
List:       racf-l
Subject:    Re: How to use wildcard on Permit and RALTER
From:       "Robert S. Hansel (RSH)" <R.Hansel () RSHCONSULTING ! COM>
Date:       2013-06-29 11:50:34
Message-ID: 002501ce74be$dd723220$98569660$ () rshconsulting ! com

Kevin,

Whereas I agree with John's concerns about permitting ALTER to a backstop
profile as it might give away too much access, one has to be cautious about
permitting ALTER to discrete profiles because it enables the permitted users
to change the access list for such profiles. This is not the case with
generic profiles. If this is a concern and your installation doesn't use the
RACF command exit to restrict such users from making permission changes or
use PROGRAM profiles to restrict use of the PERMIT and PE programs, you
might want to create and permit ALTER access to generic profiles like
CONNECTION* instead of discrete profiles like CONNECTION to avoid this
issue. I would only substitute generic profiles of this kind for discrete
profiles in cases where ALTER was necessary. I wouldn't do this for SHUTDOWN
for instance since ALTER does not apply. To make use of this technique, you
will first have to activate GENERIC for CCICSCMD as John indicated.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
---------------------------------------------------------------------
2013 RACF Training
- Audit & Compliance Roadmap - Boston - NOV 5-8
- Intro & Basic Admin - WebEx - OCT 21-25
- Securing z/OS UNIX  - WebEx - JUL 23-25
- Securing z/OS UNIX  - WebEx - SEPT 17-20
- Securing z/OS UNIX  - WebEx - DEC 3-6
---------------------------------------------------------------------

-----Original Message-----
Date:    Fri, 28 Jun 2013 12:23:42 +0000
From:    "Chase, John" <jchase@USSCO.COM>
Subject: Re: How to use wildcard on Permit and RALTER

> -----Original Message-----
> From: RACF Discussion List On Behalf Of kevin lawson
>
> Hello,
>
> I got all my commands to work but it was not what I expected it to
> accomplish.
>
> In the CLASS CCICSCMD there are 41 objects/profiles, one of them is called
> SHUTDOWN.
> Wanted to prevent people from shutting down the region so added
>   RALTER CCICSCMD SHUTDOWN UA(NONE)
>   PE SHUTDOWN CL(CCICSCMD) ID(SYSPROG) AC(UPDATE)
> which worked and just allowed me to shut down the region/task.
>
> Then noticed that the other 40 names had default of UPDATE defined for
> them but I need ALTER for some of them (to do discards and creates).
>
> Was looking for an easy/fast way (maybe using wildcards) to give all the
> names one UA and then another line/command to give ID of whoever access
> of ALTER for everything.
> So was hoping I only had to code two lines for them all.
>
> Is this possible or should I just code individual RDEF and PE for each one
> of the 41 profile names in the CLASS CCICSCMD?

I think you're on the right track, but you first need to ensure that you
issued SETROPTS GENERIC(CCICSCMD) *before* defining any profile containing a
"wildcard character" (* or %).  If that's not the case, and there exists a
profile in CCICSCMD with a generic character, you need to delete it before
issuing SETROPTS GENERIC(CCICSCMD).  Once you have the class set up for
generics, you can then define a "backstop" profile * (or **) with
UACC([NONE|READ]) and PERMIT users/groups with READ (for inquiry-type
commands) or UPDATE (for SET-type commands).  I would shy away from granting
ALTER to such a "backstop" profile, preferring instead to define discrete
profiles for those functions requiring ALTER and permitting appropriate
users/groups to them.

Another option (preferred by some, including me) would be to avail yourself
of the "grouping class" VCICSCMD, wherein you can group resources needing
similar access privileges together, simplifying administration.  The
CICS-RACF Security Guide has examples of such groupings.

    -jc-
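The sequence John and Bob describe, written out as a CLIST of RACF commands in the order an administrator would issue them. This is an added example, not from the thread, IBM, or RSH Consulting; SYSPROG, SHUTDOWN and CONNECTION come from the thread, while the group names CICSOPS and CICSADM are assumed placeholders.

```clist
/* Added example (not from the thread): CCICSCMD setup as John and Bob  */
/* describe it.  CICSOPS and CICSADM are placeholder groups; SYSPROG,   */
/* SHUTDOWN and CONNECTION come from the thread.  Review before running. */

/* 1. Check what is already there.  A profile whose name contains * or % */
/*    that was defined while the class was NOGENERIC is a discrete       */
/*    profile with a literal wildcard; per John it must be deleted       */
/*    (RDELETE) before generics are turned on.  SETROPTS LIST shows      */
/*    whether GENERIC is already active for the class.                   */
SEARCH CLASS(CCICSCMD)
SETROPTS LIST

/* 2. Enable generic profile checking for the class, then define the    */
/*    backstop profile.  UACC(NONE): no access unless explicitly        */
/*    permitted.                                                        */
SETROPTS GENERIC(CCICSCMD)
RDEFINE CCICSCMD ** UACC(NONE) OWNER(CICSADM)

/* 3. READ for inquiry-type commands, UPDATE for SET-type commands on   */
/*    the backstop.  ALTER is deliberately not granted here.            */
PERMIT ** CLASS(CCICSCMD) ID(CICSOPS) ACCESS(READ)
PERMIT ** CLASS(CCICSCMD) ID(SYSPROG) ACCESS(UPDATE)

/* 4. Commands that need ALTER (discards/creates).  Bob's caveat:       */
/*    ALTER on a discrete profile lets the permitted user change that   */
/*    profile's own access list; ALTER on a generic profile does not.   */
/*    So use a generic such as CONNECTION* rather than discrete         */
/*    CONNECTION.  RACF picks the most specific matching profile, so    */
/*    CONNECTION* wins over ** for the CONNECTION command.              */
RDEFINE CCICSCMD CONNECTION* UACC(NONE) OWNER(CICSADM)
PERMIT CONNECTION* CLASS(CCICSCMD) ID(SYSPROG) ACCESS(ALTER)

/* 5. SHUTDOWN never needs ALTER, so a discrete profile is fine and     */
/*    limits the command to SYSPROG (Kevin's original two commands).    */
RALTER CCICSCMD SHUTDOWN UACC(NONE)
PERMIT SHUTDOWN CLASS(CCICSCMD) ID(SYSPROG) ACCESS(UPDATE)

/* 6. Make the changes visible: refresh in-storage generic profiles and */
/*    the RACLISTed copy that CICS keeps of the class.                  */
SETROPTS GENERIC(CCICSCMD) REFRESH
SETROPTS RACLIST(CCICSCMD) REFRESH
```

Run SEARCH CLASS(CCICSCMD) again afterwards and confirm that only **, CONNECTION* and the intended discrete profiles exist, since any leftover discrete profile with ALTER on its access list reintroduces the exposure Bob describes.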