
List:       racf-l
Subject:    Re: How to determine who making use a default OMVS segment
From:       Bogdan Belciu <belciu.bogdan () GMAIL ! COM>
Date:       2017-09-03 17:12:52
Message-ID: 59ac3815.8f0f1c0a.d4aae.015e () mx ! google ! com

Hi Bob,
I know this very well, what I wanted to say was that if he tries to define the
profiles and his RACF db is not AIM3 it will not work. When issuing 'rdefine
unixpriv shared.ids' RACF will issue a message stating "your racf db is not aim3" or
similar. That's all.

Sent from my Windows 10 phone

From: Robert S. Hansel (RSH)
Sent: duminică, 3 septembrie 2017 19:07
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: How to determine who making use a default OMVS segment

Bogdan,
SHARED.IDS and BPX.NEXT.USER will work under AIM stage 2. BPX.UNIQUE.USER requires
AIM stage 3. Calvin should run IRRIRA00 to confirm the stage.

Calvin,
Here is sample JCL for IRRIRA00. To identify the current AIM stage, IRRIRA00 is to be
run without an input PARM.

//jobname JOB (account),'username',CLASS=x,MSGCLASS=x
//STEP EXEC PGM=IRRIRA00
//SYSPRINT DD SYSOUT=*

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.                 *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date:    Sat, 2 Sep 2017 20:34:52 +0300
From:    Bogdan Belciu <belciu.bogdan@GMAIL.COM>
Subject: Re: How to determine who making use a default OMVS segment

Hi Bob,

When you define UNIXPRIV SHARED.IDS you get a message if your RACF db is not AIM3.
You are right with CICS regions used for web services but the impact is not very big
even if they get a new UID, depending on the setup only some log files are not
available and CICS admin (apart from being a bit angry) will have to delete them and
CICSes will create new ones with new ownership. But this can be avoided by setting an
OMVS segment for them before enabling automatic UID.

Sent from my Windows 10 phone

From: Robert S. Hansel (RSH)
Sent: sâmbătă, 2 septembrie 2017 19:01
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: How to determine who making use a default OMVS segment

Hi Calvin,

I recommend against simply slamming this into production without some careful
analysis.

First and foremost, you need to find out if your database has been converted to Stage
3 of the Application Identity Mapping (AIM) structure. This will determine whether
you can implement BPX.UNIQUE.USER.

Then you need to look for pitfalls such as files and directories owned by the Default
User UID. If you assign a new UID to a user who today is using the Default UID to
access such objects, you could cut off their access. I've had to remediate instances
where CICS regions were accessing Java directories in this fashion.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.                 *** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date:    Fri, 1 Sep 2017 20:14:57 +0300
From:    Bogdan Belciu <belciu.bogdan@GMAIL.COM>
Subject: Re: How to determine who making use a default OMVS segment

The implementation of auto uid takes 10 minutes.
(if you copy, paste and execute the statements below, even less)

Rdef facility bpx.unique.user appldata('bpxmodel')
Rdef facility bpx.next.user appldata('100/5')
Rdef unixpriv shared.ids
Au bpxmodel name('bpx model id') +
   omvs(home('/tmp') prog('/bin/sh')) nopassword +
   restricted
Setr raclist(facility unixpriv) refr

And that's all.


Sent from my Windows 10 phone

From: Calvin Bohannon
Sent: miercuri, 30 august 2017 17:24
To: RACF-L@LISTSERV.UGA.EDU
Subject: How to determine who making use a default OMVS segment

We are running z/OS 1.13 and are doing limited testing of z/OS 2.1 on weekends.
We have discovered thus far that there are several users that are in need of an OMVS
segment when we go to z/OS 2.1.  We currently do not have the RACF or UNIX expertise
to determine what users are making use of the default OMVS segment under our z/OS
1.13 environment.  We would like to determine if possible who is making use of the
default OMVS segment, which was implemented back with OS/390.  If there's a small
count, the implementation of the automatic unique UID and GID generation can be done
at a later date.
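
Added example, not part of the thread: the pitfall Bob describes above (files and directories owned by the Default User UID) can be inventoried from the z/OS UNIX shell before any user is given a new UID. It assumes the user would afterwards reach those objects only through the "other" permission bits (group access and ACLs are ignored); `at_risk` and `owned_count` are names made up here, and the UID passed in is whatever the installation's default OMVS segment holds.

```shell
#!/bin/sh
# Added example, not from the thread. Lists objects owned by one UID that a
# user moved to a different UID could no longer use in the same way.
# Assumption: after the change the user reaches these objects only through
# the "other" permission bits; group membership and ACLs are not considered.

# at_risk ROOT UID
# Prints the path of every object under ROOT owned by UID where the owner
# bits grant read, write or execute/search that the "other" bits do not.
at_risk() {
    find "$1" -xdev -user "$2" \( \
        \( -perm -400 ! -perm -004 \) -o \
        \( -perm -200 ! -perm -002 \) -o \
        \( -perm -100 ! -perm -001 \) \
    \) -print
}

# owned_count ROOT UID
# Counts every object under ROOT owned by UID, at risk or not, so the size
# of the clean-up can be judged before UIDs are changed.
owned_count() {
    find "$1" -xdev -user "$2" -print | wc -l | tr -d ' '
}

# Usage with placeholders: at_risk /some/mountpoint <default-uid>
```

Each path printed by `at_risk` needs either a change of ownership or wider permissions before the users relying on the default UID are assigned their own.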

