List: racf-l
Subject: Re: Enabling the ADDCREATOR
From: George Markouizos <00000f455a37b104-dmarc-request () LISTSERV ! UGA ! EDU>
Date: 2023-12-31 1:38:21
Message-ID: 1200189674.5460147.1703986701469 () mail ! yahoo ! com
Hello Prakash,
As Marc correctly stated, the Application Identity Mapping (AIM) function was added to RACF approximately 15 years ago (I forgot the exact year and RACF release we developed this function) to help with the management of UIDs and GIDs. In my biased opinion (as a retired RACF developer) it is highly advisable to get your shop's RACF DB at AIM Stage 3 and avoid using the SETROPTS ADDCREATOR option.
This is a direct quote from IBM Documentation regarding the AIM function and its benefit(s): https://www.ibm.com/docs/en/zos/2.2.0?topic=ibmracf-racf-aim-stage
"Description:
The RACF_AIM_STAGE check examines the RACF database application identity mapping (AIM) to see whether it is at AIM stage 3, which is recommended. Your system programmer can convert your RACF database to AIM stage 3 using the IRRIRA00 conversion utility.
Reason for check:
AIM stage 3 allows RACF to more efficiently handle authentication and authorization requests from applications such as z/OS UNIX and is required to use some RACF function. You should assign a unique UNIX UID for each user and a unique GID for each group that needs access to z/OS UNIX functions and resources. Assigning unique IDs rather than shared IDs improves overall security and increases user accountability. However, if you have a large number of users without OMVS segments who need access to z/OS UNIX services, such as FTP, you might choose not to assign UNIX identities in advance of their need to use the services. In these cases, when your RACF database has been converted to AIM stage 3, you can enable RACF to automatically assign unique UNIX UIDs and GIDs at the time they are needed."
By the way, Bob Hansel (RSH Consulting) had conducted a survey, in November 2011, regarding the Application Identity Mapping (AIM): https://rshconsulting.com/surveys/RSH_Consulting__RACF_Survey_002__AIM.pdf
George Markouizos
On Thursday, December 28, 2023 at 01:42:37 AM EST, prakash Lalaram <prakashlalaram@hotmail.com> wrote:
Good Day
Many thanks Mr. Marc for your valuable input and for putting everything into perspective.
Your guidance in this matter is very much appreciated
Regards
________________________________
From: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU> on behalf of Marc Van der Meer1 <Marc_vd_Meer@NL.IBM.COM>
Sent: Wednesday, 27 December 2023 15:47
To: RACF-L@LISTSERV.UGA.EDU <RACF-L@LISTSERV.UGA.EDU>
Subject: Re: Enabling the ADDCREATOR
RLIST UNIXMAP is no longer available when you have migrated to the long-time recommended Application Identity Mapping (AIM) stage 3. The UNIXMAP profiles are removed by IRRIRA00 when migrating from stage 2 to stage 3. The VLF cache classes IRRUMAP and IRRGMAP are recommended both in a UNIXMAP class mapping setup and in AIM stage 3. When in AIM stage 3 you can use the SEARCH CLASS(USER) command with the UID(nnn) keyword and SEARCH CLASS(GROUP) with the GID(nnn) keyword only. You can look at IRRDBU00 unload records 0120 and 0270 to see which GIDs and UIDs respectively are currently shared. Or, as you mention, zSecure.
Marc
-----Original Message-----
From: prakash Lalaram <prakashlalaram@HOTMAIL.COM>
Reply-To: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>
To: RACF-L@LISTSERV.UGA.EDU
Subject: [EXTERNAL] Re: Enabling the ADDCREATOR
Date: 12/27/2023 02:39:40 PM
Apologies, I meant to say we should not share UIDs or GIDs, as right now that is what is causing issues with USS: the path we define in the user ID is getting incorrect permissions based on the group owner.
Why can I not use the RLIST UNIXMAP * command? What makes this command work?
I can do the SEARCH command but not the RLIST command.
Having zSecure makes it all easier. We got what we were looking for.
Just a thought
________________________________
From: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU> on behalf of Marc Van der Meer1 <Marc_vd_Meer@NL.IBM.COM>
Sent: Wednesday, 27 December 2023 15:31
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: Enabling the ADDCREATOR
If you have SHARED.IDS defined then RACF will not allow you to reuse an already assigned UID or an already assigned GID, unless you add the "SHARED" keyword.
I do not understand why you would want to consider moving away from that feature. The typical goal is to have unique UIDs (besides 0) and unique GIDs.
Marc
-----Original Message-----
From: prakash Lalaram <prakashlalaram@HOTMAIL.COM>
Reply-To: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>
To: RACF-L@LISTSERV.UGA.EDU
Subject: [EXTERNAL] Re: Enabling the ADDCREATOR
Date: 12/27/2023 02:07:48 PM
Good Day
We do have the SHARED.IDS profile defined in our UNIXPRIV class. We have been using this option when we want the UID to be specific and it has already been used for another user ID; the same with GIDs.
Maybe we must move away from doing that, and rather stick to getting another usable UID.
SHARED.IDS
________________________________
From: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU> on behalf of Marc Van der Meer1 <Marc_vd_Meer@NL.IBM.COM>
Sent: Wednesday, 27 December 2023 14:55
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: Enabling the ADDCREATOR
Of course I meant to say "if ADDCREATOR is not enabled it must remain DISabled". \
Sorry about that. If it is enabled the shop must consider turning it off.
Marc
-----Original Message-----
From: prakash Lalaram <prakashlalaram@HOTMAIL.COM>
Reply-To: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>
To: RACF-L@LISTSERV.UGA.EDU
Subject: [EXTERNAL] Re: Enabling the ADDCREATOR
Date: 12/27/2023 01:53:39 PM
Thank you all for your valuable input
Much appreciated
Regards
________________________________
From: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU> on behalf of Marc Van der Meer1 <Marc_vd_Meer@NL.IBM.COM>
Sent: Wednesday, 27 December 2023 14:43
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: Enabling the ADDCREATOR
Yes. SEARCH class(user/group) uid/gid(nnn) requires AIM stage 2 minimum, see chapter "Listing UIDs and GIDs" in the SAG.
There is no relation between ADDCREATOR and VLF other than the admin creating a profile is not on any ACL with access(ALTER), which is what ADDCREATOR does. Very bad practice to have that on, if not enabled it must remain enabled.
You definitely do not need ADDCREATOR to manage UIDs/GIDs (and it would be impossible: ADDCREATOR is an on/off switch). You must define SHARED.IDS in UNIXPRIV to avoid assigning already-in-use UIDs and GIDs.
Marc
-----Original Message-----
From: Alessandro Brezzi <alessandro.brezzi@GMAIL.COM>
Reply-To: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>
To: RACF-L@LISTSERV.UGA.EDU
Subject: [EXTERNAL] Re: Enabling the ADDCREATOR
Date: 12/27/2023 01:14:39 PM
Hi,
try the RACF command "TSO SEARCH CLASS(GROUP) GID(gidshared)".
Alessandro
On Wed 27 Dec 2023 at 12:44, BUCKLEY Pete <pete.buckley@axa.com> wrote:
Hi Prakash,
UNIXMAP is probably defunct at your installation.
Try running IRRIRA00 with no PARM and check the output.
Hopefully you'll see a message like this:
IRR66017I The system is currently operating in stage 3.
https://www.ibm.com/docs/en/zos/3.1.0?topic=considerations-converting-stage-3-application-identity-mapping
Pete Buckley
AXA
-----Original Message-----
From: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU> On Behalf Of prakash Lalaram
Sent: 27 December 2023 11:37
To: RACF-L@LISTSERV.UGA.EDU
Subject: [EXTERNAL] Enabling the ADDCREATOR
Good Day
We have an issue where in ISHELL the path we defined in a user ID is showing the OWNER as a group that is not associated with the ID. It looks like the GID is shared with another group.
We needed to check which groups share the same GID.
We looked at the class UNIXMAP. We tried doing the RLIST command (RLIST UNIXMAP *) and we received the response "NOTHING TO LIST".
The UNIXMAP class is active.
I started reading about the class and found a reference to ADDCREATOR. This is not enabled in our environment. Further reading is bringing up VLF (Virtual Lookaside Facility).
My question is: what is VLF and its close association with ADDCREATOR?
Will enabling ADDCREATOR assist us in managing the UID and GID we grant in the OMVS segment?
Also, what effect will ADDCREATOR have on the user ID that is defining profiles? Will that user ID be added with ALTER access in the access list of the profiles we define?
I only want to use ADDCREATOR for managing the UID and GID, and when we run the RLIST command it shows us which ID is associated with which UID/GID.
If I am on the completely wrong path here, your expert guidance is appreciated.
I did use zSecure and I was able to get the information I needed for the UID and GID.
Unless otherwise stated above:
IBM Nederland B.V.
Gevestigd te Amsterdam
Inschrijving Handelsregister Amsterdam Nr. 33054214
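Marc's pointer to IRRDBU00 unload record types 0120 (group OMVS data) and 0270 (user OMVS data) is the portable way to answer the original question, which groups share a GID and which users share a UID, once the database is at AIM stage 3 and RLIST UNIXMAP has nothing to list. The script below is an added example written for this page; it is not code from the thread, from IBM, or from zSecure. It reads an IRRDBU00 flat-file unload and reports every UID and GID that is assigned to more than one name, listing UID 0 separately because, as Marc notes, that is the one UID that is normally shared. The only layout assumption is that the first three blank-delimited fields of a 0120 record are the record type, group name and GID, and of a 0270 record the record type, user name and UID; the fixed column positions are documented in the RACF Macros and Interfaces manual, so check them against your release. The unload lines embedded in the block are constructed for illustration and are not real data.

```python
"""Find shared UIDs and GIDs in an IRRDBU00 unload (added example, not IBM code).

IRRDBU00 writes one record per line with the record type in the first four
columns.  Only two record types are needed here:
  0120  group OMVS data : record type, group name, GID, ...
  0270  user  OMVS data : record type, user name,  UID, home path, program, ...
Assumption: the first three blank-delimited fields of those records are the
type, the name and the numeric ID (verify against your release's layout).
Transfer the unload in text mode, or open it with encoding="cp1047" if it is
still EBCDIC.
"""
import sys
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

GROUP_OMVS = "0120"
USER_OMVS = "0270"

# Constructed sample unload (not real data).  Extra fields after the ID are
# ignored, as they would be in a real 0270 record.
SAMPLE_UNLOAD = """\
0100 SYS1     1985-01-01
0120 SYS1     0000000000
0120 OMVSGRP  0000000001
0120 DEVGRP   0000000500
0120 QAGRP    0000000500
0270 OMVSKERN 0000000000 /          /bin/sh
0270 BPXROOT  0000000000 /          /bin/sh
0270 ALICE    0000001001 /u/alice   /bin/sh
0270 BOB      0000001002 /u/bob     /bin/sh
0270 FTPUSR1  0000001002 /u/ftpusr1 /bin/sh
"""


def parse_omvs_ids(lines: Iterable[str]) -> Tuple[Dict[int, List[str]], Dict[int, List[str]]]:
    """Return (uid -> [user names], gid -> [group names]) from unload lines."""
    uids: Dict[int, List[str]] = defaultdict(list)
    gids: Dict[int, List[str]] = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # short or empty record, nothing to map
        rtype, name, num = fields[0], fields[1], fields[2]
        if rtype == USER_OMVS:
            uids[int(num)].append(name)
        elif rtype == GROUP_OMVS:
            gids[int(num)].append(name)
    return dict(uids), dict(gids)


def shared_ids(mapping: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """Keep only the numeric IDs that are assigned to more than one name."""
    return {n: sorted(names) for n, names in mapping.items() if len(names) > 1}


def report(unload_text: str) -> Dict[str, Dict[int, List[str]]]:
    """Split shared IDs into ordinary shared UIDs, shared GIDs, and UID 0 users."""
    uids, gids = parse_omvs_ids(unload_text.splitlines())
    shared_uids = shared_ids(uids)
    # UID 0 is routinely held by several IDs (kernel, BPXROOT, ...); report it
    # on its own so it does not drown out the accidental sharing you are after.
    superusers = shared_uids.pop(0, None)
    return {
        "uid": shared_uids,
        "gid": shared_ids(gids),
        "uid0": {0: superusers} if superusers else {},
    }


def racf_search_commands(result: Dict[str, Dict[int, List[str]]]) -> List[str]:
    """Build the SEARCH commands (AIM stage 2 or later) that confirm each finding."""
    cmds = [f"SEARCH CLASS(USER) UID({n})" for n in sorted(result["uid"])]
    cmds += [f"SEARCH CLASS(GROUP) GID({n})" for n in sorted(result["gid"])]
    return cmds


if __name__ == "__main__":
    # Usage: python shared_ids.py [IRRDBU00-unload-file]; with no file, the
    # constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_UNLOAD
    found = report(text)
    for kind in ("uid", "gid", "uid0"):
        for num, names in sorted(found[kind].items()):
            print(f"{kind.upper():4} {num:>10}  shared by: {', '.join(names)}")
    for cmd in racf_search_commands(found):
        print("confirm with:", cmd)
```

Run it against a fresh unload rather than a stale one: IRRDBU00 reflects the database at the moment it was run, and SEARCH CLASS(USER) UID(nnn) / SEARCH CLASS(GROUP) GID(nnn) against the live database is the final word before you reassign anything. The emitted SEARCH commands are only a convenience for that confirmation step.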