Re: Access to SMF logstreams

[Timothy Sipples]

Gadi Ben-Avi wrote:
>I would like to prevent a user from accessing the SMF log
>streams
>Is there anything else that I need to define?

To add to earlier replies, it's prudent to encrypt your log stream data
sets so that you're fully blocking unauthorized user access, even from
storage administrators for example. You can enable log stream data set
encryption in z/OS 2.2 (with the z/OS Data Set Encryption PTFs) or higher
on IBM z114/z196 machines or higher. (z/OS 2.1 with PTFs has some awareness
of encrypted log stream data sets but cannot create them.) There are some
potential performance implications to consider on machines prior to the z14
models, but you shouldn't treat such implications as a veto even if they
exist. Security is also quite important and keeps getting more important.

For more information, try this link (z/OS 2.3 documentation):

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.ieaf100/enclogstrds.htm


Timothy Sipples
IT Architect Executive, Industry Solutions, IBM Z & LinuxONE


E-Mail: sipp...@sg.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Access to SMF logstreams

[Gadi Ben-Avi]

Probably

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
David Spiegel
Sent: Monday, April 29, 2019 11:46 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Access to SMF logstreams

Hi Gadi,
I think that you meant "discrete" instead of "discreet".

Shalom,
David

On 2019-04-29 01:34, Gadi Ben-Avi wrote:
> Hi,
> I would like to prevent a user from accessing the SMF log streams.
> Class is active and there are discreet profiles for each of the SMF 
> logstreams.
> The user in question does not have access to the profiles.
>
> Is there anything else that I need to define?
>
> Thanks
>
> Gadi
>
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN .
>


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Access to SMF logstreams

[David Spiegel]

Hi Gadi,
I think that you meant "discrete" instead of "discreet".

Shalom,
David

On 2019-04-29 01:34, Gadi Ben-Avi wrote:
> Hi,
> I would like to prevent a user from accessing the SMF log streams.
> Class is active and there are discreet profiles for each of the SMF 
> logstreams.
> The user in question does not have access to the profiles.
>
> Is there anything else that I need to define?
>
> Thanks
>
> Gadi
>
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> .
>


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Access to SMF logstreams

[Gadi Ben-Avi]

Thanks
I found the problem
The profile were protecting generic log stream names, but I defined the log 
streams using the LPAR name.

Gadi

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Mike Shorkend
Sent: Monday, April 29, 2019 9:03 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Access to SMF logstreams

Gadi
You should be good. Remember to grant the user associated with the SMF address 
space UPDATE access to the profiles.
If you haven't already done so, take a look at this redbook:

SMF Logstream Mode <http://www.redbooks.ibm.com/redbooks/pdfs/sg247919.pdf>

Chapter 5.1.5 covers RACF

Mike



On Mon, 29 Apr 2019 at 08:34, Gadi Ben-Avi  wrote:

> Hi,
> I would like to prevent a user from accessing the SMF log streams.
> Class is active and there are discreet profiles for each of the SMF 
> logstreams.
> The user in question does not have access to the profiles.
>
> Is there anything else that I need to define?
>
> Thanks
>
> Gadi
>
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>


--
Mike Shorkend
m...@shorkend.com
www.shorkend.com
Tel: +972524208743
Fax: +97239772196

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Access to SMF logstreams

[Mike Shorkend]

Gadi
You should be good. Remember to grant the user associated with the SMF
address space UPDATE access to the profiles.
If you haven't already done so, take a look at this redbook:

SMF Logstream Mode 

Chapter 5.1.5 covers RACF

Mike



On Mon, 29 Apr 2019 at 08:34, Gadi Ben-Avi  wrote:

> Hi,
> I would like to prevent a user from accessing the SMF log streams.
> Class is active and there are discreet profiles for each of the SMF
> logstreams.
> The user in question does not have access to the profiles.
>
> Is there anything else that I need to define?
>
> Thanks
>
> Gadi
>
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>


-- 
Mike Shorkend
m...@shorkend.com
www.shorkend.com
Tel: +972524208743
Fax: +97239772196

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Access to SMF logstreams

[Gadi Ben-Avi]

Hi,
I would like to prevent a user from accessing the SMF log streams.
Class is active and there are discreet profiles for each of the SMF logstreams.
The user in question does not have access to the profiles.

Is there anything else that I need to define?

Thanks

Gadi



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN