RACF Self-Service

 
Dan Reyes

New User


Joined: 26 Oct 2008
Posts: 8
Location: Manila

Posted: Mon Dec 19, 2011 11:19 am    Post subject: RACF Self-Service

Hi Gurus,

I am not sure if this is the right section to ask about this question but I hope someone can help me out or give me some ideas.

I hope to find a tool that can resume revoked RACF userids so that our users can resume or (in the future) reset their mainframe accounts on their own.

If no free tool is available, I am willing to develop one but I don't know where to start. So far, here's a sketch of what I want to accomplish:

Part1: Webpage User Reset Form -> WebServer Module1
Part2: WebServer Module2 -> (Mainframe Program) -> Mainframe RACF

Planned Workflow:
(1) User inputs userid in Webpage User Reset Form
(2) WebServer Module1 will email the user the confirmation link regarding the request
(3) Once the user clicks on the confirmation link from his email account, WebServer Module2 will send a request to (Mainframe Program) and it will hopefully issue the RESUME command in Mainframe RACF

I can do (1) and (2) easily but creating WebServer Module2 and (Mainframe Program) will be a tough one. I tried to find a similar software that can do this but as much as possible it should be free or opensource.

I know Linux, Java, a lot of SQL DBs and other webdev languages so I think I can take care of the WebServer Modules.

I also know a bit of HLASM (assembler), a lot of REXX and JCLs (I'm a sysprog of a small mainframe shop) but it is unclear to me how to create the (Mainframe Program) that will wait for requests from the WebServer and issue RACF commands once a request arrives. I hope someone can shed light on this. Thanks.


Best regards,

Dan

dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

Posted: Mon Dec 19, 2011 11:27 am

Hello,

Quote:
I hope to find a tool that can resume revoked RACF userids so that our users can resume or (in the future) reset their mainframe accounts on their own.

Suggest you get approval to even approach this from the senior management of your organization.

This is directly contrary to every security policy I have seen on the mainframe, unix, or win-based systems. If they (users, programmers, whatever) are permitted to flail away and then get-out-of-jail free, a considerable security hole exists. Keep in mind that the one trying over and over might not be the person with the user id being "hacked".
Dan Reyes

New User


Joined: 26 Oct 2008
Posts: 8
Location: Manila

Posted: Mon Dec 19, 2011 12:00 pm

Hi Guru,

Actually, we have a JCL that emails RACF access violations obtained from SMF and emails the report to our security policy team where they notify the offending users and provide sanctions if required.

The problem occurs when our users claim that the technical security team who does the manual MF account resume (as well as other platforms and email account resets) takes a long time before they can resume the RACF account. This takes a toll on our users' efficiency since they can't do anything while waiting for their mainframe account to be manually resumed or the password reset.

This issue already reached the upper management and they said that if Oracle eBiz has a self-service password reset, why can't the mainframe have the same feature. With this dilemma, our group has started to find a possible solution and hopefully we can do a POC, test it out on another LPAR.

Be assured however, that any security solution that we will be developing will have to pass the security policy team as well as third-party audit requirements. Hopefully, everything is cleared up now and someone can suggest on how to do this... =)


- Dan
dick scherrer

Site Director


Joined: 23 Nov 2006
Posts: 19270
Location: Inside the Matrix

Posted: Mon Dec 19, 2011 12:14 pm

Hello,

Quote:
users claim that the technical security team who does the manual MF account resume (as well as other platforms and email account resets) takes a long time before they can resume the RACF account. This takes a toll on our users' efficiency since they can't do anything while waiting for their mainframe account to be manually resumed or the password reset.

Many organizations have an online "help desk" system/application and a user who locks themself out submits a help ticket to have their password(s) reset. At several of my clients, this is resolved within an hour of the help ticket being entered.

Sorry, but I don't have a suggestion on an implementation plan.

Good luck :)
nevilh

Active User


Joined: 01 Sep 2006
Posts: 258

Posted: Tue Dec 20, 2011 2:41 pm    Post subject: Reply to: RACF Self-Service

Quote:
but it is unclear to me how to create the (Mainframe Program) that will wait for requests from the WebServer and issue RACF commands once a request arrives. I hope someone can shed light on this

Hi, it is not necessary to have a task that is permanently active and waiting for work to arrive. The simplest approach is to get the webserver application to generate a batch job and to submit it. A simple job to invoke TSO in batch and issue an ALTERUSER command will achieve everything you want.

Regards,
Nevil
Nic Clouston

Global Moderator


Joined: 10 May 2007
Posts: 1894
Location: UK

Posted: Tue Dec 20, 2011 2:47 pm

I would have thought that if a user had been revoked then that user would have no RACF privileges at all and, therefore, cannot re-instate his/her access?
Dan Reyes

New User


Joined: 26 Oct 2008
Posts: 8
Location: Manila

Posted: Tue Dec 20, 2011 3:57 pm    Post subject: Reply to: RACF Self-Service

Quote:
Many organizations have an online "help desk" system/application and a user who locks themself out submits a help ticket to have their password(s) reset.


Yes, we also have a centralized helpdesk. The actual process is that the user calls the helpdesk, and the helpdesk creates a support ticket for the request and forwards it to the tech security team. The bottleneck happens when there are a lot of account resets from all platforms.

Quote:
I would have thought that if a user had been revoked then that user would have no RACF privileges at all and, therefore, cannot re-instate his/her access?


Yes, it would need a privileged user (from the security team) to resume his RACF userid.

Quote:
The simplest approach is to get the webserver application to generate a batch job and to submit it. A simple job to invoke TSO in batch and issue an ALTERUSER command will achieve everything you want.


That's a brilliant idea, man, I have never thought of that. Experience really pays off. Now, I'm starting to think of having FTP do the job (is this the correct way to do it?), it's like you have to FTP to the mainframe and push the batch job with the JCL in it. I have seen that kind of code somewhere and I have to look for it.
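
As an added example (not code from any poster in this thread), here is one way WebServer Module2 could check the e-mailed confirmation link and render the TSO-in-batch job Nevil describes. The secret, token lifetime, job card and the `make_token`/`verify_token`/`build_resume_job` names are assumptions; the userid allowlist keeps form input from adding lines or operands to the generated JCL.

```python
import hashlib
import hmac
import re
import time

SECRET = b"constructed-demo-key"   # assumption: per-deployment secret, never in the page
TOKEN_TTL = 900                    # assumption: confirmation link valid for 15 minutes
# Assumption: 1-8 characters from A-Z, 0-9, # $ @ ; tighten to the site's naming rules.
RACF_USERID = re.compile(r"[A-Z0-9#$@]{1,8}")
_used = set()                      # spent tokens; a real service would persist these

def make_token(userid, now=None):
    """Module1: value embedded in the confirmation link that is e-mailed."""
    exp = int(time.time() if now is None else now) + TOKEN_TTL
    msg = f"{userid}.{exp}"
    mac = hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}.{mac}"

def verify_token(token, now=None):
    """Module2: return the userid only if the link is authentic, unexpired, unused."""
    try:
        userid, exp, mac = token.split(".")
        expires = int(exp)
    except ValueError:
        return None
    good = hmac.new(SECRET, f"{userid}.{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, good):       # constant-time comparison
        return None
    if expires < (time.time() if now is None else now) or token in _used:
        return None
    _used.add(token)                             # one link, one RESUME
    return userid

def build_resume_job(userid):
    """Render the batch job; refuse anything that is not a plain userid."""
    if not RACF_USERID.fullmatch(userid):
        raise ValueError("not a valid RACF userid")
    return "\n".join([
        "//SELFSVC  JOB (ACCT),'RACF RESUME',CLASS=A,MSGCLASS=X",  # placeholder job card
        "//RESUME   EXEC PGM=IKJEFT01",          # TSO terminal monitor program in batch
        "//SYSTSPRT DD SYSOUT=*",
        "//SYSTSIN  DD *",
        f"  ALTERUSER {userid} RESUME",
        "/*",
    ]) + "\n"
```

Submitting the job (for example over the FTP route Dan mentions) and the authority of the ID it runs under are not covered here.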
All times are GMT + 6 Hours