Manuals / IBM / Computer Equipment / Server

IBM GC28-1920-01 manual Actions Required, OW08457, Uacc, Nodes, Addmem&Dfltgrp

Models: GC28-1920-01

1 110
Download 110 pages 26.8 Kb
Page 82
Image 82

Actions Required

With

 

OW08457 and OW14451, group propagation and

group

translation

has

 

be

fixed for NODES profiles, both for batch jobs and for SYSOUT. This ch

significantly

alter

the

external

results

of

your

NJE

 

environment

and

 

your

must

decide

what

changes

will

best

suit your

needs.

 

 

 

 

 

 

 

 

 

Case

 

1: Nodes defined to &RACLNDE.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

For

nodes defined to the RACFVARS

variable &RACLNDE, there is no change

(group

propagation

still

does

 

not

 

occur,

and

group translation

was

never

It was determined that fixing group propagation for this case would

disruption, so it was left unchanged. Remember

that

if

a

node

is

def

&RACLNDE,

no

NODES

profile

lookup

 

will

 

take

place.

 

 

 

 

 

 

 

 

 

 

 

 

Case

 

2: Getting NODES externals to

work

as

they

 

did

 

prior

to

 

OW08457

an

OW14451

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Your

 

installation

might

decide

to

 

continue to base NJE security

primari

user

 

ID, and let the resulting job or SYSOUT

take

that

 

user

 

ID's

 

de

purposes of verification. This was

the case prior to these APARs. Thes

steps

suggested

for

achieving

the

same

effect

with

the

revised

ext

Note:

 

The changes listed below in

steps

1

and

2 must be made on

 

all

 

 

where you want processing to work as it

did

prior

to

OW08457

 

and

 

 

OW14451.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Step

1:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Delete all GROUPJ and GROUPS

NODES

 

profiles

that

have

a

UACC

 

value

 

gre

than

or equal to READ. These profiles were previously

irrelevant

but

now

result

in

failing

jobs

or

unowned

 

SYSOUT. Note that GROUPJ and GROUPS

NODES

profiles with a UACC value of NONE already worked and still work as

documented.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Step

2:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Create a NODES profile of the format nodeid.GROUP%.* UACC(READ)

 

 

 

 

 

 

ADDMEM(&DFLTGRP)

for

each

node

for

which

you

expect

inbound

work. If

 

no

more-specific NODES profiles exist

 

than nodeid.GROUP%.* that would protec

inbound work(e.g. nodeid.*.*), the profile *.GROUP%.* UACC(READ)

 

 

 

 

 

 

ADDMEM(&DFLTGRP) can be created instead of the individual nodeid.GROUP%.*

profiles. After

 

the

NODES profiles

 

are

created,

 

do

any

necessary

refr

in-storage

profiles. The

new

profile(s)

cause

RACF

to

use

the

 

default

NJE

verification

after

the

user

 

ID has been propagated and possibly

Note

that without step 1 above,

 

there could be more specific GROUP

"GROUPS"

profiles

so

that

the

&DFLTGRP

wouldn't

be

used consistently,

 

res

in problems

 

described

above.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Case 3: Making use of group propagation in NJE security

 

 

 

 

 

 

 

 

Because

group

propagation

and

group

translation

were

not

functional

until

RACF

recommends

the

following

steps

for

making

 

the

transition

to

 

this

 

func

Step

1:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

58 OS/390 V1R2.0 Security

Server

(RACF)

Planning: Installation

and

Migration

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Page 81 Page 83
Page 82
Image 82
IBM GC28-1920-01 manual Actions Required, OW08457, Uacc, Nodes, Addmem&Dfltgrp
Page 81 Page 83