RACF POSIT



All about SAF, RACF, encryption, Firewall, Risk assessment and integrity concepts


Post by ccaldwell » Thu Sep 20, 2012 8:03 pm

I am trying to list the POSIT that are currently in use. How can I list the POSIT for a class?

Re: RACF POSIT

Post by steve-myers » Thu Sep 20, 2012 8:32 pm

I've never heard the term POSIT used with RACF. You have classes like DATASET, TSOPROC, OPERCMDS and lots more, and resources within a class, e.g., DATASET/SYS1.MACLIB, and profiles that define users authorized to use a class and resource - DATASET/SYS1.** for example. So, what do you really want to know using standard terminology?

Re: RACF POSIT

Post by ccaldwell » Thu Sep 20, 2012 8:37 pm

I am creating a dynamic class and I need the POSIT to create a new dynamic class. (Adding a dynamic class with a unique POSIT value) Is there a way to create a dynamic class without the POSIT? (POSIT = positions)

Re: RACF POSIT

Post by ccaldwell » Thu Sep 20, 2012 8:47 pm

When I try to create a dynamic class it is also asking to input the position ID. The following is the 1st step in creating the class:

Steps for adding a dynamic class with a unique POSIT value

Perform the following steps in this example to define a new class called PIX2004 that you will administer separately.

1. Determine a unique POSIT value for the new profile. Evaluate the class entries in the dynamic CDT. Consult your system programmer to evaluate the class entries in the static CDT (modules ICHRRCDE and ICHRRCDX).

Re: RACF POSIT

Post by Peter_Mann » Thu Sep 20, 2012 9:08 pm

I found some reference in the RACF Admin guide and the command reference guide

Figure 62. Example 10: Output for RLIST command for the CDTINFO segment
RLIST CDT TSTCLAS8 NORACF CDTINFO
CLASS NAME
----- ----
CDT TSTCLAS8

CDTINFO INFORMATION
------- -----------
CASE = UPPER
DEFAULTRC = 004
DEFAULTUACC = NONE
FIRST = ALPHA
GENERIC= DISALLOWED
GENLIST = DISALLOWED
GROUP =
KEYQUALIFIERS = 0000000000
MACPROCESSING = NORMAL
MAXLENGTH = 042
MAXLENX = NONE
MEMBER =
OPERATIONS = YES
OTHER = ALPHA NUMERIC SPECIAL
POSIT = 0000000303
PROFILESALLOWED = YES
RACLIST = REQUIRED
SECLABELSREQUIRED = YES
SIGNAL = NO

Maybe from here, you can get the correct command and syntax, this is from my z/os 1.12 system
HTH's
Peter
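
Added example, not part of the thread and not IBM's code: it parses captured `RLIST CDT * NORACF CDTINFO` output in the format quoted above to show which POSIT values the dynamic classes use, which are shared between classes, and which installation values are still free. The sample listing, the class `$MYCLAS`, the function names and the default POSIT ranges are assumptions; static CDT entries (ICHRRCDE and ICHRRCDX) do not appear in this output and are passed in separately.

```python
import re

# Constructed sample of "RLIST CDT * NORACF CDTINFO" output, abridged to a few
# fields. TSTCLAS8 is the class from the post; $MYCLAS is a made-up second class.
SAMPLE = """\
CLASS NAME
----- ----
CDT TSTCLAS8

CDTINFO INFORMATION
------- -----------
GENERIC= DISALLOWED
POSIT = 0000000303

CLASS NAME
----- ----
CDT $MYCLAS

CDTINFO INFORMATION
------- -----------
POSIT = 0000000303
"""

# Assumption: installation-usable POSIT ranges as documented for the ICHERCDE
# macro (other values are reserved for IBM); confirm against your release.
INSTALLATION_RANGES = ((19, 56), (128, 527))

def posit_by_class(listing):
    """Map each class profile name in the listing to its POSIT number."""
    result, current = {}, None
    for line in listing.splitlines():
        if m := re.match(r"\s*CDT\s+(\S+)\s*$", line):
            current = m.group(1)
        elif (m := re.match(r"\s*POSIT\s*=\s*(\d+)\s*$", line)) and current:
            result[current] = int(m.group(1))
    return result

def shared_posits(posits):
    """POSIT values held by more than one class (managed together)."""
    groups = {}
    for cls, posit in posits.items():
        groups.setdefault(posit, []).append(cls)
    return {p: sorted(c) for p, c in groups.items() if len(c) > 1}

def free_posits(posits, static_used=(), ranges=INSTALLATION_RANGES):
    """Unused installation POSITs; static_used holds values from the static CDT."""
    used = set(posits.values()) | set(static_used)
    return [p for lo, hi in ranges for p in range(lo, hi + 1) if p not in used]
```

A POSIT reported by `shared_posits` means those classes are managed as one set, so choosing a value from `free_posits` keeps a new class separately administered.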

Re: RACF POSIT

Post by ccaldwell » Thu Sep 20, 2012 9:29 pm

I have created the dynamic class, but when I try to refresh the class in generic I get the following message:

ICH14016I CANNOT REFRESH $****, GENERIC ACCESS CHECKING INACTIVE.

I also tried to add a generic profile and it does not see it as a generic profile.

Re: RACF POSIT

Post by Peter_Mann » Thu Sep 20, 2012 10:28 pm

I think it's time to check the fine manual, from my 1.12 doc I found - as the message states, generic access checking is inactive, you need to be careful here, I think this is a global option and if not currently set may affect resources currently protected.

Generic Profile Checking of General Resources

z/OS V1R12.0 Security Server RACF Security Administrator's Guide
SA22-7683-14



The rules for access-authorization checking of generic profiles for general resources are similar to those for the DATASET class.

Generic profiles are not checked unless generic profile checking is in effect for the class. To do this, issue the following command.

SETROPTS GENERIC(classname)

Guideline: Once you activate generic profile checking for a class and define generic profiles in it, avoid deactivating generics with the NOGENERIC operand. RACF® will not use your previously defined generic profiles for authorization checking while NOGENERIC is in effect.

If the class is not active, RACF does not check for profiles. RACF returns the default return code of the class to the resource manager. For a complete description, see Authorization Checking for RACF-Protected Resources.

If more than one profile covers a particular resource, RACF searches for profiles in the following order:

1. Discrete profile
2. Matching generic profiles (see Table 15)


you can find it here
http://publib.boulder.ibm.com/infocente ... cpsmfa.htm
Peter

Re: RACF POSIT

Post by angrybeaver » Thu Sep 20, 2012 10:28 pm

steve-myers wrote: I've never heard the term POSIT used with RACF. You have classes like DATASET, TSOPROC, OPERCMDS and lots more, and resources within a class, e.g., DATASET/SYS1.MACLIB, and profiles that define users authorized to use a class and resource - DATASET/SYS1.** for example. So, what do you really want to know using standard terminology?


POSIT numbers have been part of the standard terminology since about release 1.6. POSIT numbers allow sets of classes to be managed collectively via CDT entries. Perhaps if posters on this forum aren't aware of something they should ask for clarification from the poster or google/IBM Redbook search for the term as opposed to immediately assuming the poster is making up terms and killing the credibility of the forum.

Re: RACF POSIT

Post by steve-myers » Fri Sep 21, 2012 12:32 am

Yes, I recall, vaguely, now that angrybeaver reminded us, that POSIT is a class attribute, though I never used it or specified it back when I fiddled with CDTs - a very long time ago, though more recently than RACF 1.6!

Re: RACF POSIT

Post by enrico-sorichetti » Fri Sep 21, 2012 1:00 am

Perhaps if posters on this forum aren't aware of something they should ask for clarification from the poster or google/IBM Redbook search for the term as opposed to immediately assuming the poster is making up terms and killing the credibility of the forum.

utter horse manure...
perhaps if You had looked more carefully You would have seen that Steve Myers has replied more than one thousand times with more than useful information,
and since we are replying on our own time and free of charge the burden of the proof of using the proper terminology is on the TS ( topic starter )
it has happened too many times that we ( people answering ) have lost time by trusting the TS terminology and researching what is not there,
and if You had cared to look at the overall trend of the forum it is more reasonable to doubt rather than search ourselves!

on the other side this is a beginners forum, and the question is not a beginners one...
most probably the TS would have got a better answer by posting on the IBM main RACF list as per
http://www-03.ibm.com/systems/z/os/zos/ ... acf-l.html
which leads to
http://listserv.uga.edu/archives/
which leads to
http://listserv.uga.edu/archives/racf-l.html

or just looking at ( just another example found by googling with racf how to display the cdt)
http://www-03.ibm.com/systems/z/os/zos/ ... odies.html
and proceeding to
http://www-03.ibm.com/systems/z/os/zos/ ... stcdt.html

yes... I checked, the RACF-L, the issue is discussed in depth there
nothing that the TS could not have found out himself, instead of lazily asking here...

so meditate twice before posting and criticizing the others .

PS. the listcdt utility has been updated quite recently as per
public.dhe.ibm.com
/eserver/zseries/zos/racf/listcdt/listcdt.jcl
/eserver/zseries/zos/racf/listcdt/listcdt.slo
/eserver/zseries/zos/racf/listcdt/listcdt.xmitbin ==> 29/03/12
as confirmed by
unxmit   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
unxmit   - INMR01 1 73
unxmit   - INMR01.1.inmlrecl   = 80
unxmit   - INMR01.1.inmfnode   = MVSFJES2
unxmit   - INMR01.1.inmfuid    = DPFTC
unxmit   - INMR01.1.inmtnode   = A
unxmit   - INMR01.1.inmtuid    = B
unxmit   - INMR01.1.inmftime   = 20120326065133
unxmit   - INMR01.1.inmnumf    = 1
unxmit   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


and since christmas 2005 it supports the dynamic cdt entries.
cheers
enrico
When I tell somebody to RTFM or STFW I usually have the page open in another tab/window of my browser,
so that I am sure that the information requested can be reached with a very small effort