Trace example 1 (z/OS Security Server RACF Diagnosis Guide, GA32-0886-00)
This slip should be used to write a GTF trace record for each program
loaded into the environment:
Because this slip produces GTF records, you must start GTF with PARM TRACE=SLIP and then format the data with the IPCS GTFTRACE command. If the preceding steps have been implemented correctly, 'SLIP S+U' entries appear in the trace records. Under the 'SLIP S+U' heading, locate the 'General Purpose Register Values' line and obtain the value of R15 for each 'SLIP S+U' record in the trace output. R15 can have 5 possible values:
If the value in R15 is 4, 8, or C, a profile in the PROGRAM class must be defined to protect the program identified by this trace entry. In addition to defining the profile in the PROGRAM class, the PERMIT command must be issued to put users or groups in the access list for the program's profile. To rebuild the in-storage profile list, issue the SETROPTS WHEN(PROGRAM) REFRESH command after making changes to the PROGRAM class. This allows the changes to take effect immediately. For more information about defining profiles in the PROGRAM class and creating entries in a conditional access list, see z/OS Security Server RACF Security Administrator's Guide.

Note: If the RACF database is being shared with other systems, the SETROPTS REFRESH takes effect only on the system on which it was issued. In this case, the SETROPTS WHEN(PROGRAM) REFRESH must be issued on all the other sharing systems. This allows the PROGRAM class changes to take effect immediately on the other systems as well. An exception occurs when RACF is enabled for sysplex communications.
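The define, permit and refresh steps above, as an added example written for this page and not taken from the Diagnosis Guide. It is a REXX exec issuing the RACF commands from TSO; the program name PGMXYZ, user USER01 and data set PAYROLL.DATA are constructed placeholders, and the library SYS1.LINKLIB is assumed to be where the program was loaded from.

```rexx
/* REXX: constructed example, not from the Diagnosis Guide.           */
/* Protects one program whose 'SLIP S+U' record showed an R15 of       */
/* 4, 8 or C, grants access, and rebuilds the in-storage profile list. */
pgm  = 'PGMXYZ'        /* placeholder: program named in the SLIP USR  */
lib  = 'SYS1.LINKLIB'  /* assumed: library the program was loaded from */
user = 'USER01'        /* placeholder: user or group needing the pgm  */
pads = 'PAYROLL.DATA'  /* placeholder: data set reached through PADS  */

ADDRESS TSO
/* Define the PROGRAM profile. NOPADCHK skips program-accessed data   */
/* set conflict checking for this program; omit it (PADCHK is the     */
/* default) when that checking is wanted for the program.             */
"RDEFINE PROGRAM" pgm "ADDMEM('"lib"'//NOPADCHK) UACC(NONE)"
if rc <> 0 then do
  say 'RDEFINE PROGRAM' pgm 'failed, rc='rc
  exit rc
end

/* Put the user or group on the program profile's access list         */
"PERMIT" pgm "CLASS(PROGRAM) ID("user") ACCESS(READ)"

/* Conditional access list entry: the data set may be read only when  */
/* it is accessed through the controlled program                      */
"PERMIT '"pads"' ID("user") ACCESS(READ) WHEN(PROGRAM("pgm"))"

/* Rebuild the in-storage PROGRAM profile list so the changes take    */
/* effect now; repeat on every system sharing the RACF database.      */
"SETROPTS WHEN(PROGRAM) REFRESH"

/* Check the result                                                   */
"RLIST PROGRAM" pgm "ALL"
exit 0
```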
The information that you need to define the PROGRAM class profile
correctly is found in the 'SLIP USR' of the trace record following
the 'SLIP S+U' information. If the zzzzz value
was set correctly you will see:
where:
Note: As stated in z/OS Security Server RACF Security Administrator's Guide,
if a TSO user has executed a non-controlled program during the current
session, and then attempts to access a PADS data set, the attempt
fails. The TSO user can in some cases temporarily regain a controlled
environment by invoking the controlled program through the TSOEXEC
command. See Special consideration when REXX is involved for exceptions to this. When writing a program,
you can do the equivalent by invoking the TSO IKJEFTSR service. This
technique can prove extremely useful to users who want to have their
programs run from the TSO session, but do not want to protect every
program that is executed between logon time and execution of the program
intended to access the data set.
Also, program AAOEFTB3 might require protection if the MVS/TSO Dynamic Steplib Facility, program number 5798-DZW, is used while attempting to implement program control in the environment created by TSOEXEC. AAOEFTB3 is normally found in SYS1.LINKLIB.
Copyright IBM Corporation 1990, 2014