zosREXX
New User
Joined: 04 Feb 2022 Posts: 3 Location: United States
Background: I'm a mainframe application programmer responsible mostly for batch jobs responsible for our shop's overnight access provisioning across dozens of sysplexes, and over 100 individual LPARs. Although my go-to is REXX, I have experience with CLIST, COBOL, and PL/I.
Backstory: We have several off-platform teams across our shop that have been enabling product suites for LDAP/Active Directory automation...surprisingly without involving Mainframe as part of the initial discussions, and we're always the last area pulled into the conversation because they eventually find a mainframe component that is necessary for everything else to work. The question is always this...can you get me live information for all of our available mainframe systems? I've recently been working on understanding all RACF DB record types and how they would be useful in automating access provisioning across multiple/all systems from one interface. I have a job running daily everywhere to format and FTP this data to one Production system where I consolidate the data into a master record. The idea is to create a Db2 database from this master record so I can eventually create a front end web service...initially querying data, then trigger group/profile creation, access changes, etc.
Question: Are exits the answer to this problem? If there were a central Db2 database organizing all RACF users, groups, profiles, connections/permissions, etc., could exits be made to call a program that would update that central database when a RACF command (COnnect, PErmit, AddUser, ALterUser, etc) is executed? Current solutions we've attempted may work for provisioning across a few systems with a few commands simultaneously, but I'm imagining wanting to add a new admin to all systems simultaneously, or triggering an immediate termination everywhere, or changing an entire department's default group across all of the Test or Production systems.
If this is the right direction, this will be a great excuse to dive into Assembler and eventually feel comfortable as a systems programmer. If this is a horrible idea...too much strain on the system, overkill, or not at all possible...does anyone else have any other suggestion on how to query live data from so many systems simultaneously that would eventually culminate in the creation of fully automated access provisioning?
Willy Jensen
Active Member
Joined: 01 Sep 2015 Posts: 712 Location: Denmark
I would start looking at what SMF type 80 (RACF) provides. Exits, in my mind, are a last resort.
Depending on how SMF records are archived, you can do daily or hourly reports, or anything in between.
zosREXX
New User
Joined: 04 Feb 2022 Posts: 3 Location: United States
You’re right about SMF data if I wanted old data. Only live data interests me. Did you want to elaborate on whether exits would actually be a solution or if you had any other ideas to trigger a program call live upon a change to the RACF database or completion of a RACF command?
Is there a reason why exits are a last resort? Too much strain on the system resources?
Willy Jensen
Active Member
Joined: 01 Sep 2015 Posts: 712 Location: Denmark
"Is there a reason why exits are a last resort? Too much strain on the system resources?"
I think it is a last resort because of the development and maintenance effort, plus the dwindling number of assembler programmers. Having said that, I can see how an SMF exit might intercept the type 80 and put data to an internal buffer, which could be read asynchronously, which would make it almost unnoticeable in performance terms.
Another solution springs to mind - force users to use a REXX (or similar) to issue the command, the REXX could write a log after successful command completion.
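
The REXX wrapper idea from the post above, sketched as an added example that is not part of the original thread or any poster's code. The exec name RACFLOG, the DD name and the log data set 'HLQ.RACF.CMDLOG' are hypothetical; the data set is assumed to be pre-allocated, and the wrapper only gives a complete log if users cannot issue the RACF commands outside it.

```rexx
/* REXX - RACFLOG: run one RACF command and log it if it succeeded.  */
/* Added example. Log data set name and DD name are hypothetical.    */
parse arg cmd
cmd = strip(cmd)
parse upper var cmd verb .

/* Only the command verbs named in the thread, with abbreviations */
allowed = 'CONNECT CO PERMIT PE ADDUSER AU ALTUSER ALU'
if wordpos(verb, allowed) = 0 then do
  say 'RACFLOG: command' verb 'is not handled by this wrapper'
  exit 12
end

/* Trap the command's messages so they can be shown to the caller */
call outtrap 'msg.'
address tso cmd
cmdrc = rc
call outtrap 'OFF'
do i = 1 to msg.0
  say msg.i
end

/* Log only after successful completion, as the post suggests */
if cmdrc <> 0 then do
  say 'RACFLOG: command ended with RC='cmdrc', nothing logged'
  exit cmdrc
end

/* One record per change: date, time, system, issuing user, command */
rec.1 = date('S') time('N') mvsvar('SYSNAME') userid() cmd
rec.0 = 1
logdsn = "'HLQ.RACF.CMDLOG'"        /* hypothetical, pre-allocated */
address tso "ALLOC FI(RACFLOG) DA("logdsn") MOD REUSE"
if rc <> 0 then do
  say 'RACFLOG: command ran but the log could not be allocated, RC='rc
  exit 8
end
address tso "EXECIO 1 DISKW RACFLOG (STEM rec. FINIS"
iorc = rc
address tso "FREE FI(RACFLOG)"
if iorc <> 0 then do
  say 'RACFLOG: command ran but the log write failed, RC='iorc
  exit 8
end
exit 0
```

The system name in each record lets logs shipped from many LPARs be merged into one central table without losing where a change was made.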
Willy Jensen
Active Member
Joined: 01 Sep 2015 Posts: 712 Location: Denmark
I mention SMF exit as I really don't know if RACF has a usable exit for this. It just might.
Garry Carroll
Senior Member
Joined: 08 May 2006 Posts: 1193 Location: Dublin, Ireland
Joerg.Findeisen
Senior Member
Joined: 15 Aug 2015 Posts: 1255 Location: Bamberg, Germany
Garry Carroll wrote:
Would RACF RRSF address your need to propagate commands across multiple systems?
If you have TSS or ACF/2 that brings some difficulties. Otherwise RRSF is probably the right way to look at.