About permissions and commands



All about SAF, RACF, encryption, Firewall, Risk assessment and integrity concepts

About permissions and commands

Postby hakghen » Mon Feb 08, 2010 8:22 pm

Hello,

I'm in training and I just installed a new zOS and now I have to create the user's profiles. But then, I need to give them the permissions to access certain resources (SDSF, for example).

I'd like to know if there is a place where I can find the correct name of the dataset's resources to allow the user's to access them...

Thanks!
[]'s,

Hakghen
User avatar
hakghen
 
Posts: 59
Joined: Thu Sep 11, 2008 8:15 pm
Has thanked: 0 time
Been thanked: 0 time

Re: About permissions and commands

Postby Robert Sample » Mon Feb 08, 2010 8:49 pm

Usually the RACF database is copied over from the old OS to the new one so everyone retains their specific privileges. If this is not done, there's usually in the z/OS installation procedures sections on the RDEFINE, PERMIT, and SETROPTS commands required to grant the appropriate access to the facilities needed. If not there, you'd have to look in the installation manual for each product to determine what is necessary.
Robert Sample
Global moderator
 
Posts: 3719
Joined: Sat Dec 19, 2009 8:32 pm
Location: Dubuque, Iowa, USA
Has thanked: 1 time
Been thanked: 279 times

Re: About permissions and commands

Postby hakghen » Thu Feb 18, 2010 9:08 pm

So, hm, what about authorizing users to submit/cancel jobs? Can someone explain to me how can I do that?
[]'s,

Hakghen
User avatar
hakghen
 
Posts: 59
Joined: Thu Sep 11, 2008 8:15 pm
Has thanked: 0 time
Been thanked: 0 time

Re: About permissions and commands

Postby Robert Sample » Thu Feb 18, 2010 9:42 pm

There is a JESJOBS FACILITY in RACF to control this. You'll need to ensure the FACILITY is active, connect users to it, then do the SETROPTS.
Robert Sample
Global moderator
 
Posts: 3719
Joined: Sat Dec 19, 2009 8:32 pm
Location: Dubuque, Iowa, USA
Has thanked: 1 time
Been thanked: 279 times

Re: About permissions and commands

Postby Constad » Fri Feb 19, 2010 3:00 pm

I'm afraid that there isn't a simple answer to this.

The JESJOBS class in RACF is used to control who can submit batch jobs. As for cancelling jobs that are running, then that depends on how the cancel command is being issued. You would need to look at the OPERCMDSand SDSF classes to build comprehensive security around this.

To be honest, a combination of profiles in the JESJOBS; JESINPUT; SURROGAT; PROPCNTL; NODES; OPERCMDS; JESPOOL; WRITER; APPCLU; FACILITY and SDSF is required to give you comprehensive security around job submission and output control.
I would suggest looking at the JESx Initialization and Tuning Guide (where x is 2 or 3 depending on which you use).

Dave
Constad
 
Posts: 4
Joined: Mon Feb 15, 2010 4:22 pm
Has thanked: 0 time
Been thanked: 0 time

Re: About permissions and commands

Postby Robert Sample » Fri Feb 19, 2010 6:04 pm

More importantly, why are you not copying the existing data base of RACF authorizations to the new z/OS? This is what is done 99+% of the time since it can be a pain to recreate the entire set of authorizations.
Robert Sample
Global moderator
 
Posts: 3719
Joined: Sat Dec 19, 2009 8:32 pm
Location: Dubuque, Iowa, USA
Has thanked: 1 time
Been thanked: 279 times


Return to Mainframe Security

 


  • Related topics
    Replies
    Views
    Last post