Portal | Manuals | References | Downloads | Info | Programs | JCLs | Master the Mainframes
IBM Mainframe Computers Forums Index
 
Register
 
IBM Mainframe Computers Forums Index Mainframe: Search IBM Mainframe Forum: FAQ Memberlist Usergroups Profile Log in to check your private messages Log in
 

 

RACF - anyone here has lots of experience with it?

 
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> JCL & VSAM
View previous topic :: :: View next topic  
Author Message
prino

Active Member


Joined: 07 Feb 2009
Posts: 984
Location: Oostende, Belgium

PostPosted: Mon Jun 06, 2011 12:30 am    Post subject: RACF - anyone here has lots of experience with it?
Reply with quote

How do you populate an almost virgin RACF database, that has just a handful userids defined to it, but that needs to be set up as "you cannot do anything, unless you are given specific permission to do so" (and not "you can do anything unless we disallow you")

Feel free to contact me via a private.
Back to top
View user's profile Send private message

dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

PostPosted: Mon Jun 06, 2011 2:10 am    Post subject:
Reply with quote

Hi Robert,

Quote:
but that needs to be set up as "you cannot do anything, unless you are given specific permission to do so"
Isn't "closed" security fun. . . icon_wink.gif

I've not been a heads-down security guy, but i have helped a few folks with a similar situation as yours (most have been clerks rather than technicians). One way or another, i worked with them to generate a set of transactions that they could apply in batch. How these are generated depends on what is available to "generate from".

Recommend saving these as they may be needed again - with or without some changes. Also recommend saving a set of transactions to "kill" these userids.
Back to top
View user's profile Send private message
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

PostPosted: Mon Jun 06, 2011 1:37 pm    Post subject:
Reply with quote

Hi Robert, If I recall correctly there is an option that you can set to WARN or FAIL if you have no access. Can't recall it exactly, but a quick RTFM may reveal all.
Back to top
View user's profile Send private message
Robert Hansel

New User


Joined: 19 Feb 2010
Posts: 8
Location: Newton, MA

PostPosted: Thu Jun 09, 2011 6:37 am    Post subject: RACF
Reply with quote

Robert,

Protecting all the datasets and general resources that may exist on your system involves a substantial amount of technically challenging work. It is far too broad an issue than can be dealt with on a forum such as this. If you are not a RACF expert, I suggest you hire one to complete this effort.
Back to top
View user's profile Send private message
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

PostPosted: Thu Jun 09, 2011 12:37 pm    Post subject:
Reply with quote

Oh, and just let me guess who this supposed RACF expert may be icon_rolleyes.gif

Prino, there is one global setting in RACF as stated above, which I can not recall off the top of my head that will fail any access where none is granted or if a profile does not exist.
PROTECTALL I think, but may be wrong.

Another method may be to use a ** profile with UACC(NONE)

You most certainly DO NOT need to hire a self declared RACF wizard to solve this.

This is the same RACF guru who was warbling on about text files on the mainframe ...........................
Back to top
View user's profile Send private message
Robert Hansel

New User


Joined: 19 Feb 2010
Posts: 8
Location: Newton, MA

PostPosted: Thu Jun 09, 2011 3:11 pm    Post subject: RACF
Reply with quote

Expat,

There are many good RACF experts out there who can help. We're booked solid and don't have the time to help Robert, but I would be happy to give him some names if he contacts me directly. He definitely needs better advice than you can provide.

Before he turns on PROTECTALL(FAILURES) as you suggest, he first needs define a group or user for all his dataset HLQs and then a dataset profile of HLQ.** to cover these datasets with an appropriate UACC and permissions. Otherwise, he risks denying critical tasks access to their data and could conceivably cause an outage. A profile ** cannot be used for datasets, only general resources, and should not be used for all general resource classes as it can cause problems. This is merely the tip of the iceberg and is the reason why Robert needs to seek the advice of a knowledgeable RACF professional. He certainly cannot rely on anything YOU have to say on this matter as you don't know RACF and the terms "knowledgeable" and "professional" don't apply to you either.

25 years of experience with RACF gives me the expertise to answer his question. Google "Hansel RACF", and you'll find amply evidence to back up my claim. I don't have to hide behind a fictitious name. You clearly don't have anything close to that level of expertise, so when it comes to matters related to RACF, the world will thank you to SHUT UP!

As to your silly response about text file, since you want to criticize people because they don't use what you consider to be proper terms, then know that the term for RACF settings is "SETROPTS options". Anyone with the slightest bit of RACF knowledge is aware of this.

Fire away with more inane comments if you wish but don't expect a response unless you offer Robert further bad advice, in which case I will correct you once again.
Back to top
View user's profile Send private message
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

PostPosted: Thu Jun 09, 2011 3:16 pm    Post subject:
Reply with quote

I don't profess to be Mr RACF although I have worked with it in the past.

I was merely attempting to point Prino in the right direction. As stated in my post, it was just from memory.
Back to top
View user's profile Send private message
dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

PostPosted: Thu Jun 09, 2011 7:32 pm    Post subject: Reply to: RACF - anyone here has lots of experience with it?
Reply with quote

Hello,

Quote:
You clearly don't have anything close to that level of expertise, so when it comes to matters related to RACF, the world will thank you to SHUT UP!
Opinions vary. . . Many would rather have an Expat "guess" than some people's "fact".

More importantly (at least to me). This forum is intended to support "technical" q & a. It is not meant for self-advertising. . .

d
Back to top
View user's profile Send private message
dbzTHEdinosauer

Global Moderator


Joined: 20 Oct 2006
Posts: 6966
Location: porcelain throne

PostPosted: Thu Jun 09, 2011 7:48 pm    Post subject:
Reply with quote

i have found that people who blow their own horns,
usually have small instruments.
Back to top
View user's profile Send private message
Robert Hansel

New User


Joined: 19 Feb 2010
Posts: 8
Location: Newton, MA

PostPosted: Thu Jun 09, 2011 9:14 pm    Post subject: RACF
Reply with quote

Dick,

No self advertising was ever intended. I was responding to sarcastic innuendoes accusing me of being self-serving and to unwarranted attacks on my credibility and level of expertise. I regard these as extremely serious accusations that prompted what for me was a most unusual harsh response. This is not the first time I have been subjected to Expat's unjustified attacks; however, this time I simply could not let them go unanswered. Unfortunately, I let anger get the better of me and crossed the line with a few of my comments.

Robert, the original poster, is starting from scratch with the laudable goal of building a well protected system using RACF. This is a big effort requiring considerable expertise to do it right and fraught with risk of causing major system problems or creating vulnerabilities if done incorrectly. There are many, many steps that must be carefully choreographed to completing a full, proper RACF implementation. Far too many than can be reasonably addressed via a forum such as this. Since Robert seems to be a RACF newcomer, he would be far better off seeking the help of a RACF professional with this effort, just as I myself did when I was first getting started with RACF. No where did I suggest the RACF professional he chooses be me. My intent, then and now, was only to offer helpful advice.

Opinion is fine in many circumstances, but not for making offhand suggestions about activating an option with which you are not thoroughly familiar. PROTECTALL can be lethal to a system if activated without proper prior preparation. In my opinion, making such suggestions is best left to someone who truly knows subject product.
Back to top
View user's profile Send private message
dbzTHEdinosauer

Global Moderator


Joined: 20 Oct 2006
Posts: 6966
Location: porcelain throne

PostPosted: Thu Jun 09, 2011 9:21 pm    Post subject:
Reply with quote

For someone who is booked solid and does not have time to help,
seems as if Mr. Hansel, LRS, has plenty of time to write novelettes
in order to set the record straight
Back to top
View user's profile Send private message
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

PostPosted: Thu Jun 09, 2011 10:19 pm    Post subject:
Reply with quote

OK folks, shall we call it a day now.

First of all, I had a bad morning and after some time for further reflection feel that my comments were not warranted. So I will take this opportunity to apologise for that.

Also, by looking at other posts from Prino I believe that this is for a Hercules based MVS system, so probably not a great problem if it all goes belly up.

Dick and Dick, my thanks for your support, it is appreciated.
It's a nice feeling to know that I am still appreciated too icon_wink.gif

Robert, I believe that it is one of the unwritten rules of the forum that members do not post their company details either directly or by way of a footnote.
Back to top
View user's profile Send private message
prino

Active Member


Joined: 07 Feb 2009
Posts: 984
Location: Oostende, Belgium

PostPosted: Fri Jun 10, 2011 2:43 pm    Post subject:
Reply with quote

All,

This is indeed about a Hercules based system running something it should not be running - I've been out of work for the past 20 months, without much hope of getting anything new, 51 is not a good age and not having COBOL knowledge doesn't help either, PL/I jobs are thin on the ground.

I've managed to create an additional account on the system, with rather a lot less privileges than the supplied one, and if things do go belly-up, I can simply roll back all changes by going to a previous backup of the Hercules created shadow disks.

Having this system gives me an opportunity to not only keep my skills reasonably (z/OS 1.10) current, but also to expand them with some more admin skills, such as RACF, and one of the things I would like to do with the latter is to make the system reflect the ones at my last two clients/employers, i.e. as I wrote in the first post of this thread, make it a system where everything is off limits, unless specifically authorized.

I have 0.0 RACF experience, and most certainly do not have the money to pay for professionals, whether real or self-declared, to help me. I'm sure that spending a few weeks going through ICHZA790.PDF, aka the "RACF Security Administrator's Guide" will tell me everything that I need to know, but some simple basic hints as how to start would be most welcome.
Back to top
View user's profile Send private message
Robert Hansel

New User


Joined: 19 Feb 2010
Posts: 8
Location: Newton, MA

PostPosted: Fri Jun 10, 2011 3:16 pm    Post subject: RACF
Reply with quote

Robert,

Try getting a copy of the book "Mainframe Basics for Security Professionals: Getting Started with RACF". It is summarize the Guide. Also Google "RACF Presentations" as you may find something helpful among the copies of RACF presentations posted on the Internet. IBM has quite a few; although I don't know if any of them will provide the help you seek.
Back to top
View user's profile Send private message
View previous topic :: :: View next topic  
Post new topic   Reply to topic    IBMMAINFRAMES.com Support Forums -> JCL & VSAM All times are GMT + 6 Hours
Page 1 of 1

 

Search our Forum:

Similar Topics
Topic Author Forum Replies Posted
No new posts RACF profile access vasanthz All Other Mainframe Topics 11 Fri Sep 23, 2016 5:51 am
No new posts RACF Easytrieve Plus macro Susan Jackson CA Products 0 Fri Jun 03, 2016 8:25 pm
This topic is locked: you cannot edit posts or make replies. Mainframe tester with 3-5 yrs of expe... mbattu Mainframe Jobs 0 Tue Mar 15, 2016 2:25 pm
No new posts Experience sharing of upgrading the DB2 Francis Tchang DB2 1 Tue Dec 09, 2014 12:00 pm
No new posts Looking for experience sharing for CO... Francis Tchang COBOL Programming 0 Tue Dec 09, 2014 11:57 am


Facebook
Back to Top
 
Mainframe Wiki | Forum Rules | Bookmarks | Subscriptions | FAQ | Tutorials | Contact Us