I must have one small thing incorrect somewhere, but have not found it yet. This is holding up our move from CMOD 2.1 to CMOD 8.4.
In ARSUSECZ, I have the change:
ARSFLDRN DC C'IOD$FLD'
to agree with the RACF folder resource name.
I think I have followed the other steps in the config guide Appendix E, so what have I missed? Admin IDs and non-admin IDs can all view all folders. Are there additional code changes in one of the modules besides the ARSFLDRN value?
ars.ini contains:
SRVR_FLAGS_SECURITY_EXIT=1
SRVR_FLAGS_FOLDER_APPLGRP_EXIT=0
Thank You,
Larry Wagner,
City of Los Angeles
Dept of Water & Power
Hi Larry,
Is exit point ARS.SECURITY active?
Command D PROG,EXIT,EN=ARS.SECURITY,DIAG shows:
CSV464I 08.27.24 PROG,EXIT DISPLAY 174
EXIT ARS.SECURITY
MODULE STATE EPADDR LOADPT LENGTH JOBNAME
ARSUSECZ A 9CAEF2A8 1CAEF2A8 00000D58 *
Pasi
I just got that sequence covered by IBM, so I seem to be advancing.
For:
D PROG,EXIT,EXITNAME=ARS.SECURITY,DIAG
I receive response:
RESPONSE=PRD1
CSV464I 07.05.13 PROG,EXIT DISPLAY 237
EXIT ARS.SECURITY
MODULE STATE EPADDR LOADPT LENGTH JOBNAME
ARSUSECZ A 00000000 00000000 00000000 *
With more testing,
SRVR_FLAGS_SECURITY_EXIT=1
SRVR_FLAGS_FOLDER_APPLGRP_EXIT=0
is working to block folder USE, but folders are listed and not accessible. In CMOD 2.1, folders were not listed. I expected the same behavior.
Is there a way to make the folders remain unlisted if there is no access?
ARSUSECX has these three variables with defaults for CMOD 8.4
ARSAGRN DC C'ARS1APGP' - Application groups
ARSFLDRN DC C'ARS1FLDR' - Folders, new value IOD$FLD
ARSCABRN DC C'ARS1CAB' - Cabinets
We only changed one, ARSFLDRN, changing the value to match the folder name variable we used with CMOD 2.1.
It seems the others may need to be added to RACF, but in what format, the same as for folders? Create IOD$CAB and IOD$APGP, then add their contents in the same pattern used for folders with CMOD 2.1?
Hi Larry,
We did this for folders and application groups. In RACF, we created classes ARS1FLDR and ARS1APGP and then created new profiles in those classes. Both were needed.
So the actual RACF update specified in the Configuration guide is a mandatory requirement?
Resurrecting this topic, since we did not get it resolved, ...
We are now looking at the code supplied by IBM. The IBM subroutines appear to have no checking of RACF groups to establish what authority level a user has. If there is a valid userid and password to the mainframe, then any subsequent authority must be governed by permissions in the OnDemand Admin client. No other RACF validation takes place. This is not at all what I asked about when requesting information from IBM. I know I specifically asked if the same controls were maintained by CMOD 7 and RACF as in CMOD 2.1 and RACF. IBM said yes, but this is not true.
Comments?