Dan Reyes
New User
Joined: 26 Oct 2008 Posts: 8 Location: Manila
Hi Gurus,
I am not sure if this is the right section to ask about this question but I hope someone can help me out or give me some ideas.
I hope to find a tool that can resume revoked RACF userids so that our users can resume or (in the future) reset their mainframe accounts on their own.
If no free tool is available, I am willing to develop one but I don't know where to start. So far, here's a sketch of what I want to accomplish:
Part1: Webpage User Reset Form -> WebServer Module1
Part2: WebServer Module2 -> (Mainframe Program) -> Mainframe RACF
Planned Workflow:
(1) User inputs userid in Webpage User Reset Form
(2) WebServer Module1 will email the user the confirmation link regarding the request
(3) Once the user clicks on the confirmation link from his email account, WebServer Module2 will send a request to (Mainframe Program) and it will hopefully issue the RESUME command in Mainframe RACF
I can do (1) and (2) easily but creating WebServer Module2 and (Mainframe Program) will be a tough one. I tried to find a similar software that can do this but as much as possible it should be free or opensource.
I know Linux, Java, a lot of SQL DBs and other webdev languages so I think I can take care of the WebServer Modules.
I also know a bit of HLASM (assembler), a lot of REXX and JCL (I'm a sysprog of a small mainframe shop), but it is unclear to me how to create the (Mainframe Program) that will wait for requests from the WebServer and issue RACF commands once a request arrives. I hope someone can shed some light on this. Thanks.
Best regards,
Dan
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006 Posts: 19244 Location: Inside the Matrix
Hello,
Quote:
    I hope to find a tool that can resume revoked RACF userids so that our users can resume or (in the future) reset their mainframe accounts on their own.
Suggest you get approval to even approach this from the senior management of your organization.
This is directly contrary to every security policy I have seen on mainframe, Unix, or Windows-based systems. If they (users, programmers, whatever) are permitted to flail away and then get a get-out-of-jail-free card, a considerable security hole exists. Keep in mind that the one trying over and over might not be the person with the user id being "hacked".
Dan Reyes
New User
Joined: 26 Oct 2008 Posts: 8 Location: Manila
Hi Guru,
Actually, we have a JCL job that extracts RACF access violations from SMF and emails the report to our security policy team, who notify the offending users and apply sanctions if required.
The problem occurs when our users claim that the technical security team, who do the manual MF account resume (as well as other platform and email account resets), take a long time before they can resume the RACF account. This takes a toll on our users' efficiency, since they can't do anything while waiting for their mainframe account to be manually resumed or their password reset.
This issue has already reached upper management, and they said that if Oracle eBiz has a self-service password reset, why can't the mainframe have the same feature? With this dilemma, our group has started to look for a possible solution, and hopefully we can do a POC and test it out on another LPAR.
Be assured, however, that any security solution we develop will have to pass the security policy team as well as third-party audit requirements. Hopefully everything is cleared up now and someone can suggest how to do this... =)
- Dan
dick scherrer
Moderator Emeritus
Joined: 23 Nov 2006 Posts: 19244 Location: Inside the Matrix
Hello,
Quote:
    users claim that the technical security team who do the manual MF account resume (as well as other platform and email account resets) take a long time before they can resume the RACF account. This takes a toll on our users' efficiency since they can't do anything while waiting for their mainframe account to be manually resumed or their password reset.
Many organizations have an online "help desk" system/application, and a user who locks themselves out submits a help ticket to have their password(s) reset. At several of my clients, this is resolved within an hour of the help ticket being entered.
Sorry, but I don't have a suggestion on an implementation plan.
Good luck
nevilh
Active User
Joined: 01 Sep 2006 Posts: 262
Quote:
    but it is unclear to me how to create the (Mainframe Program) that will wait for requests from the WebServer and issue RACF commands once a request arrives. I hope someone can shed some light on this
Hi, it is not necessary to have a task that is permanently active and waiting for work to arrive. The simplest approach is to get the webserver application to generate a batch job and submit it. A simple job to invoke TSO in batch and issue an ALTERUSER command will achieve everything you want. Regards, Nevil
Nic Clouston
Global Moderator
Joined: 10 May 2007 Posts: 2455 Location: Hampshire, UK
I would have thought that if a user had been revoked then that user would have no RACF privileges at all and, therefore, cannot reinstate his/her access?
Dan Reyes
New User
Joined: 26 Oct 2008 Posts: 8 Location: Manila
Quote:
    Many organizations have an online "help desk" system/application and a user who locks themselves out submits a help ticket to have their password(s) reset.
Yes, we also have a centralized helpdesk. The actual process is that the user calls the helpdesk, the helpdesk creates a support ticket for the request and forwards it to the tech security team. The bottleneck happens when there are a lot of account resets from all platforms.
Quote:
    I would have thought that if a user had been revoked then that user would have no RACF privileges at all and, therefore, cannot reinstate his/her access?
Yes, it would need a privileged user (from the security team) to resume his RACF userid.
Quote:
    The simplest approach is to get the webserver application to generate a batch job and submit it. A simple job to invoke TSO in batch and issue an ALTERUSER command will achieve everything you want.
That's a brilliant idea, man, I have never thought of that. Experience really pays off. Now I'm starting to think of having FTP do the job (is this the correct way to do it?). It's like you have to FTP to the mainframe and push the batch job with the JCL in it. I have seen that kind of code somewhere and I have to look for it.
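Nevil's batch-TSO suggestion and Dan's FTP idea, put together as an added example (this is not code from any poster in the thread, nor from any product): the web side builds a one-step job that runs TSO in batch (PGM=IKJEFT01) with ALTUSER ... RESUME in SYSTSIN, then pushes it to the z/OS FTP server's JES interface with SITE FILETYPE=JES, which submits whatever is STORed as a job. The host name, FTP credentials, job card account, job name and the regex used to validate userids are all assumptions chosen for illustration, not taken from Dan's shop. The security-relevant detail is the validation: the userid typed into the web form ends up inside a TSO command, so anything other than a plain RACF userid is rejected before it can turn into a second command or a second line of JCL.

```python
import io
import re
import ftplib

# RACF userids are 1-8 characters from A-Z, 0-9, @, #, $ (assumption: this shop
# uses no other national characters). The value is interpolated into a TSO
# command, so a space, quote or newline would let a requester append commands
# such as "... RESUME ALTUSER X SPECIAL"; fullmatch against this pattern stops that.
RACF_USERID = re.compile(r"[A-Z@#$][A-Z0-9@#$]{0,7}")
JOBNAME = re.compile(r"[A-Z@#$][A-Z0-9@#$]{0,7}")   # same rules apply to job names
ACCOUNT = re.compile(r"[A-Z0-9]{1,8}")               # assumed local accounting rule


def validate_userid(userid: str) -> str:
    """Normalise and validate a userid from the web form; raise on anything unexpected."""
    uid = userid.strip().upper()
    if not RACF_USERID.fullmatch(uid):
        raise ValueError(f"not a valid RACF userid: {userid!r}")
    return uid


def build_resume_jcl(userid: str, account: str = "ACCT", jobname: str = "RESUMEU1") -> str:
    """Return a batch TSO job that issues ALTUSER <uid> RESUME.

    account and jobname are hypothetical defaults; a real shop uses its own job card.
    """
    uid = validate_userid(userid)
    if not JOBNAME.fullmatch(jobname):
        raise ValueError(f"bad jobname: {jobname!r}")
    if not ACCOUNT.fullmatch(account):
        raise ValueError(f"bad account: {account!r}")
    lines = [
        f"//{jobname:<8} JOB ({account}),'RESUME {uid}',CLASS=A,MSGCLASS=X",
        "//TSOBATCH EXEC PGM=IKJEFT01,DYNAMNBR=20",
        "//SYSTSPRT DD  SYSOUT=*",
        "//SYSTSIN  DD  *",
        f"  ALTUSER {uid} RESUME",
        "/*",
    ]
    for line in lines:
        if len(line) > 72:  # JCL is only read through column 72
            raise ValueError(f"JCL statement too long: {line!r}")
    return "\n".join(lines) + "\n"


def parse_jes_jobid(ftp_response: str) -> str:
    """Pull the JES job id out of the z/OS FTP reply to a JES STOR.

    z/OS FTP answers with a line such as '250-It is known to JES as JOB12345';
    the sample in the test below is a constructed reply of that shape.
    """
    m = re.search(r"\b(?:JOB\d{5}|J\d{7})\b", ftp_response)
    if not m:
        raise RuntimeError(f"no JES job id in FTP response: {ftp_response!r}")
    return m.group(0)


def submit_via_ftp(jcl: str, host: str, user: str, password: str) -> str:
    """Submit the job through the FTP-to-JES interface and return its job id.

    Assumes the z/OS FTP server is TLS-enabled (FTP_TLS + PROT P), so the
    privileged credential does not cross the network in clear text. Not run
    by the test; host/user/password are placeholders supplied by the caller.
    """
    ftp = ftplib.FTP_TLS(host)
    ftp.login(user, password)
    ftp.prot_p()
    ftp.sendcmd("SITE FILETYPE=JES")  # STOR now means "submit this as a job"
    resp = ftp.storlines("STOR RESUME.JCL", io.BytesIO(jcl.encode("ascii")))
    ftp.quit()
    return parse_jes_jobid(resp)


if __name__ == "__main__":
    print(build_resume_jcl("dreyes"))
    # submit_via_ftp(build_resume_jcl("dreyes"), "mvs.example.invalid", "WEBRESUM", "secret")
```

Two caveats that follow from the thread itself. Nic's point stands: the id behind the FTP login, not the requester, is the one that needs authority to RESUME, so the web server ends up holding a privileged RACF credential, and that id should be able to do nothing beyond what this job needs. And RACF will record the ALTUSER as issued by that submitting id, so the web application must keep its own audit record (requester, email address confirmed, timestamp, job id) to answer Dick's concern that the person clicking the link might not be the owner of the userid; the email confirmation only proves control of the mailbox.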