I need a RACF security question answered and I can’t get a straight answer internally. Our security department believes in secrecy and is not open to trying something new.
Question: Can RACF provide Read Only access to DASD volume(s) for any request when it comes from a specific LPAR. We have 5 LPARs defined on one box. It is a shared DASD environment. One of the LPARs is supposed to be used for test/development. Can a global rule to permit only READ for an LPAR be defined?
I don’t know about LPAR, but I know that datasets can be read-only for some users. For example, I may have access to write CB.XXX.XXX, but have read-only access for CQAT.XXX.XXX datasets. Also, some users can use write options in CICS and others can’t.
Johnny LA, an LPAR is a logical partition. Using software to carve up one physical computer into several “logical” or independent systems. I am really looking for specific RACF command syntax to provide to our security team on how this may be done (if it can be). Any takers?
Sn-man,
You might want to consider subscribing to the IBM mainframe list server or the RACF list server. There are some real gurus active on both of them.
To join the mainframe list, just send an e-mail with the words “subscribe ibm-main” to listserv@bama.ua.edu. To join the RACF list, send a “subscribe RACF-L” e-mail to listserv@listserv.uga.edu.
Or you can go to http://www.knutson.org/internet.htm for a list of lists and just click on the “subscribe” link.
RR
Thanks RR, I will subscribe to both.
CA-Top Secret would certainly let you do that ten years ago. I would hope that RACF has caught up by now. (Especially since Top Secret has to have been built on the RACF base line.) It is possible that it is not the LPARs, themselves, that we were using, but the VTAM nodes. (On the other hand, I would think that VTAM figures into your LPAR structure.)
I’m just an apps guy that messed with it around the fringes, so there is a possibility that the nature of the relationships among all the pieces-parts has changed in the last few years and I missed it. However, my impression would be that this is very much a possibility. (I will, however, check with my tech buddies. It may take me a day or two to come up with the definitive answer.)
My tech source confirmed that CA-Top Secret© can, indeed, use an LPAR in a profile to limit access in any way that an AccessorId or VTAM Node can be granted or denied access. Now, it is possible that Top Secret has some additional coding that makes the task easier than the same task would be in RACF. However, the physical properties of the operating system are built with RACF as the security agent, so Top Secret cannot permit or deny access that RACF was not able to permit or deny. (This is not to say that CA did not invest more energy in actually writing the code than IBM chose to invest*, but it should be available in RACF.)
*(An interesting aspect of that is that IBM has been actively promoting the purchase of Top Secret over their own product, which implies that they are not interested in maintaining the application aspect of the software.)