OnDemand Users Group

Support Forums => CMOD for z/OS Server => Topic started by: LWagner on July 29, 2010, 06:17:20 PM

Title: CMOD 8.4, Security Exit and RACF, no folders blocked from any users
Post by: LWagner on July 29, 2010, 06:17:20 PM
I must have one small thing incorrect somewhere, but have not found it yet.  This is holding up our move from CMOD 2.1 to CMOD 8.4.

In ARSUSECZ, I have the change:

     ARSFLDRN DC    C'IOD$FLD'

to agree with the RACF folder resource name.

I think I have followed the other steps in the config guide Appendix E, so what have I missed?  Admin IDs and non-admin IDs can all view all folders. Are there additional code changes in one of the modules besides the ARSFLDRN value?

ars.ini contains:
SRVR_FLAGS_SECURITY_EXIT=1       
SRVR_FLAGS_FOLDER_APPLGRP_EXIT=0

Thank You,

Larry Wagner,
City of Los Angeles
Dept of Water & Power
Title: Re: CMOD 8.4, Security Exit and RACF, no folders blocked from any users
Post by: PasiPK on July 30, 2010, 05:30:12 AM
Hi Larry,
Is exit point ARS.SECURITY active?

Command D  PROG,EXIT,EN=ARS.SECURITY,DIAG  shows:
CSV464I 08.27.24 PROG,EXIT DISPLAY 174               
EXIT ARS.SECURITY                                   
MODULE    STATE EPADDR    LOADPT    LENGTH    JOBNAME
ARSUSECZ    A   9CAEF2A8  1CAEF2A8  00000D58  *     

Pasi
Title: Re: CMOD 8.4, Security Exit and RACF, no folders blocked from any users
Post by: LWagner on July 30, 2010, 03:36:46 PM
I just got that sequence covered by IBM, so I seem to be advancing.

for:
D PROG,EXIT,EXITNAME=ARS.SECURITY,DIAG

I receive response:
RESPONSE=PRD1                                         
CSV464I 07.05.13 PROG,EXIT DISPLAY 237               
EXIT ARS.SECURITY                                     
MODULE    STATE EPADDR    LOADPT    LENGTH    JOBNAME
ARSUSECZ    A   00000000  00000000  00000000  *       

Title: Re: CMOD 8.4, Security Exit and RACF, no folders blocked from any users
Post by: LWagner on July 30, 2010, 05:09:27 PM
With more testing,

SRVR_FLAGS_SECURITY_EXIT=1       
SRVR_FLAGS_FOLDER_APPLGRP_EXIT=0

is working to block folder USE, but folders are listed and not accessible. In CMOD 2.1, folders were not listed.  I expected the same behavior.

Is there a way to make the folders remain unlisted if there is no access?
Title: Re: CMOD 8.4, Security Exit and RACF, no folders blocked from any users
Post by: LWagner on August 10, 2010, 08:54:43 PM
ARSUSECX has these three variables with defaults for CMOD 8.4

ARSAGRN   DC    C'ARS1APGP'          - Application groups
ARSFLDRN DC    C'ARS1FLDR'           - Folders, new value IOD$FLD
ARSCABRN DC    C'ARS1CAB'            - Cabinets

We only changed one, ARSFLDRN, changing the value to match the folder name variable we used with CMOD 2.1.
It seems the others may need to be added to RACF, but in what format, the same as for folders?  Create IOD$CAB and IOD$APGP, then add their contents in the same pattern used for folders with CMOD 2.1?
Title: Re: CMOD 8.4, Security Exit and RACF, no folders blocked from any users
Post by: PasiPK on August 11, 2010, 05:04:38 AM
Hi Larry,
We did this for folders and application groups. In RACF we created classes ARS1FLDR and ARS1APGP and then created new profiles in those classes. Both were needed.
Title: Re: CMOD 8.4, Security Exit and RACF, no folders blocked from any users
Post by: LWagner on November 01, 2010, 03:23:31 PM
So the actual RACF update specified in the Configuration guide is a mandatory requirement?
Title: Re: CMOD 8.4, Security Exit and RACF, no folders blocked from any users
Post by: LWagner on January 31, 2011, 07:22:13 PM
Resurrecting this topic, since we did not get it resolved, ...


We are now looking at the code supplied by IBM.  The IBM subroutines appear to have no checking of RACF groups to establish what authority level a user has.  If there is a valid userid and password to the mainframe, then any subsequent authority must be governed by permissions in the OnDemand Admin client.  No other RACF validation takes place.  This is not at all what I asked about when requesting information from IBM.  I know I specifically asked if the same controls were maintained by CMOD 7 and RACF as in CMOD 2.1 and RACF.  IBM said yes, but this is not true.

Comments ?