IBM GC28-1920-01 Utility, Enhancements to the, Rdceruid Callable Service, SOMobjects for MVS

Page 66
R_dceruid Callable Service

resources. Profiles must reside in storage before RACROUTE

REQUEST=FASTAUTH can

be used to verify a user's

access to

a resourc

Ÿ The client/server

relationship is not propagated

from the

application

If

the security

administrator

implements access

control bothto

resources th

the

server's RACF

identity and

the client's RACF

identity in

an access

decision, application servers that the security administrator does not treated endas pointson OS/390. These servers notshouldbe allowed to submit batch jobs or use the services of other servers that run exclusively identity of the client. This is because the relationship of the clien identity pair is not propagated to other applications or servers. The administrator must enforce this through administrative procedures by ens applications servers that do not meet notthisauthorizedcriteria areto the profile BPX.SERVER in the RACF FACILITY class. By denying the untrusted servers

authorization to BPX.SERVER, the

security administrator

ensures

that

all

done by the server, including

job submission and the

use of

other

se

using the server's identity.

 

 

 

 

Controlling

the

R_dceruid Callable Service

 

 

The security

administrator must define the IRR.RDCERUID

profile in th

class to control the use of the SAF

R_dceruid callable

service. This

service

maps

the DCE UUID to the

RACF user ID.

 

Check your installation for programs that use:

Ÿthe SAF R_dceruid callable service

or services that call it, such as:

Ÿ the OS/390 OpenEditionconvert_id_np

callable service

Ÿthe C library functionconvert_id_np() function call

Users or

servers

using programs

that use these services must

have REA

or higher

to the

profile that

protects IRR.RDCERUID in the

FACILITY

Enhancements to the

Remove

ID

Utility

 

 

 

 

 

 

 

 

The RACF remove ID utility, IRRRID00, has been

enhanced to search

pr

defined to the DCEUUIDS class

when removing a user ID. The utility g

output consisting of commands that remove

DCEUUIDS

class profiles

in

whic

APPLDATA field

contains

the

user

ID being

removed.

 

 

The

RACF

security administrator

should contact

the

DCE administrator

when

removing a user ID

which

has

been cross-linked with a DCE principal, to

if

the

DCE

principal

should be

deleted

from

the

cell.

 

 

SOMobjects for MVS

The

security administrator must permit the users who

are allowed to

us

SOM

servers and are allowed to use specific methods

within classes

to

within the new RACF CBIND and SOMDOBJS classes. In addition, the securit administrator must define which servers are known to the SOM daemon, by defining profiles within the new RACF SERVER class.

42 OS/390 V1R2.0 Security Server (RACF) Planning: Installation and Migration

Page 65 Page 67
Image 66
Page 65 Page 67
Contents Security Server RACF Planning Installation and Migration OS/390Place graphic in this area. Outline is keyline only. DO NOT PRINT Page Security Server RACF Planning Installation and Migration Second Edition, September 1996. AllPage Page Contents MigrationAdministration Considerations Customization ConsiderationsAuditing Considerations Chapter Operational ConsiderationsIndex 10. ApplicationPage Figures Page Notices Trademarks Who Should Use This Book How to Use ThisAbout This Book xiiiŸ The OS/390 Security Server RACF Information , PackageSK2T-2180 Where to Find More InformationSoftcopy Publications ServerUsing the Administration, H3927Elements of Security RACF Installation - Student GG24-3971Notes Ÿ Tutorial Options for Tuning GG22RACFInternet Sources Other Sources of InformationIBM Discussion Areas listserv@uga.cc.uga.eduPublications To Request Copies ofOS/390 xviiiFeatures OSA/SF ServiceŸ OpenEditionProduct V2R5TSO/EPage Summary of Changes Page Migration Planning Considerations Chapter 1. PlanningMigration Installation Considerations Administration ConsiderationsCustomization Considerations Application Development Considerations Auditing ConsiderationsOperational Considerations General User ConsiderationsPage Chapter 2. Release Overview New and Enhanced Supportfunction OS/390 OpenEdition DCEidentifies introduced in OS/390 ReleaseConcepts CheckOS/390 OpenEdition Authorizing and Auditing Server Access to the CCS and WLM ServicesAuditing the Passing of Access Rights SOMobjects for MVSnon-main Multisystem NodesRRSF Network systemsOS/390 Enable and Disable Functions YearTARGET classes NetView1.10 Facilityidentifies function Function Not Upgradedupdated for that3. Summary of Components forRelease Class Descriptor Table CDTwhich Commandslists classes thereCommand Chapter 3. Summary of Changes to RACF Components for OS/390 15Releaselists changed Data AreasExits general-use programming interface GUPI data areFigure 12 lists changes MacrosMessages RACF macrosMessages New MessagesChanged Messages RACF Database Split/Merge Utility IRRUT400Routines PanelsPublications Library Figure 13 lists RACF panels that areFigure 16 identifies changes to RACF members of SYS1.SAMPLIB SYS1.SAMPLIBTemplates RACROUTE REQUEST=EXTRACTUtilities Figure 18 lists changes to RACF utilities for OS/390 ReleaseTemplate Utility 0280Chapter 4. Planning Considerations OS/390 Security Server RACF Planning Installation and forMigrationRACF Planning Installation and Migrationfor RACF Migration StrategySoftware Requirements RACF Planning Installation and Migrationfor RACF 2.1, andHardware Requirements RACF Migration and Planning for RACFCompatibility Compatibility Considerations for Remote SharingRequirements Page Considerations Chapter 5. Installation ConsiderationsEnabling RACF Networksare in your existing workspace data sets when you installationconfigured install multisystem RChapter 5. Installation Considerations29 mustsysname prefixnodename local-luprefix.local-node.local-node .INMSG This section discusses storage considerations for RACF RACF Storage ConsiderationsVirtual Storage Figure 21 estimates RACF virtual storage usage, for planning purposesCustomer Additions to the CDT Subpoolinformation, OS/390see Security Server Templates for RACF onOS/390 Release Systemand IRRSXT00 Chapter 6. Customization ConsiderationsExit Processing Effects of OS/390 OpenEdition DCEIRRSXT00 Installation Exit RACROUTE REQUEST=DEFINE Preprocessing Exit ICHRDX01Cross-Linking Between RACF Users Chapter 7. Administration ConsiderationsServer RACF Security Administrators. Guide signonDCEUUIDS Class Signon toActivating single signon restrictionsOpenEditionsee DCE Administration .Guide OS/390 OpenEdition DCE Application Considerations the DCE Encryption Key OpenEdition Planning, and inOS/390 OpenEdition Programming Assembler Library ReferenceThreads and Changes to RACF Authorization Processing Restrictionscallable servicepthread orsecuritynp Rdceruid Callable Service UtilityEnhancements to the Chapter 7. Administration Considerations43 SYSMVIEWPage Auditors Guide and OS/390 Chapter 8. Auditing ConsiderationsSMF Records Server RACF MacrosServices Auditing New OS/390Interfaces Report Writer Auditing OS/390 OpenEdition DCE SupportAuditing SystemView for MVS Support SMF Data Unload UtilityPage Chapter 9. Operational Considerations CommandOS/390 Security Server RACF Command Language Referencefor more Enabling and DisablingPage Servers Chapter 10. Application Development Considerations2000 Support 01yydddFNew Application Services and Security pthread the securitynpChanges to the Class Descriptor Table ServiceNew Application Authorization Programming InterfacesŸ “Macros” on page Ÿ “Templates” on page Ÿ “Utilities” on page Ÿ “Routines” on pageOpenEdition Chapter 11. General UserConsiderations Reference forPage OW08457 Chapter 12. NJE ConsiderationsAPAR OW14451 After Applying the PTFUACC Actions RequiredOW08457 NODESAPAR OW15408 GROUPFAILSAFE Page Nodes Chapter 13. ScenariosMigrating an Existing RRSFprefixTARGET NODEORLANDO DELETE prefixTARGET NODEMIAMI2 SYSNAMESYSTEM2 LOCAL OPERATIVEOn MIAMI2 prefixTARGET NODEMIAMI2 DELETERACF Diagnosis On ORLANDODELETE prefixTARGET NODEORLANDO OPERATIVE PREFIX... PROTOCOL... WORKSPACE Note TheGlossary accessdirection Page Seegeneral-use programming Seeinventoryprogramming Seelogical Seemultisystemlogical other.single-system supervisorytask segment andDFP Index A classes continuedcontinued Page SERVER SFSCMDKEYSMSTR utilitiescontinued Page IBM  Now you can! TheIBM Online Library ProductivityEdition OS/390 Security Server RACF Information Page Page Communicating Your Comments to IBM commentsPublication No. GC28-1920-01 Readers Comments - Wed Like to Hear from YouOS/390 Security Server RACF Planning Installation and Migration Note CopiesBUSINESS MAILREPLY IBMPage IBM Drop in Back Cover Image HereGC28-192ð-ð1
Top Page Image Contents