMLIB(DEVSUPxx), or a Tape Management product option? What Tape Management 
product do you have?

Not that this may matter, but does your ID have READ access to FACILITY ICHBLP 
or your Tape Management product's equivalent? If it does, have you tried the 
function with an ID that does not have this access?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
https://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Thu, 12 Apr 2018 13:08:16 +
From:"Pommier, Rex" <rpomm...@sfgmembers.com>
Subject: Re: [External] Re: Filemanager and security

Hi Kolusu,

Unfortunately that doesn't do it.  According to the FileManager documentation - 
which I verified on my system - granting any kind of access (read, update, 
alter, it doesn't matter) either grants you access to the function or denies it 
(access=none).  For example, if I grant READ access to FILEM.TAPE.OUTPUT, I 
have access to update tapes.  Likewise if I grant ALTER access to 
FILEM.TAPE.INPUT, all that gives me access to is tape browse type functions 
like tape browse and tape label display.  These are just toggles to the 
function within FileManager.  The problem that I am running into is that for 
example, if I have 2 production datasets on tape, one with GL information and 
the other with the payroll information on it, and I need to grant an accountant 
access to the GL information but not the payroll, it appears that I can't.  It 
looks like FileManager doesn't check dataset level access.  Once I grant access 
to FILEM.TAPE.INPUT, a user can browse data on any tape on the system, 
regardless of whether they have access at a dataset level or not.  

I'm hoping I just have something set wrong, but I can't seem to get FileManager 
to look at dataset level RACF protection on tapes.  As I mentioned earlier, I 
have a mixed GDG, with some generations on disk and others on tape.  If I grant 
an ID access to the TB function, whether through FILEM.FUNCTION.TB or through 
the grouping profile FILEM.TAPE.INPUT, I can look at the data on the tape, even 
though I can't look at the other generation that's on disk through FileManager. 
 

Test I just reran this morning.  GDG with 5 generations, 4 on disk, 1 on tape.  

ISPF edit on one of the disk based generations I got RACF security violation, ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
Filemanager option 2 edit on the same generation as ISPF:  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
Filemanager option 4.1, Tape Browse: FILEM.FUNCTION.TB CL(FACILITY) ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
Change FILEM.FUNCTION.TB to give me READ access to the FACILITY profile
Filemanager option 4.1:  I got access to browse the data
Filemanager option 2 with the tape generation: I got access.

Looks like it's time for a question to IBM FM folks to see if this is WAD.  In 
my mind, this is a security hole.

Rex

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Sri h Kolusu
Sent: Monday, April 09, 2018 4:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [External] Re: Filemanager and security

Pommier Rex,

I believe you need to update the following functions


FILEM.TAPE.INPUT - Tape input functions
FILEM.TAPE.OUTPUT - Tape output functions
FILEM.TAPE.DUPLICATE - Tape copy functions
FILEM.TAPE.UPDATE - Tape update functions

If you are only allowing browse function of the tape dataset then you need
to do something like this


PERMIT FILEM.TAPE.INT

Re: Filemanager and security

2018-04-13 Thread Robert S. Hansel (RSH)
Hi Rex,

How have you activated tape protection in your environment - SETROPTS, 
PARMLIB(DEVSUPxx), or a Tape Management product option? What Tape Management 
product do you have?

Not that this may matter, but does your ID have READ access to FACILITY ICHBLP 
or your Tape Management product's equivalent? If it does, have you tried the 
function with an ID that does not have this access?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
https://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Thu, 12 Apr 2018 13:08:16 +
From:"Pommier, Rex" 
Subject: Re: [External] Re: Filemanager and security

Hi Kolusu,

Unfortunately that doesn't do it.  According to the FileManager documentation - 
which I verified on my system - granting any kind of access (read, update, 
alter, it doesn't matter) either grants you access to the function or denies it 
(access=none).  For example, if I grant READ access to FILEM.TAPE.OUTPUT, I 
have access to update tapes.  Likewise if I grant ALTER access to 
FILEM.TAPE.INPUT, all that gives me access to is tape browse type functions 
like tape browse and tape label display.  These are just toggles to the 
function within FileManager.  The problem that I am running into is that for 
example, if I have 2 production datasets on tape, one with GL information and 
the other with the payroll information on it, and I need to grant an accountant 
access to the GL information but not the payroll, it appears that I can't.  It 
looks like FileManager doesn't check dataset level access.  Once I grant access 
to FILEM.TAPE.INPUT, a user can browse data on any tape on the system, 
regardless of whether they have access at a dataset level or not.  

I'm hoping I just have something set wrong, but I can't seem to get FileManager 
to look at dataset level RACF protection on tapes.  As I mentioned earlier, I 
have a mixed GDG, with some generations on disk and others on tape.  If I grant 
an ID access to the TB function, whether through FILEM.FUNCTION.TB or through 
the grouping profile FILEM.TAPE.INPUT, I can look at the data on the tape, even 
though I can't look at the other generation that's on disk through FileManager. 
 

Test I just reran this morning.  GDG with 5 generations, 4 on disk, 1 on tape.  

ISPF edit on one of the disk based generations I got RACF security violation, 
ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
Filemanager option 2 edit on the same generation as ISPF:  ACCESS INTENT(READ   
)  ACCESS ALLOWED(NONE   )
Filemanager option 4.1, Tape Browse: FILEM.FUNCTION.TB CL(FACILITY)ACCESS 
INTENT(READ   )  ACCESS ALLOWED(NONE   )
Change FILEM.FUNCTION.TB to give me READ access to the FACILITY profile
Filemanager option 4.1:  I got access to browse the data
Filemanager option 2 with the tape generation: I got access.

Looks like it's time for a question to IBM FM folks to see if this is WAD.  In 
my mind, this is a security hole.

Rex

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Sri h Kolusu
Sent: Monday, April 09, 2018 4:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [External] Re: Filemanager and security

Pommier Rex,

I believe you need to update the following functions


FILEM.TAPE.INPUT
Tape input functions
FILEM.TAPE.OUTPUT
Tape output functions
FILEM.TAPE.DUPLICATE
Tape copy functions
FILEM.TAPE.UPDATE
Tape update functions

If you are only allowing browse function of the tape dataset then you need
to do something like this


PERMIT FILEM.TAPE.INPUT CLASS(FACILITY) ID(userid) ACCESS(READ)

Check this link which explains in detail about the function

https://www.ibm.com/support/knowledgecenter/en/SSXJAV_13.1.0/com.ibm.filemanager.doc_13.1/cust/secracf.html

Thanks,
Kolusu

IBM Mainframe Discussion List  wrote on
04/09/2018 12:10:19 PM:

> From: "Pommier, Rex" 
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 04/09/2018 12:11 PM
> Subject: Filemanager and security
> Sent by: IBM Mainframe Discussion List 
>
> Hello list,
>
> I've been poring through the FileManager manuals and either am
> missing something or it doesn't exist regarding security.  We're
> running FM 13.1 under ISPF so non-APF authorized.  I needed to grant
> the capability for browsing tape datasets to a developer.  I did
> this granting READ access to FILEM.FUNCTION.TB.  This granted the
> access to the tape browse function.  However, it appears that
> FileManager bypasses dataset name SAF checking if the user has
> access to the TB function.  To wit: a particular GDG has a mix of
> tape and disk generations.  I specifically denied access to this GDG
> to my ID.  I get a RACF violation when trying to browse the disk
> based generation, but FileManager allows me to use 

Re: Problem with dataset authorization

2018-03-16 Thread Robert S. Hansel (RSH)
Hi Keith,

No REFRESH should be necessary. The developers are running batch jobs, and 
every job will get a fresh copy of the Generic dataset profiles.

Others raised the issue of Enhanced Generic Naming (EGN). It appears Ron's 
system has NOEGN. I don't believe this is a factor in this case as it has no 
effect on the behavior of a fully-qualified Generic dataset profile.

Regards, Bob

-Original Message-
Date:Thu, 15 Mar 2018 07:00:31 -0400
From:Keith Smith <keith.sm...@shawinc.com>
Subject: Re: Problem with dataset authorization

Replies are, of course, assuming that a REFRESH was done. If you are new to
RACF some changes require the "in memory" copy to be refreshed before the
change takes effect.

On Thu, Mar 15, 2018 at 6:05 AM, Robert S. Hansel (RSH) <
r.han...@rshconsulting.com> wrote:

> Hi Ron,
>
> Here are a couple of thoughts.
>
> When you created the profile MAC.JSF40.TEMP.JOBHIST, did you define it as
> a Discrete profile (protects a single dataset by this name on a specific
> VOLSER) or as a fully-qualified Generic profile (protects any dataset by
> this name on any VOLSER)? If the latter, a (G) will appear next to the
> profile when you list it. If it's a Discrete, try deleting and recreating
> it as a Generic. To do so, you'll need to add the keyword GENERIC to the
> ADDSD command.
>
> Are the developers attempting to access the dataset via a z/OS system that
> has a different RACF database than the one where you created the profile?
>
> Regards, Bob
>
> Robert S. Hansel
> Lead RACF Specialist
> RSH Consulting, Inc. *** Celebrating our 25th Year ***
> 617-969-8211
> www.linkedin.com/in/roberthansel
> https://twitter.com/RSH_RACF
> www.rshconsulting.com
> 
> 
> Upcoming RSH RACF Training - WebEx
> - RACF Audit & Compliance Roadmap - SEPT 10-14, 2018
> - RACF Level I Administration - APR 10-13, 2018 ** Date Change **
> - RACF Level II Administration - JUN 4-8, 2018
> - RACF Level III Admin, Audit, & Compliance - OCT 1-5, 2018
> - RACF - Securing z/OS UNIX  - APR 23-27, 2018
> 
> 
>
> -Original Message-
> Date:Wed, 14 Mar 2018 23:32:49 +
> From:"McCabe, Ron" <rmcc...@mutualofenumclaw.com>
> Subject: Problem with dataset authorization
>
> Hello List,
>
> I'm having a problem where one of my developers is getting "INSUFFICIENT
> ACCESS AUTHORITY" on a dataset that I have defined in RACF and the issue is
> that it is reporting on the generic definition.
>
> I have defined in RACF a generic dataset definition of MAC.* (this
> definition has a UACC of READ and only a couple of groups have update
> access), I also have defined a complete dataset name of
> MAC.JSF40.TEMP.JOBHIST (this definition has a UACC of READ and allows
> update access for my developers).  When my developers run a job that wants
> to update the MAC.JSF40.TEMP.JOBHIST dataset they get the "INSUFFICIENT
> ACCESS AUTHORITY" FROM MAC.* (G).
>
> Why isn't the system checking for the complete dataset which is the way I
> thought RACF was supposed to work?
>
> Thanks,
> Ron McCabe
> Mutual of Enumclaw
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
Keith Smith
Engineer-Enterprise Sys Sr.-IT Capacity & Performance
Shaw Industries Inc.
Subsidiary of Berkshire Hathaway
616 E Walnut Ave
Mail Drop 072-04
Dalton, GA 30721
Email: keith.sm...@shawinc.com  Office: 706.532.3244



Re: Problem with dataset authorization

2018-03-15 Thread Robert S. Hansel (RSH)
Hi Ron,

Here are a couple of thoughts.

When you created the profile MAC.JSF40.TEMP.JOBHIST, did you define it as a 
Discrete profile (protects a single dataset by this name on a specific VOLSER) 
or as a fully-qualified Generic profile (protects any dataset by this name on 
any VOLSER)? If the latter, a (G) will appear next to the profile when you list 
it. If it's a Discrete, try deleting and recreating it as a Generic. To do so, 
you'll need to add the keyword GENERIC to the ADDSD command.

Are the developers attempting to access the dataset via a z/OS system that has 
a different RACF database than the one where you created the profile?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
https://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - SEPT 10-14, 2018
- RACF Level I Administration - APR 10-13, 2018 ** Date Change **
- RACF Level II Administration - JUN 4-8, 2018
- RACF Level III Admin, Audit, & Compliance - OCT 1-5, 2018
- RACF - Securing z/OS UNIX  - APR 23-27, 2018


-Original Message-
Date:Wed, 14 Mar 2018 23:32:49 +
From:"McCabe, Ron" 
Subject: Problem with dataset authorization

Hello List,

I'm having a problem where one of my developers is getting "INSUFFICIENT ACCESS 
AUTHORITY" on a dataset that I have defined in RACF and the issue is that it is 
reporting on the generic definition.

I have defined in RACF a generic dataset definition of MAC.* (this definition 
has a UACC of READ and only a couple of groups have update access), I also have 
defined a complete dataset name of MAC.JSF40.TEMP.JOBHIST (this definition has 
a UACC of READ and allows update access for my developers).  When my developers 
run a job that wants to update the MAC.JSF40.TEMP.JOBHIST dataset they get the 
"INSUFFICIENT ACCESS AUTHORITY" FROM MAC.* (G).

Why isn't the system checking for the complete dataset which is the way I 
thought RACF was supposed to work?

Thanks,
Ron McCabe
Mutual of Enumclaw

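Added example (mine, not from the thread or from IBM): a simplified Python model of how RACF picks the DATASET profile for an access check, showing why a discrete MAC.JSF40.TEMP.JOBHIST tied to one volume lets a copy on another volume fall through to MAC.* (G), and why MAC.* covering a four-qualifier name points to NOEGN. The volume serials VOL001/VOL002, user DEV1 and group APPSUPP are constructed, and matching is reduced to qualifier-level wildcards.

```python
"""Simplified model of RACF DATASET profile selection (added example, not the
thread's or IBM's code).  Constructed values: VOL001/VOL002, user DEV1, groups
DEVS and APPSUPP.  Simplifications: only qualifier-level wildcards ('*' and,
under EGN, a trailing '**') are modelled; '%' and in-qualifier '*' are not."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class DatasetProfile:
    name: str
    generic: bool                                      # (G) profile or discrete
    uacc: str = "NONE"
    volsers: List[str] = field(default_factory=list)   # discrete profiles only
    permits: Dict[str, str] = field(default_factory=dict)  # id -> access level


def generic_matches(pattern: str, dsn: str, egn: bool) -> bool:
    """NOEGN: a trailing '*' covers one or more remaining qualifiers, so MAC.*
    covers MAC.JSF40.TEMP.JOBHIST.  EGN: '*' covers exactly one qualifier and
    only a trailing '**' covers any number."""
    pq, dq = pattern.split("."), dsn.split(".")
    for i, p in enumerate(pq):
        last = i == len(pq) - 1
        if last and egn and p == "**":
            return True
        if last and not egn and p == "*":
            return len(dq) > i
        if i >= len(dq) or (p != "*" and p != dq[i]):
            return False
    return len(dq) == len(pq)


def specificity(name: str) -> Tuple[int, ...]:
    """Sort key: at the first differing position a literal beats '*' beats '**'."""
    ranks = []
    for qual in name.split("."):
        rank = 2 if qual == "**" else 1 if qual == "*" else 0
        ranks.extend([rank] * max(len(qual), 1))
        ranks.append(0)                                # the '.' separator
    return tuple(ranks)


def find_profile(profiles: List[DatasetProfile], dsn: str, volser: str,
                 egn: bool) -> Optional[DatasetProfile]:
    """Discrete needs exact name AND volume; otherwise most specific generic."""
    for p in profiles:
        if not p.generic and p.name == dsn and volser in p.volsers:
            return p
    generics = [p for p in profiles
                if p.generic and generic_matches(p.name, dsn, egn)]
    return min(generics, key=lambda p: specificity(p.name), default=None)


def granted_access(profile: DatasetProfile, user: str, groups: List[str]) -> str:
    """User's own permit, else the highest group permit, else UACC."""
    if user in profile.permits:
        return profile.permits[user]
    group_levels = [profile.permits[g] for g in groups if g in profile.permits]
    if group_levels:
        return max(group_levels, key=ACCESS_ORDER.index)
    return profile.uacc


def ron_profiles(jobhist_generic: bool) -> List[DatasetProfile]:
    """The two profiles from the thread; a discrete JOBHIST is tied to VOL001."""
    return [
        DatasetProfile("MAC.*", generic=True, uacc="READ",
                       permits={"APPSUPP": "UPDATE"}),
        DatasetProfile("MAC.JSF40.TEMP.JOBHIST", generic=jobhist_generic,
                       uacc="READ",
                       volsers=[] if jobhist_generic else ["VOL001"],
                       permits={"DEVS": "UPDATE"}),
    ]


def update_check(volser: str, egn: bool, jobhist_generic: bool,
                 user: str = "DEV1", groups: Tuple[str, ...] = ("DEVS",)
                 ) -> Tuple[Optional[str], bool]:
    """Return (profile RACF would use, whether UPDATE is allowed)."""
    dsn = "MAC.JSF40.TEMP.JOBHIST"
    prof = find_profile(ron_profiles(jobhist_generic), dsn, volser, egn)
    if prof is None:
        return None, False              # unprotected; fails under PROTECTALL
    level = granted_access(prof, user, list(groups))
    return prof.name, ACCESS_ORDER.index(level) >= ACCESS_ORDER.index("UPDATE")


if __name__ == "__main__":
    # Thread symptom: discrete JOBHIST on VOL001, dataset on VOL002 -> MAC.* (G)
    print(update_check("VOL002", egn=False, jobhist_generic=False))
    # Dataset still on VOL001: the discrete profile applies and UPDATE works
    print(update_check("VOL001", egn=False, jobhist_generic=False))
    # Bob's fix: fully-qualified generic, the volume no longer matters
    print(update_check("VOL002", egn=False, jobhist_generic=True))
    # Under EGN, MAC.* would not cover a four-qualifier name at all (NOEGN clue)
    print(update_check("VOL002", egn=True, jobhist_generic=False))
```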


Re: Health Check JES_NJE_SECURITY

2018-03-02 Thread Robert S. Hansel (RSH)
Hi Skip,

If you define  and add the name of a node to it, JES will 'trust' and 
accept any job coming from that node and propagate the submitter's ID and group 
as is. Adding a node to  is the equivalent of creating NODES profiles 
of node.USERJ.* UACC(UPDATE), node.GROUPJ.* UACC(READ), and node.SECLJ.* 
UACC(READ). Note that NODES profiles are ignored for nodes listed in , 
so you can't do any submitting user or group translations using NODES profiles. 
 is very powerful, and nodes should only be defined to it that are 
under your control.

If a job is received from an  trusted node, and on the receiving system 
(a) the submitting user isn't defined, (b) the submitter's group isn't defined, 
or (c) the submitting user isn't connected to the group, the submitter is 
treated as an undefined user and the job may fail. This is why, as Walt 
indicated, you should only define nodes to  whose RACF databases are 
aligned for users, groups, and connects. For systems that aren't so aligned, 
don't include their nodes in  and use NODES profiles instead.

I recommend you define  in each of your RACF databases and in each such 
profile include only the nodes for the systems sharing that particular 
database. Do so even on standalone systems or Multi-Access Spool 
configurations. This will facilitate spool reloads.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
https://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - SEPT 10-14, 2018
- RACF Level I Administration - APR 10-13, 2018 ** Date Change **
- RACF Level II Administration - JUN 4-8, 2018
- RACF Level III Admin, Audit, & Compliance - OCT 1-5, 2018
- RACF - Securing z/OS UNIX  - APR 23-27, 2018


-Original Message-
Date:Wed, 28 Feb 2018 19:38:33 +
From:Jesse 1 Robinson 
Subject: Health Check JES_NJE_SECURITY

APAR OA49171 introduces a new health check called 

Date:Thu, 1 Mar 2018 03:14:36 +
From:Jesse 1 Robinson 
Subject: Re: Health Check JES_NJE_SECURITY

Ouch. I never saw Walt's proviso mentioned in the doc. Yes, these nodes are all 
totally under our control. However each node (sysplex) constitutes a different 
business environment supported by a different RACF data base. A person may have 
the same userid on sandbox and on production, but they do not necessarily have 
the same authority on both. Both represent the same person but not necessarily 
the same role. 

We need to reassess our goal here.

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Walt Farrell
Sent: Wednesday, February 28, 2018 5:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Health Check JES_NJE_SECURITY

On Wed, 28 Feb 2018 18:21:03 -0500, Tom Conley  
wrote:

>I ran these on 1/5/18 to fix this check:
>
>RDEFINE RACFVARS  UACC(NONE) OWNER() RALTER  
>RACFVARS  ADDMEM()  (add one for each
>node)
>SETROPTS CLASSACT(RACFVARS) RACLIST(RACFVARS)

You should be careful with that, Tom.  should only contain the names of 
nodes whose RACF databases are identical to each other, at least with respect 
to the users, groups, and user-group connections that are defined. Having a 
node listed in  will have a strong effect on security processing 
(mainly the propagation of submitter identity) for jobs submitted from that 
node to other nodes in your JES2 network.

--
Walt



Re: How to find what performed an OMVS unmount?

2017-12-29 Thread Robert S. Hansel (RSH)
Peter,

There are multiple RACF audit options that might come into play as discussed in 
our presentation on this topic. See (beware the line wrap):

http://www.rshconsulting.com/RSHpres/RSH_Consulting__RACF_Monitoring_&_Reporting__August_2017.pdf

Event Code 55 (UMNTFSYS) comes under Unix audit class FSOBJ.

Use caution in auditing Unix events because of the potential high volume of SMF 
records.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Thu, 28 Dec 2017 09:37:17 -0600
From:Peter Ten Eyck 
Subject: Re: How to find what performed an OMVS unmount?

Thanks for setting me straight on the difference between sub type and event 
code in the context of RACF. I will look into if there is a RACF unload for 
that time period and perhaps check with MXG about the handling of event codes 
as opposed to sub types.

You mentioned RACF auditing options that would control which RACF event codes 
are cut? Where is that controlled?



Re: How to find what performed an OMVS unmount?

2017-12-28 Thread Robert S. Hansel (RSH)
Peter,

The type 80 record doesn't have subtypes. 55 is an event code, and event code 
is a field in the 80 record. I do not know if MXG is aware of and can select 
records based on type 80 event codes. If your RACF team converts SMF 80 records 
to text format using RACF's SMF unload utility, you can try searching the 
unload file for UMNTFSYS events - the text equivalent of event code 55.

Various RACF auditing options determine whether such an event would be logged, 
and such options may not have been in effect when the event occurred, hence no 
record.

Since the NOTYPE ranges do not exclude 80 records, you are correct that they 
are being collected. Also look for SUBSYS settings that might be excluding them 
for certain subsystems.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Wed, 27 Dec 2017 13:03:41 -0600
From:Peter Ten Eyck 
Subject: Re: How to find what performed an OMVS unmount?

Thanks for the suggestion on this topic. I have discovered that the LPAR that 
this un-mount occurred on does not cut type 92 (USS) records so I will be 
unable to use them to figure what un-mounted my file.

Setting: SYS(NOTYPE(16:19,62:69,92)

With the help of MXG staff, I was able to run a MXG report looking for type 80 
(RACF) sub type 55 records, I did not find any. To me this means that either 
there were no un-mounts during the time period of the input or no sub type 55 
records are cut. Is the above setting what controls the sub type records cut? 
Type 80 is not excluded so it’s being cut, is the default all 80 sub types?



Re: How to find what performed an OMVS unmount?

2017-12-22 Thread Robert S. Hansel (RSH)
Peter, (Resending with a proper Subject)

If this is a RACF protected system and depending on what audit settings were in 
effect, you might see an SMF 80 record for the unmount. The event code is 55. 
If you have SMF unload records available, look for event UMNTFSYS.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Tue, 19 Dec 2017 18:10:10 -0600
From:Peter Ten Eyck 
Subject: How to find what performed an OMVS unmount?

I have an OMVS dataset that was mounted via a batch job on a z/OS 2.2 LPAR:

//SYSTSPRT DD   SYSOUT=* 
//SYSTSIN  DD   *
  PROF MSGID WTPMSG  
  MOUNT FILESYSTEM('CICSTS53.CICS.ESA1.HFS.FF') +
MODE(RDWR) TYPE(ZFS) NOAUTOMOVE +
MOUNTPOINT('/usr/lpp/cicsts53')  

This job was run after the CICS region was already up and is used for CICS TS 
5.3 web services. The web services were dynamically installed from this 
successfully mounted dataset and worked fine.

Sometime over night the dataset (file) became un-mounted. How can I determine 
what un-mounted the file? I do not see anything in the syslog or the CICS log. 
Can I use SMF to determine this, what record type would be used?



Re: IBM-MAIN Digest - 18 Dec 2017 to 19 Dec 2017 (#2017-353)

2017-12-21 Thread Robert S. Hansel (RSH)
Peter,

If this is a RACF protected system and depending on what audit settings were in 
effect, you might see an SMF 80 record for the unmount. The event code is 55. 
If you have SMF unload records available, look for event UMNTFSYS.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Tue, 19 Dec 2017 18:10:10 -0600
From:Peter Ten Eyck 
Subject: How to find what performed an OMVS unmount?

I have an OMVS dataset that was mounted via a batch job on a z/OS 2.2 LPAR:

//SYSTSPRT DD   SYSOUT=* 
//SYSTSIN  DD   *
  PROF MSGID WTPMSG  
  MOUNT FILESYSTEM('CICSTS53.CICS.ESA1.HFS.FF') +
MODE(RDWR) TYPE(ZFS) NOAUTOMOVE +
MOUNTPOINT('/usr/lpp/cicsts53')  

This job was run after the CICS region was already up and is used for CICS TS 
5.3 web services. The web services were dynamically installed from this 
successfully mounted dataset and worked fine.

Sometime over night the dataset (file) became un-mounted. How can I determine 
what un-mounted the file? I do not see anything in the syslog or the CICS log. 
Can I use SMF to determine this, what record type would be used?



Re: DFSORT: RACFICE query - how to extract all commands containing some text value

2017-12-14 Thread Robert S. Hansel (RSH)
Kolusu,
I would not recommend the use of RACFRW. It was stabilized in 1992 and won't 
report on the use of newer command operands such as NOEXPIRE. Bruce is better 
off using ICETOOL.

Bruce,
Our presentation on DFSORT and ICETOOL and its use with RACF might be of help. 
You'll find it on our "RACF Center" webpage along with other useful RACF 
information.

http://www.rshconsulting.com/racfres.htm

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - FEB 5-9, 2018
- RACF Level I Administration - APR 3-6, 2018
- RACF Level II Administration - JUN 4-8, 2018
- RACF Level III Admin, Audit, & Compliance - FEB 26-MAR 2, 2018
- RACF - Securing z/OS UNIX  - APR 23-27, 2018


-Original Message-
Date:Wed, 13 Dec 2017 10:20:41 -0700
From:Sri h Kolusu 
Subject: Re: DFSORT: RACFICE query - how to extract all commands containing 
some text value

Bruce,

You extract the SMF80 records and process it thru DFSORT.  You can also 
use RACFRW to report 

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha800/racfrw.htm

Example : 

This file produces a report of failed logons for user Smith. 

RACFRW TITLE('REPORT ON FAILED LOGONS FOR USER SMITH')
 SELECT PROCESS  USER(DUMMY)
  EVENT LOGON
SUMMARY USER NEWPAGE
END

You can use EVENT to list all of your event and generate a report

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha800/racfrw.htm#racfrw__eventsub

If you still need help please feel free to send your questions to DFSORT 
hotline (dfs...@us.ibm.com) along with a sample input file and desired 
output report.

Thank you Lizette for directing the users to our hotline

Thanks,
Kolusu
DFSORT Development
IBM Corporation



From:   Bruce Hewson 
To: IBM-MAIN@LISTSERV.UA.EDU
Date:   12/13/2017 02:50 AM
Subject:DFSORT: RACFICE query - how to extract all commands 
containing some text value
Sent by:IBM Mainframe Discussion List 



A query for the ICETOOL/RACFICE experts,

I have been asked to extract all RACF commands issued relating to a 
specific USERID.

I am not knowledgeable enough with ICETOOLS to code this myself quickly.

The current RACFICE examples do not provide a sample for this.

example.

Extract and report all commands,  ADDUSER/ALTUSER/PASSWORD/PERMIT that 
reference USER(xyzzy)


Hopefully someone can help.

Thanks
Bruce Hewson



Re: Finding OMVS Files with Owner IDs for Deleted Owners?

2017-12-03 Thread Robert S. Hansel (RSH)
Hi Lionel, (cross-posted IBM-MAIN and MVS-OE)

Here are a couple of things to keep in mind.

1) I've found it necessary to specify the path as /* with the find command.

2) Check the extended ACLs too if there are any.
find path -acl_nouser
find path -acl_nogroup

3) As an alternative to the find command, consider using IBM's IRRHFSU utility 
for this task. Our presentation on this utility, which includes a sample 
ICETOOL job for this very task, is available on our website.

http://www.rshconsulting.com/racfres.htm

4) If there is a USERID assigned an Owner or ACL UID, but the USERID's Default 
Group does not have a GID, find will consider the UID as being unassigned. Same 
with the ls command and IRRHFSU. Verify a UID is truly unassigned before 
changing it.

5) If this is a RACF installation, to avoid an SMF tsunami do not execute find 
or IRRHFSU for the entire file system with a USERID having the UAUDIT attribute.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - FEB 5-9, 2018
- RACF Level I Administration - DEC 5-8, 2017
- RACF Level II Administration - NOV 13-17, 2017
- RACF Level III Admin, Audit, & Compliance - OCT 2-6, 2017
- RACF - Securing z/OS UNIX  - OCT 23-27, 2017





-Original Message-
Date:Fri, 1 Dec 2017 15:51:02 +
From:"Dyck, Lionel B. (TRA)" 
Subject: Re: Finding OMVS Files with Owner IDs for Deleted Owners?

Thank you - that is just what I need.

--
Lionel B. Dyck <
Mainframe Systems Programmer - TRA

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Styles, Andy (ITS zPlatform Services)
Sent: Friday, December 01, 2017 9:49 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: Finding OMVS Files with Owner IDs for Deleted Owners?

Assuming their id has been deleted:

find . -nouser

-rw-r--r--1 5  10 Jul 17 09:09 test.txt

Where '5' is the id of the deleted user (actually just me issuing chown 5 
test.txt - but users without ids show up as numerics in ls).

01/12/17 15:45:50 /u/xxx $ find . -nouser 
./test.txt

There's a -nogroup equivalent too. 

Andy Styles
z/Series Systems Programmer

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Dyck, Lionel B. (TRA)
Sent: 01 December 2017 15:33
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Finding OMVS Files with Owner IDs for Deleted Owners?


Is there a tool that can find and report out all files that are owned by users 
who have departed?

Just ran into a few that were owned by someone who left several years ago.

Thank you



Re: Batch TSO command (ADDUSER) tracing and diagnostics

2017-10-27 Thread Robert S. Hansel (RSH)
Hi Nick,

As a way to avoid problems to begin with, does your routine first check to see 
if there is an existing user ID or group that matches the ID it is about to 
create, that the ID is syntactically correct, and that the default group exists?

What RACF authority is the IMS address space using to create IDs? What if any 
segments is it creating along with the ID? There may be other pre-command 
checks we can recommend.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc. *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - FEB 5-9, 2018
- RACF Level I Administration - DEC 5-8, 2017
- RACF Level II Administration - NOV 13-17, 2017
- RACF Level III Admin, Audit, & Compliance - OCT 2-6, 2017
- RACF - Securing z/OS UNIX  - OCT 23-27, 2017


-Original Message-
Date:Thu, 26 Oct 2017 07:30:07 +
From:"Baguley, Nicholas: Absa" 
Subject: Batch TSO command (ADDUSER) tracing and diagnostics

Hi List

We need to echo or trace the TSO commands processed in a batch TSO process...
We are issuing an ADDUSER command under TSO and it returns a RC=8.
In itself not a "biggie". We run TSO via an ATTACH of IKJEFTnn (1B in this case) 
so it is a subtask of an IMS address space.
The ADDUSER command is passed to IKJEFT as a PARM on the attach svc/macro as 
opposed to SYSTSIN.

We don't see the command "echoed" to SYSTSPRT as you "normally" do when using 
SYSTSIN.
Is anyone aware of a mechanism of switching on tracing or diagnosing PARM= 
input to IKJ?

NB - this works fine in 99% of cases. We suspect either we are not building up 
the ADDUSER command correctly (syntax error) or we have a RACF issue.
Unfortunately my next opportunity to make a program change and  the 
command to the syslog is a couple of weeks away.
Maybe the assumption within the bowels of TSO was that if input is via PARM 
then there would be a JCL deck or job output to inspect.

TIA

Nick



Re: RACF Database

2017-05-25 Thread Robert S. Hansel (RSH)
Hi Skip,

I usually assign a group as the owner of a profile. In the case of datasets, I 
typically assign the user or group matching the dataset's high level qualifier 
as the owner. There are exceptions such as when you specifically want a user to 
be able to administer a particular profile or you want to exclude groups or 
users from a Group-SPECIAL administrator's scope-of-groups.

Regards, Bob

Robert S. Hansel  *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Wed, 24 May 2017 19:22:23 +
From:Jesse 1 Robinson 
Subject: Re: RACF Database

A fallout of this thread is that we're looking to assign a new owner to 
profiles that cover the RACF data sets. I'd like something truly permanent. The 
RACF STC runs with user SYSRACF, which is a valid userid that no one could log 
on to. Does that seem reasonable? Then only someone with RACF SPECIAL could 
make profile changes. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com



Re: RACF Database

2017-05-24 Thread Robert S. Hansel (RSH)
Hi Skip,

Point of clarification. IRRDBU00 no longer requires UPDATE access with 
NOLOCKINPUT as of z/OS 2.2.

Regards, Bob

-Original Message-
From: Robert S. Hansel (RSH) [mailto:r.han...@rshconsulting.com] 
Sent: Wednesday, May 24, 2017 6:07 AM
To: 'IBM Mainframe Discussion List'
Subject: RE:RACF Database

Hi Skip,

I very much doubt the security folks need UPDATE access. At one time, the 
database unload utility IRRDBU00 required UPDATE, but this is no longer the 
case if using PARM NOLOCKINPUT, and besides, they should only be creating 
unloads from an offline IRRUT200 copy of the database and not the live one. 
READ access to generate IRRUT200 copies is the most they should need.

Other utilities that require UPDATE access, which I would not expect them to be 
using, are IRRMIN00 to apply template updates, IRRIRA00 for converting the 
database to the AIM structure, IRRUT400 to copy/reorg the database, and BLKUPD 
to repair the database.

Regards, Bob

Robert S. Hansel  *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Tue, 23 May 2017 21:57:21 +
From:Jesse 1 Robinson <jesse1.robin...@sce.com>
Subject: Re: RACF Database

So it turns out that the number of folks here with ALTER access to RACF data 
sets is way smaller than I expected. There are however several userids with 
UPDATE access; they seem to be mostly in the 'security management' department. 
Do the standard RACF utilities require UPDATE for housekeeping? 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com



Re: RACF Database

2017-05-24 Thread Robert S. Hansel (RSH)
Hi Skip,

I very much doubt the security folks need UPDATE access. At one time, the 
database unload utility IRRDBU00 required UPDATE, but this is no longer the 
case if using PARM NOLOCKINPUT, and besides, they should only be creating 
unloads from an offline IRRUT200 copy of the database and not the live one. 
READ access to generate IRRUT200 copies is the most they should need.

Other utilities that require UPDATE access, which I would not expect them to be 
using, are IRRMIN00 to apply template updates, IRRIRA00 for converting the 
database to the AIM structure, IRRUT400 to copy/reorg the database, and BLKUPD 
to repair the database.

Regards, Bob

Robert S. Hansel  *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Tue, 23 May 2017 21:57:21 +
From:Jesse 1 Robinson 
Subject: Re: RACF Database

So it turns out that the number of folks here with ALTER access to RACF data 
sets is way smaller than I expected. There are however several userids with 
UPDATE access; they seem to be mostly in the 'security management' department. 
Do the standard RACF utilities require UPDATE for housekeeping? 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office <=== NEW
robin...@sce.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: RACF Database (was: Sample JCL for file transfer using NJE/TCPIP)

2017-05-24 Thread Robert S. Hansel (RSH)
Todd,

Restricting access to the RACF database is essential, but it isn't enough to 
save you if the database is not allocated as unmovable. DFSMSdss' data 
management utility ADRDSSU, when used with the ADMINISTRATOR keyword, ignores 
dataset profiles and can perform functions such as compress on any dataset.

Regards, Bob

Robert S. Hansel  *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Tue, 23 May 2017 18:36:52 +
From:"Burrell, Todd" 
Subject: Re: RACF Database (was: Sample JCL for file transfer using NJE/TCPIP)

Wouldn't a simpler solution to protecting the RACF database simply be to give 
pretty much no one ALTER access to it?   I know that at most shops only one or 
two folks had ALTER or UPDATE to the actual file and that seems like the best 
course of action to avoid accidental deletion? 
And we backed up the RACF DB 4 times a day as well - just in case.  

Todd Burrell | Sr. Mainframe Systems Administrator 



Re: RACF Database (was: Sample JCL for file transfer using NJE/TCPIP)

2017-05-22 Thread Robert S. Hansel (RSH)
Gil,

The RACF database is BDAM (Basic Direct Access Method) and has, to my 
knowledge, always been so since it was first released in 1976. The index 
records are stored in the database with the profile (data) records, so it is 
completely self-contained. I know of no other product using this structure.

Live databases should be allocated as PSU. Unmovable prevents the database from 
being moved while in use. RACF is weird. It opens its databases at IPL and then 
immediately closes them. RACF uses direct disk address I/O to read and update 
its databases thereafter. If databases are not allocated as U, a data 
management utility, seeing they are not "open", might compress or move the 
databases, unaware they are in use - with disastrous results.

Live databases should be copied/backed up using the IRRUT200 utility. This 
utility freezes update activity to the database before making a copy. The 
offline copy can be copied using IEBGENER or the like, or it can be FTPed. I 
haven't tried FTPing a RACF database, but I suspect you would want to do so 
using BIN. It is generally best to pre-allocate the disk dataset to which the 
database is to be copied, and it must have exactly the same UNIT, SPACE, and 
DCB characteristics as the source database, including CONTIG. The copy needn't 
be PSU unless you plan to RVARY SWITCH to it so that it becomes live.

Regards, Bob

Robert S. Hansel  *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - SEPT 11-15, 2017
- RACF Level I Administration - DEC 5-8, 2017
- RACF Level II Administration - NOV 13-17, 2017
- RACF Level III Admin, Audit, & Compliance - OCT 2-6, 2017
- RACF - Securing z/OS UNIX  - OCT 23-27, 2017


-Original Message-

Date:Sun, 21 May 2017 14:19:39 -0500
From:Paul Gilmartin 
Subject: Re: Sample JCL for file transfer using NJE/TCPIP

On Sun, 21 May 2017 05:12:00 -0500, Elardus Engelbrecht wrote:
>
>>RACF (I'm less sure) is VSAM. 
>
>No, it is PSU (PS and Unmovable). Other attributes are mandated by IBM.
> 
"Unmovable" would seem to imply uncopyable; the copy would have to go
in a different place.  But there must be some provision for backing it up,
and little point in trying to move it to another system with such as FTP.

Why not VSAM?  Performance?  Antiquity?  It feels as if RACF has a
built-in DB engine.

-- gil



Issue with SK4T-4949-13 - IBM Online Library: z/OS V2R2 Collection, March 2017

2017-04-26 Thread Robert S. Hansel (RSH)
Greetings all,

In the past, the SK4T-4949 online library could be downloaded as a single
zip file with manuals for all the z/OS components in one set. Not so with
this newest release -13. It appears you now have to download the manuals for
each and every component individually. This is horribly inconvenient. I'm
hoping the IBMers monitoring this list will take note and have this
rectified. I complained through the website, but got no response.

Regards, Bob

Robert S. Hansel  *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - MAY 15-19, 2017
- RACF Level I Administration - APR 25-28, 2017
- RACF Level II Administration - NOV 13-17, 2017
- RACF Level III Admin, Audit, & Compliance - OCT 2-6, 2017
- RACF - Securing z/OS UNIX  - OCT 23-27, 2017




Re: Erase on Scratch

2017-04-22 Thread Robert S. Hansel (RSH)
Bill,

Here are the results of a survey I did on RACF ERASE a few years ago.

http://www.rshconsulting.com/surveys/RSH_Consulting__RACF_Survey_019__ERASE.pdf

Most installations don't use ERASE because they think there will be performance 
problems. There have been significant improvements in the performance of ERASE 
in z/OS 2.1 and 2.2.

Regards, Bob

Robert S. Hansel  *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - MAY 15-19, 2017
- RACF Level I Administration - APR 25-28, 2017
- RACF Level II Administration - NOV 13-17, 2017
- RACF Level III Admin, Audit, & Compliance - OCT 2-6, 2017
- RACF - Securing z/OS UNIX  - OCT 23-27, 2017


-Original Message-
Date:Fri, 21 Apr 2017 05:14:38 -0500
From:Bill Wilkie 
Subject: Erase on Scratch

I have been looking into the Erase on Scratch capability to erase all extents 
of a data set but much of my research indicates that:

1. You must set up the data set names individually.
2. It will not erase &Temp data set names unless you:
 a. Make the &TEMP name a permanent name.
 b. Map the temp name to a permanent name already being erased.
 c. SETROPTS ERASE(ALL) to erase all deleted data sets, which is very slow.

My question is "Is anyone using it" and if so how is it working out?
If you are not using it Why not?



Re: RACF TEMPDSN improvement with the zOS 1.13

2017-04-19 Thread Robert S. Hansel (RSH)
Hi Roger,

Beginning with z/OS 1.13, the activation of TEMPDSN no longer interferes with 
currently running processes, and it is safe to activate TEMPDSN without waiting 
for an IPL. If you compare the description of TEMPDSN in the 1.12 version of 
the RACF Security Administrator's Guide with its description in the 1.13 
version, you'll find the following verbiage has been dropped from the 1.13 version.

(quote)
Avoid activating the TEMPDSN class when current users or jobs are using 
temporary data sets. Otherwise, you could cause users or jobs to receive an 
ABEND, as shown in the following scenario:
1. The job or user allocates a temporary data set.
2. You activate the TEMPDSN class.
3. The job or user opens the data set.
4. Because activating the TEMPDSN class restricts the authority to open a 
temporary data set, the user or job receives an abend.
(end-quote)

Regards, Bob

Robert S. Hansel  *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - MAY 15-19, 2017
- RACF Level I Administration - APR 25-28, 2017
- RACF Level II Administration - NOV 13-17, 2017
- RACF Level III Admin, Audit, & Compliance - OCT 2-6, 2017
- RACF - Securing z/OS UNIX  - OCT 23-27, 2017


-Original Message-
Date:Tue, 18 Apr 2017 20:25:30 +
From:Rogério Camargo 
Subject: RACF TEMPDSN improvement with the zOS 1.13

Hello!
I've heard about improvements with the zOS 1.13 (some years ago) related to the 
RACF TEMPDSN; however, it is proving impossible for me to find that 
information in any 1.13 manual/migration guide... I've read and searched 
several of these manuals, but I simply could not find it.

Would any of you have any material about it that you could share with me?!
Tks

Roger



Re: RACF Non-expiring passwords

2017-03-21 Thread Robert S. Hansel (RSH)
Hi Elaine,

When you reset the password, be sure to use the NOEXPIRED operand on your ALU 
command like so:

ALU userid PASSWORD(password) NOEXPIRED

This will require the password to conform to your current password syntax 
rules. If the former password no longer conforms to your rules, you'll need to 
temporarily remove the rules in order to reinstate the former password.

After successfully reinstating the prior password, try logging on with the ID 
and password to confirm they work. I usually use FTP for this purpose.

Since this involves a non-expiring password, I assume this ID is being used to 
log on from another platform for a task like file transfer or remote DB2 calls. 
It has been my experience that when a non-expiring password stops working, it 
is never RACF's fault. Instead, it is because the person responsible for the 
process on the other platform from which the logons are originating has 
inadvertently changed the password or tried installing the same ID from yet 
another platform and didn't enter the password correctly. I suggest you look at 
RACF SMF records for JOBINIT events related to this ID to see where these 
logons are originating from and verify it is the correct source for these 
logons.

Regards, Bob

Robert S. Hansel  *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - MAY 15-19, 2017
- RACF Level I Administration - APR 25-28, 2017
- RACF Level II Administration - NOV 13-17, 2017
- RACF Level III Admin, Audit, & Compliance - APR 3-7, 2017
- RACF - Securing z/OS UNIX  - OCT 23-27, 2017


-Original Message-
Date:Mon, 20 Mar 2017 11:44:01 -0500
From:Elaine Beal 
Subject: RACF Non-expiring passwords

We have a non-expiring password that we've used for years and somehow failed 
the other night. I reset with an alu line command but the new password doesn't 
work. When I go through the panels it says the current password isn't valid.
We have changed password rules but I don't see where that matters. I set the 
new password to existing rules and do not get any errors on the alu.

Thanks,
Elaine



Re: Problem Generating CA-7 SASSBSTR Batch LJOB Output

2017-03-09 Thread Robert S. Hansel (RSH)
Hi Jeffrey,

I did read the documentation, several times, but unbeknownst to me at the time, 
it was the wrong version - v11.3. Your reply prompted me to look for more 
recent documentation, and in the documentation for v12, CA added the following 
sentence to the description of DSNPFX='batch.dsn.prefix.': "This hlq must match 
the hlq for the BATCHI#x and BATCHO#x data sets that are defined to the CA 7 
started task."

IMHO, it seems nonsensical that the program would let you specify a prefix that 
didn't match the started task's ones and not give some sort of a warning or 
error message. Why else would you have such an option if not to specify your 
own datasets (and perhaps this is how it worked prior to v12)?

Regards, Bob

-Original Message-
Date:Wed, 8 Mar 2017 10:43:15 -0600
From:Jeffrey Holst <jeffrey.ho...@pnc.com>
Subject: Re: Problem Generating CA-7 SASSBSTR Batch LJOB Output

If you read the documentation, DSNPFX must match the DSNPFX for the BATCHI#n 
and BATCHO#n datasets that are defined to the CA7 started task. If DSNPFX is 
not specified, the prefix specified for the COMMDS is used. DSNPFX need only be 
specified if those prefixes do not match. There is no intent that one can 
create his own BATCHI#n and BATCHO#n datasets.

That it gives RC=0 shows it is probably working as designed. What is documented 
is that it copies the SYSIN to the BATCHI#n dataset that you specified, and 
puts something in the COMMDS to tell CA-7 to process the BATCHI#n that it has 
defined. There is nothing there, so it quickly writes something to its BATCHO#n 
and puts something in COMMDS to tell your BTI that it is done processing, and 
with what return code. (It is documented that unless there is a message table 
defined, most results produce RC=0). Finally BTI reads your BATCHO#n (which is 
empty) and writes its contents to SYSPRINT. 

Jeffrey Holst

On Tue, 7 Mar 2017 14:14:37 -0500, Robert S. Hansel (RSH) 
<r.han...@rshconsulting.com> wrote:

>Greetings all,
>
>I was able to get SASSBSTR running successfully, but in the process may have
>discovered a bug in the program. SASSBSTR allows you to specify your own
>pair of BATCHIN DD and BATCHOUT DD datasets using PARM DSNPFX. SASSBSTR
>allocates datasets for BATCHIN and BATCHOUT using the prefix specified by
>DSNPFX and appending .BATCHI#n and BATCHO#n ('n' is a pseudo terminal ID
>number). If you don't specify DSNPFX, SASSBSTR by default uses the BATCHIN
>and BATCHOUT datasets specified in CA7's configuration. When I run the job
>with my own DSNPFX, I get no output. When I use the ones in CA7's
>configuration, I get output as expected. Yet, the job runs successfully with
>RC=0 in both cases, and there are no error messages of any sort.
>
>Thank you to all who offered suggestions and advice.
>
>Regards, Bob
>
>Robert S. Hansel  *** Celebrating 30 years working with RACF ***
>Lead RACF Specialist
>RSH Consulting, Inc.
>617-969-8211
>www.linkedin.com/in/roberthansel
>http://twitter.com/RSH_RACF
>www.rshconsulting.com
>
>-Original Message-
>From: Robert S. Hansel (RSH) [mailto:r.han...@rshconsulting.com]
>Sent: Friday, March 03, 2017 3:16 PM
>To: IBM-MAIN (ibm-m...@bama.ua.edu)
>Subject: Problem Generating CA-7 SASSBSTR Batch LJOB Output
>
>Greetings all,
>
>I am trying to generate listings of job information from CA-7 with the LJOB
>command using the Batch Terminal Interface (BTI) program SASSBSTR (PROC
>CA7BTI). The job runs successfully, but the output in SYSPRINT simply shows
>the LJOB command I executed and not, as I'd hoped, the output from the LJOB
>command. I've searched the manuals and cannot figure out how to get the
>output I desire and was hoping someone could be of assistance. TIA.
>
>Regards, Bob
>
>Robert S. Hansel  *** Celebrating 30 years working with RACF ***
>Lead RACF Specialist
>RSH Consulting, Inc.
>617-969-8211
>www.linkedin.com/in/roberthansel
>http://twitter.com/RSH_RACF
>www.rshconsulting.com
>
>Upcoming RSH RACF Training - WebEx
>- RACF Audit & Compliance Roadmap - MAY 15-19, 2017
>- RACF Level I Administration - APR 25-28, 2017
>- RACF Level II Administration - FEB 27 - MAR 3, 2017
>- RACF Level III Admin, Audit, & Compliance - APR 3-7, 2017
>- RACF - Securing z/OS UNIX  - OCT 23-27, 2017
>
>



Re: Problem Generating CA-7 SASSBSTR Batch LJOB Output

2017-03-07 Thread Robert S. Hansel (RSH)
Greetings all,

I was able to get SASSBSTR running successfully, but in the process may have
discovered a bug in the program. SASSBSTR allows you to specify your own
pair of BATCHIN DD and BATCHOUT DD datasets using PARM DSNPFX. SASSBSTR
allocates datasets for BATCHIN and BATCHOUT using the prefix specified by
DSNPFX and appending .BATCHI#n and BATCHO#n ('n' is a pseudo terminal ID
number). If you don't specify DSNPFX, SASSBSTR by default uses the BATCHIN
and BATCHOUT datasets specified in CA7's configuration. When I run the job
with my own DSNPFX, I get no output. When I use the ones in CA7's
configuration, I get output as expected. Yet, the job runs successfully with
RC=0 in both cases, and there are no error messages of any sort.

Thank you to all who offered suggestions and advice.

Regards, Bob

Robert S. Hansel  *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
From: Robert S. Hansel (RSH) [mailto:r.han...@rshconsulting.com] 
Sent: Friday, March 03, 2017 3:16 PM
To: IBM-MAIN (ibm-m...@bama.ua.edu)
Subject: Problem Generating CA-7 SASSBSTR Batch LJOB Output

Greetings all,

I am trying to generate listings of job information from CA-7 with the LJOB
command using the Batch Terminal Interface (BTI) program SASSBSTR (PROC
CA7BTI). The job runs successfully, but the output in SYSPRINT simply shows
the LJOB command I executed and not, as I'd hoped, the output from the LJOB
command. I've searched the manuals and cannot figure out how to get the
output I desire and was hoping someone could be of assistance. TIA.

Regards, Bob

Robert S. Hansel  *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - MAY 15-19, 2017
- RACF Level I Administration - APR 25-28, 2017
- RACF Level II Administration - FEB 27 - MAR 3, 2017
- RACF Level III Admin, Audit, & Compliance - APR 3-7, 2017
- RACF - Securing z/OS UNIX  - OCT 23-27, 2017




Problem Generating CA-7 SASSBSTR Batch LJOB Output

2017-03-03 Thread Robert S. Hansel (RSH)
Greetings all,

I am trying to generate listings of job information from CA-7 with the LJOB
command using the Batch Terminal Interface (BTI) program SASSBSTR (PROC
CA7BTI). The job runs successfully, but the output in SYSPRINT simply shows
the LJOB command I executed and not, as I'd hoped, the output from the LJOB
command. I've searched the manuals and cannot figure out how to get the
output I desire and was hoping someone could be of assistance. TIA.

Regards, Bob

Robert S. Hansel  *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - MAY 15-19, 2017
- RACF Level I Administration - APR 25-28, 2017
- RACF Level II Administration - FEB 27 - MAR 3, 2017
- RACF Level III Admin, Audit, & Compliance - APR 3-7, 2017
- RACF - Securing z/OS UNIX  - OCT 23-27, 2017




Re: Privileged Users (was: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?)

2016-05-18 Thread Robert S. Hansel (RSH)
Hi Skip,

OPERATIONS users actually can grant privileges because they can create dataset 
profiles for any group. And if they own a profile they create, they can permit 
access to it.

In z/OS 2.2, you will be able to replace the assignment of AUDITOR authority 
with ROAUDIT, which truly is benign because it allows a user to look at all 
profiles and SETROPTS options without changing any audit settings.

Just curious, in your 'elevated access' report, do you include users with UID 0 
or access to BPX.SUPERUSER?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training
- RACF Audit & Compliance Roadmap - DEC 5-9, 2016
- RACF Level I Administration - MAY 17-20, 2016
- RACF Level II Administration - SEPT 19-23, 2016
- RACF Level III Admin, Audit, & Compliance - JUN 14-16, 2016
- Securing z/OS UNIX  - WebEx - JUL 25-29, 2016


-Original Message-
Date:Tue, 17 May 2016 16:37:50 +
From:Jesse 1 Robinson 
Subject: Re: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?

An interesting take on ADDSD. We produce a periodic report here on userids with 
'elevated access', which includes SPECIAL, OPERATIONS, and AUDITOR (the benign 
type). OPERATIONS cannot grant privileges but could do a lot of damage. I 
consider AUDITOR vital for sysprogs in order to diagnose--not necessarily 
fix--security problems at odd hours. It's been pointed out to me that AUDITOR 
allows someone to change RACF audit rules. A far-fetched but not inconceivable 
exposure. 

I think that managers here are required now and again to 'confirm' the need for 
elevated access, but no major battles have ensued within my earshot. ;-)

.
.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of John McKown
Sent: Tuesday, May 17, 2016 8:57 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?

On Tue, May 17, 2016 at 9:41 AM, Mike Schwab 
wrote:

> Any ID that can grant privileges to another ID.
>

By the above definition, _every_ id in RACF which has TSO capability is an 
administrator. How? Suppose that I am BUBBA. I log into TSO. I issue the
commands:

ADDSD MY.DATASET UACC(NONE)
PERMIT MY.DATASET ID(FRED) ACCESS(UPDATE)

I have granted privileges to another ID, therefore I am an Admin user. I would 
really hope that what the auditor might be satisfied with would be people who 
are RACF SPECIAL or GROUP-SPECIAL. Of course, many of the z/OS sysprogs on 
this list know how to make a joke of any security, short of encrypted data to 
which they don't have the key.


--
The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Maranatha! <><
John McKown



Re: OA49446 on RSU1603 - RACF / DFSMS change

2016-04-29 Thread Robert S. Hansel (RSH)
(Cross-posting to RACF-L)

Mark,

I have not worked with this APAR and PTF. Below is my interpretation of it. I 
agree this is a huge change. I think careful testing is needed to confirm this, 
and as I don't have access to a system with the change, I would be happy to 
help you with the test out of curiosity.

This 'enhancement' appears to address an oft heard desire to be able to grant 
access to an alias, as these tend to be permanent, as an alternative to having 
to grant access to the underlying dataset, which tends to change, with the 
goal of simplifying security administration. With this change, one will now be 
able to permit access to alias PRODUCT.LINKLIB instead of the related dataset 
PRODUCT.VERSION1.LINKLIB. Then, whenever a new version arrives, you simply 
point alias PRODUCT.LINKLIB at PRODUCT.VERSION2.LINKLIB and everyone will have 
access to the new version without you having to create a new profile for 
PRODUCT.VERSION2.LINKLIB. It might be possible to permit ordinary users access 
only to aliases and never permit them access to the underlying datasets. This 
might enable you to consolidate and streamline existing profiles.

As for 'required action 1.', I believe what they are alluding to is that if 
your aliases are currently named something like PRODVER.PRODUCT.LINKLIB and 
there are no RACF profiles for PRODVER, you will experience denial of access if 
RACF's SETROPTS PROTECTALL is in FAILURE mode (as is generally the case). If 
your aliases use existing High Level Qualifiers, and most likely they use the 
same HLQ as the related datasets, then you may not experience access problems 
because they'll already be covered by a profile. However, even if the latter is 
true, an existing alias might be covered by a profile like PRODUCT.** while the 
real dataset might be protected by profile PRODUCT.V*.**, and they could have 
very different access permissions. An exhaustive analysis of profiles and 
permissions is in order to ensure that the sudden switch in access authority 
checking from the dataset to the alias doesn't result in a loss of access. When 
first applying this PTF, I'd also be tempted to temporarily change PROTECTALL 
from FAILURE to WARNING just in case I'd missed something.

If this works as per my interpretation, then I think the concerns raised by 
others are valid. If I can create an alias with a name to which I have access 
that points to a dataset to which I do not have access, I've now circumvented 
access controls for the latter. This is somewhat akin to having ALTER access to 
a catalog which lets you delete VSAM and SMS datasets without having ALTER to 
the dataset profiles. It appears, however, that IBM has addressed this concern. 
Googling APAR OA47269 (APAR OA49446 is essentially an addendum to this APAR) 
brings up links discussing new restrictions on DFSMSdfp DEFINE. To create an 
ALIAS, PATH, OR ALTERNATEINDEX, you will need ALTER access to the related 
dataset.

This is going to make protecting sensitive datasets more complicated. I wonder 
if IBM's Health Check for APF library protection will now include aliases as 
well.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training
- RACF Audit & Compliance Roadmap - DEC 5-9, 2016
- RACF Level I Administration - MAY 17-20, 2016
- RACF Level II Administration - MAY 3-5, 2016
- RACF Level III Admin, Audit, & Compliance - JUN 14-16, 2016
- Securing z/OS UNIX  - WebEx - JUL 25-29, 2016


-Original Message-
Date:Thu, 28 Apr 2016 12:01:17 -0500
From:Mark Zelden 
Subject: OA49446 on RSU1603 - RACF / DFSMS change

I'm applying z/OS 2.1 RSU1603 and came across this PTF. Is anyone running with 
it in production and has it caused you any grief? This seems to change a 
behavior that has been around "forever", so it concerns me a bit even though 
there is a work around by defining a special RACF profile in the Facility class.


++ HOLD(UA80146) SYS FMID(HDZ2210) REASON(ACTION) DATE(15356)  
   COMMENT 
(  
 * FUNCTION AFFECTED: DFSMS   (OA49446) *  
   
 * DESCRIPTION  : Update security definition*  
   
 * TIMING   : Pre-APPLY *  
   
   
 This service 
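One way to carry out the profile-and-permission analysis Bob recommends before this PTF goes in, as an added example (not code from the post, from IBM, or from RSH Consulting): it models RACF enhanced generic naming for the DATASET class in a simplified form (the assumed rules are stated in the docstring; real RACF has more cases), uses constructed profile, alias and user names, and reports every user whose effective access would change once the alias name rather than the data set name is checked. Aliases under an HLQ with no profile at all, the PRODVER case above, show up as a drop to NONE, which is what PROTECTALL in FAILURE mode would produce.

```python
"""Alias-vs-dataset profile coverage check for the OA49446 change.

Added illustration, not code from the post, from IBM, or from RSH Consulting.
The matching below is a simplified model of RACF enhanced generic naming for
the DATASET class (assumption: '%' = one character, '*' = any run of characters
inside a qualifier or exactly one whole qualifier, '**' = zero or more
qualifiers; the most specific matching profile wins).  All profile, alias and
user names are constructed sample data.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str                                    # DATASET profile, e.g. PRODUCT.V*.**
    uacc: str = "NONE"                           # universal access
    permits: dict = field(default_factory=dict)  # user/group -> access level


def _qual_regex(pat: str) -> str:
    """Regex for one profile qualifier: '%' = one char, '*' = any run of chars."""
    out = []
    for ch in pat:
        if ch == "%":
            out.append(r"[^.]")
        elif ch == "*":
            out.append(r"[^.]*")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def _match(pats: list, quals: list) -> bool:
    """Match a list of profile qualifiers against a list of data set qualifiers."""
    if not pats:
        return not quals
    head, rest = pats[0], pats[1:]
    if head == "**":                             # zero or more whole qualifiers
        return any(_match(rest, quals[i:]) for i in range(len(quals) + 1))
    if not quals:
        return False
    return (re.fullmatch(_qual_regex(head), quals[0]) is not None
            and _match(rest, quals[1:]))


def matches(profile: str, dsname: str) -> bool:
    """True if the DATASET profile name covers dsname."""
    return _match(profile.split("."), dsname.split("."))


def _specificity(profile: str) -> list:
    """Lexicographic key: lower is more specific (plain char < '%' < '*' < '**')."""
    key = []
    for q in profile.split("."):
        if q == "**":
            key.append(3)
        else:
            key.extend({"%": 1, "*": 2}.get(c, 0) for c in q)
        key.append(0)                            # the period itself is non-generic
    return key


def covering_profile(profiles, dsname):
    """Return the most specific profile covering dsname, or None if unprotected."""
    cands = [p for p in profiles if matches(p.name, dsname)]
    return min(cands, key=lambda p: _specificity(p.name)) if cands else None


def effective_access(profile, user) -> str:
    """Access a user gets from a profile; no profile means denial under PROTECTALL(FAILURE)."""
    if profile is None:
        return "NONE"
    return profile.permits.get(user, profile.uacc)


def alias_access_changes(profiles, aliases, users):
    """Return (alias, user, access via data set, access via alias, data set
    profile, alias profile) for every user whose access would change."""
    findings = []
    for alias, real in aliases.items():
        ap, rp = covering_profile(profiles, alias), covering_profile(profiles, real)
        for user in users:
            before, after = effective_access(rp, user), effective_access(ap, user)
            if before != after:
                findings.append((alias, user, before, after,
                                 rp.name if rp else None, ap.name if ap else None))
    return findings


# Constructed sample data mirroring the post: a broad PRODUCT.** profile, a
# tighter one for versioned libraries, and an alias under an HLQ with no profile.
SAMPLE_PROFILES = [
    Profile("PRODUCT.**", uacc="NONE", permits={"APPDEV": "READ"}),
    Profile("PRODUCT.V*.**", uacc="READ", permits={"APPDEV": "UPDATE"}),
]
SAMPLE_ALIASES = {
    "PRODUCT.LINKLIB": "PRODUCT.VERSION1.LINKLIB",
    "PRODVER.PRODUCT.LINKLIB": "PRODUCT.VERSION1.LINKLIB",
}
SAMPLE_USERS = ["APPDEV", "OPSUSER"]


def run_sample():
    return alias_access_changes(SAMPLE_PROFILES, SAMPLE_ALIASES, SAMPLE_USERS)


if __name__ == "__main__":
    for alias, user, before, after, rp, ap in run_sample():
        print(f"{alias:26} {user:8} {before:>6} -> {after:<6} (was {rp}, now {ap})")
```

On the sample data the tool flags all four alias/user pairs: PRODUCT.LINKLIB falls under the broad PRODUCT.** profile while the real library falls under PRODUCT.V*.**, so APPDEV drops from UPDATE to READ and OPSUSER from READ (the UACC) to NONE, and the PRODVER alias has no covering profile at all. Feeding it the real profile list (from an IRRDBU00 unload of an offline copy) and the catalog's alias entries is the exhaustive check the post calls for.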

Re: List user's

2016-04-16 Thread Robert S. Hansel (RSH)
Hi Hilario,

What security software product is implemented on your system? If it's RACF, 
others have given you the answers you need. If it is CA's ACF2 or Top Secret, 
you will need to use their access activity reporting facilities to create your 
report. If you send your SMF data to a SIEM product, you may be able to use its 
capabilities to generate your report.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training
- RACF Audit & Compliance Roadmap - APR 11-15, 2016
- RACF Level I Administration - MAY 17-20, 2016
- RACF Level II Administration - MAY 3-5, 2016
- RACF Level III Admin, Audit, & Compliance - JUN 14-16, 2016
- Securing z/OS UNIX  - WebEx - JUL 25-29, 2016


-Original Message-
Date:Fri, 15 Apr 2016 07:39:09 -0500
From:Hilario Garcia 
Subject: List user's

Hello,

I need to obtain a list of users that accessed z/OS (CICS, TSO, Batch) on 
a specific date.

Is there any job to obtain this data from RACF or SMF?

Thanks in advance.

Hilario



Re: How to log or trace BCPII activity on the SE?

2016-03-19 Thread Robert S. Hansel (RSH)
Hi Thomas,

Is the FACILITY class RACLISTed on the system where you are having the problem? 
Look for it in the section titled "SETR RACLIST CLASSES" in the output from a 
RACF "SETROPTS LIST" command.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training
- RACF Audit & Compliance Roadmap - APR 11-15, 2016
- RACF Level I Administration - MAY 17-20, 2016
- RACF Level II Administration - MAY 3-5, 2016
- RACF Level III Admin, Audit, & Compliance - JUN 14-16, 2016
- Securing z/OS UNIX  - WebEx - JUL 25-29, 2016


-Original Message-
Date:Fri, 18 Mar 2016 13:15:01 +
From:"Ambros, Thomas" 
Subject: How to log or trace BCPII activity on the SE?

I have a puzzling situation.  Receiving HWI022I with APPLDATA matching SE SNMP 
community name when HWIBCPII attempts to start at IPL.  Machine has one 
standalone partition with its own RACF DB, this one fails.  The other 
partitions on the machine work fine, with their own RACF DB.  RLIST of the 
profile involved shows that it appears to be identical on the two RACF DB.  
Userids appear identical.  Cross partition authority etc etc is validated.  PMR 
open, a couple of dumps taken show that the resource requested and returned 
have all the right lengths and so on.  Suggestion is to check logs at the SE 
but the default logs don't appear to capture the BCPII traffic or API 
information.  I am searching for documentation because I believe I have all the 
admin authority on that machine to enable detailed information myself but will 
be contacting my hardware support team for their advice as well.  

Anybody happen to know how to enable detailed logging or tracing of the BCPII 
traffic?  I would be grateful for advice because I haven't turned up any decent 
info in searches yet.  Thanks... 

Thomas Ambros
zEnterprise Operating Systems
zEnterprise Systems Management
518-436-6433



Re: Outsourcing Stories Good or Bad!

2016-02-26 Thread Robert S. Hansel (RSH)
Hi Mark,

See the article "Outsource Risk" in the October 2014 edition of our RACF Tips 
newsletter.

http://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__October_2014.pdf

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training
- RACF Audit & Compliance Roadmap - APR 11-15, 2016
- RACF Level I Administration - MAY 17-20, 2016
- RACF Level II Administration - MAY 3-5, 2016
- RACF Level III Admin, Audit, & Compliance - JUN 14-16, 2016
- Securing z/OS UNIX  - WebEx - JUL 25-29, 2016


-Original Message-
Date:Wed, 24 Feb 2016 10:31:14 +
From:Mark Wilson 
Subject: Outsourcing Stories Good or Bad!

I am working with a client in Europe that is being requested by his senior 
management team to look at outsourcing their IT systems, including their system 
z platform.

Would anyone be willing to share any war stories of their experiences with 
Outsourcing good or bad?

Offline from the list via email or for anyone attending Share in Texas willing 
to have a coffee/beer and discuss face to face.

Mark



Re: [Bulk] Re: [Bulk] UADS (was Re: [Bulk] Re: COBOL v5)

2016-02-17 Thread Robert S. Hansel (RSH)
Hi Radoslaw,

It is fine to copy an off line RACF database using the tools you named. For a 
live RACF database, however, by not using IRRUT200, you risk copying the 
database while RACF is in the midst of updating it, in which case the copy may 
have integrity errors. A copy of a live database made using some other tool 
will be fine as long as no updates were being made at that particular point in 
time. IRRUT200 is much safer because it ensures no updates are in progress when 
making its copy. I wouldn't recommend using anything other than IRRUT200 
(preferably) or IRRUT400 for making backups or copies of a live RACF database.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date:Tue, 16 Feb 2016 21:48:37 +0100
From:"R.S." <r.skoru...@bremultibank.com.pl>
Subject: Re: [Bulk] Re: [Bulk] UADS (was Re: [Bulk] Re: COBOL v5)

W dniu 2016-02-15 o 12:48, Robert S. Hansel (RSH) pisze:
> I wholeheartedly agree with Joel's recommendation for having a backup copy of 
> the RACF database readily available for recovery. I just want to add that it 
> is crucial to use RACF utilities to create the backup and to allocate it with 
> the proper characteristics. The preferred utility to use to create the backup 
> is IRRUT200 which momentarily serializes the database, thereby preventing 
> updates, while it copies the database. IRRUT400 can also be used, but it 
> locks the database which you then have to unlock. The backup should be 
> allocated as one extent, contiguous, and non-movable and, if using IRRUT200, 
> with the exact same size as the source.

While I still support using UT200 to copy the RACF db, I have to 
admit I did many tests in the past where I intentionally used a RACF db 
made by ICEGENER, IEBGENER or ADRDSSU DUMP. With no "luck", meaning I 
never got an inconsistent result. At least none of the RACF utilities detected 
any inconsistency. In other words, even such a copy was usable.
Of course I still recommend using the proper tool for that.

BTW: all my tests were done against monoplex configurations.
BTW2: the tests had some reason behind them; it wasn't just "hey, let's put an 
egg in the microwave oven and see". ;-)


-- 
Radoslaw Skorupka
Lodz, Poland



Re: [Bulk] Re: [Bulk] UADS (was Re: [Bulk] Re: COBOL v5)

2016-02-15 Thread Robert S. Hansel (RSH)
I wholeheartedly agree with Joel's recommendation for having a backup copy of 
the RACF database readily available for recovery. I just want to add that it is 
crucial to use RACF utilities to create the backup and to allocate it with the 
proper characteristics. The preferred utility to use to create the backup is 
IRRUT200 which momentarily serializes the database, thereby preventing updates, 
while it copies the database. IRRUT400 can also be used, but it locks the 
database which you then have to unlock. The backup should be allocated as one 
extent, contiguous, and non-movable and, if using IRRUT200, with the exact same 
size as the source.

As determined by one of our RACF surveys and as found in our numerous RACF 
reviews, many organizations are not using RACF utilities to back up their 
databases and risk having a corrupted backup. If you are interested, the survey 
"RACF Database Backup" can be found on the RACF Center webpage of our website 
at the following URL. For those unfamiliar with our website, you'll find lots 
of other useful RACF information there as well.

http://www.rshconsulting.com/racfres.htm

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training
- RACF Audit & Compliance Roadmap - APR 11-15, 2016
- RACF Level I Administration - MAY 17-20, 2016
- RACF Level II Administration - MAY 3-5, 2016
- RACF Level III Admin, Audit, & Compliance - JUN 14-16, 2016
- Securing z/OS UNIX  - WebEx - JUL 25-29, 2016


-Original Message-
Date:Sun, 14 Feb 2016 15:53:07 -0600
From:"Joel C. Ewing" 
Subject: Re: [Bulk] Re: [Bulk] UADS (was Re: [Bulk] Re: COBOL v5)

But the only way to "fix" an unusable RACF database is to have a fairly
recent backup copy of the RACF data base that can be restored.  I would
contend that is easier, and possibly safer, to do this from a fully
functional "one-drive" tech support emergency z/OS system accessing
production drives than to do it from a UADS-defined TSO user on a
crippled production system without RACF or with a known-damaged database
-- and there are so many other unanticipated problems such an emergency
system can address that it doesn't make sense to be without one. 

If the only problem that can be solved by having a UADS-defined TSO user
can be better addressed by a "must have" alternative, why persist with
any UADS-defined TSO users once the alternative is available?
Joel C. Ewing

On 02/14/2016 01:04 PM, Skip Robinson wrote:
> This problem occurs so seldom that I never thought of automating a response. 
> As of R12 or so, we now have AUTORxx, which can reply to WTORs very early in 
> the IPL. Not sure who here would have to approve such a change. The chances 
> of mischief being perpetrated are minimal, but it does open a very small 
> window for a clever miscreant. 
>
> .
> .
> .
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler 
> SHARE MVS Program Co-Manager
> 323-715-0595 Mobile
> jo.skip.robin...@att.net
>
>
>> -Original Message-
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
>> On Behalf Of Ed Jaffe
>> Sent: Sunday, February 14, 2016 07:37 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: [Bulk] Re: [Bulk] UADS (was Re: [Bulk] Re: COBOL v5)
>>
>> On 2/13/2016 8:04 PM, Skip Robinson wrote:
>>> This opinion is based on (thankfully) limited experience. If you are
>>> forced to IPL without a usable RACF data base, you are totally
>>> scr*wed. During IPL, operator will be prompted to allow even READ
>>> access to *every* data set opened by *every* task except for a tiny
>>> handful like JES that bypass integrity. By the time you get to the
>>> point of actually logging on to TSO, operator's fingers will be
>>> bleeding profusely. If at any time during this process, you are
>>> god-forbid required to start over, yet more finger tips will have to be
>>> sacrificed.
>> We solved this with an MPF exit that would always reply 'Y' to each of those
>> prompts (except for the first few IIRC).
>>
>> --
>> Edward E Jaffe
>> Phoenix Software International, Inc
>> 831 Parkview Drive North
>> El Segundo, CA 90245
>> http://www.phoenixsoftware.com/


-- 
Joel C. Ewing,Bentonville, AR   jcew...@acm.org 



Re: RACF reporting tool

2015-07-15 Thread Robert S. Hansel (RSH)
Sharon,

In addition to the products others have mentioned, also consider EKC's products 
- www.ekcinc.com 

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com
---
2015 RACF Training
- Securing z/OS UNIX  - WebEx - SEPT 22-25, 2015
- Audit & Compliance Roadmap - Boston - NOV 10-13, 2015
- Intro & Basic Admin - WebEx - DEC 7-11, 2015
---

-Original Message-
Date:Tue, 14 Jul 2015 19:18:19 +
From:Lopez, Sharon sharon.lo...@nc.gov
Subject: RACF reporting tool

What do most companies use for their RACF reporting/analysis tool?  Are there 
any others that are comparable to Vanguard?

Thank you.



Re: OMVS segments created on demand

2015-06-06 Thread Robert S. Hansel (RSH)
Dave,

You've touched on the one concern I have with using BPXMODEL to automatically 
set up a HOME for every user coupled with an automount policy that 
automatically creates the home file system. While it certainly is convenient, 
it potentially turns every ordinary CICS and IMS user into a telnet, ssh, or 
putty user. For this reason, the installations we've been working with to 
implement BPX.UNIQUE.USER have chosen to create a BPXMODEL user having an OMVS 
segment with PROGRAM(/bin/echo -or- /bin/false) and/or HOME that specifies a 
non-existing directory so as to deny use of telnet. A proper PROGRAM and HOME 
are assigned only to those relatively few individuals who need to access Unix 
files and directories, and this is done either manually or via ID provisioning 
scripts.

While this technique blocks use of telnet and the like, it does not address use 
of other TCPIP applications such as FTP. FTP does not use PROGRAM or HOME. Most 
installations have not been aware that BPX.DEFAULT.USER made every ordinary 
CICS and IMS user an FTP user, and this realization has only come about as a 
result of its replacement. To restrict use of FTP and other such applications, 
you need to employ APPL and/or SERVAUTH profiles.

I do not think it necessary to assign OMVS(NOUID) to all your ordinary users. 
This would simply trip them up and add to your administrative burden if they 
need legitimate access to a Unix service. Besides, they'd previously been 
getting such access all along via BPX.DEFAULT.USER. But you don't want them all 
to be telnet users either. Properly securing both the data (as John McKown 
wisely points out) and system entry points is the better way to go.

P.S. While we're on the subject of FTP, now is a good time to review its 
JESINTERFACELEVEL configuration parameter and related RACF controls. See our 
RSH RACF Tips article on this topic:
http://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__April_2010.pdf

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com
---
2015 RACF Training
- Intro & Basic Admin - WebEx - JUN 22-26, 2015
- Securing z/OS UNIX - WebEx - SEPT 22-25, 2015
- Audit & Compliance Roadmap - Boston - NOV 10-13, 2015
- Intro & Basic Admin - WebEx - DEC 7-11, 2015
---

-Original Message-
Date:Fri, 5 Jun 2015 08:27:24 -0500
From:David Magee david.ma...@dillards.com
Subject: OMVS segments created on demand

Environment: running z/OS V2R1,  using profiles BPX.NEXT.USER and 
BPX.UNIQUE.USER, the BPXMODEL profile is set up correctly (with HOME as 
/u/racuid), and all users are automount managed under /u/ and the system 
dynamically creates and mounts the OMVS user's file system.

New userid is added to RACF with no OMVS segment and neither it nor its GROUP 
is in any access list. 

Using an ssh client, I attempt to sign in to my z/OS host and it succeeds.  The 
userid now has an OMVS segment and a mounted file system. 

That's great for adding new users that are members of our IT department, etc. 
But there are thousands of non-IT userids that exist in RACF for business 
purposes (users of CICS or IMS, etc.) and they have been in RACF for years with 
no OMVS segment. These days, a lot of that access is via browser or TN3270 
clients on a PC of some type. A PC where an ssh client or putty could be used 
to attempt to access the z/OS host. 

Have I missed something? This seems to be a security issue to me. Other than 
going out and adding OMVS(NOUID) to a LOT of RACF USER profiles (which disables 
the dynamic creation of a new OMVS segment), what else is available to control 
this? 



Re: A Total Eclipse of the Spool

2015-04-18 Thread Robert S. Hansel (RSH)
Hi Ed,

If you will be using the FTP JES interface, I suggest you review our RACF Tips 
newsletter article on this topic.

http://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__April_2010.pdf

Regards, Bob

-Original Message-
Date:Fri, 17 Apr 2015 01:34:16 -0400
From:Rob Schramm rob.schr...@gmail.com
Subject: Re: A Total Eclipse of the Spool

AFAIK z/OS explorer uses ftp to interface with JES for retrieving output.

Rob Schramm
On Apr 13, 2015 6:56 AM, Steve Austin steve.aus...@macro4.com wrote:

 Hello Ed,
 Do you use any Macro 4 products (Tubes, DumpMaster, TraceMaster, InSync,
 to name a few)?
 If you do then our z/Explorer Eclipse offering is free to use. It
 provides access to z/OS datasets and Unix files, allows jobs to be
 submitted and the JES spool to be viewed without SDSF as a pre-req, and
 it even has a 3270 emulator. Please contact your local Macro 4 or UNICOM
 rep who will be only too happy to assist. If you don't use any of our
 products then I am sure they can help you if you cannot find an
 alternative resolution.
 Regards
 Keith Banham
 R&D Manager
 Macro 4 Ltd


 Thanks
 Keith Banham
 Manager and Lead Engineer
 Research and Development
 Macro 4 Limited

 -Original Message-
 From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
 Behalf Of Ed Long
 Sent: 12 April 2015 03:47
 To: IBM-MAIN@LISTSERV.UA.EDU
 Subject: A Total Eclipse of the Spool

 I have been tasked with deploying Data Studio, the DB2 no charge
 offering in the IBM Eclipse product set. z/OS, CICS and IMS explorers
 round out the no charge offerings.
 The target audience is not the long time, old time, 3270 types, but the
 short time, new time Java, C# types who need to access z/OS data or
 resources sometimes. They are not going to go through a 12 week master
 the mainframe course since 90% of their work is off host.
 I can get Data Studio working, even sort of compatibly with z/OS
 explorer. At least both of these 2 will be deployed together.
 I can get z/OS explorer to submit jcl, a requirement for some database
 activities envisioned. Its builtin sysout retrieval function requires
 SDSF and fairly heavy RACF configuration work.
 However, we don't have SDSF; we have IOF. None of the necessary JES/RACF
 stuff has been set up, even if IOF supports the function, to get z/OS
 explorer to download the sysout. While SDSF and doing the configuration
 stuff is the obvious answer, getting there would take an unplanned major
 effort.
 My question: What other options do I have to be able to retrieve
 listings from within Eclipse?
 For specific use cases, we could write reports to datasets and then use
 the z/OS explorer to browse the dataset. This approach would mean the
 listing would be unavailable but any reports would be.
 We can assume that their jcl will be comparatively simple (Less than 10
 steps and much of it generated and heavily reliant on procedures).
 I've been considering FTP which has a JES interface.
 For phase 1 of this activity we assume there might be 100 target
 developers.
 Comments and suggestions most appreciated.

 Edward Long




Re: APF-authorized calling non-authorized

2015-03-16 Thread Robert S. Hansel (RSH)
Charles,

What we did in a similar situation was have the front-end program perform only 
those tasks that needed to be APF-authorized and then turn off its 
APF-authorization and call the remaining programs that did not need 
authorization.

I believe the latest version of MVS Planning: Security is circa 1984.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com
---
2014-2015 RACF Training
- Audit & Compliance Roadmap - Boston - APR 21-24, 2015
- Intro & Basic Admin - WebEx - JUN 22-26, 2015
---

-Original Message-
Date:Sun, 15 Mar 2015 11:37:30 -0700
From:Charles Mills charl...@mcn.org
Subject: Re: APF-authorized calling non-authorized

Okay. I hear you. Here is the business problem.

I need to develop program X. It must run APF-authorized to do one of the
things it needs to do. I have written APF-authorized programs before and I
more or less know what I am doing. I know enough to ask (some of?) the right
questions and have the proper concerns.

It also needs to do something we will call processing A. It just so
happens that there is an IBM program Y that does exactly A. (In fact, the
real purpose of program X is front-ending program Y and doing some
additional things, one of which requires authorization). The IBM program is
AC=0 in an authorized library. I of course do not have the source for Y and
so cannot inspect it for potential integrity issues.

What do you suggest? Must I re-write Y from scratch so I may be relatively
certain of its integrity?

The only alternative I see is calling (LINK, etc.) Y from X.

I agree with you. While we can be relatively confident that Y does nothing
bad intentionally its authors presumably never intended it to run
authorized. They may have said oh, don't worry about that -- it will ABEND
if anyone tries to do THAT and that assumption will no longer be valid.

Suggestions?

No, there does not appear to be a V2R1 manual called MVS Planning: Security.

Charles



Re: Has Anyone Seen this in ISPF before?

2014-10-30 Thread Robert S. Hansel (RSH)
Unfortunately, IRRDBU00 does not unload PROFILE options, including PREFIX, and 
therefore it is unlikely to detect an error in this field. I doubt any of the 
RACF utilities would detect this error. IRRUT200 performs checks on the 
integrity of the index and block availability masks but not on the content of 
the profiles. My advice to the OP would be to delete the TSO segment and 
recreate it just in case there are other problems with the information stored 
in RACF for this user.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com
---
2014-2015 RACF Training
- Intro & Basic Admin - WebEx - DEC 8-12, 2014
- Securing z/OS UNIX - WebEx - FEB 3-6, 2015
- Intro & Basic Admin - WebEx - MAR 23-27, 2015
- Audit & Compliance Roadmap - Boston - APR 21-24, 2015
---

-Original Message-
Date:Wed, 29 Oct 2014 11:45:35 -0400
From:Thomas Conley pinnc...@rochester.rr.com
Subject: Re: Has Anyone Seen this in ISPF before?

On 10/29/2014 11:35 AM, parke...@gmail.com wrote:
 OK. Thanks. We are using RACF. What would dump? I will forward this to my 
 boss to see what he wants to do.



IRRDBU00 will unload your RACF database to a flat file.  Also, look at 
the IRRUT100, IRRUT200, and IRRUT400 utilities.  One of them has a 
function to test the integrity of your RACF database.  Good luck.

Regards,
Tom Conley



Re: Handle RACF abend in LE C

2014-05-11 Thread Robert S. Hansel (RSH)
Gabor,

It may be crashing because your ID apparently has access to FACILITY resource 
BPX.SERVER, which requires a 'clean' program environment (i.e., all programs 
must either be in LPA or defined by a PROGRAM class profile), and it is trying 
to load undefined programs. See the ICH422I messages. You'll either need to 
define the programs with their associated libraries to RACF or, unless you are 
specifically trying to create a daemon that needs BPX.SERVER authority, remove 
your access to the latter.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com
---
2014 RACF Training
- Audit & Compliance Roadmap - Boston - OCT 27-30, 2014
- Intro & Basic Admin - WebEx - JUN 9-13, 2014
- Intro & Basic Admin - WebEx - DEC 8-12, 2014
- Securing z/OS UNIX - WebEx - SEPT 30 - OCT 3, 2014
---

-Original Message-
Date:Sat, 10 May 2014 13:27:28 +0200
From:Gabor Hoffer gabor.hof...@gmail.com
Subject: Handle RACF abend in LE C

Hello,

I have an LE C program that crashes if I try to open a dataset that my user is
not allowed to read. How can I catch and handle (in C) this type
of error?

13.19.56 JOB08022  ICH408I USER(GAH2) GROUP(SYS1) NAME(GAH2
   064   GAH.NOACCESS.PDS CL(DATASET ) VOL(DSK30E)
   064   INSUFFICIENT ACCESS AUTHORITY
   064   FROM GAH.NOACCESS.PDS (G)
   064   ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
13.19.56 JOB08022  IEC150I
913-38,IFG0194E,GEX1,AGENT,SYS00079,030E,DSK30E,GAH.N
13.19.56 JOB08022  CEE0374C CONDITION = CEE3250C TOKEN = 00040CB2 61C3C5C5
0
   066  WHILE RUNNING PROGRAM UCXJM25
   066  AT THE TIME OF INTERRUPT
   066  PSW 078D0400 800A3FCC
   066  GPR 0-3 00166D14 001667D8 00166A98 
   066  GPR 4-7  0008 0004 0BA47038
   066  GPR 8-B 0D02E220 000207F0 0D02E220 000A3650
   066  GPR C-F 00166D20 00166760 800A3F74 
   066  FLT 0-2 4E81536E0B5C  
   066  FLT 4-6   
13.19.56 JOB08022  BPXP011I THREAD 0BD5D9B80003, IN PROCESS 50397294,
WAS  0
   072 TERMINATED DUE TO A PTHREAD QUIESCE OF TYPE 2.
13.19.56 JOB08022  BPXP011I THREAD 0BD5E644, IN PROCESS 50397294,
WAS  0
   073 TERMINATED DUE TO A PTHREAD QUIESCE OF TYPE 2.
13.19.56 JOB08022  BPXP011I THREAD 0BD5F2C80005, IN PROCESS 50397294,
WAS  0
   074 TERMINATED DUE TO A PTHREAD QUIESCE OF TYPE 2.
13.19.56 JOB08022  BPXP011I THREAD 0BD5A7980002, IN PROCESS 50397294,
WAS  0
   075 TERMINATED DUE TO A PTHREAD QUIESCE OF TYPE 2.
13.19.56 JOB08022  BPXP011I THREAD 0BD59B11, IN PROCESS 50397294,
WAS  0
   076 TERMINATED DUE TO A PTHREAD QUIESCE OF TYPE 2.
13.19.56 JOB08022  ICH422I THE ENVIRONMENT CANNOT BECOME UNCONTROLLED.
13.19.56 JOB08022  CSV042I REQUESTED MODULE IEAVTRP2 NOT ACCESSED. THE
MODULE IS
13.19.56 JOB08022  BPXP014I ENVIRONMENT MUST REMAIN CONTROLLED FOR SERVER
(BPX.S
13.19.56 JOB08022  CSV042I REQUESTED MODULE IEAVTRF4 NOT ACCESSED. THE
MODULE IS
13.19.56 JOB08022  ICH422I THE ENVIRONMENT CANNOT BECOME UNCONTROLLED.
13.19.56 JOB08022  BPXP014I ENVIRONMENT MUST REMAIN CONTROLLED FOR SERVER
(BPX.S

Thanks and regards,
Gabor



Re: OMVS UID display

2013-12-15 Thread Robert S. Hansel (RSH)
Venkat,

Does this system have its own RACF database or does it share its database with 
other systems? If it shares its database, do commands like id display properly 
on those other systems?

What is the AIM level of this database? Run the following job to find out.
//jobname JOB (account),'username',CLASS=x,MSGCLASS=x
//STEP EXEC PGM=IRRIRA00
//SYSPRINT DD SYSOUT=*

If AIM is at level 0 or 1, is the UNIXMAP class active? Check SETROPTS LIST. If 
it is active, are there any UNIXMAP profiles? Execute SEARCH CLASS(UNIXMAP) to 
find out. Specifically, is there a profile U12345 in which your USERID is in 
the access list? Execute RLIST UNIXMAP U12345 ALL to check.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com
-
2013-2014 RACF Training
- Audit & Compliance Roadmap - Boston - APR 22-25, 2014
- Intro & Basic Admin - WebEx - FEB 3-7, 2014
- Intro & Basic Admin - WebEx - JUN 9-13, 2014
- Securing z/OS UNIX - WebEx - MAR 4-7, 2014
-

-Original Message-
Date:Sun, 15 Dec 2013 09:35:30 +0530
From:venkat kulkarni venkatkulkarn...@gmail.com
Subject: Re: OMVS UID display

Issue is only with this LPAR. I tried checking on other LPAR, all are fine.




On Sun, Dec 15, 2013 at 9:04 AM, venkat kulkarni venkatkulkarn...@gmail.com
 wrote:

 This issue is not with single user. I am facing this with all RACF users.



 On Sun, Dec 15, 2013 at 9:02 AM, Jon Perryman jperr...@pacbell.netwrote:

 I think that the first user assigned to OMVS UID 12345 was deleted, or
 it's OMVS segment was deleted or it was assigned to a new UID. My
 suggestion is that you modify the user to which you want displayed.

 Jon Perryman.

 
  From: venkat kulkarni venkatkulkarn...@gmail.com
 
 
 Hello,
 I have a RACF id associated with all UIDs and this problem is with
 all users and I am getting *Error for uid.*
 I tried with many of the RACF user having diff access level and getting
 same issue even with UID 0 . I really don't think that my RACF is
 corrupted.
 
 
 Is there any other possibility.  Who am i command gives me
 RACFID@SYSNAME. I tried looking at many of the manual for this error
 but somehow failed.
 Still looking into the manual.



z/OS 2.1 DVD Collection - Software Products

2013-12-14 Thread Robert S. Hansel (RSH)
Greetings all,

In recent years, IBM provided a z/OS DVD Collection download which contained
copies of both z/OS and software product manuals (e.g., SK3T-4271-31). Prior
to z/OS 1.11, these were provided as two separate collections. The newest
collection for 2.1 (SK4T-4949-00) only contains the z/OS manuals and not
those for software products. I haven't been able to find an updated
collection for software products. Is IBM still providing such a collection,
and if so, what is its publication number?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com
-
2013-2014 RACF Training
- Audit & Compliance Roadmap - Boston - APR 22-25, 2014
- Intro & Basic Admin - WebEx - FEB 3-7, 2014
- Intro & Basic Admin - WebEx - JUN 9-13, 2014
- Securing z/OS UNIX - WebEx - MAR 4-7, 2014
-



Re: RACF User ID resumed without an SMF record?

2013-08-08 Thread Robert S. Hansel (RSH)
Greg,

If the RACF database is shared across several LPARs, does the input to your 
daily RACFRW report include SMF data from all the LPARs?

If SETROPTS AUDIT is not active for class USER and the OWNER of this CICS ID is 
a non-SPECIAL USERID, the latter could execute an ALTUSER that wouldn't be 
logged.

Another possibility is this ID was being listed as REVOKED by LU because it had 
crossed the threshold set by SETROPTS INACTIVE but was able to logon via some 
mechanism that circumvented the INACTIVE limit. Here are some related questions.
1) Do you have SETROPTS INACTIVE set and to what number of days?
2) Was this ID listed as REVOKED prior to July 8?
3) Do you have a backup copy of the RACF database prior to July 8 from when the 
ID was showing up as REVOKED, and if you generate an IRRDBU00 database unload 
from this copy, does it show the ID as REVOKED? (An ID displayed as REVOKED by 
LU due to INACTIVE will not show up as REVOKED in the unload.)
4) What is the nature of this ID and how is it likely to be used? Is it 
hardcoded in any CICS CSD resource definitions such as those for SESSION, 
CONNECTION, TDQUEUE, or TERMINAL? Is it coded as the USERID in any EXEC CICS 
START commands within a program? Might Digital Certificates or PassTickets be 
involved in logging it on?
5) Do you have multiple RACF databases and is this ID defined and active on 
these other databases? Was it active on another system around the time of this 
logon?
6) What are the full details of its logon on the 9th? Does it show an 
associated TERMINAL, APPL, or JESINPUT node? (If it shows JESINPUT, then we 
might want to explore your RACFVARS RACLNDE profile and NODES profiles.)

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
https://twitter.com/RSH_RACF
www.rshconsulting.com
-
2013 RACF Training
- Audit & Compliance Roadmap - Boston - NOV 5-8
- Intro & Basic Admin - WebEx - OCT 21-25
- Securing z/OS UNIX - WebEx - SEPT 17-20
- Securing z/OS UNIX - WebEx - DEC 3-6
-
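As an added illustration of the distinction drawn in the reply above (an ID shown as REVOKED by LISTUSER because of SETROPTS INACTIVE versus one whose REVOKE attribute is really set, which is what the IRRDBU00 unload reports), here is Python written for this archive, not code from the poster or from IBM. The two timestamps come from the thread; the 90-day INACTIVE threshold, the user ID CICSUSR1 and the simplification for LAST-ACCESS=UNKNOWN are constructed assumptions.

```python
"""Classify why a daily LISTUSER-based report showed an ID as REVOKED,
and why it stopped showing it the next day (constructed example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class UserSnapshot:
    """What the daily report captured for one ID (constructed data)."""
    userid: str
    revoke_flag: bool                 # REVOKE attribute physically set in the profile
    last_access: Optional[datetime]   # None when LISTUSER shows LAST-ACCESS=UNKNOWN


def parse_lu_timestamp(text: str) -> Optional[datetime]:
    """Parse a LISTUSER LAST-ACCESS value such as '07/08/13   19:24:14'.

    The date and time are separated by a variable run of blanks, so the
    whitespace is collapsed first. 'UNKNOWN' means the ID never logged on.
    """
    text = " ".join(text.split())
    if text.upper() == "UNKNOWN":
        return None
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")


def display_status(snap: UserSnapshot, as_of: datetime,
                   inactive_days: Optional[int]) -> str:
    """Return why LISTUSER would show the ID as REVOKED on the report date.

    'EXPLICIT' - REVOKE attribute set (also visible in an IRRDBU00 unload)
    'INACTIVE' - only the SETROPTS INACTIVE threshold is exceeded; this is
                 computed at display time and is NOT reflected in the unload
    'ACTIVE'   - neither applies
    Assumption (simplification): an ID with LAST-ACCESS=UNKNOWN is judged
    only on its REVOKE attribute here.
    """
    if snap.revoke_flag:
        return "EXPLICIT"
    if inactive_days is not None and snap.last_access is not None:
        if (as_of - snap.last_access).days > inactive_days:
            return "INACTIVE"
    return "ACTIVE"


def explain_transition(before: UserSnapshot, after: UserSnapshot,
                       report_before: datetime, report_after: datetime,
                       inactive_days: Optional[int], altuser_logged: bool) -> str:
    """Classify a REVOKED -> not REVOKED change between two daily reports."""
    status_before = display_status(before, report_before, inactive_days)
    status_after = display_status(after, report_after, inactive_days)
    if status_before == "ACTIVE" or status_after != "ACTIVE":
        return "NO-RESUME"
    if status_before == "EXPLICIT":
        if altuser_logged:
            return "RESUMED-BY-LOGGED-ALTUSER"
        # A real REVOKE was cleared with no ALTUSER in the SMF report:
        # check SMF from every LPAR sharing the database and whether
        # SETROPTS AUDIT(USER) is active (see the reply's first two points).
        return "RESUMED-WITHOUT-SMF"
    # The profile was never really revoked; a logon through a path that
    # circumvented the INACTIVE limit simply refreshed LAST-ACCESS.
    return "INACTIVE-DISPLAY-CLEARED-BY-LOGON"


def demo() -> dict:
    """Run both explanations against the thread's timestamps (threshold constructed)."""
    inactive_days = 90                       # constructed SETROPTS INACTIVE(90)
    report_jul8 = datetime(2013, 7, 8)
    report_jul9 = datetime(2013, 7, 9)
    stale = parse_lu_timestamp("07/17/07   17:01:28")
    fresh = parse_lu_timestamp("07/08/13   19:24:14")
    # Scenario A: never explicitly revoked; REVOKED was only the INACTIVE display
    a_before = UserSnapshot("CICSUSR1", False, stale)
    a_after = UserSnapshot("CICSUSR1", False, fresh)
    # Scenario B: REVOKE attribute really set, then cleared with no logged ALTUSER
    b_before = UserSnapshot("CICSUSR1", True, stale)
    b_after = UserSnapshot("CICSUSR1", False, fresh)
    return {
        "A": explain_transition(a_before, a_after, report_jul8, report_jul9,
                                inactive_days, altuser_logged=False),
        "B": explain_transition(b_before, b_after, report_jul8, report_jul9,
                                inactive_days, altuser_logged=False),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(scenario, verdict)
```

Scenario A is the case where comparing a pre-July-8 IRRDBU00 unload against the LISTUSER report settles the question, since the unload would not show the ID as REVOKED.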

-Original Message-
Date:Wed, 7 Aug 2013 11:33:24 -0500
From:Greg Shirey wgshi...@benekeith.com
Subject: RACF User ID resumed without an SMF record?

Hello group,

Does anyone know of a method to resume a RACF revoked ID without having an SMF 
record be written?  

We produce a daily listing of RACF commands from our SMF type 80s (using 
RACFRW) and we list ADDUSER ADDGROUP ALTUSER ALTGROUP CONNECT DELUSER DELGROUP 
PASSWORD PERMIT RALTER RDEFINE REMOVE.  

We also produce a daily listing of our CICS user IDs and their RACF status.  On 
July 8 we had a user ID on our report that was listed as REVOKED and a 
LAST-ACCESS date and time of 07/17/07 17:01:28. 

On July 9, the report showed the ID was no longer revoked and the LAST-ACCESS 
reported as 07/08/13   19:24:14.  However, our SMF report listed no ALTUSER 
command or any other command against this ID.  (No DELUSER or ADDUSER, for 
instance).  

I dumped the SMF records for both July 7 and July 8 and ran a RACFRW to list 
all the records and there is no reference to this User ID.   

I'm a sysprog, so I can't blame it on magic or elves - I could try blaming it 
on the software, but I'm finding that hard to believe - so I have to think 
there's something I'm missing.  I've just looked at everything I know to look 
at.  (Did someone modify SMF for a period?  No.  Does the COBOL program that 
lists the RACF users have a bug in it?  No.)  

If anyone has a suggestion for what to look for, I'd appreciate hearing about 
it.   

Thanks,
Greg Shirey
Ben E. Keith Company 



Re: z/OS Configuration for Security - Not RACF or other ESM

2013-06-29 Thread Robert S. Hansel (RSH)
Ken,

The reference that perhaps comes closest to what you want is the book 
OS/390-z/OS Security Audit and Control Features. It used to be available from 
ISACA but is now out of print. It is a bit dated (2004), somewhat verbose, and 
mostly focused on RACF.

Also from ISACA is the 2009 checklist publication z/OS Security 
Audit/Assurance Program. It is a free download for members. It may not give you 
much more than you already have. At a glance, it appears to be a slightly updated 
version of the checklist available in the aforementioned book.

You might also find the DISA STIG for RACF helpful. It includes controls for 
z/OS. 
http://iase.disa.mil/stigs/os/mainframe/z_os.html 

To add to your list, also offhand, include PARMLIBs, catalogs, JESPARMs 
(governing entry of operator commands), TSO parms, installation SVCs and 
Program Calls, Exits, I/O Appendages, PROCLIBs, and IPLPARMs.

So much of z/OS control is tightly coupled with RACF protection (how do you 
protect APF libraries without RACF) that I would be inclined to combine their 
respective security best practices into a single document.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
-
2013 RACF Training
- Audit & Compliance Roadmap - Boston - NOV 5-8
- Intro & Basic Admin - WebEx - OCT 21-25
- Securing z/OS UNIX  - WebEx - JUL 23-25
- Securing z/OS UNIX  - WebEx - SEPT 17-20
- Securing z/OS UNIX  - WebEx - DEC 3-6
-

-Original Message-
Date:Fri, 28 Jun 2013 18:46:51 +
From:Ken Porowski ken.porow...@cit.com
Subject: z/OS Configuration for Security - Not RACF or other ESM

I have been tasked with documenting 'best practice' for configuring z/OS for 
security.

This does not include RACF (or other ESM) practices.

The scope is limited to what I can do in configuring z/OS to ensure no one can 
bypass RACF/ESM.

What I can think of offhand is keeping tight control of LPALIST, LINKLIST, 
APFLIST, SCHEDxx/PPT

Does anyone know of a book/paper/guide/reference that would outline a 'best 
practice' for z/OS security configuration.

I've been searching this list, redbooks, Google, but not finding much that 
isn't RACF/ESM specific.

TIA
Ken


Ken Porowski
VP Mainframe Engineering
CIT
Information Technology
+1 973 740 5459 (tel)
One CIT Drive
Livingston, NJ 07039
ken.porow...@cit.com
www.cit.com



Re: BYPASSING RECALL OF MIGRATED DSNS WHILE ATTEMPTING ALTER

2013-02-02 Thread Robert S. Hansel (RSH)
Esmie,

One possible solution would be to define group ARCCATGP to RACF, connect your 
ID to it, and logon with this group when you are about to execute IDCAMS. 
ARCCATGP is intended to allow you to perform catalog operations on migrated 
datasets without having to recall them.

To log on with the group in TSO, enter ARCCATGP on the TSO/E Logon panel in the 
field labeled Group Ident. In batch, code GROUP=ARCCATGP on the JOB card.

I'm not certain it will work with IDCAMS ALTER, but it is worth a try. For more 
details, see IBM's z/OS DFSMShsm Implementation and Customization Guide.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
-
2013 RACF Training
- Audit for Results   - Boston - APR 24-26
- Intro & Basic Admin - Boston - MAY 21-23
- Securing z/OS UNIX  - WebEx - JUL 23-25
-

-Original Message-
Date:Thu, 31 Jan 2013 10:45:04 -0800
From:esmie moo esmie_...@yahoo.ca
Subject: BYPASSING RECALL OF MIGRATED DSNS WHILE ATTEMPTING ALTER

Good Afternoon Gentle Readers,
 
I am altering a large number of GDG DSNs which are migrated:
 
/*
//* IDCAMS ALTER ... ROLLIN against one of the migrated GDG generations
//STEP1    EXEC PGM=IDCAMS
//SYSPRINT DD   SYSOUT=*
//SYSIN    DD   *
  ALTER 'SMF.ZWA6PWG.DRAP0.RPT.G0999V00' ROLLIN
/*
//
 
The DSNs are presently in ML2 with a STATUS--DEFERRED.
 
How can I bypass the recall of the DSNs (4,340) in order to alter them?



Re: DFSMRCL0 usermod - was: I broke it

2013-01-05 Thread Robert S. Hansel (RSH)
Peter,

Suggest to the ADCD owners that they make an IRRDBU00 unload of the RACF 
database and then run the IRRRID00 Remove ID utility with the unload as input 
to find and remove references to deleted users and groups. Instructions, 
examples, guidelines, and tips for running these utilities are provided in our 
presentation RACF Utilities, available on our website via the RACF Center 
webpage.

Also suggest to them that they run ICHDSM00 (a.k.a. DSMON) to identify system 
datasets that may not be properly protected and incomplete STARTED profiles. 
The aforementioned presentation has information on DSMON.

Further suggest to them that they make an IRRHFSU unload of the entire Unix 
file system and examine the results to identify orphaned Owner UIDs and Group 
GIDs. Information for obtaining and running the IRRHFSU utility is provided in 
our presentation IRRHFSU, also available on our website. This presentation 
includes a sample ICETOOL report for finding orphaned IDs.

If the ADCD owners have any problems or questions when trying to run the 
reports or need help interpreting the results, have them contact me directly. 
We have use of an ADCD system in Dallas, so helping them clean this up would 
benefit us as well.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel 
www.rshconsulting.com 
-
2013 RACF Training
- Securing z/OS UNIX  - WebEx - JAN 15-17
- Intro & Basic Admin - WebEx - FEB 4-8
- Audit for Results   - Boston - APR 24-26
- Intro & Basic Admin - Boston - MAY 21-23
- Securing z/OS UNIX  - WebEx - JUL 23-25
-

-Original Message-
Date:Fri, 4 Jan 2013 08:13:24 -0500
From:Peter Relson rel...@us.ibm.com
Subject: Re: DFSMRCL0 usermod - was: I broke it

The ADCD owners confirm that they do now have plans to run IBM 
HealthChecker for z/OS against the ADCD (at least for the newer releases 
of z/OS that they support). Whether that was a direct result of this 
thread or not, I am not sure. It remains to be seen how much they take 
advantage of the exceptions that initially are reported. 

Once that is underway, I expect, at least, that the DFSMRCL0 usermod will 
not be applied when a z/OS 1.13 ADCD system is subsequently built. I 
mention 1.13 only because that is the release where the HC of IEAVTRML is 
introduced and thus that is the release where the presence of DFSMRCL0 
usermod would be flagged. Quite possibly they will be able to apply that 
knowledge to earlier releases that have IMS V9 or later (that being the 
release where the need for DFSMRCL0 went away, and knowing that earlier 
IMS versions are no longer supported).

If any of you care to contribute by running HC yourself on the ADCD 
system and reporting things that both are flagged as exceptions and that 
in all likelihood would help just about the entire ADCD community to have 
changed, feel free to send me a note (but not that IEAVTRML one, please!). 
I mention the entire ADCD community only because I can imagine some 
exception situations being left alone in order to accommodate a subset of 
users who might need the flagged behavior. I have no specific examples of 
such things with respect to ADCD.

I do also have hope that some information would accompany the 
distribution, setting the expectation for what exceptions one might see 
if running HC.

Peter Relson
z/OS Core Technology Design



Re: I broke it - programcontrolled programs

2013-01-02 Thread Robert S. Hansel (RSH)
Barbara,
 
This is in regard to your statement: "Asking about it here (and eventually 
finding where DFSMRCL0 is located) helped me when I had to get RDz running. 
Which insisted on a program-controlled environment despite BPX.DAEMON not being 
defined. According to the books and your explanation, the need for a 
program-controlled environment should not have been there. This was true for 
ftp, but not for RDz."

IBM documentation states that Rational should be permitted UPDATE access to 
FACILITY class profile BPX.SERVER, and on our ADCD system, BPX.SERVER is 
defined and the Rational Started Task ID STCRSE has been permitted the required 
access. BPX.SERVER also requires a program-controlled environment.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
-
2013 RACF Training
- Securing z/OS UNIX  - WebEx - JAN 15-17
- Intro & Basic Admin - WebEx - FEB 4-8
- Audit for Results   - Boston - APR 24-26
- Intro & Basic Admin - Boston - MAY 21-23
- Securing z/OS UNIX  - WebEx - JUL 23-25
-
