Vanguard Administrator z/OS (OS/390) Security Server Automated Administration Technical Reference Guide Version 5.2

Page 1: Vanguard Administrator 5.2 Tech Reference Guide - · PDF fileVanguard Administrator Technical Reference Guide xi Customer Support Technical support is available 24 hours a day. A direct

Vanguard Administrator

z/OS (OS/390) Security Server Automated Administration

Technical Reference Guide

Version 5.2


Vanguard Administrator™ Version 5.2 Document Number VRAR-092904-521T September, 2004

Copyright © 1997-2004 Vanguard Integrity Professionals-Nevada. All rights reserved. Printed in the USA. No part of this publication may be copied, reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, for any purpose other than the Licensee's personal use, without express written permission from Vanguard Integrity Professionals-Nevada.

Trademarks Vanguard, Vanguard Integrity Professionals, Vanguard Security Solutions, Vanguard Security Suite, Vanguard Security on Demand, Security on Demand, ez/Security on Demand, RioVision, Vanguard Administrator, Administrator, Vanguard Advisor, Advisor, Vanguard Analyzer, Analyzer, Vanguard Enforcer, Enforcer, Vanguard SecurityCenter, SecurityCenter, Vanguard INCompliance, INCompliance, Vanguard PasswordReset, PasswordReset, Vanguard ez/AccessControl, ez/AccessControl, Vanguard ez/Signon, ez/Signon, Vanguard ez/Integrator, ez/Integrator, Vanguard ez/Signon Deploy, ez/Signon Deploy, Vanguard Identity Manager, Quality Security Framework, Quality Security/390 Suite, QS/390, SmartPanel, SmartLink, Find-it-Fix-it-Fast, RiskMinder, SmartAssist, eDistribution, AutoPilot, QuickGen, Pathway to Profitability, Enterprise-Wise and Knowledge Expo are trademarks or service marks of Vanguard Integrity Professionals-Nevada. z/OS, OS/390, Security Server, RACF, DB2, CICS, IMS, JES and MVS/ESA are registered trademarks of International Business Machines Corporation. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. All other products mentioned in this publication are trademarks of their respective companies.

About This Product Any software products accompanying this publication are copyrighted and owned by Vanguard Integrity Professionals-Nevada. Use of the software product is governed by the provisions of your License Agreement or the Terms of Use on the envelope in which the software product was sent to you. Warranty and Limitation of Liability: VANGUARD warrants that the licensed software products as delivered do not infringe any patent or copyright held by any third party and enforceable under U.S. law. THE FOREGOING WARRANTY IS THE SOLE AND EXCLUSIVE WARRANTY PROVIDED BY VANGUARD UNDER OR IN CONNECTION WITH THE LICENSED SOFTWARE PRODUCTS AND IS IN LIEU OF ALL OTHER WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. UNDER NO CIRCUMSTANCES WILL VANGUARD BE LIABLE TO CUSTOMER FOR ANY OF THE FOLLOWING: (I) ANY DAMAGES CAUSED BY THE FAILURE OF CUSTOMER TO PERFORM ITS RESPONSIBILITIES; (II) ANY THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES; OR (III) ANY LOST PROFITS, LOSS OF BUSINESS, LOST SAVINGS OR OTHER CONSEQUENTIAL, SPECIAL, INCIDENTAL, INDIRECT, EXEMPLARY OR PUNITIVE DAMAGES, EVEN IF INFORMED OF THEIR POSSIBILITY.

Table of Contents

Vanguard Administrator Technical Reference Guide iii

Table of Contents

Customer Support ..... xi
How to Contact Us ..... xi
Join Vanguard-L ..... xi
Submit Vanguard Forms ..... xii
How to Send Your Comments ..... xii

About This Manual ..... xiii
What's New in This Release ..... xiv

Chapter 1. Introduction to Vanguard Administrator ..... 1
Administrator Features ..... 2
Administrator Information Flow ..... 7

Chapter 2. Getting Started ..... 9
Invoking the Administrator ..... 9
Administrator Initialization Panels ..... 10

User Initialization – General ..... 11
User Initialization – Data Set ..... 12
User Initialization – VSAM ..... 14
User Initialization – DB2 ..... 15

Vanguard Option Library Parameters ..... 17
VRAOPT00 – Administrator Customization Parameters ..... 17
General Parameters ..... 17
Automated Command Scheduler Parameters ..... 20
Email Parameters ..... 23

Customizing Administrator Storage Parameters ..... 25
VIMOPT00 – Distributed Identity Manager Parameters ..... 26

Administrator Main Menu ..... 27
Administrator Main Menu Options ..... 27

Chapter 3. Controlling Access to Administrator Functions ..... 29
Controlling Feature Operation ..... 30
Support for Decentralized Administration ..... 31
Controlling SETROPTS REFRESH Command Generation ..... 32
Controlling Access to Identity Manager ..... 34

Checking New Passwords ..... 37


Auditing Identity Manager ..... 37
Audit Records ..... 37
Information Contained in the LOGSTRING ..... 39

Controlling Access to Connect Manager ..... 39
Connect Manager Authorization Checks ..... 39
Permitting Access to Connect Manager Functions ..... 40
Denying Access to Connect Manager Functions ..... 41
About the CMLOCKOUT Parameter in VRAOPT00 ..... 41
Permitting Access to Auditing Profiles ..... 42

Controlling Unix AUTOUID, AUTOGID and SHARED Options ..... 42
System Requirements ..... 42
AUTOUID and AUTOGID Options ..... 43
SHARED Option ..... 45

Chapter 4. Data Services ..... 47
Data Services Functions ..... 47
Extract Program ..... 48

Creating RACF Extract Files ..... 49
Invoking and Processing the Extract Program ..... 49
The Extract Audit Report ..... 53
Load the Administrator Extract into DB2 Tables ..... 53
Load Administrator DB2 Tables ..... 54
Invoking and Processing the DB2 Load Function ..... 54

Initialization Variable Maintenance ..... 56
Invoking and Processing Initialization Variable Maintenance ..... 56
Initialization Variable Maintenance – General ..... 57
Initialization Variable Maintenance – VSAM ..... 58
Initialization Variable Maintenance – GORACF ..... 60
Initialization Variable Maintenance – DB2 ..... 61
Initialization Variable Maintenance – UPDATE ..... 62

Tailor Administrator Batch JCL ..... 63
Install / Re-install DB2 ..... 64

DB2 Batch Execution Job Statement Information ..... 65
DB2 Variable Maintenance ..... 65
Administrator DB2 Tailoring ..... 67
Administrator DB2 Object Profiles ..... 68


Administrator DB2 Plan Profiles ..... 69
DB2 Tailoring – Update ..... 70

Administrator DB2 Customization ..... 71
Creating Administrator DB2 Objects ..... 71
Binding Administrator DB2 Application Plans ..... 72
Loading Administrator DB2 Tables ..... 72
DB2 Tables and Views ..... 74
Load Administrator Shadow Catalog Tables ..... 76

Chapter 5. Vanguard Security Server Commands Baseline Configuration ..... 77
Overview of Vanguard Security Server Command Facility ..... 77
Establishing Installation Baseline Configurations ..... 77
User Configuration Process ..... 79

User-Entered CONFIG Command ..... 80

Chapter 6. Distributed Identity Manager ..... 81
Overview of the Distributed Identity Manager ..... 81
Software Requirements ..... 83
Reference Documentation ..... 84
Distributed Identity Manager Configuration Overview ..... 84

RACF ..... 85
CICS ..... 86
TSO ..... 86
VTAM ..... 87
APPC/MVS ..... 87

Distributed Identity Manager Configuration Details ..... 88
Preliminary Considerations ..... 88
CICS Administrator ..... 95
TSO Administrator ..... 98
VTAM Administrator ..... 98
APPC/MVS ..... 99
CICS ..... 102
TSO ..... 103

Chapter 7. Automated Command Scheduler ..... 105
Reference Documentation ..... 105
Software Requirements ..... 106


Overview of the Automated Command Scheduler ..... 106
ACS Configuration Overview ..... 110

Configuring ACS for a Single MVS System ..... 112
Configuring ACS for Multiple MVS Systems Using a Single RACF Database ..... 113
Configuring ACS for Multiple MVS Systems with Multiple RACF Databases ..... 114

ACS Configuration Tasks ..... 115
Step 1: Inventory the Network ..... 117
Step 2: Define the RACF Database ID(s) ..... 118
Step 3: Propagate RACF Administrator User IDs ..... 118
Step 4: Define a User ID for the ACS Started Task ..... 119
Step 5: Define a User ID for the ACS TP ..... 119
Step 6: Define Logon Mode Table ..... 120
Step 7: Define an ACS VTAM Application Program Major Node ..... 120
Step 8: Define the ACS LUs to VTAM ..... 121
Step 9: Define the ACS LUs to APPC/MVS ..... 122
Step 10: Define ACS TP Transaction Class ..... 123
Step 11: Define ACS APPC/MVS TP ..... 124
Step 12: Define CVSAM Data Set ..... 126
Step 13: Define VRATPMAP Configuration Module ..... 127
Step 14: Add ACS Started Task JCL to PROCLIB ..... 127
Step 15: Update VRAOPT00 Options ..... 129
Step 16: Define APPCLU Profiles ..... 130
Step 17: Control Access to the ACS TP Error Log ..... 131
Step 18: Control Access to the CVSAM Data Set ..... 132
Step 19: Control Access to ACS Started Task Execution ..... 132
Step 20: Dynamically Update RACF, VTAM and APPC/MVS ..... 132

Controlling the ACS Started Task ..... 134
Starting the ACS Started Task ..... 134
Modifying the ACS Started Task ..... 134
ACS Options That Can Be Modified After Start ..... 135
Stopping the ACS Started Task ..... 135

ACS CVSAM Utility Program – VRAABCSU ..... 135
BACKUP ..... 136
RESTORE ..... 136
REORG ..... 136


RECOVER ..... 137

Appendix A. User Exits ..... 139
ICHPWX01 ..... 139
ICHRCX01 ..... 139
ICHRCX02 ..... 140
IEFUJI ..... 140

Appendix B. RACF New Password Exit (ICHPWX01) ..... 141
Appendix C. VRATPMAP Configuration Module ..... 143

VRATPMAP Macros ..... 143
The TPMAP Macro ..... 144
The TPENTRY Macro ..... 144

Appendix D. VRALOG SYSOUT File Contents ..... 149
Appendix E. VSAM Extract File Conversion ..... 155
Appendix F. Sequential Extract File Generation ..... 157
Appendix G. Flat File to Extract File Cross-Reference List ..... 159
Appendix H. Glossary of Terms ..... 169
Index ..... 175


List of Tables

Table 1. Administrator Main Menu Options ..... 28
Table 2. Profiles Controlling Access to Administrator Functions ..... 30
Table 3. Profiles Controlling Administrator Feature Operation ..... 31
Table 4. Profiles Controlling Decentralized Administration ..... 32
Table 5. Profiles Controlling SETROPTS REFRESH Command Generation ..... 33
Table 6. Profiles Allowing Identity Management ..... 35
Table 7. Profiles Allowing Hard Revoke for Non-System SPECIAL Users ..... 35
Table 8. Profiles Disallowing Identity Management ..... 36
Table 9. Profile Controlling the Checking of New Passwords ..... 37
Table 10. Profiles Auditing Identity Manager ..... 37
Table 11. Connect Manager Access Profiles ..... 40
Table 12. Connect Manager Deny Access Profiles ..... 41
Table 13. Connect Manager Auditing Access Profiles ..... 42
Table 14. Generated Members of the Administrator DB2 JCL Library ..... 71
Table 15. DB2 Base Table Names and Corresponding View Names ..... 75
Table 16. Corresponding IBM and Administrator Shadow Catalog Tables ..... 76
Table 17. Baseline Configurable ..... 79
Table 18. Identity Management Reference Documentation ..... 84
Table 19. ACS Configuration Skills ..... 115
Table 20. ACS Configuration Checklist ..... 116
Table 21. Variables for Example ACSVTAM ..... 121
Table 22. Variables for Example ACSLUADD ..... 123
Table 23. Variable for Example ACSCLASS ..... 124
Table 24. Variables for Example ACSAPPC ..... 125
Table 25. Variables for Example CVSAMDEF ..... 126
Table 26. Variables for Example ACSTASK ..... 128
Table 27. Variables for Example ACSRDEFA ..... 131
Table 28. Variables for Example ACSRDEFF ..... 132
Table 29. Identity Manager Exit Parameters ..... 141
Table 30. VRATPMAP Substitution Variables ..... 143
Table 31. VRAEXCNV Substitution Variables ..... 155


Table 32. VRAFLAT Substitution Variables ..... 158

List of Figures

Figure 1. Automated Command Scheduler Overview ..... 107
Figure 2. Configuring ACS for a Single MVS System ..... 112
Figure 3. Configuring ACS for Multiple MVS Systems Using a Single RACF Database ..... 113
Figure 4. Configuring ACS for Multiple MVS Systems Using Multiple RACF Databases ..... 114
Figure 5. ACSVTAM – VTAM Application Program Major Node APPL Definition ..... 122
Figure 6. VRALOG SYSOUT File Report Diagram ..... 153


Customer Support

Technical support is available 24 hours a day. A direct support hotline is fully staffed from 5:00 am to 5:00 pm PST, Monday through Friday. Before and after the direct support hours and on weekends, a responsive system is in place to handle your calls on a priority basis.

When you call Vanguard for assistance, please be prepared to provide your name, company name, and customer number. You can reach us at:

Vanguard Customer Support
Phone: (702) 794-0014 or (877) 794-0014
Fax: (702) 794-0023
Email: [email protected]

Please call Vanguard Integrity Professionals if you have questions about Vanguard products, the Vanguard Knowledge Expo, RACF, or your local RACF User Group.

How to Contact Us

Corporate Headquarters
Vanguard Integrity Professionals-Nevada
3035 East Patrick Lane, Suite 11
Las Vegas, NV 89120-3478
Direct/International: (702) 794-0014
Fax: (702) 794-0023

California
Vanguard Research Institute, Inc.
180 South Anita Drive, Suite 201
Orange, CA 92868-3306
Direct/International: (714) 939-0377
Fax: (714) 939-0273

Note: We distribute product maintenance on the 1st and 15th of the month through our website, www.go2vanguard.com. To obtain product maintenance from our website, click the Customer Zone link on the home page. Then log in to the Customer Zone and click the Download Maintenance Files & PTFs link.

Join Vanguard-L

Vanguard-L is a free interactive discussion forum we provide for our users to exchange information, ask questions, make suggestions and get advice on Vanguard products. To join Vanguard-L, visit our website, www.go2vanguard.com, and click the Vanguard-L link.


Submit Vanguard Forms

Vanguard Product Problem Support and Enhancement Request Forms are available in PDF format in the documentation folder of the CD supplied with this product. Print or photocopy these forms as needed.

You can also report a problem or request an enhancement through the Vanguard website. After you log into the Customer Zone, click the Contact Tech Support link.

Vanguard Product Problem Support Form

You may use the Vanguard Product Problem Support Form to report problems with any Vanguard product. Along with this form, fax a copy (when applicable) of the following:

• Screen print of error message(s)

• Symptom dump(s)

• Job log

• Any additional information

Vanguard Enhancement Request Form

You may use the Enhancement Request Form to help Vanguard Development identify enhancements that will make their products more beneficial to your installation. Fax or email this form along with any appropriate samples.

How to Send Your Comments

Your comments about Vanguard documentation are important in helping us provide useful information about installing and using Vanguard software solutions. If you have comments about this book or any other Vanguard publication, send your comments to [email protected].

Be sure to include the document name, the document number, product version and release information, and the page number you are referring to.


About This Manual

This manual contains information about some of the more technical aspects of Vanguard Administrator features. It also explains sequential extract file generation record layouts, user exits, VRATPAP module macros and VRALOG SYSOUT file contents.

This manual is designed for system programmers and RACF administrators. To benefit from this information you should understand your enterprise architecture, operating systems and programming practices, especially as they relate to RACF administration.

How This Manual Is Organized

This manual is organized in the following sections:

Chapter 1. Introduction is a brief introduction to Vanguard Administrator.

Chapter 2. Getting Started describes the Vanguard Administrator Main Menu and the panels you use to customize the product for a specific user.

Chapter 3. Controlling Access to Administrator Functions describes Vanguard Administrator Security Server Profiles.

Chapter 4. Data Services gives a description of the data and configurations used by Vanguard Administrator.

Chapter 5. Vanguard Security Server Commands Baseline Configuration describes the technique for establishing installation baseline configurations for VRC, Vanguard Security Server Commands.

Chapter 6. Distributed Identity Manager is a detailed description of Vanguard Distributed Identity Manager.

Chapter 7. Automated Command Scheduler explains the Vanguard Automated Command Scheduler (ACS) and how to configure it.

Appendix A. User Exits includes sample RACF, MVS and JES exits.

Appendix B. RACF New Password Exit (ICHPWX01) includes the parameters available to the ICHPWX01 exit when called from Identity Manager.

Appendix C. VRATPMAP Configuration Module includes the VRATPMAP module that relates RACF database Ids to communication destinations.

Appendix D. VRALOG SYSOUT File Contents is a description of the SYSOUT file used to record an ACS client’s VRALOG activity.


Appendix E. VSAM Extract File Conversion explains the VSAM Extract File conversion program.

Appendix F. Sequential Extract File Generation explains the Sequential Extract File Generation.

Appendix G. Glossary of Terms is a glossary of useful Vanguard Administrator terms.

What's New in This Release

Vanguard Administrator now includes:

Enhanced Masking. Enhanced Masking now includes Boolean logic in masking selection criteria. Boolean logic allows you to string multiple search criteria together using logical operators (such as AND, OR and NOT) to build a more sophisticated search statement on-line or in batch.

Data Set Profile Summary Report. Data Set Profile Summary Report includes an enhancement that allows you to report the Erase on Scratch option regardless of the SETROPTS Erase on Scratch system default.

VRAFLAT Process. With this release, the VRAFLAT process will create variable length records rather than fixed length. Also, all fields in the file generated by this process will be in text display format, except for fields designated as length fields, which will be in binary format. Length fields will precede each variable length text field.

The original VRAFLAT process is carried forward in this release. Applications designed to use the original file format will work without modification.

Extract File Names Display. The active Extract File names now display on the Administrator main panel as well as through the ST option of the Administrator Main Menu.

UNIX AutoUID, AutoGID, and SHARED Option Support. Support for the new options when you clone OMVS segment information has been added. AutoUID and AutoGID allow RACF to generate a unique UNIX UID or GID within the OMVS segment. The SHARED option allows RACF to generate the same UNIX UID or GID when cloning an OMVS segment.

Security Server Reports and Task Oriented Administration. Support for the Kerb and Proxy segments of User and General Resource profiles has been added.


Security Server Commands. Support for the following segments and fields has been added:

• USER – OMVS segment AutoUID and SHARED, KERB, PROXY, and EIM segments support

• GROUP – OMVS segment AutoGID and SHARED options support

• GENERAL RESOURCE – KERB, PROXY, and EIM segments support

• SETROPTS

  - KERBLVL and EIMREGISTRY fields support

  - The ADDCREATOR keyword is now a supported SETROPTS option. The ADDCREATOR keyword specifies that if a user defines any new DATASET or general resource profiles, the profile creator’s user ID is placed on the profile access list with ALTER authority.

Extract File Conversion Support. The extract file conversion process now supports the conversion of prior Administrator Extract VSAM files for access in this release.

Batch JCL Parameters-STEPLIB and SYSEXEC. With this release, you no longer specify STEPLIB and SYSEXEC DD statement information on initialization panels. Administrator, along with Advisor and Analyzer, now uses two new parameters, STEPLIB and SYSEXEC, to store this information. To specify STEPLIB and SYSEXEC data set names for batch JCL generation, update the STEPLIB and SYSEXEC parameters as follows:

• Once for all three products in the new VANLIBS member of the Vanguard Options Library (VANOPTS)

- or -

• In member VRAOPT00 for Administrator when you want to specify a data set name to override the one specified in the VANLIBS member. See the Vanguard Security Solutions Installation Guide appendix for more information about the VANLIBS member.

Unix File Manager Added Capabilities. Unix File Manager now supports fixed and custom display reporting, as well as the EMAIL, QuickGen and PRNT functions. In addition, support for Access Control Lists (ACLs) was added to UFM; each of the three types of ACLs (Access, File Default, and Directory Default) can be created, edited, deleted and listed via easy-to-use line and primary commands. Copy and paste functionality is available to clone ACLs from one entry to another.


Chapter 1. Introduction to Vanguard Administrator

Vanguard Administrator is the industry’s leading administration tool for the IBM z/OS (OS/390) Security Server (RACF). Vanguard Administrator simplifies administration and increases the quality and effectiveness of z/OS (OS/390) Security Server implementations.

Vanguard Administrator provides the widest range of security administration, data mining and reporting capabilities, in both interactive and batch modes, in either a centralized or decentralized z/OS (OS/390) Security Server environment. When originally released, Vanguard Administrator was the first product to provide a greater level of security administration than the capabilities native to RACF. It has been continuously reengineered to provide higher levels of performance and functionality, in addition to unprecedented levels of integration with other Vanguard Security Solution products.

Vanguard Administrator tackles the problem of increased workloads and operating complexity with security automation features that provide easy-to-use password management, decentralized support, task-oriented administration, authority analysis, security monitoring, DB2 authority reporting and data services. Vanguard Administrator allows experienced IT security experts to work more efficiently, while providing an easy-to-use environment that brings inexperienced staff members up to speed quickly.

Note: Parameters required for the execution of the Administrator must be included in the VRAOPT00 member of your VANOPTS Options Library. VRAOPT00 parameters are described in the Vanguard Security Solutions Installation Guide.

• The terms RACF and Security Server are used interchangeably in this manual.

• This Guide is not intended to be a resource for definitions or explanations of the RACF commands discussed in this manual. Please use the appropriate IBM™ manual for this purpose.


Administrator Features

Improving the Quality of z/OS (OS/390) Security Server Implementations

Your business’ data and other IT assets are only as secure as the integrity of the systems and procedures that protect them. The IBM z/OS (OS/390) Security Server (RACF) provides access control for the OS/390 System. Vanguard Administrator delivers the tools and processes that will enable you to better manage the z/OS (OS/390) Security Server.

RACF Live or Extract File – The Choice is Yours

Do you need to work immediately with users, groups and resources you just added to your Security Server Database? Vanguard Administrator gives you the ability to work directly with the Security Server database, as well as with the Administrator’s Extract File. You can easily switch between these options, for maximum efficiency and the advantages that each offers. This feature is available with all Vanguard Administrator Security Server reports and commands.

Reduce Exposure and Risk

In any business that depends on Information Technology, risk to system integrity and data exists. It is the responsibility of the security organization to minimize that risk, which means constantly monitoring and administering information system security.

It is widely accepted that the biggest single threat to your IT security comes not from the hacker, but from the authorized user. Breached security can result from malicious intent or from honest mistakes, and having many authorized users means more exposure and risk to your IT assets.

With Vanguard Administrator, administration of the IBM z/OS (OS/390) Security Server has never been easier. Administrator provides live data access, cross-system password management, decentralized support, task oriented administration, Security Server (RACF) command generation, user cloning and resource access analysis, as well as extensive reporting and audit capabilities.


Integration with Vanguard Advisor

As part of Vanguard Security Solutions, Vanguard Administrator uses Vanguard SmartLink™ and Find-it-Fix-it-Fast™ technologies to bring Vanguard Advisor into play. Vanguard Report enables you to review actual system (SMF) events involving the users and resources you are working with. It automatically populates the correct Vanguard Advisor panel with the data you were working with. Once you are done, SmartLink brings you back to Administrator, right where you left it. With the power of linking Administrator and Advisor, you work smarter and faster.

REBUILD – The Security Safety Net

If a security administrator accidentally deletes authorities or security rules that are not otherwise documented, it becomes impossible to rebuild those rules. In some extreme cases, accidents like this have shut down entire systems causing significant inconvenience and financial loss to the company.

Vanguard Administrator’s powerful REBUILD command automatically recreates the complete sequence of detailed Security Server (RACF) commands needed to define the security environment. REBUILD may be executed against a live security environment or an archived, backup environment.

Ensuring a Secure DB2 Environment

The DB2 subsystem can maintain security rules independent from z/OS (OS/390) Security Server. Vanguard Administrator automatically extracts DB2 security information, combines it with Security Server rules, and makes it available to all the powerful data mining, and reporting capabilities that Administrator has to offer. This gives the security administrator a complete view of enterprise-wide security without the need for formal DBA training.

DB2 Authority Reporting combines Security Server information with DB2 access rules to ensure compliance with your company’s security policies. DB2 Table Build provides the fastest tool to create and load DB2 tables from files produced by the Security Server extract function.

SETROPTS Refresh Commands

SETROPTS refresh commands are automatically added to generated JCL produced by the online batch report process or by the Task Oriented Command process. They are added to the end of the command list. The user no longer has to remember to add these commands.


TAPEVOL Process

The TAPEVOL class process has been modified to report on secondary volumes and link them to the primary volume. Though TAPEVOL profiles cannot be cloned, the Delete and Rebuild functions will automatically handle secondary volumes. You can view the result of this process by issuing an LV line command from an appropriate Administrator Security Server report.

Security Extensions

Vanguard Administrator provides a Sample Library (VANSAMP) containing a wide range of programs designed to extend the quality of your security administration.

Automated Administration Saves Time and Money

Vanguard Administrator has been designed to automate RACF system administration tasks. Tasks such as adding a new user, moving a user from one department to another, or finding and disabling all access for a specific user may be done simply and quickly. Even the most routine administrative task consumes valuable time. Vanguard Administrator greatly reduces the number of man-hours, and therefore cost, consumed by these routine activities.

Vanguard Administrator allows the system administrator to easily execute complex tasks, such as:

• CLONE creates a new, fully defined User ID based on the attributes of a pre-existing user or profile.

• DELETE completely removes a user, group or security rule while ensuring the integrity of the Security Server’s database.

• OWNER replaces all occurrences of a given user or group in all security rules.

• NOTIFY automates the task of changing whom the Security Server will notify when a violation occurs.

• OBSOLETE removes all traces of obsolete security rules, improving database integrity, eliminating exposures and improving operating system performance.

• REPLACE dramatically saves time by replacing all occurrences of a user when a user changes User ID, department or job function.

• TRANSFER automates the task of moving a user to a different department. In a single step, Administrator removes current authorities and replaces them with new ones.


Automated Command Scheduler

The Automated Command Scheduler allows RACF administrators to store commands for unattended execution at a specified date and/or time. The commands are executed using the authority of the RACF administrator who entered the command. Any valid TSO command, CLIST or REXX EXEC can be executed. Up to 10 output response lines from each command are saved for viewing.

Full SMS Support

Administrator now has full SMS support in all of its file handling. It allows specification of DATACLAS, MGMTCLAS and STORCLAS in support of System Managed Storage wherever disk files may be created. The exception is Extract files, which do not permit the DATACLAS option COMPACTION=YES. This is defined during the Administrator's Initialization process. See page 14.

User Interface Streamlining

Experts can work more efficiently and novices will be able to master our logically grouped, concise menu and report request panels. Menus have been simplified, and levels minimized, providing quicker access to administrative functions.

Exclusive Profile Editor – Vanguard Security Server Command Facility

Vanguard Administrator offers the user a powerful profile editor called Vanguard Security Server Command Facility. For ordinary users and group special administrators, many of the data elements contained in RACF profiles are superfluous. System special administrators can now optionally set up a specific Security Server Command environment to limit the information displayed to group special users and ordinary users.

The Vanguard Security Server Command Facility offers the ability to view and alter online information contained in the RACF database. The information is presented on dynamic ISPF panels allowing the ability to over-type into the displayed fields. The newly entered values are then automatically formatted into the appropriate RACF commands that can be executed in foreground or in a batch job. This profile editor provides normal RACF authority checking and logging as well as execution of any installation-defined RACF exit.

Vanguard Administrator simplifies definition and maintenance of individual Security Server commands for user and group profiles for system-wide operations. Complete and easy profile updating is possible on the single, scrollable profile display. Generated Security Server Commands can be reviewed and modified before being executed.

The Vanguard Security Server Command Facility always accesses and updates the live RACF database. It processes the following RACF profile types and RACF options:

• User Profiles

• Group Profiles

• Data Set Profiles

• General Resources Profiles

• Selected SETROPTS options

Decentralized Administration and Reporting

Vanguard Administrator provides functions and capabilities that decentralize portions of the security administration and reporting workload. While doing so, Vanguard Administrator insures that only those profiles within the user’s scope of authority may be displayed to a given decentralized user.

With Vanguard Administrator, password management activities can easily be decentralized to departments, such as an IT Help Desk, that would not otherwise have Security Server authority. This allows part of the routine maintenance to be passed on to others, freeing the IT security personnel to focus on other more critical tasks. Using this feature of Vanguard Administrator allows Help Desk personnel to change passwords, revoke a user ID, and resume a user ID. These capabilities would only apply to users or groups for whom the Help Desk administrator has responsibility or authority.

Various reporting and analysis needs may also be decentralized, so that an administrator may create and analyze their own reports without requiring the assistance of specialized IT security personnel. Vanguard Administrator allows access to information and reports only on those profiles over which the requesting administrator has authority. For example, a group administrator can create the following:

• Batch Access Analysis – reports on the actual access capability of any user or group within the requester’s authority.

• Access List Anomaly Analysis – reports on redundant or duplicated accesses

• Scope of Authority Analysis – identifies the profiles a given user may alter. This may also be used to identify all users that have the ability to alter certain resources.

• Group Tree Report – provides a representation of the actual security domains for your environment.


• Cross-Reference Report – reports on all occurrences of users or groups in the Security Server database.

• Batch and Online Reports – displays reports on users, groups, data sets and general resources.

Administrator Information Flow

The following functionality can be accessed from the Administrator Main Menu. Numbers indicate the menu option.

[Figure: Vanguard Administrator Main Menu. The menu options shown in the figure are:]

1 Task Oriented Administration (Live RACF)
2 Security Server Commands (Live RACF)
3 Security Server Reports (Live RACF)
4 Online Access Analysis (Live RACF)
5 Command Scheduler
6 Vanguard Identity Manager (Live RACF)
7 Installation Data Management (Live RACF)
8 Information and Analysis Services
9 Vanguard Analyzer
10 Vanguard Advisor
11 Data Services
12 User Data Management
13 Connect Manager
14 Unix File Manager
15 Registration Manager

The function boxes drawn beneath these options in the figure are labelled:

• Clone User, Delete User, Notify, Owner, Remove, Replace, Transfer, Close Group, Delete Dataset, Clone Resource, Delete Resource

• Extract, Load DB2 Tables, Initialization Variable Maint., Tailor Batch JCL, Install/Reinstall DB2 Option

• User Profile, Group Profile, Data Set Profile, General Resources, Profile Specific Segments, Userid Notify, Ownership, Controlled Program, RRSF, Universal Access, Grouping Class, Seclevel/Category, Class Authority, Cross Reference, Connect Reports, Global Table, ID in Access List

• Access List Anomaly, Obsolete Command, VTOC Reports, Scope of Authority, Group Tree, Data Set Analysis, Access Analysis, DB2 Authority Reports

• Users, Groups, Data Sets, General Resources, SETROPTS

• Add Event, Event Maintenance, Command Scheduler Maint, Reminder Maintenance

• Online Display, Batch Report, Online Displays, Batch Reports, Global Capture Processing

• Standard Reports, Special Reports, General Summary Reports, Data Services, Security Events Reports

• Extract, Migration, Recovery, Delete, Reports


Chapter 2. Getting Started

This chapter gives a brief introduction to what users will experience the first time they invoke Administrator. The user must first invoke the Administrator, go through the Initialization process and then select from the many choices available on the Administrator Main Menu.

The invocation and initialization processes are explained in detail. A table gives a brief description of each Main Menu option. Please refer to the Administrator User Guide for in-depth information on all menu items other than Data Services, which is discussed in Chapter 4 of this publication.

Invoking the Administrator

You can invoke Administrator by executing the VRA CLIST within an ISPF environment as follows:

• From a command line within ISPF, type TSO VRA and press Enter. The Administrator Main Menu appears.

• From the ISPF Command Shell, type VRA and press Enter. The Administrator Main Menu appears.

TSO Command

    Menu  Utilities  Compilers  Options  Status  Help
                              ISPF Primary Option Menu
    Option ===> tso vra

    0  Settings      Terminal and user parameters            User ID . : YOURID
    1  View          Display source data or listings         Time. . . : 11:38
    2  Edit          Create or change source data            Terminal. : 3278
    3  Utilities     Perform utility functions               Screen. . : 1
    4  Foreground    Interactive language processing         Language. : ENGLISH
    5  Batch         Submit job for language processing      Appl ID . : AAA
    6  Command       Enter TSO or Workstation commands       TSO logon : TEST
    7  Dialog Test   Perform dialog testing                  TSO prefix: YOURID
                                                             System ID : P390
                                                             MVS acct. : ACCT#
                                                             Release . : ISPF 5.2

         Enter X to Terminate using log/list defaults


ISPF Command Shell

    Menu  List  Mode  Functions  Utilities  Help
                                ISPF Command Shell
    Enter TSO or Workstation commands below:

    ===> VRA

    Place cursor on choice and press enter to Retrieve command

    =>
    =>
    =>
    =>
    =>
    =>

Administrator Initialization Panels

Administrator Initialization Panels are used to customize Administrator for a user's needs. These appear when a user accesses a release of Administrator for the first time or when installation product defaults are changed. The following panel may display:

First Time Access Message Panel

    MESSAGE                    VANGUARD ADMINISTRATOR                    MESSAGE
                                    MESSAGE PANEL

    This is the first time that you have entered the VANGUARD ADMINISTRATOR.
    Please press enter so that the ADMINISTRATOR can be configured for your use.
    Please note that you can reconfigure the ADMINISTRATOR at any time by using
    option 0 on the Main Menu.

When you press Enter, the User Initialization – General panel will display.

Most Initialization panel fields are pre-initialized based on information obtained during product customization. Product customization is discussed in detail in the Vanguard Security Solutions Installation Guide. The VRAOPT00 options library member is described in the next section. The Initialization panels can be accessed at any time by selecting Option 0 from the Administrator Main Menu.

Note: STEPLIB and SYSEXEC data set names are specified during Administrator customization. For information, see the Vanguard Security Solutions Installation Guide appendix.


User Initialization – General

The User Initialization – General panel contains variables that the Administrator uses to build batch job streams, to specify if Command Scheduler Reminders are to be displayed at product startup and to define the jobcard that will be used for Administrator initiated batch jobs.

User Initialization – General

    VANGUARD ADMINISTRATOR                                   Date: 00/02/18
    COMMAND ===>                                             Time: 07:24
                        USER INITIALIZATION - GENERAL

    Region Size                 ==> 6M      (For batch jobs)
    Data Set HLQ                ==> MICKK   (Will default to User ID if blank)
    Command Scheduler Reminders ==> N       (Y/N) Y to show Reminders

    Output Reports Will Go To:
    Command Audit Report        ==> SYSOUT=X  Contains an audit record of
                                              generated commands to the REPORT DD
    Batch / PRNT Report         ==> SYSOUT=X  For Batch JCL Reports & On-line
                                              PRNT commands to the PRNT DD
    (Enter "SYSOUT=0 thru 9 or A thru Z" or an existing fully qualified DSN)

    ***************************** Job Card Information ****************************
    ==> //USERID JOB (ACCOUNT),'NAME'
    ==> //*
    ==> //*
    ==> //*
                                                        (Press ENTER to continue)

Note: You must press Enter upon completion of each Initialization panel until you are returned to the Main Menu. Pressing F3, F12 or Back will not display a previous panel. If you wish to go back to a prior panel, you must reenter the Initialization process from the Administrator Main Menu.

Panel Descriptions

• Region Size Region size for batch jobs. A region of 6M is recommended.

• Dataset HLQ High-level qualifier used for data sets containing JCL for batch jobs. If left blank, the default is your User ID.

• Command Scheduler Reminders Enter a Y if you wish the Automated Command Scheduler Reminder List panel to display when you invoke Administrator. This panel will display all reminders up to and including the current date. If N is entered, the Administrator Main Menu will display when the product is invoked. N is the default. This feature is described in detail in the Automated Command Scheduler chapter of the Vanguard Administrator User Guide.


• Reports Will Go To This is the location to which reports are written. This location can be either a SYSOUT class or a data set. If a data set is specified, it must be pre-allocated with the DCB having a record length of 133 (LRECL=133) and a record format of FB or FBA (RECFM=FB or RECFM=FBA). The data set name must be fully qualified and not have quotations. Each time an Administrator function is invoked this data set is overwritten. Therefore, if you have to retain this report, you must either change the data set name between functions or use ISPF/TSO to copy this output to another data set. The Command Audit Report is an audit echo of generated commands (not executed commands). This can be suppressed by making the SYSOUT class one that JES will automatically purge (see your System Programmer for assistance). The Batch Reports and PRNT Reports specifications control the report SYSOUT class in generated JCL and are also used when a PRNT command is issued, which generates a report on-line.

• Job Card Information These control statements are used in batch jobs and should be modified to meet your installation's requirements. They are initialized from the ISPF defaults.

User Initialization – Data Set

The User Initialization – Data Set panel provides the variables required for allocating the Command Data Set, the data set that contains the RACF commands generated by Administrator Task Oriented Administration options, and for allocating sort work space.

User Initialization – Data Set

    VANGUARD ADMINISTRATOR                                   Date: 01/03/08
    COMMAND ===>                                             Time: 07:45
                        USER INITIALIZATION - DATA SET

    Command Data Set Name  ==> MICKC.VRA.COMMAND
    Data Set Size          ==> 1       (Cyl)

    Permanent and Command Data Set:
    Unit                   ==> SYSALLDA
      or
    Storage Class          ==>
    Data Class             ==>
    Management Class       ==>

    Sortwork Data Set Size ==> 25      (Cyl)
    Unit                   ==>
      or
    Storage Class          ==>
    Data Class             ==>
    Management Class       ==> DATACLAS
                                                        (Press ENTER to continue)

Panel Description

• Command Data Set Name Enter the fully qualified name (without quotes) of the data set containing the RACF commands generated by Administrator Task Oriented Administration options. This data set also contains information from Information Request Services such as the output of the LR and LV line commands. When in ISPF split screen, .VRAx is appended to this data set name where x is the logical screen number. Logical screen 1 is just suffixed with .VRA. The Administrator Command program will generate RACF commands that are written to this data set. Each user should use their own data set because these commands are overlaid with each execution. Enter a data set name that will be allocated for you as required. Since the command data set is shared by many functions, some batch Administrator functions add a suffix to the specified name to avoid conflicts with online functions. The following suffixes are used:

Function                        Suffix
OBSOLETE command                .OBS
Access List Anomaly Analysis    .ACL

Note: To facilitate identifying the Administrator Command data sets to your data migration product, it is recommended that you include a common node (such as VRA) within the name. This prevents the command data set from being migrated and causing delays when running the product.

• Size Specify the size of the Command file to be allocated.

• Unit Specify the unitname for the Command file. For SMS managed systems, do NOT enter UNIT; enter only one or more of the SMS class variables:

STORCLAS - SMS Storage Class
DATACLAS - SMS Data Class
MGMTCLAS - SMS Management Class

• Sortwork Data Set Size Specify, in cylinders, the amount of space used for each of three sort work files.

• Unit Specify the unitname for the devices used to allocate the sort work files. For SMS managed systems, do NOT enter UNIT; enter only one or more of the SMS class variables:

STORCLAS - SMS Storage Class
DATACLAS - SMS Data Class
MGMTCLAS - SMS Management Class

User Initialization – VSAM

The User Initialization – VSAM panel is only displayed to users with READ access to the VRA$.VRAEXTR profile defined in the RACF FACILITY class. It defines the two VSAM files where the information extracted from the RACF database resides. These files are referred to as Small and Medium based upon the size of the VSAM key assigned to each. They are created during the Extract process. Refer to the Extract section in Chapter 4 of the Administrator Technical Guide.

User Initialization – VSAM

  VANGUARD ADMINISTRATOR                                 Date: 00/02/18
  COMMAND ===>                                           Time: 07:41
                         USER INITIALIZATION - VSAM

  Small Extract VSAM:
     Name ==> VRA.V420.SVSAM
     Size Primary ==> 2 (Cyl)   Secondary ==> 4 (Cyl)
     Volser ==> VIPDV2
     or Storage Class ==>        Data Class ==>        Management Class ==>
  Medium Extract VSAM:
     Name ==> VRA.V420.MVSAM
     Size Primary ==> 9 (Cyl)   Secondary ==> 2 (Cyl)
     Volser ==> VIPDV4
     or Storage Class ==>        Data Class ==>        Management Class ==>

  (Press ENTER to continue)

Panel Descriptions

• Small Extract VSAM/Medium Extract VSAM The ADMINISTRATOR Extract program reads the RACF database and builds two VSAM data sets to contain information about your RACF environment. These data sets are input to all ADMINISTRATOR Report and Command programs. Most installations will schedule an Extract to run on off-hours to create these data sets. Unless you have special needs, you should not change the default values.

• Size Size in cylinders of the primary and secondary space allocation for the small and medium VSAM files. Typically, an allocation of 6,2 handles up to 10,000 users for the small VSAM file and up to 5,000 data sets and general resource profiles for the medium VSAM file. Review an IDCAMS list of the Cluster after the first extract to ensure secondary extents are not used and adjust the size of the primary space allocation accordingly.

• Volser Specify the Volume name for Small and Medium data sets.

For SMS managed systems, do NOT enter VOLUME; enter only one or more of the SMS class variables:

STORCLAS - SMS Storage Class
DATACLAS - SMS Data Class
MGMTCLAS - SMS Management Class

Note: The DATACLAS option COMPACTION=YES is not permitted for these files. This option is meaningful only if you are using SMS data classes to control the allocation of Administrator extract files. SMS data classes are usually managed by a systems programmer or storage administrator; check with the appropriate individual at your installation to ensure that compaction is turned off in the data class(es) used to allocate these files.

User Initialization – DB2

The User Initialization - DB2 panel is displayed only if the Administrator's DB2 Component is activated. See the Load the Administrator Extract into DB2 Tables section, on page 53.

User Initialization – DB2

  VANGUARD ADMINISTRATOR                                 Date: 01/03/03
  COMMAND ===>                                           Time: 15:52
                         USER INITIALIZATION - DB2

  DB2 Subsystem ID   ===> DB32
  DB2 DSNLOAD DSN    ===> SYS1.DB2.SDSNLOAD
  DB2 DSNEXIT DSN    ===> SYS1.DB2.SDSNEXIT
  DB2 Object Prefix  ===> VRA
  DB2 Plan Prefix    ===> VRA

  (Press ENTER to continue)

Panel Descriptions

• DB2 Subsystem ID The DB2 subsystem (1 to 4 characters) where the Administrator's DB2 component is installed.

• DB2 DSNLOAD DSN Name of the DB2 load module library, fully qualified without quotes.

• DB2 DSNEXIT DSN Name of the DB2 exit load module library (optional), fully qualified without quotes.

• DB2 Object Prefix Three-character prefix of the Administrator's DB2 application plans.

• DB2 Plan Prefix Three-character prefix of the Administrator's DB2 application plans.

Vanguard Option Library Parameters

VRAOPT00 – Administrator Customization Parameters

The VRAOPT00 member of your VANOPTS library is used for product customization. The parameters listed below are established when Administrator is installed.

General Syntax Rules

• Parameters must be contained in columns 1-71.

• Parameters can start in any column and cannot be continued.

• Multiple parameters can be specified on a control statement.

• Parameters can be specified in any order.

• Parameters must be separated by one or more blanks.

• An asterisk (*) in column one signifies a comment.

• A completely blank control statement signifies a comment.

General Parameters

Administrator General Parameters are listed below.

• LINESPERPAGE(nn|60) Indicates the number of lines per page for printed reports. The valid range is 30-99. The default value is 60.

• UPPERCASE(ALL|HEADERS|ASIS) Use this parameter to set the report titles/column headers and data of all batch generated reports or reports generated with the PRNT or EMAIL commands to print in capitalized letters. ALL sets all report titles/column headings and data to display in uppercase. HEADERS sets the report titles/column headers only to display in uppercase. ASIS leaves the titles/column headers and data format as is. If UPPERCASE is not specified, ASIS is the default format.

• WORKUNIT(xxxxxxxx) Administrator will allocate temporary work files from time to time. Enter a valid MVS unitname for these allocations.

• VIOUNIT(xxxxxxxx) Identity Manager will allocate temporary work files from time to time. Enter a valid MVS unitname that supports VIO for these allocations.

• WORKPRIM(nnnn) Administrator will allocate work files from time to time during batch processing. Enter the primary space allocation in cylinders for these work files. The default is 50.

• WORKSEC(nnnn) Administrator will allocate work files from time to time during batch processing. Enter the secondary space allocation in cylinders for these work files. The default is 150.

• DATEFORMAT(MM/DD/YY|DD/MM/YY|YY/MM/DD|DD/MM/CCYY|MM/DD/CCYY|CCYY/MM/DD) The format of date fields for both input and display is defined by the DATEFORMAT keyword. If required, the Security Server Command Facility will internally reformat all dates to the format required by the RACF commands when commands are generated. All references to dates in help text reflect RACF's command syntax, and not the syntax defined with the DATEFORMAT keyword.

Note: The / (slash) used in the above date formats is a user definable separator character. For example, periods (.), commas (,), dashes (-), colons (:) are acceptable substitutes.

• TIMESEPARATOR(:) Display all times with the specified character. The default is (:).

• VRCGLOBALCONFIG The VRCGLOBALCONFIG keyword only applies to the Security Server Command Facility and allows the usage of global baseline configurations.

• UNBOUND(ENABLE|DISABLE) This keyword enables a warning panel to display on many security server reports when the user fails to specify masking criteria. The warning condition is controlled by the ENABLE/DISABLE value. The warning is suppressed when the UNBOUND keyword is missing or the parameter is followed by the DISABLE option or spaces. For a list of reports controlled by this keyword, see the Security Server Reports section of the Vanguard Administrator User Guide.

Note: If the UNBOUND keyword is either missing from or commented out of VRAOPT00, Administrator will assume that the default ENABLE is in effect.

• DEFAULT_REPORT_OPTION(ENABLE|DISABLE) This keyword makes option 1 the default option for all Security Server Report panels. With this option enabled, you do not need to select a sub-report option, since it will default to 1. This provides a fastpath into the Administrator Report panels when the option you select most often is 1.

• DEFAULT_FILE_MODE(LIVE|EXTRACT) This keyword sets the default file mode to LIVE for all applicable Administrator options. This means you do not need to issue a LIVE primary command each time a process needs to run against the LIVE RACF database. Once the default file mode is overridden to LIVE, you must issue an EXTRACT primary command to switch to EXTRACT mode when necessary. Note that batch reporting always requires EXTRACT mode.

• LIVESVC(nnn) This specifies a number, between 200 and 255, inclusive. It is the number assigned to the SVC (SuperVisor Call) installed for Administrator live RACF and Extract file access.

• LIVEALLOC(xxxxxxxxxx) This parameter controls which RACF databases, if any, are allocated to the user's TSO session while running Administrator. It applies to all Administrator users. The valid parameters are PRIMARY, BACKUP, or NONE. Please refer to instructions for installation of Live RACF access, in the Administrator Customization chapter of the Vanguard Security Solutions Installation Guide.

Note: This parameter is required.

• FORCEUPDT(YES|NO) Use this parameter only when FORCEINIT=NO. YES – updates all user settings. NO – in order to allow a streamlined path to Security Server Reports, all user settings are updated except user-preferred extract VSAM file descriptions.

Note: If the FORCEINIT and/or FORCEUPDT parameter is either missing from or commented out of VRAOPT00, Administrator will default to YES for each.

• FORCEINIT(YES|NO) This parameter determines whether or not users bypass the Administrator User Initialization process when the Data Services Variable Maintenance option is selected. The default setting is YES. YES – sets the Administrator User Initialization process to follow the Variable Maintenance process. User-defined defaults are automatically updated when the FORCEINIT parameter is set to NO. NO – bypasses the Administrator User Initialization process. If FORCEINIT=NO, the FORCEUPDT keyword is in effect.

The following parameters are not initially established in VRAOPT00.

• EXTRACTSVC(nnn) This specifies a number, between 200 and 255, inclusive. It is the number assigned to the SVC (SuperVisor Call) installed for Administrator live RACF and Extract access. If LIVESVC is used, it may be the same number.

• VPWDEBUG(Y|N) This keyword is optional. Specify a one-character value of Y or N. If this keyword is not specified, N is assumed. If you wish to enable debugging, specify Y. If trying to do problem determination, it is strongly recommended that this option be specified in the Vanguard Administrator options library on both the client and server hosts involved.

• VPWDBUGC(Y|N) This keyword is optional. Specify a one-character value of Y or N. VPWDBUGC (debug C) is used for debugging the C code within Identity Manager. Additional information will be written to sysout of the APPC transaction and the caller (from TSO) will get trace information on his screen.

• STEPLIB(name1,name2…namex) This parameter specifies the STEPLIB data set name(s) to include in generated batch JCL. A STEPLIB DD will only generate if the STEPLIB parameter is specified in either the VANLIBS or VRAOPT00 member. Define this parameter in VRAOPT00 only when you want Administrator to use values that differ from the STEPLIB values stated in the VANLIBS options member. If your libraries are LINKLISTed, do not specify a STEPLIB parameter.

• SYSEXEC(name1,name2…namex) This parameter specifies the SYSEXEC data set name(s) to include in generated batch JCL. Define this parameter only when you want Administrator to use values that differ from the SYSEXEC values stated in the VANLIBS options member.

Automated Command Scheduler Parameters

See Chapter 7. Automated Command Scheduler for detailed information about setting up the Automated Command Scheduler. Using the Command Scheduler is described in the Vanguard Administrator User Guide.

Required Automated Command Scheduler parameters are:

• CVSAM_DATA_SET_NAME This keyword is required only if the Command Scheduler feature is used. It specifies the CVSAM base cluster name. The file name specified under this keyword must match the CVSAM cluster name specified in Command Scheduler install job CVSAMDEF. The CVSAM file holds scheduled events and the results of those events.

• ACS_SMF_RECORD_NUMBER It specifies the SMF record number used to record and recover CVSAM file activity. The SMF record number selected must be made active for the system and all subsystems defined in the SMFPRMxx member of the MVS SYS1.PARMLIB data set. For detailed information about specifying SMF parameters, refer to the MVS System Management Facilities (SMF) and the MVS Initialization and Tuning Reference manuals. The value is specified as a 3-digit number. There is no default for this keyword. If your installation does not want to generate SMF data, enter a value of NO for this parameter. If NO is used, the Recovery utility program VRAABCSU cannot be run and you will not be able to recover your CVSAM file. The VRAABCSU utility is described in Chapter 7. Automated Command Scheduler of this publication.

• ACS_APPC_DEFAULT_LOCAL_LU(LU_name) If specified, the ACS_APPC_DEFAULT_DEST keyword must also be specified. It specifies the Local_LU_name used to allocate (start) an APPC/MVS session between an ACS client and server. ACS_APPC_DEFAULT_LOCAL_LU is used if no RACF database ID was specified when the RACF administrator entered the scheduled command into the CVSAM file, or if the VRATPMAP configuration module (see Appendix C. VRATPMAP Configuration Module) was not found or was not built. The value may be 1 to 8 characters. The default value for this keyword is blank. Using the default value of blank indicates that APPC/MVS is to use the base LU. Refer to the discussion of the Local_LU_name parameter of the APPC/MVS Allocate service in the OS/390 MVS Programming: Writing Transaction Programs for APPC/MVS manual for more information on how to specify this keyword.

• ACS_APPC_DEFAULT_DEST(netid.LU_name) It specifies the network-qualified Partner_LU_name used to allocate (start) an APPC/MVS session between an ACS client and server. ACS_APPC_DEFAULT_DEST is used if no RACF database ID was specified when the RACF administrator entered the scheduled command into the CVSAM file, or if the VRATPMAP configuration module (see Appendix C. VRATPMAP Configuration Module) was not found or was not built. The value may be 1 to 17 characters. The default value for this keyword is blank. Using the default value of blank indicates to APPC/MVS that the ACS server program's destination is the local MVS system (the same system as the ACS client). Refer to the discussion of the Partner_LU_name parameter of the APPC/MVS Allocate service in the OS/390 MVS Programming: Writing Transaction Programs for APPC/MVS manual for more information on how to specify this keyword.

• ACS_APPC_TP_NAME(transaction_name) It specifies the ACS server transaction name used to allocate (start) an APPC/MVS session between an ACS client and server. ACS_APPC_TP_NAME is used if no RACF database ID was specified when the RACF administrator entered the scheduled command into the CVSAM file, or if the VRATPMAP configuration module (see Appendix C. VRATPMAP Configuration Module) was not found or was not built. The value may be 1 to 64 characters. The default value for this keyword is VRAVACS. If the value specified in the TPNAME parameter of the APPC/MVS administration utility (ATBSDFMU) TPADD command is not VRAVACS, it must be the same as the value specified here. Refer to the topic Using the APPC/MVS Administration Utility in the OS/390 MVS Planning: APPC/MVS Management manual for more information on how to specify this keyword.

The optional Automated Command Scheduler parameters are:

• ACS_APPC_ALLOCATE_RETRIES(nnn) It specifies the number of times the ACS client can attempt to allocate (start) a new APPC/MVS conversation with an ACS server when the allocation failure code indicates that a retry is possible. The value may be a 1- to 3-digit number from 0 to 999. A value of 0 means that allocation retries will continue until a non-retry failure code is returned from APPC/MVS. The default value for this keyword is 4.

• ACS_APPC_DEFAULT_MODE_NAME(modename) It specifies the VTAM Mode_name used to allocate (start) an APPC/MVS session between an ACS client and server. ACS_APPC_DEFAULT_MODE_NAME is used if no RACF database ID was specified when the RACF administrator entered the scheduled command into the CVSAM file, or if the VRATPMAP configuration module was not found or was not built. The value may be 1 to 8 characters. The default value for this keyword is #INTERSC. Refer to the discussion of the Mode_name parameter of the APPC/MVS Allocate service in the OS/390 MVS Programming: Writing Transaction Programs for APPC/MVS manual for more information on how to specify this keyword.

• ACS_BYPASS_COMMAND_IF_OLDER_THAN(HHMMSS) It specifies the amount of time between a command's scheduled execution date and time and the current time after which the command is considered old and should not be executed. This value prevents old scheduled commands from being executed if the ACS client or ACS server was not active for an extended period of time. The value is specified as a 6-character field in the form HHMMSS, where HH is a number of hours, MM is a number of minutes, and SS is a number of seconds. The default is 240000, or one full day.

• ACS_COMMAND_CHECK_INTERVAL(HHMMSS) It specifies the time interval at which the ACS client scans the CVSAM file for scheduled commands that are ready to be executed. All commands with a scheduled time between the scan and the next time interval are selected for execution. This interval is important since it controls the amount of contention for the CVSAM file between the ACS client and RACF administrators. A value that is too low will cause many short periods of CVSAM file contention. A value that is too high will cause fewer intervals of contention, but each contention interval will be longer. The value is specified as a 6-character field in the form HHMMSS, where HH is a number of hours, MM is a number of minutes, and SS is a number of seconds. The default is 002000, or once every 20 minutes.

• ACS_LOG_MAXLINES(nnnnnn) It specifies the number of print lines written to the ACS client's VRALOG SYSOUT file before an automatic file SPIN is performed. The SPIN closes the VRALOG file and starts a new VRALOG file for the same job. The value is specified as a 1- to 9-digit number. A value of 1 is equal to 1,024 print lines (1k). The default is 0, which means that the VRALOG SPIN will not be done automatically. You may SPIN the VRALOG SYSOUT file at any time using the MODIFY VRASCHED SPINLOG command.

• ACS_LOG_SYSOUT_CLASS It specifies the output class of the ACS client's and ACS server's VRALOG SYSOUT file. The value must be one character. The default is X.

• ACS_SUBSYSTEM_NAME It specifies the MVS subsystem name used by ACS. The value is specified as a 1 to 4-character name. The default is VACS.
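To make the interaction of ACS_COMMAND_CHECK_INTERVAL and ACS_BYPASS_COMMAND_IF_OLDER_THAN concrete, here is an added Python model of one client scan of the CVSAM file; it is not Vanguard's code. The CVSAM entries and the scan time are constructed, and the assumption that a missed command which is not yet older than the threshold is still executed on the next scan is an assumption, not something the guide states.

```python
"""Model of one ACS client scan of the CVSAM file (added example, not Vanguard's code).

ACS_COMMAND_CHECK_INTERVAL(HHMMSS) defines the window of scheduled times that one
scan picks up; ACS_BYPASS_COMMAND_IF_OLDER_THAN(HHMMSS) defines how far in the past
a scheduled time may lie before the command is considered old and not executed.
Assumption: a missed command that is not yet old is executed on the next scan."""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Scheduled(NamedTuple):
    when: datetime      # scheduled execution date and time
    command: str        # RACF command text held in the CVSAM file


def hhmmss(value: str) -> timedelta:
    """Convert an HHMMSS keyword value such as 002000 or 240000 to a timedelta."""
    if len(value) != 6 or not value.isdigit():
        raise ValueError(f"'{value}' is not in HHMMSS form")
    return timedelta(hours=int(value[:2]), minutes=int(value[2:4]), seconds=int(value[4:]))


def scan(entries: List[Scheduled], now: datetime, check_interval: str = "002000",
         bypass_if_older_than: str = "240000") -> Dict[str, List[Scheduled]]:
    """Classify CVSAM entries at one scan as execute, bypass (stale) or wait."""
    window, too_old = hhmmss(check_interval), hhmmss(bypass_if_older_than)
    result: Dict[str, List[Scheduled]] = {"execute": [], "bypass": [], "wait": []}
    for entry in sorted(entries):
        if now - entry.when > too_old:
            result["bypass"].append(entry)     # older than the threshold: never executed
        elif entry.when < now + window:
            result["execute"].append(entry)    # due before the next scan, or missed but not old
        else:
            result["wait"].append(entry)       # a later scan will pick it up
    return result


# Constructed sample: the client was down over a weekend and scans again on Monday 08:00.
NOW = datetime(2004, 9, 27, 8, 0, 0)
SAMPLE_ENTRIES = [
    Scheduled(datetime(2004, 9, 24, 18, 0, 0), "ALTUSER TEMP01 REVOKE"),                  # 62h old
    Scheduled(datetime(2004, 9, 26, 20, 0, 0), "PERMIT 'PROD.PAY.**' ID(TEMP02) DELETE"),  # 12h old
    Scheduled(datetime(2004, 9, 27, 8, 5, 0), "ALTUSER TEMP03 RESUME"),                   # in window
    Scheduled(datetime(2004, 9, 27, 8, 30, 0), "ADDGROUP PROJX SUPGROUP(SYS1)"),          # next scan
]


def report(entries: List[Scheduled] = SAMPLE_ENTRIES, now: datetime = NOW) -> Dict[str, List[str]]:
    """Command text per outcome; the bypass list is what an administrator must follow up by hand."""
    return {k: [e.command for e in v] for k, v in scan(entries, now).items()}


if __name__ == "__main__":
    for outcome, commands in report().items():
        print(outcome, commands)
```

The bypassed REVOKE in the sample is the case the guide warns about: after a long outage a stale command is skipped, and its effect must be checked and applied manually.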

Email Parameters

Parameters you set here, in VRAOPT00, take precedence over those set in EMAILOPT. Using email is described in the Vanguard Administrator User Guide.

• EMAILLCLNODE(node-name) This parameter specifies the TCP Network Domain Name (found in the SMTP started task SYSOUT listing). It can be 1-60 characters in length. This node name along with the current user ID will form the default FROM: field in the email header. If not specified, the local JES node name will be used. In a JES3 environment, this parameter is required.

• EMAILASATCHMT(YES|NO) This parameter specifies how the report will be packaged in the email. Specify YES if you want the report to be sent as an attachment to the email. If NO is selected, the report will print in line as part of the email. If not specified, the default is YES. This parameter applies to reports sent as email only.

• EMAILREPLYTO(userid@node-name) This parameter specifies an email reply-to address of 1 - 60 characters. This email address will be the REPLY TO: address in the notices if it is present. This parameter is optional; if it is not specified, the REPLY TO: field in the email header will not be generated.

• EMAILSMTPNODE(node) This parameter specifies the JES node name (found in the SMTP started task SYSOUT listing) where your SMTP server resides. It can be 1-8 characters in length. It can be your system's local node, or a node in your NJE network. Contact your network administrator or systems support group to determine the appropriate value in your environment. If not specified, the local JES node name will be used. In a JES3 environment, this parameter is required.

• EMAILSMTPUSER(server-name) This parameter specifies the SMTP server name (found in the SMTP started task SYSOUT listing) that is to receive and route email. It can be 1-8 characters in length. Contact your network administrator or systems support group to determine the appropriate server name for your environment. If not specified, then SMTP will be used.

• EMAILPRMSPACE(3) The primary space allocation amount to use when allocating the MVS temporary data set. It can be specified as 1-3 decimal digits in the range of 1-999. If not specified, 3 will be used. The space is allocated in cylinders.

• EMAILSECSPACE(3) The secondary space allocation amount to use when allocating the MVS temporary data set. It can be specified as 1-3 decimal digits in the range of 1-999. If not specified, 3 will be used. The space is allocated in cylinders.

• EMAILUNITNAME() The volume unit name used when allocating an MVS temporary data set. If not specified, then VIO will be used.

Note: An SMTP server must be available for you to use email. To help determine the appropriate values for some of the above email parameters, do the following:

• Browse the SYSOUT of your SMTP Started Tasks

• Check your TCP parameters, e.g., SYS1.TCPPARMS

• Contact your VTAM administrator

Customizing Administrator Storage Parameters

Administrator uses option library (VANOPTS) member VAMOPT00 to control the storage requirements for the Vanguard Access Method used by both Extract and Live processing. The VAMOPT00 parameters are established when the Vanguard Security Solutions are installed; you should not have to update them.

Administrator storage parameters are:

• STORAGE_MAX_24(value) Specifies the required below-the-line storage. Any unused storage will be released. The value can be expressed in bytes (131072 to 6291456), in kilobytes (128K to 6144K), or in megabytes (1M to 6M). The default is 128K.

• STORAGE_MAX_31(value) Specifies the required above-the-line storage. Any unused storage will be released. The value can be expressed in bytes (2097152 to 1073741824), in kilobytes (2048K to 1048576K), in megabytes (2M to 1024M), or in gigabytes (1G). The default is 2M.

Note: Excessive storage allocation could negatively affect system performance.
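The following is an added example, not Vanguard's own code: a Python checker that applies the General Syntax Rules for VANOPTS members given earlier in this chapter and the documented ranges, choices and defaults of the VRAOPT00 general parameters, the Automated Command Scheduler keywords and the VAMOPT00 STORAGE_MAX values above. The sample member and its WORKUNIT name are constructed, and the parsing rules are this example's reading of the text; the product's own parser may differ in details the chapter does not state.

```python
"""Offline syntax and range checker for a VANOPTS options member such as VRAOPT00.
Added example, not Vanguard's own code: it applies the General Syntax Rules of this
chapter and the documented ranges, choices and defaults of its keywords."""
import re
from typing import Dict, List, Tuple

_PARAM_RE = re.compile(r"([A-Z_][A-Z0-9_]*)(?:\(([^()]*)\))?")  # KEYWORD or KEYWORD(value)
_DATE_ORDERS = {"MM/DD/YY", "DD/MM/YY", "YY/MM/DD", "DD/MM/CCYY", "MM/DD/CCYY", "CCYY/MM/DD"}
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
# Defaults the chapter states for keywords that are missing or commented out.
DEFAULTS = {"LINESPERPAGE": "60", "UPPERCASE": "ASIS", "WORKPRIM": "50", "WORKSEC": "150",
            "TIMESEPARATOR": ":", "FORCEINIT": "YES", "FORCEUPDT": "YES", "VPWDEBUG": "N",
            "ACS_APPC_TP_NAME": "VRAVACS", "ACS_APPC_ALLOCATE_RETRIES": "4",
            "ACS_COMMAND_CHECK_INTERVAL": "002000", "ACS_BYPASS_COMMAND_IF_OLDER_THAN": "240000",
            "ACS_SUBSYSTEM_NAME": "VACS", "STORAGE_MAX_24": "128K", "STORAGE_MAX_31": "2M"}
_CHOICES = {"LIVEALLOC": {"PRIMARY", "BACKUP", "NONE"}, "UPPERCASE": {"ALL", "HEADERS", "ASIS"},
            "DEFAULT_FILE_MODE": {"LIVE", "EXTRACT"}, "FORCEINIT": {"YES", "NO"},
            "FORCEUPDT": {"YES", "NO"}, "VPWDEBUG": {"Y", "N"}, "VPWDBUGC": {"Y", "N"}}
_INT_RANGES = {"LINESPERPAGE": (30, 99), "LIVESVC": (200, 255), "EXTRACTSVC": (200, 255),
               "ACS_APPC_ALLOCATE_RETRIES": (0, 999)}
_STORAGE_RANGES = {"STORAGE_MAX_24": (131072, 6291456), "STORAGE_MAX_31": (2097152, 1073741824)}

# Constructed sample member; the WORKUNIT name is made up.
SAMPLE_MEMBER = """\
* Constructed VRAOPT00 sample (not a real installation)
LINESPERPAGE(60) UPPERCASE(HEADERS) WORKUNIT(SYSDA)
DATEFORMAT(MM.DD.CCYY) TIMESEPARATOR(:)
LIVESVC(250) LIVEALLOC(PRIMARY)
ACS_COMMAND_CHECK_INTERVAL(002000)
ACS_BYPASS_COMMAND_IF_OLDER_THAN(240000) STORAGE_MAX_31(1G)
"""


def parse_member(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a member into {KEYWORD: value} plus a list of syntax problems."""
    params: Dict[str, str] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("*") or not raw.strip():
            continue                          # asterisk in column one, or blank: a comment
        if raw[71:].strip():                  # columns 72 onward are not part of the statement
            errors.append(f"line {lineno}: text beyond column 71 is ignored")
        for token in raw[:71].split():        # one or more blanks separate parameters
            m = _PARAM_RE.fullmatch(token.upper())
            if not m:
                errors.append(f"line {lineno}: cannot parse '{token}'")
                continue
            key, value = m.group(1), (m.group(2) or "").strip()
            if key in params:
                errors.append(f"line {lineno}: {key} specified more than once")
            params[key] = value               # later occurrence wins; the repeat was reported
    return params, errors


def parse_storage(value: str) -> int:
    """Convert a STORAGE_MAX_xx value (bytes, nK, nM or nG) to bytes."""
    m = re.fullmatch(r"(\d+)([KMG]?)", value.upper())
    if not m:
        raise ValueError(f"'{value}' is not a byte, K, M or G amount")
    return int(m.group(1)) * _UNITS[m.group(2)]


def validate(params: Dict[str, str]) -> List[str]:
    """Return the range and choice violations for the parameters this chapter documents."""
    errors: List[str] = []
    for key, (lo, hi) in _INT_RANGES.items():
        v = params.get(key)
        if v is not None and not (v.isdigit() and lo <= int(v) <= hi):
            errors.append(f"{key}: '{v}' is not a number in {lo}-{hi}")
    for key, allowed in _CHOICES.items():
        if key in params and params[key] not in allowed:
            errors.append(f"{key}: '{params[key]}' is not one of {sorted(allowed)}")
    if "LIVEALLOC" not in params:
        errors.append("LIVEALLOC: required parameter is missing")
    if "DATEFORMAT" in params:                # any single non-letter separator is acceptable
        fmt = params["DATEFORMAT"]
        separators = set(re.sub(r"[A-Z]", "", fmt))
        if len(separators) != 1 or re.sub(r"[^A-Z]", "/", fmt) not in _DATE_ORDERS:
            errors.append(f"DATEFORMAT: '{fmt}' is not a supported date format")
    for key in ("ACS_BYPASS_COMMAND_IF_OLDER_THAN", "ACS_COMMAND_CHECK_INTERVAL"):
        v = params.get(key)
        if v is not None and not (len(v) == 6 and v.isdigit()
                                  and int(v[2:4]) < 60 and int(v[4:]) < 60):
            errors.append(f"{key}: '{v}' is not in HHMMSS form")
    for key, (lo, hi) in _STORAGE_RANGES.items():
        if key in params:
            try:
                n = parse_storage(params[key])
                if not lo <= n <= hi:
                    errors.append(f"{key}: {n} bytes is outside {lo}-{hi}")
            except ValueError as exc:
                errors.append(f"{key}: {exc}")
    return errors


def effective(params: Dict[str, str]) -> Dict[str, str]:
    """Apply the documented defaults for keywords that are absent or given empty."""
    out = dict(DEFAULTS)
    out.update({k: v for k, v in params.items() if v != ""})
    return out
```

Call parse_member on the member text, then validate on the parsed dictionary; an empty list from each means the member satisfies the rules the chapter states.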

VIMOPT00 – Distributed Identity Manager Parameters

The VIMOPT00 member of your VANOPTS options library is used to control Distributed Identity Manager customization. These options are only used if you choose to install the distributed Identity Manager feature.

• VIOUNIT(unitname) This option is required if the distributed Identity Manager feature is implemented. Distributed Identity Manager will allocate temporary work files from time to time. Enter a valid MVS unit name that supports VIO for these allocations.

• VPWDEBUG(Y|N) This keyword is optional. Specify a one-character value of Y or N. If this keyword is not specified, N is assumed. If you wish to enable debugging, specify Y. When trying to do problem determination, it is strongly recommended that this option be specified in the VANOPTS options library on both the client and server hosts involved.

• VPWDBUGC(Y|N) This keyword is optional. Specify a one-character value of Y or N. VIMDBUGC or VPWDBUGC (debug C) is used for debugging the C code within Distributed Identity Manager. Additional information will be written to SYSOUT of the APPC transaction and the caller (from TSO) will get trace information on his screen.

Sample VIMOPT00 Member

  ** VIOUNIT(VIO)
  *
  * VIMDEBUG(Y) or VPWDEBUG(Y) can be specified to enable debugging.
  * If VIMDEBUG or VPWDEBUG is not specified, or contains other than a Y,
  * debugging will not be enabled. It must be specified on the host where
  * the problem is occurring. If the host on which the problem is occurring
  * is unknown, we recommend it be specified on all hosts participating.
  *
  VIMDEBUG(N) VIMDBUGC(N) VPWDEBUG(N) VPWDBUGC(N)
  *

Note: Either VIMDEBUG or VPWDEBUG, and either VIMDBUGC or VPWDBUGC, can be used interchangeably.

Administrator Main Menu

The Main Menu is the entry point for all Administrator functions. The menu selections provide the necessary choices for using the Administrator. Fastpath selections speed you to your Administrator destination by saving menu steps. Fastpath is described in chapter 3 of the Administrator User Guide.

The Main Menu is structured according to job function. Each function is described briefly in the table that follows.

Administrator Main Menu

  VANGUARD ADMINISTRATOR                                 Date: 04/02/20
  OPTION ===>                                            Time: 11:07
                          ADMINISTRATOR MAIN MENU

   0  Initialize ADMINISTRATOR Options      8  Information and Analysis Services
   1  Task Oriented Administration          9  Vanguard Analyzer
   2  Security Server Commands             10  Vanguard Advisor
   3  Security Server Reports              11  Data Services
   4  On-line Access Analysis              12  User Data Management
   5  Command Scheduler                    13  Connect Manager
   6  Vanguard Identity Manager            14  Unix File Manager
   7  Installation Data Management         15  Registration Manager
   X  Exit                                 ST  Extract Statistics

  Active Extract Files:  Small  ==> WENDELL.V521.SVSAM
                         Medium ==> WENDELL.V521.MVSAM

  Please consult the help text for this panel regarding new feature
  information and contact information.
  Copyright 1989-2004 Vanguard Integrity Professionals - Nevada. All rights reserved.

Note: If you use the ISPF Return command from within the Administrator, you will return to the Administrator Main Menu.

Administrator Main Menu Options

For detailed explanations of all product features, please refer to the following Vanguard publications:

Opt  Function                         Description
0    Initialize Options               The Getting Started section of the Vanguard Administrator User Guide explains the Initialize Options.
1    Task Oriented Administration     Refer to the Task Oriented Administration chapter of the Vanguard Administrator User Guide for an expanded set of commands designed to simplify administration of RACF.
2    Security Server Commands         Refer to the Vanguard Security Server Commands chapter of the Vanguard Administrator User Guide.
3    Security Server Reports          Refer to the Security Server Reports chapter of the Vanguard Administrator User Guide. All Administrator reports and their masking criteria are described there.
4    Online Access Analyzer           Refer to the Information and Analysis Services chapter of the Vanguard Administrator User Guide. This reporting feature determines the current access of a user or group to a general resource or a data set.
5    Command Scheduler                Refer to the Automated Command Scheduler chapter of the Vanguard Administrator User Guide.
6    Vanguard Identity Manager        Refer to the Vanguard Identity Manager chapter of the Vanguard Administrator User Guide.
7    Installation Data Management     Refer to the Installation Data Management chapter of the Vanguard Administrator User Guide.
8    Information & Analysis Services  Refer to the Information & Analysis Services chapter of the Vanguard Administrator User Guide.
9    Vanguard Analyzer                This option invokes Vanguard Analyzer after the license is verified. For information on this product, refer to the Vanguard Analyzer User Guide.
10   Vanguard Advisor                 This option invokes Vanguard Advisor after the license is verified. For information on this product, refer to the Vanguard Advisor User Guide.
11   Data Services                    Refer to the Data Services chapter in this manual for a full description of Data Services functions.
12   User Data Management             Refer to the User Data Management chapter of the Vanguard Administrator User Guide for information about the User Data fields in RACF profiles.
13   Connect Manager                  The Controlling Access to Connect Manager section of the Controlling Access to Administrator Functions chapter of this manual explains the administration of this feature.
14   Unix File Manager                Refer to the Unix File Manager chapter of the Vanguard Administrator User Guide, which explains how to use Unix File Manager.
15   Registration Manager             Refer to the Registration Manager chapter of the Vanguard Administrator User Guide, which explains how to use Registration Manager to manage map profiles.
ST   Extract Statistics               The VSAM Extract Statistics chapter of the Vanguard Administrator User Guide explains how to access and use the online Extract Statistics report.

Table 1. Administrator Main Menu Options


Chapter 3. Controlling Access to Administrator Functions

This chapter explains how to set up access to key Administrator functions and describes the authority check made when an Administrator function is invoked. It also covers the authority required to run Identity Manager and the auditing that Identity Manager provides to help meet the installation's need for access control and accountability.

RACF controls execution of Administrator functions. Functions are controlled either individually through discrete profiles or as a group through one or more generic profiles. All profiles are in the RACF FACILITY class. The RACFCMDS member in the Vanguard Sample Library (VANSAMP) includes RACF commands that create all of the RACF FACILITY class profiles and permissions required for controlling access to Administrator functions.

When any function is invoked, Administrator issues an authorization check (RACROUTE REQUEST=AUTH) against profiles in the RACF FACILITY class. Execution is restricted to those RACF user IDs and group IDs with at least READ level access. If a discrete or generic profile is not found in the RACF database, or if the profile is found and the user ID/group ID does not have at least READ access to the resource, the function terminates with an error message.

Profiles controlling access to Administrator functions are in the following table.

Profile Name                 Administrator Function
VRA$.ACSTASK                 Automated Command Scheduler
VRA$.PASSWORD                Identity Manager
VRA$.REFRESH.*               High Level Control of SETROPTS REFRESH Command Generation
VRA$.REFRESH.GENERIC         Control Generic SETROPTS REFRESH Command Generation
VRA$.REFRESH.GENLIST         Control GENLIST SETROPTS REFRESH Command Generation
VRA$.REFRESH.GLOBAL          Control Global SETROPTS REFRESH Command Generation
VRA$.REFRESH.RACLIST         Control RACLIST SETROPTS REFRESH Command Generation
VRA$.REFRESH.WHENPROGRAM     Control When Program SETROPTS REFRESH Command Generation
VRA$.VRAACCA                 Batch Access Analyzer
VRA$.VRAADUPA                Access List Anomaly Analysis
VRA$.VRABRPT                 Batch RACF Reports
VRA$.VRACMND                 Batch Commands
VRA$.VRADSNA                 Data Set Access Analysis
VRA$.VRAEXTR                 Extract Process
VRA$.VRAGRPT                 Batch Group Tree Analysis
VRA$.VRAOCMD                 Online Commands
VRA$.VRAORPT                 Online RACF Reports
VRA$.VRASRPT                 VRA Scope of Authority Analysis
VRA$.VRAVTOC                 VTOC Data Set Reports
VRA$.VRTRAA                  Online Access Analyzer
VRAADM$.VARIABLES            Initialization Variable Maintenance
VSA$.VSA                     Grants access to Analyzer online and batch reports
VSR$.VSR                     Grants access to Advisor online and batch reports

Table 2. Profiles Controlling Access to Administrator Functions

Controlling Feature Operation

The security administrator can control access to functions and modify the execution behavior of functions within the Administrator through the following RACF FACILITY class profiles.

VRAIDM$.classname.profile
Controls access to the installation data field in RACF profiles when using the Administrator's Installation Data Management function. Define these profiles with a UACC of NONE and permit users READ or UPDATE access explicitly. The classname can be any valid RACF general resource class name, GROUP, USER, or DATASET. The profile part can be a specific profile name or a generic, to limit the profiles that can be administered. For example, if you define the profile VRAIDM$.USER.* with a UACC of NONE and PERMIT user FREDV to it with UPDATE access, FREDV can view and alter the installation data field of any RACF user profile.

Note: Asterisks (*) or percent signs (%) encountered in a DATASET or general resource profile name are replaced by a lowercase x when the VRAIDM$ resource name is built. If an ampersand (&), which indicates a &RACFVARS symbolic, is encountered, the return and reason codes are set to produce the USER NOT AUTHORIZED message on the panel; profiles that contain &RACFVARS symbolics therefore cannot have their installation data updated through this function.

VIP$.NOEDIT.COMMAND
Controls the Security Server Command component. If READ access or greater is allowed, the user is not presented with an ISPF edit session and the generated commands execute immediately, without review. Define this profile with a UACC of NONE and permit it only to users whose generated commands need no review step.

VRA$.LIVE.USER
Controls the use of live RACF database access in the Administrator. If READ access or greater is allowed, the Administrator user may access the live RACF database where available. Define this profile with a UACC of NONE. Its APPLDATA field must contain the string userid/groupid: userid is a RACF-defined user with READ access to the RACF database, and groupid is a RACF-defined group that userid is connected to. Every Administrator user permitted to this profile reads the live RACF database under that userid/groupid, so treat the profile's access list as sensitive.

VRA$.ACSTASK
Specifies the user(s) permitted to execute the Administrator Automated Command Scheduler, VRAAJACS. A user with READ access or greater may execute the Automated Command Scheduler. Define this profile with a UACC of NONE. This profile is required for the Automated Command Scheduler.

VRAUD$.classname
Controls access to the User Data fields in the base segment of RACF profiles when using the Administrator's User Data Management function. Define these profiles with a UACC of NONE; users must be permitted READ or UPDATE access explicitly. The classname can be any valid RACF general resource class name, GROUP, USER, or DATASET. These profiles allow initial access to the User Data of each class.

VRAUD$.classname.fieldname
Controls access to a specific User Data field in a given class and must be a discrete profile. For example, if you define the profile VRAUD$.USER.FIRSTNME with a UACC of NONE and PERMIT user FREDV to it with UPDATE access, FREDV can view and alter the User Data field named FIRSTNME of any RACF user profile.

Table 3. Profiles Controlling Administrator Feature Operation

Support for Decentralized Administration

This support is optional and is activated by adding a profile named VRA$.SCOPE to the RACF FACILITY class. Decentralization within Administrator causes reports to display only the information that a user has scope of authority over. Similarly, it allows users to issue Task Oriented Commands only for the resources that they have scope of authority over. The authority to display report information or issue commands is based on ownership, the system or group SPECIAL attribute and the system or group AUDITOR attribute. Note that this differs slightly from RACF: Administrator does NOT authorize a user who is only in the access list of a profile to view that profile.


Users or groups may need to bypass the scoping support and report on all resources defined to RACF. To bypass scoping, grant those users or groups READ access to the VRA$.SCOPE profile in the RACF FACILITY class.

Profile Description

VRA$.SCOPE When this profile is defined with a UACC of NONE, GROUP SPECIAL administrators are only allowed to see those profiles within their RACF scope of authority. To allow a user or group to override scoping support, PERMIT the user/group READ access to this profile.

Table 4. Profiles Controlling Decentralized Administration

It is the responsibility of the security administrator to define the Administrator function access and execution control profiles in the RACF FACILITY class and to ensure that the FACILITY class is active. The security administrator must have at least Class Authority (CLAUTH) to the FACILITY class to create these profiles. Two RACF points apply to every profile in this chapter: generic profiles such as VRA$.REFRESH.* require generic profile checking to be active for the class (SETROPTS GENERIC(FACILITY)), and if the FACILITY class is RACLISTed, new or changed profiles and permits are not seen by the authorization check until SETROPTS RACLIST(FACILITY) REFRESH is issued.
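The following command sequence is an added example written for this page as a TSO CLIST; it is not the VANSAMP RACFCMDS member. The group VRAADMIN, the user VRALIVE and the group VRAGRP are assumed placeholder IDs. It shows the order a practitioner needs: activate and RACLIST the class, define the deny-by-default profiles (including a discrete profile that takes precedence over the VRA$.REFRESH.* generic), permit the administration group, refresh the in-storage copy, and then verify which profile the authorization check will actually match.

```clist
/* Added example, not the VANSAMP RACFCMDS member.                     */
/* VRAADMIN (group), VRALIVE (user) and VRAGRP (group) are assumed.    */

/* 1. FACILITY must be active; GENERIC lets VRA$.REFRESH.* be a        */
/*    generic profile; RACLIST keeps the class in storage.             */
SETROPTS CLASSACT(FACILITY) GENERIC(FACILITY) RACLIST(FACILITY)

/* 2. Deny by default: UACC(NONE) on every function profile.           */
RDEFINE FACILITY VRA$.VRAOCMD     UACC(NONE)
RDEFINE FACILITY VRA$.VRAORPT     UACC(NONE)
RDEFINE FACILITY VRA$.VRAEXTR     UACC(NONE)
RDEFINE FACILITY VRA$.SCOPE       UACC(NONE)
RDEFINE FACILITY VRA$.REFRESH.*   UACC(NONE)

/* 3. RACF matches a discrete profile before a generic one, so a       */
/*    single refresh type can be opened without touching the generic. */
RDEFINE FACILITY VRA$.REFRESH.RACLIST UACC(NONE)

/* 4. Live database access runs under the APPLDATA userid/groupid.     */
/*    Keep UACC(NONE): everyone permitted here reads the live RACF     */
/*    database as VRALIVE.                                             */
RDEFINE FACILITY VRA$.LIVE.USER UACC(NONE) APPLDATA('VRALIVE/VRAGRP')

/* 5. Permit the administration group (READ is all that is checked).   */
PERMIT VRA$.VRAOCMD         CLASS(FACILITY) ID(VRAADMIN) ACCESS(READ)
PERMIT VRA$.VRAORPT         CLASS(FACILITY) ID(VRAADMIN) ACCESS(READ)
PERMIT VRA$.VRAEXTR         CLASS(FACILITY) ID(VRAADMIN) ACCESS(READ)
PERMIT VRA$.REFRESH.RACLIST CLASS(FACILITY) ID(VRAADMIN) ACCESS(READ)

/* 6. RACROUTE REQUEST=AUTH reads the in-storage copy; nothing above   */
/*    takes effect until the RACLISTed class is refreshed.             */
SETROPTS RACLIST(FACILITY) REFRESH

/* 7. Verify: RLIST shows one profile's access list; SEARCH lists      */
/*    every VRA$ profile so a stray UACC(READ) stands out.             */
RLIST  FACILITY VRA$.REFRESH.RACLIST AUTHUSER
SEARCH CLASS(FACILITY) FILTER(VRA$.**)
```

With only VRA$.REFRESH.RACLIST defined as a discrete profile, VRAADMIN can generate RACLIST refreshes while GENERIC, GENLIST, GLOBAL and WHENPROGRAM refreshes still fall under the generic profile and stay closed.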

Controlling SETROPTS REFRESH Command Generation

Five discrete profiles or one generic profile, shown below, can be used to control the generation of SETROPTS REFRESH commands.

VRA$.REFRESH.*

VRA$.REFRESH.GENERIC

VRA$.REFRESH.GENLIST

VRA$.REFRESH.GLOBAL

VRA$.REFRESH.RACLIST

VRA$.REFRESH.WHENPROGRAM

These profiles are initially set up with a UACC of NONE, as shown in the JCL sample library (VANSAMP) member RACFCMDS. This initially prevents anyone from generating SETROPTS REFRESH commands. Specific PERMIT commands must be issued to allow specific users or groups to generate them, either against the generic profile or against one or more of the discrete profiles described in the table below. Because RACF chooses a discrete profile over the generic when both exist, a PERMIT on VRA$.REFRESH.GENLIST, for example, opens only that refresh type, while a PERMIT on VRA$.REFRESH.* opens every type that has no discrete profile of its own.

Note: GENLIST and RACLIST are mutually exclusive.

The FACILITY profiles below control only whether Administrator generates the SETROPTS REFRESH command; RACF itself still requires the issuing user to hold the SPECIAL attribute (or the class authority RACF accepts for a class-level refresh) to execute it. Users or groups granted READ access to one or more of the profiles listed below are able to initiate the refreshing of the corresponding profile type.


Profile Description

VRA$.REFRESH.* This profile is the High Level Control of SETROPTS REFRESH Command Generation.

VRA$.REFRESH.GENERIC This profile pertains to in-storage generic profiles. By permitting a user or group access to this profile with at least READ access, you enable the automatic generation of SETROPTS REFRESH commands for in-storage generic profiles within the specified general resource class that has had a change within one of its profiles.

VRA$.REFRESH.GENLIST By permitting user or group access to this profile with at least READ access, you enable the automatic generation of SETROPTS REFRESH commands for GENLISTed profiles when there has been a change within one of its profiles.

VRA$.REFRESH.GLOBAL This profile controls frequently accessed profiles for public resources. By permitting user or group access to this profile with at least READ access, you enable the automatic generation of SETROPTS REFRESH commands for this class of resources when a profile within this class has been changed.

VRA$.REFRESH.RACLIST This profile controls general resource class profiles. By permitting user or group access to this profile with at least READ access, you enable the automatic generation of SETROPTS REFRESH commands for the particular general resource class which has had any of its profiles changed.

VRA$.REFRESH.WHENPROGRAM This profile has to do with activating program control. By permitting a user or group access to this profile with at least READ access, you enable the automatic generation of SETROPTS REFRESH commands for activating program control that provides both access control to load modules and program access to data sets.

Table 5. Profiles Controlling SETROPTS REFRESH Command Generation


Controlling Access to Identity Manager

In order to access any Identity Manager function, the user must have READ access to the VRA$.PASSWORD profile in the FACILITY class. This rule applies to all users, including users with the RACF SPECIAL attribute.

The authority required to access an Identity Manager function is based on several types of information:

• User’s RACF System SPECIAL attribute.

• User ID that is the target of the operation.

• Default group or connect group of the affected User ID.

• Read access to profiles in the RACF FACILITY class.

A user who has the RACF System SPECIAL attribute does not need access to any additional FACILITY class profiles to use Identity Manager.

If the function requested does not require RACF System SPECIAL and the user issuing the command does not have RACF System SPECIAL, Identity Manager checks the following profiles in the order listed:

• Profiles Allowing Identity Management

• Profiles Disallowing Identity Management

• Checking New Passwords

Note: The terms Identity Management and Password Management are used interchangeably in this publication.

Profiles Allowing Identity Management

To allow users who do not have the RACF System SPECIAL attribute to use Identity Manager, grant them READ authority to one or more of the following FACILITY class profiles. Refer to sample library (VANSAMP) member VIMRACF.

The following profiles allow administration of users, based upon connection groups, specific users, or all users.


Profile Description

VRAPW$.Userid  Userid is the User ID specified in the command.

VRAPW$.Groupid  Groupid is the ID of the default group of the user specified in the command. An optional profile, VRAPWCON.CONGRP, can be defined in the RACF FACILITY class to change the meaning of the VRAPW$.Groupid profile: if the user issuing the command has READ access to this optional profile, the Group ID in the VRAPW$.Groupid profile means any group the target user is connected to, not just their default group.

VRAPW$.ALL  Allows access to ALL users.

Table 6. Profiles Allowing Identity Management

You can optionally authorize non-System SPECIAL users to use NOEXPIRE. To use NOEXPIRE, you must allow UPDATE access to the IBM FACILITY class profile IRR.PASSWORD.RESET.

In addition to one of the profiles listed above, you can authorize non-System SPECIAL users to set and remove the Vanguard Hard Revoke attribute. To set and remove the Hard Revoke attribute, you must build profiles based upon connection groups or specific user IDs.

Profile Description

VRAPW$.ALLOW.HREVOKE  Any non-System SPECIAL user that requires Hard Revoke authority must have READ access to this profile. In addition, the user needs READ access to an appropriate VRAPWHR$ profile.

VRAPWHR$.Userid  Userid is the User ID specified in the command.

VRAPWHR$.Groupid  Groupid is the ID of the default group of the user specified in the command. An optional profile, VRAPWCON.CONGRP, can be defined in the RACF FACILITY class to change the meaning of the VRAPWHR$.Groupid profile: if the user issuing the command has READ access to this optional profile, the Group ID in the VRAPWHR$.Groupid profile means any group the target user is connected to, not just their default group.

Table 7. Profiles Allowing Hard Revoke for Non-System SPECIAL Users

Failures of the VRAPW$.Userid and VRAPW$.Groupid checks in Table 6 are not logged; a failure on the VRAPW$.ALL profile is logged if that profile's audit options call for it. A failed check on one profile does not end processing: the next profile in the sequence is still checked. Once authority is granted, a check is made on the VRAPW$.AUDIT profile so that the use can be audited.


Profiles Disallowing Identity Management

After Identity Manager passes the allow checks described above, the following profiles are checked to see whether the operation should be refused. You can exclude a user from Identity Manager functions for specific users or groups of users even though that user is permitted through the VRAPW$.Userid, VRAPW$.Groupid or VRAPW$.ALL profiles in the RACF FACILITY class. Exclusion is done with additional RACF FACILITY class profiles: to exclude users from administering passwords, grant them READ access to one or more of the following profiles.

Profile Description

VRAPW$.NONE.SPECIAL By permitting user or group access to this profile with at least READ access, you prevent the user or group from administering passwords for any user with the RACF System SPECIAL attribute, regardless of other granted authority.

VRAPW$.NONE.AUDITOR By permitting user or group access to this profile with at least READ access, you prevent the user or group from administering passwords for any user with the RACF System Auditor attribute, regardless of other granted authority.

VRAPW$.NONE.OPERATIONS By permitting user or group access to this profile with at least READ access, you prevent the user or group from administering passwords for any user with the RACF Operations attribute, regardless of other granted authority.

VRAPW$.NONE.target-User ID  By permitting user or group access to this profile with at least READ access, you prevent the user or group from administering passwords for this target User ID, regardless of other granted authority. You can therefore prevent a user with READ access to the VRAPW$.ALL profile from administering the password of a specific user, while allowing them to administer all other user passwords.

VRAPW$.NONE.target-User IDs-default-group  By permitting user or group access to this profile with at least READ access, you prevent the user or group from administering passwords for any target User ID that has this group as its default group, regardless of other authority granted. You can therefore prevent a user with READ access to the VRAPW$.ALL profile from administering the passwords of all users with a specific default group, while allowing them to administer all other users' passwords.

Table 8. Profiles Disallowing Identity Management


Checking New Passwords

Comparing a new password to a current password and password history is under profile control. You can control the checking of current passwords and passwords in the password history on an individual administrator basis. By default, the new passwords are compared to the current password and the history. The following profile, defined in the RACF FACILITY class, controls the checking of new passwords against previous passwords:

Profile Description

VRAPW$.NOHISTCHK By permitting user or group access to this profile with at least READ access, passwords changed by that user or group are not compared to the current password or the password history. If you want this to be the default action for all users that administer passwords, create the profile with a UACC of READ.

Table 9. Profile Controlling the Checking of New Passwords
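The following is an added example, not the VANSAMP VIMRACF member, of delegating password administration to a help desk group by combining the allow, deny, history and audit profiles of Tables 6 through 9. HELPDESK and PAYROLL are assumed placeholder RACF groups; IRR.PASSWORD.RESET is IBM's own FACILITY profile and may already exist on the system, in which case use RALTER instead of RDEFINE.

```clist
/* Added example, not the VANSAMP VIMRACF member.                      */
/* HELPDESK (group) and PAYROLL (group) are assumed placeholders.      */

/* Entry: required for every Identity Manager user, SPECIAL included.  */
RDEFINE FACILITY VRA$.PASSWORD UACC(NONE)
PERMIT  VRA$.PASSWORD CLASS(FACILITY) ID(HELPDESK) ACCESS(READ)

/* Allow: VRAPW$.ALL covers every target user. Failures here are the   */
/* only allow-side failures that get logged, so audit them.            */
RDEFINE FACILITY VRAPW$.ALL UACC(NONE) AUDIT(FAILURES(READ))
PERMIT  VRAPW$.ALL CLASS(FACILITY) ID(HELPDESK) ACCESS(READ)

/* Deny: checked after the allow profiles and overriding them.         */
/* Privileged users and the PAYROLL default group stay out of reach.   */
RDEFINE FACILITY VRAPW$.NONE.SPECIAL    UACC(NONE)
RDEFINE FACILITY VRAPW$.NONE.AUDITOR    UACC(NONE)
RDEFINE FACILITY VRAPW$.NONE.OPERATIONS UACC(NONE)
RDEFINE FACILITY VRAPW$.NONE.PAYROLL    UACC(NONE)
PERMIT  VRAPW$.NONE.SPECIAL    CLASS(FACILITY) ID(HELPDESK) ACCESS(READ)
PERMIT  VRAPW$.NONE.AUDITOR    CLASS(FACILITY) ID(HELPDESK) ACCESS(READ)
PERMIT  VRAPW$.NONE.OPERATIONS CLASS(FACILITY) ID(HELPDESK) ACCESS(READ)
PERMIT  VRAPW$.NONE.PAYROLL    CLASS(FACILITY) ID(HELPDESK) ACCESS(READ)

/* History: VRAPW$.NOHISTCHK is deliberately not defined, so new       */
/* passwords are still compared with the current one and the history.  */

/* Audit: Identity Manager asks for READ on VRAPW$.AUDIT on every call  */
/* and ignores the answer, so UACC(READ) only decides whether the SMF   */
/* record is classed as a success; AUDIT(ALL(READ)) logs every call.    */
RDEFINE FACILITY VRAPW$.AUDIT    UACC(READ) AUDIT(ALL(READ))
RDEFINE FACILITY VRAPW$.SMFAUDIT UACC(NONE)
PERMIT  VRAPW$.SMFAUDIT CLASS(FACILITY) ID(HELPDESK) ACCESS(READ)

/* Optional NOEXPIRE: IBM's profile, UPDATE access is required.         */
RDEFINE FACILITY IRR.PASSWORD.RESET UACC(NONE)
PERMIT  IRR.PASSWORD.RESET CLASS(FACILITY) ID(HELPDESK) ACCESS(UPDATE)

/* Make it all visible to the RACLISTed class.                          */
SETROPTS RACLIST(FACILITY) REFRESH
```

The result is that a HELPDESK member can reset any user's password, but a request against a SPECIAL, AUDITOR or OPERATIONS user or against a user whose default group is PAYROLL is refused at the deny step even though VRAPW$.ALL allowed it, and every attempt, granted or refused, leaves a type 80 record against VRAPW$.AUDIT.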

Auditing Identity Manager

To help meet the installation's need for access control and accountability, Identity Manager provides the ability to audit its use. These audit records contain information that can be used by an auditor to ensure that the controls established for the use of Identity Manager are meeting the installation's access control policies.

Audit Records

Identity Manager can create two types of audit records:

• Identity Manager SMF Audit Records

• RACF Processing SMF Audit Records

The audit records are created based on the settings of the RACF options of the following FACILITY class profiles:

Profile Description

VRAPW$.SMFAUDIT Controls the creation of Identity Manager Audit SMF record

VRAPW$.AUDIT Controls the creation of a RACF Processing Audit SMF record.

Table 10. Profiles Auditing Identity Manager

Identity Manager audit information is written into the LOGSTRING portion of the SMF record.


Note to Vanguard Advisor Users: The Advisor Identity Manager Usage Report provides this audit trail online, in a user-friendly manner. It identifies the changes made to each User ID and indicates which User ID made the change(s).

Identity Manager Audit SMF Record

An Identity Manager audit SMF record is created if the user has READ access to the FACILITY class profile, VRAPW$.SMFAUDIT. The format of this record is similar to the RACF ALTUSER command SMF record type 80. This is an SMF type 80, data type 6, with an event code of 13. The record is generated with a reason of CLASS.

The Identity Manager audit SMF record covers only the REVOKE, RESUME, HARD REVOKE and PASSWORD functions of Identity Manager.

An Identity Manager audit SMF record is created for successful and unsuccessful processing.

RACF Processing SMF Record

The RACF Processing SMF record is created depending on how you set the AUDIT, UACC and access list options of the FACILITY class profile VRAPW$.AUDIT. For each authority failure, and for each successful or unsuccessful use of a function, Identity Manager makes an authority check requesting READ access to VRAPW$.AUDIT. The return code from this check is ignored; the check exists only so that RACF writes an SMF record according to the profile's audit options.

The following recommendation makes it possible to obtain a complete audit trail of all Identity Manager usage.

Recommendation: Set auditing for this profile to log all READ attempts, successful or not, by issuing the following command:

RALTER FACILITY VRAPW$.AUDIT AUDIT(ALL(READ))

If the FACILITY class is RACLISTed, follow it with SETROPTS RACLIST(FACILITY) REFRESH. Use the following sample RACF Report Writer input statements to format the audit records:

RACFRW TITLE ('Usage of the Identity Manager')
SELECT VIOLATIONS
EVENT ACCESS CLASS(FACILITY) NAME(VRAPW$.AUDIT)
SELECT SUCCESSES
EVENT ACCESS CLASS(FACILITY) NAME(VRAPW$.AUDIT)
LIST SORT(USER)
END

The RACF Report Writer has not been enhanced since RACF 1.9.2; on current systems the same selection is normally done by unloading the type 80 records with the RACF SMF data unload utility (IRRADU00) and querying the unloaded records for class FACILITY and resource VRAPW$.AUDIT.


Information Contained in the LOGSTRING

Identity Manager places information that describes the function performed in the LOGSTRING portion of the SMF records. The LOGSTRING has two formats:

• Successful and unsuccessful completion

• Insufficient authority

Successful and unsuccessful completion

• User ID who issued the command.

• User ID affected by the command.

• Function performed.

• Date the function was performed.

• Time the function was performed.

Insufficient authority

• User ID who issued the command.

• User ID that was to be affected by the command.

• Functions that were attempted.

• Date the functions were attempted.

• Time the functions were attempted.

Controlling Access to Connect Manager

Connect Manager Authorization Checks

A system SPECIAL user has full access to any Connect Manager function. For non-system SPECIAL users, authority checking occurs first for profiles allowing Connect Manager functions, and then for profiles that disallow Connect Manager Functions. These profiles are used only for non-system SPECIAL users.

The VRA$.CONNECT.MANAGER profile controls whether or not a user can use general Connect Manager functions. To use Connect Manager, users must have READ access to the VRA$.CONNECT.MANAGER profile.


Permitting Access to Connect Manager Functions

To permit access to specific Connect Manager functions, update the following profiles as described.

Profile Description

VRACO$.groupid
VRACO$.ALL

These profiles determine the groups that can be used in general Connect Manager functions. READ access to VRACO$.groupid allows Connect Manager operations involving that group; READ access to VRACO$.ALL allows the user to connect users to any group.

VRACOSP$.groupid To use the SPECIAL keyword or panel field, users must have READ access to a profile that covers the Group ID being manipulated. Note that this is in addition to the VRACO$.groupid or VRACO$.ALL profiles.

VRACOAU$.groupid To use the AUDITOR keyword or panel field, users need READ access to a profile that covers the Group ID being manipulated. Note that this update is in addition to the VRACO$.groupid or VRACO$.ALL profiles.

VRACOOP$.groupid To use the OPERATIONS keyword or panel field, users need READ access to a profile that covers the Group ID being manipulated. Note that this update is in addition to the VRACO$.groupid or VRACO$.ALL profiles.

VRACOCR$.groupid To use the CREATE value in the AUTHORITY keyword or panel field, users need READ access to a profile that covers the Group ID being manipulated. Note that this update is in addition to the VRACO$.groupid or VRACO$.ALL profiles.

VRACOCO$.groupid To use the CONNECT value in the AUTHORITY keyword or panel field, users need READ access to a profile that covers the Group ID being manipulated. Note that this update is in addition to the VRACO$.groupid or VRACO$.ALL profiles.

VRACOJN$.groupid To use the JOIN value in the AUTHORITY keyword or panel field, users need READ access to a profile that covers the Group ID being manipulated. Note that this update is in addition to the VRACO$.groupid or VRACO$.ALL profiles.

Table 11. Connect Manager Access Profiles


Denying Access to Connect Manager Functions

To deny access to specific Connect Manager functions, update the following profiles as described.

Profile Description

VRACO$.NONE.SPECIAL
VRACO$.NONE.OPERATIONS
VRACO$.NONE.AUDITOR
VRACO$.NONE.userid
VRACO$.NONE.groupid

By permitting a user or group READ access to these profiles, you prevent that user or group from administering users who have system-SPECIAL, system-OPERATIONS or system-AUDITOR, or a specific user or a specific group. READ access to a VRACO$.NONE.userid or VRACO$.NONE.groupid profile prevents a user who has READ access to the VRACO$.ALL profile from using Connect Manager for that specific User ID or Group ID.

Table 12. Connect Manager Deny Access Profiles

About the CMLOCKOUT Parameter in VRAOPT00

When you deny access to Connect Manager functions, the system-SPECIAL administrator has the means to prevent specific Connect Manager users from administering certain users' connect profiles. However, constantly having to build FACILITY class profiles may not be an appropriate way to handle certain situations.

To provide an easier way to prevent this situation, a new parameter, CMLOCKOUT(<Group ID>), exists for option member VRAOPT00.

To work properly the parameter must contain a valid Group ID, for example:

CMLOCKOUT(LOCKGRP)

In this example, LOCKGRP is a valid RACF Group ID. Connect Manager will not function for User IDs connected to this group. With this parameter in VRAOPT00, a system-SPECIAL user can issue a standard SecureWay Security Server (RACF) CONNECT command, anywhere in ISPF/TSO, to connect a User ID to the lockout group and thereby prevent Connect Manager users from administering that User ID.

Permitting Access to Auditing Profiles

To generate SMF records for auditing purposes, update the following profiles as described.

Profile Description

VRAPW$.SMFAUDIT This profile is optional. Connect Manager uses the same auditing profile as Identity Manager. If the user has READ access to the profile, an SMF record (Type 80) similar to the one written for a standard RACF CONNECT command is generated, with a reason of CLASS. Even SPECIAL users must be permitted READ access to this profile for the record to be generated.

VRAPW$.AUDIT This profile is checked in all cases. An authority check for READ access is made against the profile, and the return code of that check is ignored; auditing occurs according to the audit options set on the profile. It is recommended that you set the auditing for this profile to AUDIT(ALL(READ)).

Table 13. Connect Manager Auditing Access Profiles

Controlling Unix AUTOUID, AUTOGID and SHARED Options

The RACF component of the IBM S/390 Security Server and z/OS Security Server supports UNIX Security Management Usability. This enhancement helps RACF administrators ensure unique UNIX identifiers for RACF user and group IDs through the AUTOUID, AUTOGID, and SHARED keywords in the OMVS segment. For detailed information about these options, refer to the documentation for APAR OW52135, IBM UNIX Security Management Usability Enhancements Support SPE for Security Server RACF.

System Requirements

Before using these options, your system must meet the following requirements:

• z/OS 1.4

- or -

• OS/390 2.10, z/OS 1.1, z/OS 1.2, or z/OS 1.3 with APAR OW52135 applied

• RACF Application Identity Mapping (AIM) level set to at least Stage 2.

• The RACF database needs to be converted to AIM stage 2 or 3.

Your system programmer can use the IBM IRRIRA00 utility to convert the database. If you try to use these new features and your RACF database is not at AIM stage 2 or 3, you will receive appropriate error messages.

AUTOUID and AUTOGID Options

The AUTOUID keyword within the OMVS segment of a user profile and the AUTOGID keyword within the OMVS segment of a group profile allow RACF to automatically generate UNIX User Identifiers (UIDs) or Group Identifiers (GIDs). AUTOUID and AUTOGID help ensure unique UNIX identifiers by having RACF create and manage the IDs. For detailed information about these options, refer to the documentation for APAR OW52135, IBM UNIX Security Management Usability Enhancements Support SPE for Security Server RACF.

Enabling AUTOUID and AUTOGID Options

To enable the AUTOUID and AUTOGID keywords, create a profile in the FACILITY class as follows:

RDEFINE FACILITY BPX.NEXT.USER APPLDATA('data')

RACF uses the APPLDATA of the FACILITY class profile BPX.NEXT.USER to obtain unused UID and GID values. You determine the starting value. APPLDATA is verified at the time of use, not when defined.

The APPLDATA value consists of 2 qualifiers separated by a slash (/).

• Left qualifier specifies the starting UID value or range of UID values. A range is separated by a dash (-).

• Right qualifier specifies the starting GID or range of GID values

• Qualifiers can be null, or specified as NOAUTO to prevent automatic assignment of a UID or GID. You may want to use NOAUTO for the UID if you have a convention for users, such as assigning the employee serial number as the UID.

For example, valid values for APPLDATA could be:

• 1/0

• 1-50000/1-50000

• NOAUTO/100000

• /10000

• 10000-20000/NOAUTO

• 10000-20000/

For further information on controlling UNIX UIDs or GIDs, contact your UNIX administrator.

When you issue AUTOUID or AUTOGID, RACF:

• Extracts the APPLDATA from BPX.NEXT.USER

• Parses the starting value for UID or GID

• Checks to see if the UID or GID is already in use. If so, the value is incremented and checked again until an unused value is found.

• Assigns the value to the new UID or GID as appropriate

• Replaces the APPLDATA with the new starting value

RACF administrators can change the APPLDATA at anytime by using the RALTER command against the BPX.NEXT.USER profile.
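The APPLDATA format and the assignment steps above, as an added Python model (example code written for this page, not IBM's RACF code or Vanguard's): parse_appldata() accepts each of the forms listed (a start value, a start-end range, a null qualifier, NOAUTO), assign_next() walks the increment-until-unused loop and returns the new starting value, and demo() runs three AUTOUID requests against a constructed set of UIDs already in use. Two details are assumptions of the model rather than statements about RACF: a null qualifier is treated exactly like NOAUTO, and the replaced starting value is the one after the value just assigned.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Qualifier:
    """One side of the APPLDATA value.

    start=None means automatic assignment is disabled for this side (NOAUTO or a
    null qualifier; this model treats the two the same, an assumption).
    end=None means a bare starting value with no upper bound.
    """
    start: Optional[int]
    end: Optional[int] = None

    @property
    def auto(self) -> bool:
        return self.start is not None


def parse_qualifier(text: str) -> Qualifier:
    """Parse 'n', 'n-m', '' or 'NOAUTO' into a Qualifier."""
    text = text.strip()
    if text == "" or text.upper() == "NOAUTO":
        return Qualifier(None)
    if "-" in text:
        low, high = text.split("-", 1)
        start, end = int(low), int(high)
        if start > end:
            raise ValueError(f"range start {start} is above range end {end}")
        return Qualifier(start, end)
    return Qualifier(int(text))


def parse_appldata(appldata: str) -> Tuple[Qualifier, Qualifier]:
    """APPLDATA is 'uid-qualifier/gid-qualifier' with exactly one slash."""
    if appldata.count("/") != 1:
        raise ValueError("APPLDATA must contain exactly one '/'")
    left, right = appldata.split("/")
    return parse_qualifier(left), parse_qualifier(right)


def format_appldata(uid: Qualifier, gid: Qualifier) -> str:
    """Render the qualifiers back into APPLDATA form; a disabled side is written as NOAUTO."""
    def one(q: Qualifier) -> str:
        if not q.auto:
            return "NOAUTO"
        return str(q.start) if q.end is None else f"{q.start}-{q.end}"
    return f"{one(uid)}/{one(gid)}"


def assign_next(q: Qualifier, in_use: Set[int]) -> Tuple[int, Qualifier]:
    """Steps 2 to 5 of the list above: start at the parsed value, increment while
    the value is in use, assign it, and return the qualifier holding the new
    starting value (the value after the one just assigned, a modelling choice).
    Running past the upper bound of a range is reported instead of wrapping."""
    if not q.auto:
        raise ValueError("automatic assignment is disabled for this qualifier")
    candidate = q.start
    while True:
        if q.end is not None and candidate > q.end:
            raise RuntimeError(f"no unused value left in range {q.start}-{q.end}")
        if candidate not in in_use:
            break
        candidate += 1
    in_use.add(candidate)
    return candidate, Qualifier(candidate + 1, q.end)


def demo() -> List[Tuple[int, str]]:
    """Three AUTOUID requests against a constructed set of UIDs already in use.
    Returns (assigned UID, APPLDATA after the assignment) for each request."""
    in_use_uids = {1, 2, 3, 5}  # constructed: UIDs found in existing OMVS segments
    uid_q, gid_q = parse_appldata("1-50000/NOAUTO")
    trail = []
    for _ in range(3):
        uid, uid_q = assign_next(uid_q, in_use_uids)
        trail.append((uid, format_appldata(uid_q, gid_q)))
    return trail


if __name__ == "__main__":
    for uid, appldata in demo():
        print(f"assigned UID {uid}; BPX.NEXT.USER APPLDATA is now {appldata}")
```

Running the block prints the assigned UID and the rewritten APPLDATA after each request. An exhausted range raises RuntimeError rather than wrapping, which is the condition an administrator watches for before changing the APPLDATA with RALTER.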

Using AUTOUID and AUTOGID Options in Administrator

The Administrator options member (VRAOPT00) in the Vanguard Options Library (VANOPTS) includes two parameters: SETAUTOUID and SETAUTOGID. SETAUTOUID controls the default setting of the AUTOUID field and SETAUTOGID controls the default setting of the AUTOGID field on the Clone panels. These fields are for display only.

When SETAUTOUID and SETAUTOGID in VRAOPT00 are set to Y, Administrator adds the AUTOUID keyword to the OMVS operand of the RACF commands generated to clone a user and the AUTOGID keyword to the OMVS operand of the RACF commands generated to clone a group.

Using AUTOUID and AUTOGID in VRC

VRC panels contain the AUTOUID field for a User profile and the AUTOGID field for a Group profile. However, these fields operate independently of the SETAUTOGID and SETAUTOUID parameters in VRAOPT00.

To initiate the AUTOUID or AUTOGID keywords when you edit or add a user or group in VRC, type Y in the AUTOUID field for a user profile or AUTOGID field for a group profile.

SHARED Option

The SHARED keyword in the OMVS segment of a user or group profile allows you to create duplicate UNIX User Identifiers (UIDs) and Group Identifiers (GIDs).

Note: For the same reason that you would not want to share RACF User IDs, it is recommended that you do not share UNIX UIDs.

Enabling the SHARED Option

To enable the SHARED option, create a discrete General Resource profile named SHARED.IDS in the UNIXPRIV class with a UACC of NONE. This profile controls the use of shared IDs.

To define this profile, issue the following RACF commands:

RDEFINE UNIXPRIV SHARED.IDS UACC(NONE)
SETROPTS CLASSACT(UNIXPRIV) RACLIST(UNIXPRIV)
SETROPTS RACLIST(UNIXPRIV) REFRESH

To be able to specify the SHARED keyword, you must have the RACF SPECIAL attribute or READ access to the SHARED.IDS profile in the UNIXPRIV class:

PERMIT SHARED.IDS CLASS(UNIXPRIV) ID(user_ID) ACCESS(READ)
SETROPTS RACLIST(UNIXPRIV) REFRESH

Using the SHARED Option in Administrator

The Clone panels in Vanguard Administrator for user and group profiles include the SHARED field to specify the SHARED keyword when cloning a user or group.

The SHARED field on the panels defaults to N. To override the default and create a shared UID or GID, type Y. When you type Y in the SHARED field of these panels, Administrator includes the SHARED keyword with the OMVS operand it generates to clone the profile.

This option resets itself to N after use.

Mutually Exclusive Options

The SHARED option is mutually exclusive with the AUTOUID and AUTOGID options.

Chapter 4. Data Services

Data Services deals with the data that the Administrator uses to accomplish its functions. It consists of the following functions:

• Performing the Administrator Extract

• Loading a set of DB2 tables

• Performing Initialization Variable Maintenance

• Tailoring the Administrator batch JCL

• Installing or reinstalling the DB2 option

• Customizing and working with DB2 Objects

These functions are accessed from the Data Services menu, Option 11 on the Administrator Main Menu. Each function is described in detail in this chapter.

Data Services Menu

VANGUARD ADMINISTRATOR                                   Date: 01/03/11
COMMAND ===>                                             Time: 13:17

                            DATA SERVICES

   1  Extract Program
   2  Load DB2 Tables
   3  Initialization Variable Maintenance
   4  Tailor VRA Batch JCL
   5  Install / Re-install DB2 Option

Data Services Functions

The following list summarizes each Data Services function. Refer to the specific section in this chapter for full descriptions.

Extract Program

The EXTRACT reads the RACF database and stores its information in VSAM files usable as input to the Administrator.

Load DB2 Tables

The DB2 component of the Administrator provides installation facilities for managing RACF security. This function loads a set of DB2 tables and DB2 security catalog tables using the VSAM files produced by the Administrator Extract function.

Initialization Variable Maintenance

Allows you to propagate installation-defined values to all Administrator users the next time each user logs on.

The security administrator must have READ access to the VRAADM$.VARIABLES profile, defined in the RACF FACILITY class, to invoke this option.

Tailor Administrator Batch JCL

Allows you to customize the batch JCL members within Vanguard's JCL library.

The user must have READ access to the VRAADM$.VARIABLES profile, defined in the RACF FACILITY class, to invoke this option.

Install / Re-install DB2 Option

Allows you to activate the DB2 Option or change the installation-defined values for the DB2 Option. This will also (re)tailor the DB2 JCL members in Vanguard's DB2 JCL library.

The user must have READ access to the VRAADM$.VARIABLES profile, defined in the RACF FACILITY class, to invoke this option.

Note: The Extract function MUST be run prior to other Administrator functions.

Extract Program

The Extract program reads the RACF database and stores its information in a form usable as input wherever it is needed: RACF commands and reports, Authority Analysis and the DB2 Load Utility. Selecting Option 1 on the Data Services menu displays the Extract Program setup and execution panel.

Note: Due to the withdrawal of RACF 1.9 support by IBM in April 1997, Administrator does not support NON-RDS databases.

Creating RACF Extract Files

The Extract function MUST be run prior to any other Administrator function.

When determining how often to create an extracted copy of the RACF database, you must consider your requirements for accurate reporting and frequency of RACF database updates.

Administrator uses option member VAMOPT00 to control the storage requirements for the Vanguard Access Method used by both the Extract and Live processing.

Note: Vanguard recommends that you restrict access to the Extract database because it is a logical copy of your RACF database.

Invoking and Processing the Extract Program

The Extract Program panel is invoked by selecting option 1 from the Data Services Menu.

Extract Program

VANGUARD ADMINISTRATOR                                   Date: 01/02/12
COMMAND ===>                                             Time: 14:45

                            EXTRACT PROGRAM

Default to Live RACF Database ?  ===> YES       (YES/NO) (You will be prompted for Dsns if no)
Select/Exclude Profile Classes?  ===> NO        (YES/NO) (You will be prompted if yes)
Database ID                      ===> 00030301  (Blank defaults to Customer number)
Extract Small VSAM               ===> DOVEC.DEV10.SVSAM
Extract Medium VSAM              ===> DOVEC.DEV10.MVSAM
Extended Access List             ===> Y         (Y/N) (Y create alternate index records)
Region Size Set For              ===> 5M
Report Will Go To                ===> SYSOUT=X
      (Enter "SYSOUT=X" Or An Existing Fully Qualified Dsn )

Extract Jcl Will Be Placed In:
   Data Set: DOVEC.VRA.EXTRACT.JCL

To override Administrator’s Extract process when allocating the RACF data sets, the following must be considered:

If there is only one RACF data set, and the current system has multiple RACF data sets, the following control card is required:

RANGETBL=NONE

If there are multiple RACF data sets that use the same range table as the current system, no control card is needed.

If there are multiple RACF data sets that do not use the same range table as the current system, the following control card is required:

RANGETBL=table name

Panel Descriptions

• Default to Live RACF Database This field indicates the location of the RACF database from which the Extract program obtains its data. Specify NO to display the Extract Override Data Sets panel (see below), where you can specify up to nine fully qualified RACF data sets. Specify YES to have the RACF Data Set Name Table queried for the actual RACF data sets to read.

Extract Override Data Sets

VANGUARD ADMINISTRATOR                                   Date: 00/10/22
COMMAND ===>                                             Time: 07:34

                       EXTRACT OVERRIDE DATA SETS

Enter the data set names below to be used as input to this run of Extract.

DSN 1 ===>
DSN 2 ===>
DSN 3 ===>
DSN 4 ===>
DSN 5 ===>
DSN 6 ===>
DSN 7 ===>
DSN 8 ===>
DSN 9 ===>

• Select/Exclude Profile Classes? This field allows you to either select or exclude RACF database classes for the extract. Specify YES, to display the Extract Class Select/Exclude Overrides panel (see below) where included and excluded classes are entered. Specify NO, to extract all RACF classes.

Extract Class Select/Exclude Overrides

VANGUARD ADMINISTRATOR                                   Date: 01/03/23
COMMAND ===>                                             Time: 07:36

                 EXTRACT CLASS SELECT/EXCLUDE OVERRIDES

Valid class names are USER, GROUP, DATASET, and classes in the CDT.
You may not SELECT and EXCLUDE in the same Extract.

Enter the CLASS names below to SELECT as input to this run of Extract.

________ ________ ________ ________ ________
________ ________ ________ ________ ________
________ ________ ________ ________ ________

Enter the CLASS names below to EXCLUDE as input to this run of Extract.

________ ________ ________ ________ ________
________ ________ ________ ________ ________
________ ________ ________ ________ ________

Only classes specified for selection are included in the extracted data set. The opposite is true for excluded classes. All classes not excluded are included in the extracted data set.

Caution: If you elect to extract from other than the active RACF database or to Select/Exclude profile classes, a warning panel is displayed. Please refer to Results of Marking a Partial Extract as Full below.

Extract Runtype Specification

VANGUARD ADMINISTRATOR                                   Date: 01/03/23
COMMAND ===>                                             Time: 07:38

                     EXTRACT RUNTYPE SPECIFICATION

You have selected either user defined data sets for this Extract, or you
have chosen to select or exclude certain classes of profiles. This Extract
can potentially create erroneous commands if used as input to the command
generator program.

Indicate below if you still wish this Extract to be marked as a full run.
Marking this Extract as a full run will allow it to be used as input to
the command generator program.

Do you want this Extract marked as a Full Run ?  ==> NO  (Yes/No)

                 Use EXTREME caution if you answer YES

Results of Marking a Partial Extract as Full

If you do not mark the Extract as a Full Run, no Administrator commands can be executed against it and all reports will carry a notation of this fact. When a part of the RACF database is not reflected in the output data sets, reports may be in error and commands may lead to disastrous results. The following paragraphs contain an example of what can happen if the Extract is erroneously marked as a Full Run.

Caution: The following is an example of what not to do.

Scenario: Assume that the user omitted one of the data sets that make up the database and then marked the Extract as a Full Run. Assume also that several Group and User profiles resided in the omitted data set.

When the Extract program runs, it does not extract those users and groups and produces no records for them. Because the Extract file was marked as a Full Run, commands use it for input. Now suppose that the OBSOLETE command is run. Since OBSOLETE removes invalid users and groups from all access lists, it removes the users and groups that were not extracted wherever it finds them. Users permitted to resources by means of a deleted group would no longer have access to those resources.

This type of an error can be time consuming to debug and fix. Until the problem is resolved, those users may not be able to fully utilize the system.
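As an added illustration of the scenario above (example code written for this page, not Vanguard's OBSOLETE implementation), the following Python models a RACF database split across two data sets, an Extract that omits one of them, and an OBSOLETE step that removes access-list entries whose IDs are absent from the Extract. The data set names, user and group IDs and access lists are constructed for the example; the Full Run guard in obsolete() mirrors the page's rule that no commands can be executed against an Extract that is not marked as a Full Run.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Extract:
    """The user and group IDs present in the Extract files, plus the Full Run flag."""
    users: Set[str]
    groups: Set[str]
    full_run: bool


# Constructed sample: the RACF database is split across two data sets, as
# happens when a range table assigns profiles to more than one data set.
RACF_DATA_SETS: Dict[str, Dict[str, Set[str]]] = {
    "SYS1.RACF.PRIMARY": {"users": {"ALICE", "BOB"}, "groups": {"SYS1", "PAYROLL"}},
    "SYS1.RACF.SECOND": {"users": {"CAROL"}, "groups": {"AUDITGRP"}},
}

# Constructed sample access lists: resource -> {ID: access}. OLDUSER is a
# genuinely deleted user that OBSOLETE is supposed to remove.
ACCESS_LISTS: Dict[str, Dict[str, str]] = {
    "PAYROLL.MASTER": {"PAYROLL": "UPDATE", "CAROL": "READ", "OLDUSER": "READ"},
    "SYS1.PARMLIB": {"SYS1": "ALTER", "AUDITGRP": "READ"},
}


def run_extract(data_sets: List[str], mark_full: bool) -> Extract:
    """Extract only the profiles held in the named data sets; leaving one out
    models the omitted data set in the scenario."""
    users: Set[str] = set()
    groups: Set[str] = set()
    for name in data_sets:
        users |= RACF_DATA_SETS[name]["users"]
        groups |= RACF_DATA_SETS[name]["groups"]
    return Extract(users, groups, mark_full)


def obsolete(extract: Extract, access_lists: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Model of OBSOLETE: for each resource, the IDs that would be removed from
    the access list because they are not in the Extract. Refuses an Extract
    that is not marked as a Full Run, as the page says Administrator does."""
    if not extract.full_run:
        raise PermissionError("Extract is not marked as a Full Run; no commands generated")
    known = extract.users | extract.groups
    removals: Dict[str, List[str]] = {}
    for resource, acl in access_lists.items():
        gone = sorted(entry for entry in acl if entry not in known)
        if gone:
            removals[resource] = gone
    return removals


def collateral_damage(full_removals: Dict[str, List[str]],
                      partial_removals: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """IDs removed only because the Extract was partial: still-valid users and
    groups that would silently lose access."""
    out: Dict[str, List[str]] = {}
    for resource, gone in partial_removals.items():
        extra = sorted(set(gone) - set(full_removals.get(resource, [])))
        if extra:
            out[resource] = extra
    return out


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]], Dict[str, List[str]]]:
    """Compare OBSOLETE against a complete Extract and against a partial one
    that was wrongly marked as a Full Run."""
    full = run_extract(list(RACF_DATA_SETS), mark_full=True)
    partial = run_extract(["SYS1.RACF.PRIMARY"], mark_full=True)  # the mistake
    full_removals = obsolete(full, ACCESS_LISTS)
    partial_removals = obsolete(partial, ACCESS_LISTS)
    return full_removals, partial_removals, collateral_damage(full_removals, partial_removals)


if __name__ == "__main__":
    full_removals, partial_removals, damage = demo()
    print("removed with a complete Extract:", full_removals)
    print("removed with a partial Extract :", partial_removals)
    print("valid IDs that lose access     :", damage)
```

With the complete Extract only OLDUSER is removed; with the partial Extract, CAROL and AUDITGRP, both still defined to RACF, are removed as well, which is the outcome the scenario describes. Leaving the Full Run flag off makes obsolete() refuse instead.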

• Database ID This field uniquely identifies an extracted RACF database, which allows multiple RACF databases to be loaded into the Administrator DB2 tables. By default, the database ID is your Administrator customer number; however, you can replace it with any 8-character string.

• Extract Small VSAM Specify the unquoted fully qualified data set name containing the small VSAM data. It will contain information about Users and Groups.

• Extract Medium VSAM Specify the unquoted fully qualified data set name containing the medium VSAM data. It will contain information about Datasets and Resources.

• Extended Access List If YES is entered, additional Access List and Conditional Access List records are created. Record IDs 912 and 915, respectively, are indexed VSAM records that give better performance when Access records are retrieved. Additional DASD space is required when the Extended Access List records are selected; this feature is optional when creating Extract records.

• Region Size Set For A minimum region size of 6M is required for the Extract batch job.

• Reports Will Go To Indicate where reports generated during the Extract process are written. Specify either a SYSOUT class, or a pre-allocated, fully qualified data set name, without quotes.

• Extract JCL Will Be Placed In Indicate the data set that contains the Extract batch JCL. It allows you to browse, edit, or submit the extract job.

RACF Classes That No Longer Exist

When the Extract program runs, it produces VSAM records for all profiles in the RACF database. This includes profiles that may have been defined for classes no longer defined to RACF. The Extract program produces one or more error messages when this occurs. This same situation could occur if you run the Extract program against a RACF database from a different system. Note that the Extract file is usable. Any RACF commands generated for profiles in the invalid class are rejected by RACF when they are executed.

The Extract Audit Report

The Extract program produces a report called the Extract Audit Report. In addition to specifying the record type of the profiles and segments extracted from the RACF database, it also specifies the record count for each generated extract file.

When you complete the Extract definitions, the following panel will display. You must submit this panel to process the Extract.

Administrator JCL Processing

VANGUARD ADMINISTRATOR                                   Date: 01/03/30
COMMAND ===>                                             Time: 14:11

          A D M I N I S T R A T O R   J C L   P R O C E S S I N G

Processing Dataset: QA.VRA420.EXTRACT.JCL

Select one of the following options:

   E  Edit The Generated JCL File
   B  Browse The Generated JCL File
   S  Submit The Generated JCL File

Notice: If you select the S option, VRA will delete the JCL file.

Load the Administrator Extract into DB2 Tables

Administrator DB2 reporting facilities help you manage RACF security. These facilities load Administrator DB2 tables and provide a way to customize reports and develop a database for Administrator reports.

Administrator DB2 tables and associated objects are created during installation of the Administrator DB2 product. The installer specifies the names chosen for the DB2 objects during a systematic panel-driven installation procedure. In-depth knowledge of DB2 is not required to install or maintain the DB2 component.

Note: The DB2 tables have changed with Administrator 3.1 and later versions. DB2 tables created with prior releases of the Administrator will not function in Administrator 3.1 and later versions.

Before you can load the Administrator extract into the DB2 tables, you must first:

• Complete the Initialization Variable Maintenance-DB2 panel (see page 61).

• Install/Reinstall the DB2 option (see page 64).

• Create and maintain Administrator DB2 objects (see page 71).

• Run the Extract Program option on the Data Services menu (see page 48).

The base tables are populated with data from the RACF database, using the VSAM files produced by the Administrator Extract function. Extract files from multiple RACF databases can be loaded into the same set of DB2 tables, since the records are prefixed with a database ID that makes them unique. The database ID defaults to the Administrator customer number, which can be overridden for a specific Extract run, on the Extract ISPF panel, with a user-defined value. By specifying unique database IDs when you run the Extract function, you can load multiple copies of the same RACF database extracted on different dates.

The Administrator Shadow Catalog is an optional feature designed to reduce contention for DB2 Catalog tables. If this option is chosen during installation, additional DB2 tables are generated and populated with data from the IBM DB2 Catalog (SYSIBM) authorization tables of the subsystem specified.

DB2 authorization reports are produced via an ISPF menu driven facility. These reports provide detailed information on DB2 privileges granted to a user or group.

The resources provided by the Administrator DB2 component help you develop custom facilities that address installation security requirements. Sample Query Management Facility (QMF) queries (described below) are shipped with the product.

Load Administrator DB2 Tables

Depending on the options that have been selected, the Administrator load process generates either four or six job steps:

• Unload all other DBIDs for the database (optional).

• Load the Administrator DB2 base tables, using the extract files as input.

• Load all other DBIDs.

• Load the Administrator shadow catalog tables (optional).

• Run the IBM DB2 RUNSTATS utility.

• REBIND the Administrator DB2 application plans.

Invoking and Processing the DB2 Load Function

If the Administrator DB2 component was installed (see page 64), the Load DB2 Tables panel can be invoked by choosing option 2 from the Data Services Menu. This panel allows you to choose Administrator VSAM files and DB2 identifiers for the DB2 Load Function.

Administrator DB2 JCL library member VDBLOAD may also be executed to load Administrator DB2 tables.

Load DB2 Tables

VANGUARD ADMINISTRATOR                                   Date: 01/03/25
COMMAND ===>                                             Time: 15:36

                           LOAD DB2 TABLES

Retain current data        ===> YES   (Keep all data for other DBIDs)
Extract Small VSAM DSN     ===> QA.VRA320.SVSAM
Extract Medium VSAM DSN    ===> QA.VRA320.MVSAM
DB2 Subsystem ID           ===> DB32
DB2 DSNLOAD DSN            ===> SYS1.DB2.SDSNLOAD
DB2 DSNEXIT DSN            ===> SYS1.DB2.SDSNEXIT
DB2 Object Prefix          ===>
DB2 Plan Prefix            ===> VRA

DB2 Load JCL Will Be Placed In:
   DATASET: ORG.VRA.DB2LOAD.JCL

Note: The Administrator VSAM Extract files you specify must exist before continuing. The DB2 Load Function opens the Extract files, counts the number of each of the record types, and calculates the optimum space requirements for the DB2 PRIQTY values. Additionally, the DBID of the Extract files is extracted and placed in the job (see below).

The DB2 LOAD utility loads Administrator DB2 base tables with the data contained in Administrator VSAM Extract files. These tables are then available for other processes, including user generated SQL queries. Prior to loading data from Administrator VSAM Extract files, all rows in the tables with the same database ID as the extract file database are deleted. This ensures that no residual rows remain. The program performs a DB2 commit after each unit of work.

Note: If Administrator scoping is in effect, only data that is viewable by the submitter of the DB2 Load Function is loaded into the DB2 tables. If the DB2 LOAD process is run under the authority of a GROUP SPECIAL user, then the data loaded into the DB2 tables is only the subset of data that is within this user's scope.

If Yes is specified for Retain current data, a REORG utility is executed to unload Administrator DB2 base tables. All unloaded files with the same database ID as the extract file database ID are omitted by way of a sort control statement. If NO is specified, the REORG and SORT steps are not generated. The LOAD utility writes over existing rows in the database. The LOAD and REORG LOAD utilities provide a count of the records inserted per table.

When you complete the Load DB2 Tables definitions, the Administrator JCL Processing panel will display. You must submit this panel to process the Load DB2 Tables function.

Administrator JCL Processing

VANGUARD ADMINISTRATOR                                   Date: 01/03/30
COMMAND ===>                                             Time: 14:11

          A D M I N I S T R A T O R   J C L   P R O C E S S I N G

Processing Dataset: ORG.VRA.DB2LOAD.JCL

Select one of the following options:

   E  Edit The Generated JCL File
   B  Browse The Generated JCL File
   S  Submit The Generated JCL File

Notice: If you select the S option, VRA will delete the JCL file.

Initialization Variable Maintenance

Initialization Variable Maintenance contains a series of panels that allow the security administrator to change installation-defined values. These values are propagated to each Administrator user when they start their next Administrator session.

Note: STEPLIB and SYSEXEC data set names are specified during Administrator customization. For information, see the Vanguard Security Solutions Installation Guide appendix.

Invoking and Processing Initialization Variable Maintenance

Initialization Variable Maintenance is invoked from option 3 on the Data Services Menu.

Initialization Variable Maintenance – General

Initialization Variable Maintenance – General

VANGUARD ADMINISTRATOR                                   Date: 04/04/27
COMMAND ===>                                             Time: 09:28

            INITIALIZATION VARIABLE MAINTENANCE - GENERAL

Permanent Data Set Unit Name   ===> SYSALLDA
   or Storage Class            ===>
      Data Class               ===>
      Management Class         ===>

Sortwork Data Set Unit Name    ===> SYSALLDA
   or Storage Class            ===>
      Data Class               ===>
      Management Class         ===>

Allow ADMINISTRATOR's "GORACF" command?  ===> YES  (Yes or No)
Display Future Events?                   ===> N    (Y or N)

<Enter> to continue    END to exit (without saving changes)    HELP for more info

Panel Descriptions

• Permanent Data Set Unit Name The unit name to be used for permanent Administrator data sets, such as the submit JCL library, and the Command files. For SMS managed systems, do not enter UNIT. Enter only one or more SMS Class variables:

• SMS Storage Class

• SMS Data Class

• SMS Management Class

• Sortwork Data Set Unit Name The unit name to be used for Sortwork data sets. For SMS managed systems, do not enter UNIT. Enter only one or more SMS Class variables:

• SMS Storage Class

• SMS Data Class

• SMS Management Class

• Allow Administrator's “GORACF” command? Indicates the user's intent to use the Administrator's GORACF command, which allows a user to invoke IBM's RACF ISPF/PDF panels within Administrator. If YES is entered, the GORACF panel is displayed in a later step that requires you to specify the IBM RACF panel, message, skeleton and CLIST library names.

• Display Future Events If Future Events are scheduled for a given day, the Command Scheduler panel will automatically display these when Administrator is invoked. This gives the user the opportunity to execute those event commands. If your installation wants this panel to display automatically when Administrator starts up, enter Y.


Initialization Variable Maintenance – VSAM

After Enter is pressed on the Initialization Variable Maintenance - General panel, the Initialization Variable Maintenance - VSAM panel appears.

This panel defines the VSAM files where the information extracted from the RACF database is placed. The two VSAM files are called Small and Medium. These data sets are input to all Administrator report and command programs.

VANGUARD ADMINISTRATOR                                   Date: 01/02/12
COMMAND ===>                                             Time: 14:55
                  INITIALIZATION VARIABLE MAINTENANCE - VSAM

Small Extract DSN (vsam)   ==> XXXXXXX.V420.SVSAM
Small Extract Primary      ==> 2        (Number of Cyls - Primary)
Small Extract Secondary    ==> 1        (Number of Cyls - Secondary)
Small Extract VOLSER       ==> VIPDV1   (Volume for Small VSAM File)
   or Storage Class        ==>
      Data Class           ==>
      Management Class     ==>

Medium Extract DSN (vsam)  ==> XXXXXXX.V420.MVSAM
Medium Extract Primary     ==> 4        (Number of Cyls - Primary)
Medium Extract Secondary   ==> 1        (Number of Cyls - Secondary)
Medium Extract VOLSER      ==> VIPDV2   (Volume for Medium VSAM File)
   or Storage Class        ==>
      Data Class           ==>
      Management Class     ==>

Extended Access List       ==> N        (Y/N) (Y create alternate index records)

<Enter> to continue   END to exit (without saving changes)   HELP for more info

Panel Descriptions

• Small Extract DSN Name of the data set that contains the small VSAM data, fully qualified without quotes.

• Small Extract Primary Size of the primary space allocation for the small VSAM file, in cylinders. Typically, an allocation of 2,1 can handle up to 10,000 users. Review an IDCAMS list of the cluster after the first extract to ensure that secondary extents are not used. Then adjust the size of the primary allocation accordingly.

• Small Extract Secondary Size of the secondary space allocation for the small VSAM file, in cylinders. Typically, an allocation of 2,1 can handle up to 10,000 users. Review an IDCAMS list of the cluster after the first extract to ensure that secondary extents are not used. Then adjust the size of the primary allocation accordingly.

• Small Extract VOLSER Volser for the small VSAM file. For SMS managed systems, do not enter VOLUME. Enter only one or more SMS Class variables:

• SMS Storage Class

• SMS Data Class

• SMS Management Class

• Medium Extract DSN Name of data set that contains the medium VSAM data, fully qualified without quotes.

• Medium Extract Primary Size of the primary space allocation for the medium VSAM file, in cylinders. Typically, an allocation of 2,1 can handle up to 10,000 data set and general resource profiles. Review an IDCAMS list of the cluster after the first extract to ensure that secondary extents are not used. Then adjust the size of the primary allocation accordingly.

• Medium Extract Secondary Size of the secondary space allocation for the medium VSAM file, in cylinders. Typically, an allocation of 2,1 can handle up to 10,000 data set and general resource profiles. Review an IDCAMS list of the cluster after the first extract to ensure that secondary extents are not used. Then adjust the size of the primary allocation accordingly.

• Medium Extract VOLSER Volser for the medium VSAM file. For SMS managed systems, do not enter VOLUME. Enter only one or more SMS Class variables:

• SMS Storage Class

• SMS Data Class

• SMS Management Class

• Extended Access List If YES is entered, additional Access List and Conditional Access List records will be created. Record IDs 912 and 915, respectively, are indexed VSAM records that improve performance when Access records are retrieved. Additional DASD space is required when the Extended Access List records are selected, which is why this feature is optional when creating Extract records.


Initialization Variable Maintenance – GORACF

After Enter is pressed on the Initialization Variable Maintenance – VSAM panel, the Initialization Variable Maintenance - GORACF panel appears.

It contains parameters used to specify the fully qualified DSNs of the IBM RACF ISPF/PDF libraries.

VANGUARD ADMINISTRATOR                                   Date: 01/03/25
COMMAND ===>                                             Time: 14:50
                 INITIALIZATION VARIABLE MAINTENANCE - GORACF

RACF Panel Library DSN     ===> SYS1.HRFPANL
RACF Message Library DSN   ===> SYS1.HRFMSG
RACF Skeleton Library DSN  ===> SYS1.HRFSKEL
RACF CLIST Library DSN     ===> SYS1.HRFCLST

<Enter> to continue   END to exit (without saving changes)   HELP for more info

Panel Descriptions

• RACF Panel Library DSN Library where IBM's RACF ISPF/PDF panel component resides, fully qualified without quotes.

• RACF Message Library DSN Library where IBM's RACF ISPF/PDF message component resides, fully qualified without quotes.

• RACF Skeleton Library DSN Library where IBM's RACF ISPF/PDF skeleton component resides, fully qualified without quotes.

• RACF CLIST Library DSN Library where IBM's RACF ISPF/PDF CLIST component resides, fully qualified without quotes.


Initialization Variable Maintenance – DB2

After Enter is pressed on the Initialization Variable Maintenance – GORACF panel, the Initialization Variable Maintenance – DB2 panel will appear. It will display only if the Administrator DB2 component is installed.

VANGUARD ADMINISTRATOR                                   Date: 01/03/25
COMMAND ===>                                             Time: 14:51
                  INITIALIZATION VARIABLE MAINTENANCE - DB2

DB2 Subsystem ID         ===> DB32   (1-4 Character DB2 Subsystem ID)
DB2 Version and Release  ===> 3.5    (3 Character DB2 Version & Release (x.x))
DB2 Load Library DSN     ===> SYS1.DB2.SDSNLOAD   (DSN of DB2 DSNLOAD Library)
DB2 Exit Library DSN     ===> SYS1.DB2.SDSNEXIT   (DSN of DB2 DSNEXIT Library; Optional)
DB2 Objects Prefix       ===> VRO    (3 Character Prefix for VANGUARD DB2 Storage Groups and Database)
Create Shadow Catalog?   ===> YES    (Create VRA DB2 Catalog Tables; YES/NO)
DB2 Plan Prefix          ===> VRA    (3 Character Prefix for VANGUARD Plans; Default - VRA)

<Enter> to continue   END to exit (without saving changes)   HELP for more info

Panel Descriptions

• DB2 Subsystem ID DB2 subsystem where the Administrator DB2 component is installed.

• DB2 Version and Release Specify the DB2 version and release in the three-character format of v.r where v is the version and r is the release. For example, DB2 version 2 release 3 would be entered as 2.3.

• DB2 DSNLOAD DSN Name of the DB2 load module library, fully qualified without quotes.

• DB2 DSNEXIT DSN Name of the DB2 exit load module library (optional), fully qualified without quotes.

• DB2 Object Prefix Three-character prefix of the Administrator DB2 Storage Group and Database. For example, if you specify XYZ, the Administrator DB2 Storage Group is named XYZSG001 and the Administrator Database is named XYZDB001.


• Create Shadow Catalog? Indicates whether a set of Administrator DB2 tables will be created that replicates the IBM DB2 catalog. Administrator Shadow Catalog tables are created to reduce contention against the IBM DB2 catalog. Type YES to generate the SQL DDL and the Administrator program JCL that creates and maintains the Administrator Shadow Catalog. Type NO to cause all requests for catalog information to access the IBM DB2 catalog.

• DB2 Plan Prefix Three-character prefix of Administrator DB2 application plans. For example, if you specify XYZ, the Administrator DB2 Application Plan is XYZLD000.

Initialization Variable Maintenance – UPDATE

VANGUARD ADMINISTRATOR                                   Date: 01/03/22
COMMAND ===>                                             Time: 13:48
                 INITIALIZATION VARIABLE MAINTENANCE - UPDATE

INITIALIZATION VARIABLE MAINTENANCE is complete.
If you wish to update the variables, enter YES and then press the <ENTER> key.

*** WARNING ***
Entering YES will re-write the Initialization Variables to the ADMINISTRATOR
variable control member and all users will be forced through User Initialization
the next time they enter ADMINISTRATOR.

NOTE: The VRAINSTV member stored in the ADMINISTRATOR Options Library will also
be updated so that it can be used for future installations of ADMINISTRATOR and
will always contain your current system defaults.

Update the INITIALIZATION control Date-Timestamp? ===> NO  (Yes or No)

Panel Descriptions

• Update the INITIALIZATION control Date-Timestamp? If you type YES, users are forced through User Initialization the next time they invoke Administrator. This value allows you to make all changes effective for Administrator users the next time they start Administrator.


Tailor Administrator Batch JCL

Tailor Administrator Batch JCL is invoked by selecting option 4 on the Data Services Menu.

The following panels allow you to customize the batch JCL members within Vanguard's JCL library.

The Administrator Batch Execution Job Statement Information panel is used to establish the JCL job statements for all Administrator batch jobs stored in the Administrator JCL Library.

Administrator Batch Execution Job Statement Information Display

VANGUARD ADMINISTRATOR                                   Date: 01/03/25
COMMAND ===>                                             Time: 14:54
          ADMINISTRATOR BATCH EXECUTION JOB STATEMENT INFORMATION

     ----+----1----+----2----+----3----+----4----+----5----+----6----+----7--
===> //VRA21JOB JOB (ACCOUNT),'NAME'
===> //*
===> //*
===> //*

<Enter> to continue   END to exit (without saving changes)   HELP for more info

If Enter is pressed, the Administrator Batch Environment panel is displayed, showing the progress of each job, as it is being built in the Batch Command DSN.

Administrator Batch Environment

VANGUARD ADMINISTRATOR                                   Date: 01/03/25
COMMAND ===>                                             Time: 14:56
                      ADMINISTRATOR BATCH ENVIRONMENT

ADMINISTRATOR JCL DSN  ===> QA.VRA320.VANJLIB
Batch Command DSN      ===> QA.VRA320.COMMAND

<Enter> to continue   END to exit (without saving changes)   HELP for more info

The Administrator Batch Environment panel provides the Administrator with the names for two important data sets:

• Administrator JCL DSN The name of the Administrator JCL Library where the JCL is written.

• Batch Command DSN The file used by Administrator batch programs when generating RACF commands, such as Clone User.


Install / Re-install DB2

Install / Re-install DB2 is invoked by selecting option 5 on the Data Services Menu and pressing ENTER, which displays the DB2 Variable Maintenance panel. Initialization Variable Maintenance must be executed before installing the DB2 option for the first time (see page 56).

The Install / Re-install DB2 function consists of a series of panels that allow the security administrator to activate the DB2 Option, to change the DB2 Option installation defined values, and to customize the DB2 JCL members in the Administrator DB2 JCL library.

The panels are:

• DB2 Batch Execution Job Statement Information

• DB2 Variable Maintenance

• Administrator DB2 Tailoring

• Administrator DB2 Object Profiles

• Administrator DB2 Object Profiles (continued)

• Administrator DB2 Plan Profiles

• DB2 Tailoring - UPDATE

The DB2 SQL (Structured Query Language) members are tailored and stored in the Administrator DB2 JCL Library.

After the DB2 component has been installed for the first time, re-execute the Initialization Variable Maintenance so that the DB2 option will be available to other users (see page 56).

Note: The online customization tutorial contains information that can answer most questions concerning the customization process.

Consult your DB2 DBA to determine the appropriate DB2 values. Information such as the data set names of the DB2 load module library, DB2 exit module library, prefixes for DB2 objects, etc. is necessary to customize the Administrator's DB2 component.

The CREATESG privilege or SYSADM authority is required to create the Administrator DB2 storage group. The CREATEDBA privilege, the CREATEDBC privilege, or SYSADM authority is required to create Administrator DB2 databases. Vanguard recommends that both the DB2 Storage Group and the databases be created by a DB2 user with SYSADM authority. The DBADM privilege on the Administrator DB2 databases can then be granted to the security administrator customizing the remaining objects.


DB2 Batch Execution Job Statement Information

DB2 Batch Execution Job Statement Information allows the security administrator to establish JCL job statements used for all Administrator DB2 batch jobs stored in the Administrator DB2 JCL Library.

VANGUARD ADMINISTRATOR                                   Date: 01/03/25
COMMAND ===>                                             Time: 14:59
              DB2 BATCH EXECUTION JOB STATEMENT INFORMATION

     ----+----1----+----2----+----3----+----4----+----5----+----6----+----7--
===> //VRA320DB JOB (ACCOUNT),'NAME'
===> //*
===> //*
===> //*

<Enter> to continue   END to exit (without saving changes)   HELP for more info

DB2 Variable Maintenance

VANGUARD ADMINISTRATOR                                   Date: 01/03/25
COMMAND ===>                                             Time: 15:00
                        DB2 VARIABLE MAINTENANCE

DB2 Subsystem ID         ===> DB32   (1-4 Character DB2 Subsystem ID)
DB2 Version and Release  ===> 3.5    (3 Character DB2 Version & Release (v.r))
DB2 Load Library DSN     ===> SYS1.DB2.SDSNLOAD   (DSN of DB2 DSNLOAD Library)
DB2 Exit Library DSN     ===> SYS1.DB2.SDSNEXIT   (DSN of DB2 DSNEXIT Library; Optional)
DB2 Objects Prefix       ===> VRO    (3 Character Prefix for VANGUARD DB2 Storage Groups and Database)
Create Shadow Catalog?   ===> YES    (Create VRA DB2 Catalog Tables; YES/NO)
DB2 Plan Prefix          ===> VRA    (3 Character Prefix for VANGUARD Plans)

<Enter> to continue   END to exit (without saving changes)   HELP for more info

Panel Descriptions

• DB2 Subsystem ID DB2 subsystem where the Administrator DB2 component is installed.

• DB2 Version and Release Specify the DB2 version and release in the 3-character format of v.r where v is the version and r is the release. E.g., DB2 version 2 release 3 would be entered as 2.3.

• DB2 DSNLOAD DSN Name of the DB2 load module library, fully qualified without quotes.

• DB2 DSNEXIT DSN Name of the DB2 exit load module library (optional), fully qualified without quotes.

• DB2 Object Prefix Three-character prefix of the Administrator DB2 Storage Group and Database. E.g., if you specify XYZ, the Administrator DB2 Storage Group is named XYZSG001 and the Administrator Database is named XYZDB001.

• Create Shadow Catalog? Indicates whether a set of Administrator DB2 tables will be created that replicates the IBM DB2 catalog. Administrator Shadow Catalog tables are created to reduce contention against the IBM DB2 catalog. Valid values are YES, which generates the SQL DDL and Administrator program JCL to create and maintain the Administrator Shadow Catalog; and NO, which causes all requests for catalog information to access the IBM DB2 catalog.

• DB2 Plan Prefix Three-character prefix of Administrator DB2 application plans. For example, if you specify XYZ, the Administrator DB2 Application Plan is XYZLD000.


Administrator DB2 Tailoring

This panel allows the security administrator to establish Administrator DB2 JCL and Administrator DB2 DBRM Library names.

VANGUARD ADMINISTRATOR                                   Date: 01/03/25
COMMAND ===>                                             Time: 15:02
                       ADMINISTRATOR DB2 TAILORING

ADMINISTRATOR DB2 JCL Data Set Name           ===> QA.VRA320.VANDB2
ADMINISTRATOR DB2 DBRM Library Data Set Name  ===> QA.VRA320.VANDBRM
Extract Small VSAM DSN                        ===> QA.VRA320.SVSAM
Extract Medium VSAM DSN                       ===> QA.VRA320.MVSAM

<Enter> to continue   END to exit (without saving changes)   HELP for more info

Warning: The Administrator VSAM Extract files entered in the above panel must exist before continuing. The DB2 Load Function opens the Extract files, counts the number of each of the record types, and calculates the optimum space requirements for the DB2 PRIQTY values. Additionally, the DBID of the Extract files is extracted and placed in the job.

Panel Descriptions

• Administrator DB2 JCL DSN Name of the Administrator DB2 JCL Library.

• Administrator DB2 DBRM Library DSN Name of the Administrator DB2 DBRM Library.


Administrator DB2 Object Profiles

Two panels are required for this information.

VANGUARD Administrator                                   Date: 01/03/25
COMMAND ===>                                             Time: 15:03
                    ADMINISTRATOR DB2 OBJECT PROFILES

DB2 Objects Creator  ===> SGRIND   (Authid to use as CREATOR of VANGUARD DB2 Objects)
DB2 VCAT Name        ===> DSN320   (Alias of ICF catalog for VANGUARD DB2 data sets)
DB2 VCAT Password    ===>          (ICF Catalog Password)

<Enter> to continue   END to exit (without saving changes)   HELP for more info

Panel Descriptions

• DB2 Objects Creator Authorization Id (Authid) to use when creating Administrator DB2 objects. The SET CURRENT SQLID statement is set to this value during creation of DB2 objects.

• DB2 VCAT Name ICF catalog alias used for Administrator DB2 table spaces and index spaces.

• DB2 VCAT Password If the ICF catalog is password protected, specify the password used to access the VSAM catalog. This password does not appear as you type.

Administrator DB2 Object Profiles (continued)

VANGUARD ADMINISTRATOR                                   Date: 02/08/09
COMMAND ===>                                             Time: 09:31
              ADMINSTRATOR DB2 OBJECT PROFILES (continued)

Tablespace Bufferpool  ===> BP0   (DB2 Bufferpool for 4K VANGUARD TS's)
Index Bufferpool       ===> BP0   (DB2 Bufferpool for 4K VANGUARD IX's)
Database Bufferpool    ===> BP0   (DB2 Bufferpool for 4K VANGUARD DB's)

** Volume Serial 1 or SMS indication Required for VANGUARD DB2 Objects **
Volume Serial 1        ===> VIPQA2   or "SMS" ===>
** (optional: Enter additional Storage group Volumes                    **
**  or: Enter "SMS" for SMS to manage the extension of data sets)       **
Volume Serial 2        ===>          or "SMS" ===>
Volume Serial 3        ===>          or "SMS" ===>

<Enter> to continue   END to exit (without saving changes)   HELP for more info

Panel Descriptions


• Tablespace Bufferpool This required parameter is used to specify the DB2 buffer pool used for ADMINISTRATOR table spaces. Valid values are: BP0, BP1, or BP2. The default value is BP0.

• Index Bufferpool This required parameter is used to specify the DB2 buffer pool used for ADMINISTRATOR index spaces. Valid values are: BP0, BP1, or BP2. The default value is BP0.

• Database Bufferpool This required parameter is used to specify the DB2 buffer pool used for the ADMINISTRATOR database. Valid values are: BP0, BP1, or BP2. The default value is BP0.

• Volume Serial 1 This required parameter is used to specify a DASD volume serial number available for ADMINISTRATOR DB2 table spaces and index spaces via the ADMINISTRATOR storage group.

• Volume Serial 2 & 3 These optional parameters are used to specify additional DASD volumes that will be available for ADMINISTRATOR DB2 table spaces and index spaces via the ADMINISTRATOR storage group.

Administrator DB2 Plan Profiles

VANGUARD ADMINISTRATOR                                   Date: 01/03/25
COMMAND ===>                                             Time: 15:05
                     ADMINISTRATOR DB2 PLAN PROFILES

DB2 Plan Prefix  ===> VRA      (3 Character Prefix for VANGUARD Plans)
DB2 Plan Owner   ===> SGRIND   (Authid of VANGUARD Plan Owner; Default - Objects Creator)

Grant Execute Authority on VRA Application Plans to:
KLANE     JJINE     JCHO      CHAWKS    EARRON    LOMG
--------  --------  --------  --------  --------  --------

<Enter> to continue   END to exit (without saving changes)   HELP for more info


Panel Descriptions

• DB2 Plan Prefix Three-character prefix for the Administrator DB2 Application Plans. For example, if you specify XYZ, the Administrator DB2 Application Plans are named XYZLD000.

• DB2 Plan Owner Authorization Id (Authid) to use as the owner of Administrator DB2 Application Plans. The owner has EXECUTE, BIND and GRANT authority for all Administrator DB2 Application Plans.

• Grant Execute Authority on Vanguard Application Plans to Additional users to be granted EXECUTE authority on Administrator DB2 Application Plans. The DB2 plan owner authorization Id must not be specified as one of the optional Ids.

DB2 Tailoring – Update

This panel allows you to type Yes to update Administrator with the values from the previously displayed panels. Type No to cancel the process.

VANGUARD ADMINISTRATOR                                   Date: 01/03/25
COMMAND ===>                                             Time: 15:06
                         DB2 TAILORING - UPDATE

The DB2 Variable Maintenance is complete.
If you wish to update the variables, enter YES and then press <Enter>.

*** WARNING ***
Also, the members in the DB2 JCL Library will be updated and manual changes
you may have made will be lost.

Update the Initialization control Date-Timestamp and
recustomize the DB2 JCL Library? ===> NO  (Yes or No)

Panel Descriptions

• Update the INITIALIZATION control Date-Timestamp? Type Yes to store all variables from the DB2 Variable Maintenance panels and to force all users through the User Initialization panels the next time they invoke Administrator. The Administrator DB2 JCL library specified on the Administrator DB2 Tailoring panel is re-written using the information from these panels. Type No to exit; nothing is saved.

Warning: Manual changes made to the members in the Administrator DB2 JCL library will be lost. To retain manual changes, ensure that a different library name is entered or that the members have been saved elsewhere.


Administrator DB2 Tailoring

If YES is entered, the Administrator DB2 Tailoring panel displays the progress of each job as it is being built in the DB2 JCL library.

Administrator DB2 Customization

After completion of the Install/Reinstall DB2 option described in this chapter, the Administrator DB2 JCL library will contain the tailored SQL and JCL used to create and maintain Administrator DB2 objects. The generated members of the Administrator DB2 JCL library are listed below. The $DOC member should be reviewed for the proper execution sequence.

Table 14. Generated Members of the Administrator DB2 JCL library

Member Content Description

$DOC Instructions DB2 Install instructions

DROPPREV SQL Drop for prior releases

DROPOBJS SQL Drop all or selected Administrator DB2 objects

DEFSGDB SQL Create Administrator DB2 storage group and databases

DEFTBLS SQL Create Administrator DB2 Table spaces

DEFVIEWS SQL Create Administrator DB2 Views

DB2BIND JCL JCL to Bind Administrator DB2 Application Plans

DB2GRANT SQL Grant EXECUTE authorization to Administrator DB2 Application Plans

VDBLOAD JCL Load Administrator DB2 tables and execute DB2 RUNSTATS utility

DB2ALTER SQL SPUFI member DB2ALTER may be modified to reflect table space and index space values for multiple Administrator VSAM extracts. The values furnished in the VDBLOAD and DB2ALTER members have been optimized to the values required for the VSAM extract entered in the ‘User Initialization’ panel. NOTE: The DB2ALTER member is not required for normal (single VSAM extract) processing.

DB2REORG JCL Reorganize Administrator DB2 Table spaces

QMFPROC QMF QMF Sample Application #1 Proc

QMFFORM QMF QMF Sample Application #1 Form

QMFQUERY QMF QMF Sample Application #1 Query

QMFPROC2 QMF QMF Sample Application #2 Proc

QMFFORM2 QMF QMF Sample Application #2 Form

QMFQRY2 QMF QMF Sample Application #2 Query

Creating Administrator DB2 Objects


Administrator DB2 objects are created using Structured Programming Using File Input (SPUFI). DEFSGDB, DEFTBLS and DEFVIEWS are input to SPUFI in sequence and must have a SQL completion code of 0.

DROPOBJS contains SQL to drop Administrator DB2 objects. It should be used only when an error occurs during object creation that requires the object to be dropped and recreated. It can also be used if the entire Administrator DB2 component is being deleted.

Note: Use caution when you execute this SQL because it deletes all Administrator DB2 objects.

Binding Administrator DB2 Application Plans

DB2BIND contains JCL to bind Administrator DB2 Application Plans. This job must be executed after all Administrator DB2 objects have been created. The DB2 Optimizer uses statistics from the DB2 Catalog to determine the most efficient data access path. Job VDBLD000 also contains JCL to execute the DB2 RUNSTATS Utility that updates the catalog with current statistics.

Loading Administrator DB2 Tables

DB2 RUNSTATS

The IBM RUNSTATS utility is executed after loading the Administrator base tables and shadow catalog tables. This DB2 utility updates the DB2 catalog with statistics related to Administrator DB2 tables. This should improve response time for ad hoc queries since the DB2 Optimizer is using up-to-date statistics.

DB2 Rebind

The last step in the Administrator DB2 load process is a REBIND of all Administrator DB2 application plans. This DB2 subcommand rebinds an application plan when changes have been made that affect the plan, but the SQL statements in the program have not changed.


Sample DB2 Queries

Once a copy of the RACF database exists in DB2 you can use powerful query languages such as QMF (Query Management Facility) to view RACF data in a meaningful format. Two sample QMF procedures are shipped with the Administrator product to provide examples of the type of reports that can be generated. These samples are contained in the Administrator DB2 JCL (VANDB2J) library. Member names are prefixed with QMF (QMFPROC, QMFFORM, QMFQUERY, QMFPROC2, QMFFORM2 and QMFQRY2). To execute these queries and view the generated reports, take the following steps:

1. Enter the QMF Main Panel. You may have to contact your DBA to determine how to enter QMF at your site.

2. From the QMF Main Panel type: IMPORT PROC FROM 'xxxxxxxx(QMFPROC)'

or IMPORT PROC FROM 'xxxxxxxx(QMFPROC2)'

Note: xxxxxxxx is the Administrator DB2 JCL library chosen during installation.

3. Press F2 to run the procedure.

Query 1

This query allows the specification of a User ID that is defined to RACF. It then finds all of the groups that the user is connected to and lists the following for each group:

• User ID specified.

• Name of the User ID specified.

• Owner of the group.

• Any group attributes the user has in the group (SPECIAL, OPERATIONS, AUDITOR, and REVOKE).

• Whether ADSP and TERMUACC are in effect.

• Group UACC for the user.

• Group authority the user has (USE, CREATE, JOIN, and CONNECT).

• Date the group was created.


Query 2

This query allows the specification of a User ID that is defined to RACF. It then finds all of the access list entries that contain either the User ID itself or any Group ID the user is connected to. This query allows an installation to quickly see if a user has multiple access paths to a resource and whether the access via each of those paths is consistent. The following information is displayed for each access list entry.

• Class of the resource.

• Name of the resource.

• User ID of the user.

• Name of the user.

• User ID or Group ID via which the user has access to the resource.

• Level of access the user has to the resource.
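The two sample queries above are shipped as QMF procedures, which this guide does not reproduce. The block below is an added example, not Vanguard's QMFPROC/QMFPROC2 code: it expresses Query 1 and Query 2 as SQL over the views named in Table 15 (VRAVW100, VRAVW200, VRAVW900, VRAVW902) and adds a check that flags resources a user reaches through more than one path with different access levels, which is the inconsistency Query 2 is meant to expose. The column names are hypothetical placeholders (the guide does not list the view columns), the rows are constructed sample data, and sqlite3 stands in for DB2 so the block runs offline.

```python
"""Sample queries over a DB2 copy of the RACF database.

Added example (not Vanguard's QMFPROC/QMFPROC2 procedures). The view
names VRAVW100, VRAVW200, VRAVW900 and VRAVW902 come from Table 15;
every column name is a hypothetical placeholder because the guide does
not list the columns of the views. sqlite3 stands in for DB2 so the
block runs offline, and the rows are constructed sample data.
"""
import sqlite3

# Constructed sample data: two groups, two users, and access list entries
# that reach the same resource both directly and through a group.
SAMPLE_SQL = """
CREATE TABLE VRAVW100 (GROUP_ID TEXT, OWNER_ID TEXT, CREATE_DATE TEXT);
CREATE TABLE VRAVW200 (USER_ID TEXT, USER_NAME TEXT);
CREATE TABLE VRAVW900 (USER_ID TEXT, GROUP_ID TEXT, GRP_SPECIAL TEXT,
                       GRP_OPERATIONS TEXT, GRP_AUDITOR TEXT, REVOKED TEXT,
                       ADSP TEXT, TERMUACC TEXT, UACC TEXT, AUTHORITY TEXT);
CREATE TABLE VRAVW902 (CLASS TEXT, RESOURCE TEXT, ACCESS_ID TEXT,
                       ACCESS_LEVEL TEXT);
INSERT INTO VRAVW100 VALUES ('PAYROLL', 'SYSADM', '2004-01-15'),
                            ('DEVTEAM', 'SYSADM', '2003-11-02');
INSERT INTO VRAVW200 VALUES ('JSMITH', 'JANE SMITH'), ('BJONES', 'BOB JONES');
INSERT INTO VRAVW900 VALUES
  ('JSMITH', 'PAYROLL', 'NO',  'NO', 'YES', 'NO', 'NO', 'YES', 'NONE', 'USE'),
  ('JSMITH', 'DEVTEAM', 'YES', 'NO', 'NO',  'NO', 'NO', 'YES', 'NONE', 'CONNECT'),
  ('BJONES', 'DEVTEAM', 'NO',  'NO', 'NO',  'NO', 'NO', 'YES', 'NONE', 'USE');
INSERT INTO VRAVW902 VALUES
  ('DATASET',  'PAY.MASTER',    'PAYROLL', 'READ'),
  ('DATASET',  'PAY.MASTER',    'JSMITH',  'ALTER'),
  ('FACILITY', 'BPX.SUPERUSER', 'DEVTEAM', 'READ'),
  ('DATASET',  'DEV.SOURCE',    'BJONES',  'UPDATE');
"""

# Query 1: every group the user is connected to, with the connect
# attributes and group data the guide lists for this report.
QUERY1 = """
SELECT u.USER_ID, u.USER_NAME, c.GROUP_ID, g.OWNER_ID,
       c.GRP_SPECIAL, c.GRP_OPERATIONS, c.GRP_AUDITOR, c.REVOKED,
       c.ADSP, c.TERMUACC, c.UACC, c.AUTHORITY, g.CREATE_DATE
  FROM VRAVW200 u
  JOIN VRAVW900 c ON c.USER_ID = u.USER_ID
  JOIN VRAVW100 g ON g.GROUP_ID = c.GROUP_ID
 WHERE u.USER_ID = ?
 ORDER BY c.GROUP_ID
"""

# Query 2: every standard access list entry naming the user directly or
# naming a group the user is connected to.
QUERY2 = """
SELECT a.CLASS, a.RESOURCE, u.USER_ID, u.USER_NAME, a.ACCESS_ID, a.ACCESS_LEVEL
  FROM VRAVW902 a
  JOIN VRAVW200 u ON u.USER_ID = ?
 WHERE a.ACCESS_ID = u.USER_ID
    OR a.ACCESS_ID IN (SELECT c.GROUP_ID FROM VRAVW900 c
                        WHERE c.USER_ID = u.USER_ID)
 ORDER BY a.CLASS, a.RESOURCE, a.ACCESS_ID
"""


def open_sample_db():
    """Load the constructed sample rows into an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.executescript(SAMPLE_SQL)
    return con


def user_connections(con, user_id):
    """Query 1 rows for one user: one row per connected group."""
    return con.execute(QUERY1, (user_id,)).fetchall()


def user_access_paths(con, user_id):
    """Query 2 rows for one user: one row per reachable access list entry."""
    return con.execute(QUERY2, (user_id,)).fetchall()


def inconsistent_access(paths):
    """Resources reached through more than one path with differing levels.

    Returns {(class, resource): {access_id: level}} for each resource
    whose access paths do not agree; an empty dict means consistent.
    """
    by_resource = {}
    for cls, res, _uid, _name, via, level in paths:
        by_resource.setdefault((cls, res), {})[via] = level
    return {k: v for k, v in by_resource.items() if len(set(v.values())) > 1}


if __name__ == "__main__":
    db = open_sample_db()
    for row in user_connections(db, "JSMITH"):
        print("CONNECT", row)
    paths = user_access_paths(db, "JSMITH")
    for row in paths:
        print("ACCESS ", row)
    for (cls, res), via in inconsistent_access(paths).items():
        print(f"INCONSISTENT {cls} {res}: {via}")
```

In the constructed data, JSMITH holds ALTER on PAY.MASTER directly but only READ through the PAYROLL group, so inconsistent_access reports that resource; the same review on a real DB2 copy would use the installation's actual view columns in place of the placeholders.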

DB2 Tables and Views

DB2Base Table Name   View Name   Description
E000_RECORD          VRAVW000    Active Class
E100_RECORD          VRAVW100    Group Profile
E103_RECORD          VRAVW103    Group Profile Subgrp
E104_RECORD          VRAVW104    Group Profile Usrdata
E110_RECORD          VRAVW110    Group Profile Dfp
E170_RECORD          VRAVW170    Group Profile Omvs
E175_RECORD          VRAVW175    Group Profile Ovm
E180_RECORD          VRAVW180    Group Profile Tme
E200_RECORD          VRAVW200    User Profile
E203_RECORD          VRAVW203    User Profile Clauth
E204_RECORD          VRAVW204    User Profile Usrdata
E205_RECORD          VRAVW205    User Profile Rrsfdata
E210_RECORD          VRAVW210    User Profile Dfp
E215_RECORD          VRAVW215    User Profile Digcert
E220_RECORD          VRAVW220    User Profile Tso
E225_RECORD          VRAVW225    User Profile Lnotes
E230_RECORD          VRAVW230    User Profile Cics
E235_RECORD          VRAVW235    User Profile Nds
E240_RECORD          VRAVW240    User Profile Language
E250_RECORD          VRAVW250    User Profile Operparm
E251_RECORD          VRAVW251    User Profile Mscope
E260_RECORD          VRAVW260    User Profile Workattr
E270_RECORD          VRAVW270    User Profile Omvs
E275_RECORD          VRAVW275    User Profile Ovm
E280_RECORD          VRAVW280    User Profile Netview
E281_RECORD          VRAVW281    User Profile Domain
E282_RECORD          VRAVW282    User Profile Opclass
E290_RECORD          VRAVW290    User Profile Dce
E291_RECORD          VRAVW291    User Profile Kerberos
E292_RECORD          VRAVW292    User Proxy Segment
E300_RECORD          VRAVW300    Dataset Profile
E304_RECORD          VRAVW304    Dataset Profile Userdata
E310_RECORD          VRAVW310    Dataset Profile Dfp
E380_RECORD          VRAVW380    Dataset Profile Tme
E400_RECORD          VRAVW400    General Resource Profile
E404_RECORD          VRAVW404    General Resource Profile Usrdata
E406_RECORD          VRAVW406    General Resource Profile Tapevol
E410_RECORD          VRAVW410    General Resource Profile Session
E411_RECORD          VRAVW411    General Resource Profile Entity
E415_RECORD          VRAVW415    General Resource Profile Digcert
E420_RECORD          VRAVW420    General Resource Profile Dlfdata
E430_RECORD          VRAVW430    General Resource Profile Ssignon
E440_RECORD          VRAVW440    General Resource Profile Started
E450_RECORD          VRAVW450    General Resource Profile Svfmr
E480_RECORD          VRAVW480    General Resource Profile Tme
E491_RECORD          VRAVW491    General Resource Kerberos Segment
E492_RECORD          VRAVW492    General Resource Proxy Segment
E900_RECORD          VRAVW900    User Group Connect
E901_RECORD          VRAVW901    Categories
E902_RECORD          VRAVW902    Standard Access List
E904_RECORD          VRAVW904    General Resource Profile Member
E905_RECORD          VRAVW905    Conditional Access
E912_RECORD          VRAVW912    Std Access In User/Group Seq
E915_RECORD          VRAVW915    Cond Access In User/Group Seq

Table 15. DB2Base Table Names and Corresponding View Name


Load Administrator Shadow Catalog Tables

Program VDBCAT00 (in the Administrator DB2 DBRM library) reads the IBM DB2 Catalog authorization tables and inserts all rows into the corresponding Administrator DB2 Shadow Catalog tables. The IBM and corresponding Administrator authorization tables are:

DB2 Shadow Catalog Table Name   Administrator DB2 Shadow Catalog Table Name
SYSIBM.SYSCOLAUTH               VRA_SYSCOLAUTH
SYSIBM.SYSDBAUTH                VRA_SYSDBAUTH
SYSIBM.SYSPLANAUTH              VRA_SYSPLANAUTH
SYSIBM.SYSTABAUTH               VRA_SYSTABAUTH
SYSIBM.SYSRESAUTH               VRA_SYSRESAUTH
SYSIBM.SYSUSERAUTH              VRA_SYSUSERAUTH
SYSIBM.SYSPACKAUTH              VRA_SYSPACKAUTH

Table 16. Corresponding IBM and Administrator Shadow Catalog Tables

Note: Administrator SYSPACKAUTH is created only if your installation is running at least DB2 Version 2 Release 3.

If the shadow catalog option was chosen during the installation process, the JCL to execute VDBCAT00 is generated as a step of the Administrator DB2 load process (see the DB2 Load Display shown previously). VDBCAT00 produces an audit report with detail record counts of rows inserted. An example of the DB2 Audit Report follows.

Administrator Shadow Catalog Audit
VDBCAT00      the RACF administrator                    Page 1
VER 1.08.0    VRA shadow catalog audit display
INSERT DATE: 09/06/96, 19:09:02
VRA_COLAUTH   ROWS INSERTED:     192
VRA_DBAUTH    ROWS INSERTED:     287
VRA_PLANAUTH  ROWS INSERTED:     980
VRA_RESAUTH   ROWS INSERTED:     152
VRA_TABAUTH   ROWS INSERTED:  11,877
VRA_USERAUTH  ROWS INSERTED:      48
VRA_PACKAUTH  ROWS INSERTED:      46
************************* END OF DISPLAY ********************


Chapter 5. Vanguard Security Server Commands Baseline Configuration

The Vanguard Security Server Command Facility allows the user to view and alter online information contained on the RACF database. This chapter discusses the process by which the Security Server Command Facility panel displays can be configured to contain only those fields that are meaningful to a specific user.

Overview of Vanguard Security Server Command Facility

The Vanguard Security Server Command Facility (VRC) allows the user to view and alter online information contained on the RACF database. This information is displayed on the Administrator's Security Server Command Facility panels. The user can alter the RACF database by over-typing fields. The newly entered values are automatically formatted into RACF commands, which can be executed in the foreground or in a batch job. The Security Server Command Facility provides normal RACF authority checking and logging, as well as interfacing to any installation defined RACF exit.

The information that a specific user is allowed to view and alter may be established in installation-wide baseline configurations. This is controlled by the access level (normal or group special) that a user has. Group-special users (i.e. users that are group-special over any connected group) will have one baseline while normal users will have another, more restricted, baseline. Both may be set up identically.

It is the function of the Security Server Command Facility administrator to establish these installation-wide baseline configurations, i.e., the information that the user is allowed to view and alter. This chapter describes this process.

Establishing Installation Baseline Configurations

The baseline profiles are saved in the data set allocated to the VIPOPTS DD. To prevent tampering with the profiles, this data set should be protected as Read Only to all users, except the Security Server Command Facility administrator(s).


To activate the global baseline configurations, the following line must exist in the VRAOPT00 member of the VANOPTS library within the data set allocated to the VIPOPTS DD:

VRCGLOBALCONFIG

If this line does not exist, the baseline configuration members will not be interrogated or used. See Table 17. Baseline Configurable Panels on page 79.

The baseline profiles are generated and maintained by using the SAVE command on each configurable panel (i.e. wherever the CONFIG command is currently allowed). This command is allowed only if the user has read access to the facility class profile VRAADM$.VRC.ADMIN (i.e. the user is considered the administrator).

Issuing the SAVE command triggers a test for the VRCGLOBALCONFIG line, in the VRAOPT00 member. If it does not exist, a baseline warning informs the Security Server Commands administrator that global baseline configuration is not in effect.

Baseline Warning

Baseline Warning
COMMAND ===>
WARNING: The "VRCGLOBALCONFIG" statement was NOT found in the VRAOPT00 member.
Baseline configurations can be set up but they will not be usable until activated by the above statement.
Press ENTER to continue or END to cancel.

Note: An alternate form of the SAVE command--VSAVE--is available for installations where the original SAVE command is used for other processes.

• VRAOPT00 parameters are described in the Vanguard Security Solutions Installation Guide.

• If the VRAADM$.VRC.ADMIN profile does NOT exist and there is a covering profile with a UACC of read (or higher), all users are able to issue the SAVE command.

After the SAVE command is issued, a message directs the Security Server Commands administrator to select either Group Special users or All other users.

Baseline User Type

Baseline User type
COMMAND ===>
Select one of the following:
  1  Group Special users
  2  All other users
Press ENTER to continue or END to cancel.


If a baseline member already exists for the selected user type, a message informs the Security Server Commands administrator of this and requests confirmation of the replacement.

Replace Confirmation

Replace Confirmation
COMMAND ===>
Baseline configuration already exists.
Press ENTER to replace or END to cancel.

The displayed configuration is saved to the appropriate VANOPTS member and constitutes the baseline configuration profile. This member name consists of the combination of panel name and user type, as shown in the Baseline Configurable Panels table below.

The configuration process should be performed twice, once for Group Special users and once for all other users.

Panel         Group Special Member   All Other Member
User          VRCUG00                VRCUO00
Connect       VRCCG00                VRCCO00
Dataset       VRCDG00                VRCDO00
StdPerm       VRCPG00                VRCPO00
CndPerm       VRCAG00                VRCAO00
Setropts      VRCSG00                VRCSO00
ClassOps      VRCKG00                VRCKO00
PWRules       VRCLG00                VRCLO00
General Res   VRCNG00                VRCNO00
Members       VRCMG00                VRCMO00
StdPerm       VRCEG00                VRCEO00
CndPerm       VRCFG00                VRCFO00
Group         VRCGG00                VRCGO00
Connect       VRCHG00                VRCHO00

Table 17. Baseline Configurable Panels

User Configuration Process

When you select a RACF profile type to process, a test is made for the VRCGLOBALCONFIG line in the VRAOPT00 member. If it does not exist, further global configuration baseline testing is not performed. This allows easy activation/deactivation of the global configuration process and prevents unnecessary processing when global configuration is not in effect.

If global baseline configuration is in effect, a test is made to determine which of four categories the user is assigned: system special, administrator, group special, or all others.

In the following discussion, testing is done only if the user's category is not SYSTEM SPECIAL or ADMINISTRATOR.


Note: Global baseline configuration does NOT apply to system special and administrator users. VRAOPT00 is described in the Vanguard Security Solutions Installation Guide.

As each configurable panel (listed above in Table 17) is entered, a test is made to see if a profile (based on panel name and user type) is stored in the VANOPTS data set. If it is, the date/time of that baseline profile is compared with the date/time of the user's saved configuration from the ISPF profile variable pool. If there is no saved configuration, the date/time is assumed to be zero.

If the baseline profile date/time is greater than the user's saved configuration date/time, the configuration processing is executed (without showing the user the configuration panel) in order to reset the user's saved configuration with the newer global baseline configuration. If the baseline profile date/time is zero (i.e. the profile does not exist) and the user's saved configuration date/time is not zero, the configuration processing is also executed (without showing the user the configuration panel), in this case to reset the user's saved configuration with all of the fields/segments possible. Note that the displayed fields/segments should not change. This ensures that all changes to the global configuration(s) will be enforced on the end users.

User-Entered CONFIG Command

System special users are allowed to totally configure their displays. If a baseline profile exists, non-system-special users are allowed to configure in or out only the fields/segments that were displayed to the security administrator when the SAVE command was issued, i.e., if the administrator cannot see the field/segment on his/her display, the user will not be able to configure in the field/segment.

Base segment fields for each type, user, group, data set, general resource or SETROPTS are configurable on a field-by-field basis. All other segments are configurable only on a segment basis (i.e. for User profiles, the TSO segment as a whole may be configured in or out, but not individual fields within the segment).
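The tests described under User Configuration Process and User-Entered CONFIG Command above are a small decision procedure, so here is an added example that models them; it is not Vanguard code. VRCGLOBALCONFIG, VRAOPT00, VRAADM$.VRC.ADMIN and the Table 17 member names are taken from this chapter. The User record, the integer date/time encoding (YYYYMMDDHHMMSS, with 0 meaning "not present"), the qualifiers that disambiguate the duplicated panel names in Table 17, the treatment of administrators like system special users in the CONFIG check, and all function names are assumptions made for the example.

```python
"""Baseline configuration checks described in this chapter.

Added example modelling the rules in the text; it is not Vanguard code.
VRCGLOBALCONFIG, VRAOPT00, VRAADM$.VRC.ADMIN and the Table 17 member
names are the guide's; the User record, the integer date/time encoding
(YYYYMMDDHHMMSS, 0 = not present) and all function names are assumptions.
"""
from dataclasses import dataclass, field

SYSTEM_SPECIAL, ADMINISTRATOR, GROUP_SPECIAL, ALL_OTHERS = (
    "system special", "administrator", "group special", "all others")

# Table 17: panel -> (Group Special member, All Other member). The
# "User"/"Dataset"/"GenRes"/"Group" qualifiers on the duplicated panel
# names are added here to keep the keys unique; they are an assumption.
BASELINE_MEMBERS = {
    "User": ("VRCUG00", "VRCUO00"),
    "User Connect": ("VRCCG00", "VRCCO00"),
    "Dataset": ("VRCDG00", "VRCDO00"),
    "Dataset StdPerm": ("VRCPG00", "VRCPO00"),
    "Dataset CndPerm": ("VRCAG00", "VRCAO00"),
    "Setropts": ("VRCSG00", "VRCSO00"),
    "ClassOps": ("VRCKG00", "VRCKO00"),
    "PWRules": ("VRCLG00", "VRCLO00"),
    "General Res": ("VRCNG00", "VRCNO00"),
    "Members": ("VRCMG00", "VRCMO00"),
    "GenRes StdPerm": ("VRCEG00", "VRCEO00"),
    "GenRes CndPerm": ("VRCFG00", "VRCFO00"),
    "Group": ("VRCGG00", "VRCGO00"),
    "Group Connect": ("VRCHG00", "VRCHO00"),
}


@dataclass
class User:
    """Hypothetical view of the attributes the category test needs."""
    userid: str
    system_special: bool = False
    admin_read: bool = False          # READ on FACILITY VRAADM$.VRC.ADMIN
    group_special_over: set = field(default_factory=set)


def global_config_active(vraopt00_lines):
    """True when the VRAOPT00 member carries the VRCGLOBALCONFIG line."""
    return any(line.strip().upper() == "VRCGLOBALCONFIG" for line in vraopt00_lines)


def user_category(user):
    """Assign one of the four categories the chapter names."""
    if user.system_special:
        return SYSTEM_SPECIAL
    if user.admin_read:
        return ADMINISTRATOR
    if user.group_special_over:        # group-special over any connected group
        return GROUP_SPECIAL
    return ALL_OTHERS


def baseline_member(panel, category):
    """VANOPTS member holding the baseline for this panel and user type."""
    group_member, other_member = BASELINE_MEMBERS[panel]
    return group_member if category == GROUP_SPECIAL else other_member


def needs_refresh(baseline_dt, user_dt):
    """Decide whether the user's saved configuration must be rebuilt.

    A newer baseline, or a baseline that has been withdrawn (0) while the
    user still holds a saved configuration, triggers the silent rebuild.
    """
    if baseline_dt > user_dt:
        return True
    return baseline_dt == 0 and user_dt != 0


def on_panel_entry(vraopt00_lines, user, baseline_dt, user_dt):
    """Action taken when a configurable panel is entered."""
    if not global_config_active(vraopt00_lines):
        return "skip"          # no further baseline testing at all
    if user_category(user) in (SYSTEM_SPECIAL, ADMINISTRATOR):
        return "exempt"        # baselines do not apply to these users
    return "refresh" if needs_refresh(baseline_dt, user_dt) else "keep"


def configurable_fields(user, requested, baseline_visible):
    """Fields a user-entered CONFIG command may switch in or out.

    System special users configure freely; with a baseline in place other
    users are limited to what the administrator saw when SAVE was issued.
    Treating administrators like system special users and an absent
    baseline (None) as unrestricted are assumptions.
    """
    if user_category(user) in (SYSTEM_SPECIAL, ADMINISTRATOR) or baseline_visible is None:
        return set(requested)
    return set(requested) & set(baseline_visible)


if __name__ == "__main__":
    opts = ["VRCGLOBALCONFIG"]              # constructed VRAOPT00 content
    normal = User("U1")
    print(baseline_member("User", user_category(normal)))
    print(on_panel_entry(opts, normal, 20040915120000, 20040901000000))
    print(configurable_fields(normal, ["NAME", "OWNER", "TSO"], ["NAME", "OWNER"]))
```

The date/time comparison is the part worth checking against an installation's behaviour: a baseline saved after the user's last configuration, or a baseline member deleted after the user has one, both force the silent rebuild, while an older baseline leaves the user's configuration alone.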


Chapter 6. Distributed Identity Manager

The Distributed Identity Manager allows CICS Terminal Users to use the Vanguard Identity Manager to perform RACF password management on local and remote hosts. The Distributed Identity Manager also gives TSO users the ability to use the Vanguard Identity Manager on remote hosts.

Overview of the Distributed Identity Manager

Vanguard’s Distributed Identity Manager is an enhancement to the Vanguard Identity Manager function within the Administrator.

Note: The terms Identity Management and Password Management may be used interchangeably in this manual.

The Distributed Identity Manager provides two benefits:

• Extends the ability of TSO Users to perform RACF Password Administration on defined remote host(s).

• Gives CICS Terminal Users the ability to perform RACF Password Administration on a local and/or defined remote host(s).

Distributed Identity Manager has been implemented using client/server technology. Client/server software is usually more complex to install than typical host based software because of the communications used to allow the client process to connect to a server process.

Vanguard implements this feature by defining one or more RACF database IDs and relating the RACF database IDs to hosts accessible through a communications path. The RACF database ID is a construct created by Vanguard's Administrator to relieve the RACF administrator from having to understand the communications related terminology. The user of Identity Manager must only be knowledgeable of installation defined RACF database IDs.

When the password management function is performed against a remote database, the RACF defined user performing the function must be defined as a valid user on the remote database with the same User ID. The user requesting the function on the remote host must have the required authorization on that host implemented through the Administrator’s use of the RACF FACILITY class profiles for Identity Manager.

It is important to understand the implications of using the Administrator’s Distributed Identity Manager in a RACF Remote Sharing Facility (RRSF) environment. If RRSF password synchronization is in effect, there may be a conflict of password updates. Distributed Identity Manager effects its updates immediately, if it is able to connect to the remote host. If it cannot establish a connection, the function will not be performed. RACF with password synchronization through RRSF may effect a password change almost immediately, but if no connection exists between hosts, the request will be delayed with no indication as to when it will or can occur.

If you have RRSF active and have enabled it for application updates, then Identity Manager updates will be propagated to all your remote databases.

Note: You must perform a SET AUTOAPPL command for Identity Manager to work with RRSF.

This chapter has several sections. The first section is an overview of how the client/server mechanism works. The second section contains information to complete the installation. The rest of the chapter is organized by skill set or major subsystem; it refers to the information gathered in the second section. Several skill sets are required to complete the installation of Distributed Identity Manager.

Distributed Identity Manager provides CICS users the ability to perform all password management functions by using APPC/MVS to carry out the functions on CICS’s behalf. This allows the actual authorized process to occur outside the CICS environment. In effect, the CICS transaction is the client, and the server transaction executes under APPC/MVS. Through this process the server transaction can run on the same host, or a different host, from where the CICS user is executing.

CICS to APPC/MVS Relationship with Distributed Identity Manager

[Figure: SYSTEM 1 contains the RACF database, a CICS client transaction, and an APPC/MVS server transaction.]

With the Distributed Identity Manager in the TSO and ISPF environment, Identity Management can be performed upon another host’s RACF database, by additionally specifying a valid RACF database ID field on the ISPF panel, or in the AT(...) parameter for the TSO command processor, VIM.


TSO to APPC/MVS Relationship with Distributed Identity Manager

[Figure: SYSTEM 1 runs the TSO client transaction; SYSTEM 2 runs the APPC/MVS server transaction against its RACF database.]

Together, CICS and TSO Distributed Identity Manager provide two ways to administer passwords on the local host, and defined remote hosts.

Software Requirements

These prerequisites are assumed to be in place before the installer moves forward:

• Base Administrator product installed and operational on all RACF hosts that will be involved with the installation effort.

• VTAM network is set up and connectivity between the hosts involved has been verified. It is strongly recommended that the communication links between hosts are secure.

• CICS/ESA V3.3 or above. The CICS regions where the CICS client will be installed are expected to be configured and operational. There may not yet be a connection definition to the destination APPC/MVS server.

• MVS 4.3 (with APAR OW01674) or higher with APPC/MVS configured and running on all target RACF database hosts.

For additional software requirements refer to the Product Compatibility section in the Copyright statement of this manual.


Reference Documentation

The following documents will have details on configuration:

Subsystem       Document                                                   Order Number
APPC/MVS        MVS/ESA V5 Planning: APPC Management                       GC28-1503
                (There are books by the same title for other releases of MVS and z/OS (OS/390).)
CICS/ESA 3.3    CICS/ESA 3.3 Resource Definition Online                    SC33-0666
                CICS/ESA 3.3 Operations Guide                              SC33-0668
CICS/ESA 4.1    CICS/ESA 4.1 Resource Definition Guide                     SC33-1166
                CICS/ESA 4.1 Operations & Utilities Guide                  SC33-1167
Assembler       High Level Assembler for MVS & VM & VSE Language Reference  SC26-4940
                MVS and VM
VTAM and RACF   Refer to documentation of the release that applies to your environment.

Table 18. Identity Management Reference Documentation

Distributed Identity Manager Configuration Overview

Although both the CICS and TSO implementation of Distributed Identity Manager have much in common, differences occur when installing in the client environment. Therefore, each component will have its own installation instructions.

Since APPC is used to provide communications between client and server, many of the definitions required will relate to VTAM in some way. The major subsystems/skill sets involved are:

RACF All installations.

VTAM All installations.

APPC/MVS All installations.

CICS If CICS Identity Manager support is required.

TSO If TSO Distributed Identity Manager is required.


The installation must consider which hosts will be involved in the configuration. If it is to be configured on only one host, the installation is somewhat simpler, because only one RACF Database host will be defined.

If the local host is the only host you wish to manage, then effort put forth to install this feature will be concentrated on the CICS part. The effect of this would be to add CICS support for the Administrator's Identity Manager.

Each RACF Database host must have a one to eight character name associated with it. This name will be input by a user of the Administrator's Identity Manager to indicate the destination of the request to be performed. These names have no meaning outside of Distributed Identity Manager.

Security between client and server is required. Since APPC is entrusted to carry the request between client and server, the APPC link must have APPCLU class profiles defined with a SESSION segment, specifying CONVSEC(ALREADYV). It is strongly suggested that the use of session keys be implemented.

RACF

It is recommended that the RACF administrator(s) lead the installation effort. This is because the real endpoint(s), or affected data elements, are RACF databases.

The RACF administrator must perform the following tasks:

• Determine on which RACF Database host(s) Distributed Identity Manager will be implemented. This will help determine the personnel required to participate in the installation.

• Define the VRATPMAP module (see Appendix C. VRATPMAP Configuration Module) that contains the definitions of RACF database IDs and their related CICS SYSIDs and VTAM LU names. The CICS administrator will provide the CICS SYSIDs and the VTAM and/or APPC/MVS administrator will provide the VTAM LU names. The information is coded using provided macros, then assembled and link-edited. The resulting load module must be available during execution in the CICS and TSO environments.

• Define RACF APPCLU profiles representing the possible connections between APPC/MVS based LUs and/or CICS APPLID’s on client hosts, and APPC/MVS servers on foreign hosts. The SESSION segment, specifying CONVSEC(ALREADYV), is required. It is strongly suggested that session keys be used. The RACF APPCLU profiles must be defined in matching pairs, one on each host that will be communicating.

• Ensure that the APPC/MVS transaction program definitions are protected. Note that the utility program that loads the transaction program definitions should also be protected. Please refer to MVS/ESA Planning: APPC Management for details.

• Modify the VRAOPT00 member of your VANOPTS options library adding keywords required by Distributed Identity Manager.

• Define RACF FACILITY class profiles on all hosts that Distributed Identity Manager will run. See page 30 for details.

• Ensure that all users of Distributed Identity Manager have the same User ID defined on every host they will be making updates to, and are permitted to the Vanguard RACF FACILITY class profiles required to perform Identity Manager functions.

• Define a default user for the APPC/MVS multi-transaction program.

• Define the APPC/MVS FACILITY class APPCMVS.TP.MULTI.*, and APPCMVS.TP.MULTI.userid profiles.

CICS

The CICS administrator must perform the following tasks:

• Define the CICS transaction.

• Define the CICS programs and map definition. This includes the VRATPMAP load module (see Appendix C. VRATPMAP Configuration Module), which was built by the RACF administrator.

• Create CICS connection and session definitions for connections to the related APPC/MVS servers that will be employed.

• Make the Administrator load library (or just the CICS programs and mapset) available to the CICS region.

• Ensure that the CICS region has SIT options SEC=YES and XAPPC=YES specified.

TSO

The only task that must be done by the TSO administrator in the TSO/E environment following a standard Administrator installation is to make the VRATPMAP load module, built by the RACF administrator, available to the Administrator.


VTAM

The VTAM administrator must perform the following tasks:

• Map out the Logical Units that will be communicating in the network to assist the RACF administrator in defining the RACF APPCLU profiles.

• Ensure route availability between the communication endpoints.

• Ensure that any CICS region that will be involved has PARSESS=YES coded in the APPL minor node definition. This is to enable APPC support for CICS.

• Ensure that all involved APPC/MVS servers have APPL minor node definitions on their respective hosts. The APPL definitions MUST have VERIFY=OPTIONAL specified.

APPC/MVS

The APPC/MVS administrator must perform the following tasks:

• Customize the supplied VIMAPPC sample to define the APPC/MVS transaction programs.

• Make available a copy of Administrator load library and VANOPTS options library.

Note: The Administrator load library must be APF authorized.

• Ensure that the target APPC/MVS LU is defined using SCHED(ASCH).

• Ensure that the transaction class used by the APPC/MVS transaction is defined to the address space scheduler (ASCH).


Distributed Identity Manager Configuration Details

Preliminary Considerations

It is important for the RACF administrator to lead the project, because this is a RACF application that is to be implemented.

It is important to determine the endpoints involved with the implementation. The following questions will help you to determine some of the general direction.

• Who will lead the project? As this project implements a RACF application, we recommend the RACF administrator.

• Which CICS regions will be running the CICS Distributed Identity Manager client?

• Which MVS systems will be running the TSO Distributed Identity Manager client?

• Which RACF databases will be within a Distributed Identity Manager client’s scope of view?

• Which host(s) managing remote RACF databases will be APPC/MVS server hosts?

• What will be the default RACF database ID for CICS Distributed Identity Manager users?


A CICS Example

The diagram below shows a CICS to APPC/MVS relationship on the same platform, an example of a proposed connection to implement Distributed Identity Manager using a CICS client.

The CICS system that will implement the use of the client has a VTAM APPLID of CICSPROD. The APPC/MVS system that will implement the use of the server has an APPLID of AVIPQA1. In this case, both subsystems reside on one host.

CICS will require a CONNECTION definition that describes the link between the client CICS subsystem and the server APPC/MVS subsystem. When this definition is made, a SYSID is associated with a VTAM LU (i.e., APPLID). In this case, the CONNECTION named APRD (A CICS SYSID is limited to four characters) relates to an LU (APPLID) of AVIPQA1. This allows this CICS system to view the APPC/MVS server as a remote connection named APRD.

[Figure: PRODSYS. CICS Region: APPLID=CICSQA1, Network ID=MYNET, SysID=APRD, with a Connection Definition (Connection=APRD, APPLID=AVIPQA1) and the VRATPMAP module. APPC/MVS: APPLID=AVIPQA1, Network ID=MYNET, with the RACF Database.]


A TSO example

This diagram shows a TSO or ISPF Distributed Identity Manager client running on one system connecting to APPC/MVS on another system. Although the client can operate against the same MVS platform, it does not offer any additional functionality over standard use of Identity Manager.

The TSO client is connected outbound through the BASELU defined on APPC/MVS on the PRODSYS system; its APPLID is AVIPQA1. The APPC/MVS destination system TESTSYS will run the Distributed Identity Manager server; its APPLID is AVIPQAT.

[Figure: TSO client on PRODSYS (APRD) to APPC/MVS on TESTSYS (ATST). PRODSYS: TSO, VRATPMAP, APPC/MVS BASELU=AVIPQA1, Network ID=MYNET. TESTSYS: APPC/MVS BASELU=AVIPQAT, Network ID=MYNET, RACF Database.]

The above figures show the relationship of the TSO/ISPF client and the CICS client to the APPC/MVS server subsystem. The RACF administrator must understand these relationships, since they provide:

• Basic information needed to define the VRATPMAP configuration module.

• LU relationships to define RACF APPCLU profiles.

The VRATPMAP Configuration Module

The VRATPMAP configuration module is central to Distributed Identity Manager. This module relates RACF database ID’s to communication destinations.

For TSO clients, a RACF database ID will resolve to a VTAM fully qualified name (LU name) that represents the APPC/MVS server at the location of the RACF database. This information should be readily available from those responsible for APPC/MVS.


Please refer to Appendix C. VRATPMAP Configuration Module for information on coding and installing the VRATPMAP configuration module.

RACF APPCLU Class Profiles

Security between client and server is a requirement. RACF APPCLU profile pairs must be defined on all hosts participating in the implementation:

• Ensure a secure link between the client requester environment (CICS and/or APPC/MVS for TSO) and the server environment (APPC/MVS).

• Allow the APPC/MVS server transactions to inherit the RACF User ID requesting the Identity Manager function.

The best introduction to the APPCLU profiles is in the MVS/ESA Planning: APPC Management book, as noted under Reference documentation previously in this chapter.

Since APPC is entrusted to carry the request between client and server, the APPC link must have APPCLU class profiles defined with a SESSION segment, specifying CONVSEC(ALREADYV). It is strongly suggested that session keys be used.

APPCLU profiles must always be defined in pairs. One profile on the RACF database that the client application runs on, and one on the RACF database the server application runs on. In the event both applications operate under the same database, then both APPCLU profiles will be defined in the one database.

In the example VRATPMAP configuration, shown in Appendix C. VRATPMAP Configuration Module, there is a reference to Logical Unit AVIPQA1. The client Logical Unit is CICSPROD, where the CICS Distributed Identity Manager client will run. In this case, both of these LUs reside on the same host, which means both APPCLU profiles will be defined in this database.

   RDEFINE APPCLU MYNET.AVIPQA1.CICSQA1 UACC(NONE) -
           SESSION(CONVSEC(ALREADYV) SESSKEY(MYKEY))
   RDEFINE APPCLU MYNET.CICSQA1.AVIPQA1 UACC(NONE) -
           SESSION(CONVSEC(ALREADYV) SESSKEY(MYKEY))

Again using the VRATPMAP configuration example in Appendix C. VRATPMAP Configuration Module, suppose we wish to execute the TSO or ISPF Vanguard Identity Manager on the host represented by AVIPQA1, and use the TESTSYS RACF database ID, which represents the AVIPQAT LU, as a potential target of a Distributed Identity Manager request. AVIPQA1 is assumed to be the BASELU on this system.


The following definition must be made on the host representing the LU AVIPQA1:

   RDEFINE APPCLU MYNET.AVIPQA1.AVIPQAT UACC(NONE) -
           SESSION(CONVSEC(ALREADYV) SESSKEY(MYKEY))

The following definition must be made on the host representing the LU AVIPQAT:

   RDEFINE APPCLU MYNET.AVIPQAT.AVIPQA1 UACC(NONE) -
           SESSION(CONVSEC(ALREADYV) SESSKEY(MYKEY))

You may have to issue a SETROPTS RACLIST(APPCLU) REFRESH command after defining these profiles on all the hosts involved. You must inform VTAM of changes to the APPCLU class as well.

The APPCLU class may not have been specifically RACLISTed through SETR RACLIST(APPCLU). Later releases of CICS no longer require CEMT PERFORM SECURITY REBUILD to be performed by each CICS region. Instead, CICS does a GLOBAL=YES RACLIST ONLY for the class in question, and all CICS regions using the same technique may share the same in-storage profiles. Specifically, when the CICS SIT option XAPPC=YES is specified for a region, and this region has been activated, the APPCLU class will appear in a SETROPTS LIST command output, with GLOBAL=YES RACLIST ONLY=APPCLU being shown. This indicates that CICS has globally RACLISTed this class. To refresh it only requires a SETROPTS RACLIST(APPCLU) REFRESH command to be performed to activate the changes system wide.

VTAM must be notified of the changes to the APPCLU class, but only for those that specify APPC=YES on the APPL minor node definition. For our purposes, this only applies to the APPC/MVS minor node. Once you have made updates to the APPCLU class, you must inform VTAM of these changes through an operator command. This may be accomplished through an MVS system console, or through some other command input source to VTAM. If your APPC/MVS applid is AVIPQA1, then to inform VTAM of the changes, enter the operator command:

   F net,PROFILES,ID=AVIPQA1
   F net,PROFILES,ID=AVIPQAT

where net is the VTAM identifier you have assigned to VTAM in your environment. You may refer to the VTAM operator command reference for more information.
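To make the pairing rule concrete, the following added Python example (not Vanguard's code) generates both halves of each APPCLU pair on the host that owns each LU and checks an existing set of RDEFINE commands for the three things this section requires: both halves present, CONVSEC(ALREADYV), and the same session key on both sides. It uses the chapter's LU names (MYNET, CICSQA1, AVIPQA1, AVIPQAT) and the host names from the figures (PRODSYS, TESTSYS); the session key MYKEY is the chapter's placeholder, and the VTAM identifier NET is an assumed placeholder.

```python
import re
from dataclasses import dataclass

NETID = "MYNET"
SESSKEY = "MYKEY"   # placeholder from the chapter; use a real session key per link


@dataclass(frozen=True)
class Link:
    """One client-to-server APPC link and the host (RACF database) owning each LU."""
    client_lu: str
    client_host: str
    server_lu: str
    server_host: str


# Constructed topology matching the chapter's figures: the CICS region and the
# APPC/MVS server share PRODSYS; the TSO client's BASELU on PRODSYS reaches TESTSYS.
LINKS = [
    Link("CICSQA1", "PRODSYS", "AVIPQA1", "PRODSYS"),
    Link("AVIPQA1", "PRODSYS", "AVIPQAT", "TESTSYS"),
]


def profile_name(local_lu, partner_lu, netid=NETID):
    """APPCLU profile name in the form used in this chapter: netid.local.partner."""
    return f"{netid}.{local_lu}.{partner_lu}"


def rdefine(profile, sesskey=SESSKEY):
    return (f"RDEFINE APPCLU {profile} UACC(NONE) - "
            f"SESSION(CONVSEC(ALREADYV) SESSKEY({sesskey}))")


def commands_by_host(links, sesskey=SESSKEY):
    """One profile per LU side, placed on the host that owns that LU; when both
    LUs live on one host, both halves of the pair land in that one database."""
    out = {}
    for ln in links:
        out.setdefault(ln.client_host, []).append(
            rdefine(profile_name(ln.client_lu, ln.server_lu), sesskey))
        out.setdefault(ln.server_host, []).append(
            rdefine(profile_name(ln.server_lu, ln.client_lu), sesskey))
    return out


_RDEF = re.compile(
    r"RDEFINE\s+APPCLU\s+(\S+)\s+.*?CONVSEC\((\w+)\)\s+SESSKEY\((\w+)\)", re.I)


def parse_profiles(commands):
    """Map profile name -> (convsec, sesskey) from RDEFINE APPCLU command text."""
    found = {}
    for cmd in commands:
        m = _RDEF.search(cmd)
        if m:
            found[m.group(1).upper()] = (m.group(2).upper(), m.group(3).upper())
    return found


def check_pairs(defined_by_host, links, netid=NETID):
    """Return a list of findings; an empty list means every link has both halves
    of its APPCLU pair on the right hosts, CONVSEC(ALREADYV), and equal keys."""
    findings = []
    parsed = {h: parse_profiles(cmds) for h, cmds in defined_by_host.items()}
    for ln in links:
        halves = [
            (ln.client_host, profile_name(ln.client_lu, ln.server_lu, netid)),
            (ln.server_host, profile_name(ln.server_lu, ln.client_lu, netid)),
        ]
        keys = []
        for host, prof in halves:
            entry = parsed.get(host, {}).get(prof)
            if entry is None:
                findings.append(f"{host}: missing {prof}")
                continue
            convsec, key = entry
            if convsec != "ALREADYV":
                findings.append(f"{host}: {prof} has CONVSEC({convsec}), expected ALREADYV")
            keys.append(key)
        if len(keys) == 2 and keys[0] != keys[1]:
            findings.append(f"session key mismatch for {ln.client_lu}<->{ln.server_lu}")
    return findings


def vtam_refresh_commands(links, net="NET"):
    """Operator commands to tell VTAM about APPCLU changes, one per APPC/MVS
    server LU (the APPL minor nodes coded APPC=YES). 'net' is a placeholder."""
    return [f"F {net},PROFILES,ID={lu}" for lu in sorted({ln.server_lu for ln in links})]


if __name__ == "__main__":
    cmds = commands_by_host(LINKS)
    for host, lst in cmds.items():
        print(f"--- {host}")
        print("\n".join(lst))
    print(check_pairs(cmds, LINKS))          # []
    broken = {h: list(c) for h, c in cmds.items()}
    broken["TESTSYS"] = []                   # simulate forgetting the TESTSYS half
    print(check_pairs(broken, LINKS))        # ['TESTSYS: missing MYNET.AVIPQAT.AVIPQA1']
    print(vtam_refresh_commands(LINKS))
```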


Administrator Options

Additional keywords can be specified in the VRAOPT00 member of your VANOPTS options library:

• VIOUNIT(xxxxxxxx) - This keyword is required on all hosts participating in the use of Distributed Identity Manager. Specify a one to eight character MVS unit name that reflects a VIO unit name in place of xxxxxxxx. This is for temporary file allocations.

• VIMDEBUG(x) - This keyword is optional. Specify a one-character value of Y or N. If this keyword is not specified, N is assumed. If you wish to enable debugging, specify Y. If trying to do problem determination, it is strongly recommended that this option be specified in the options library on both the client and server hosts involved.

RACF FACILITY Class Profiles

RACF FACILITY class profiles must be defined on all MVS hosts participating in the implementation. There are two general types of profiles that must be defined:

• Identity Manager profiles. These profile definitions protect the usage of both Identity Manager and Distributed Identity Manager. These profiles must be defined on the RACF defined hosts. See page 30 for details.

• APPC/MVS profiles. These profile definitions must exist on all RACF database hosts to be configured.

It will be prudent to define a RACF FACILITY profile on each of the RACF hosts that will be defining APPC/MVS transaction programs. This profile is required to control the users who can specify the use of a RACF User ID that will be specified as the GENERIC_ID for an APPC/MVS transaction program definition. Typically, you will permit your APPC/MVS administrator RACF UPDATE access to this profile.

For example, the following definition protects all generic users specified that do not have a profile. This prevents everyone from specifying any GENERIC_ID:

   RDEFINE FACILITY APPCMVS.TP.MULTI.* UACC(NONE)


The following profile and permit will allow the RACF User ID APPCADM to specify GENERIC_ID(VIMADMIN) when defining the APPC/MVS multi-transaction program.

   RDEFINE FACILITY APPCMVS.TP.MULTI.VIMADMIN UACC(NONE)
   PERMIT APPCMVS.TP.MULTI.VIMADMIN CLASS(FACILITY) ACCESS(UPDATE) ID(APPCADM)

Note: Please refer to MVS/ESA Planning: APPC Management for other APPC/MVS related RACF profiles. Most are not strictly necessary, but may be desirable. The Vanguard Identity Manager is controlled through its own RACF FACILITY class profiles.

Defining USER Profiles

All users that will be using Distributed Identity Manager must have the SAME RACF User ID on the destination RACF database environment.

Because of the use of the APPC/MVS multi-transaction facility, a RACF user profile must be defined to represent a generic user while the multi-transaction program is waiting for work. This is similar to the CICS default user. This user does not require any special access, other than to create a dataset in the event of an error. In the previous section, the User ID APPCADM was permitted update access to APPCMVS.TP.MULTI.VIMADMIN. VIMADMIN is the RACF User ID that would be associated with the APPC/MVS multi-transaction program.

Note: Again refer to MVS/ESA Planning: APPC Management for details on this subject in the security section.


CICS Administrator

The minimum level of CICS to use is V3.3. External security must be enabled, thus allowing RACF defined users to sign on to CICS. This is critical to the CICS Identity Manager operation. The CICS transactions have no requirements for APF authorization. The VIMCICS member in the Administrator sample library may be used as input to the CICS batch resource definition program, DFHCSDUP.

The following elements must be defined to CICS:

• The CICS transaction: VIM, which invokes program VRAACIP0.

• The CICS programs and mapset, inclusive of VRATPMAP. See Appendix C. VRATPMAP Configuration Module for more information

• At least one set of CICS CONNECTION and SESSION definitions. The CONNECTION definition defines the LU6.2 link between this CICS region and the APPC/MVS server. The SYSID(s) chosen for the APPC/MVS servers MUST match the DEST= operand specified on the TPMAP TYPE=CICS macros coded for the VRATPMAP load module. The CONNECTION entry must specify ATTACHSEC(IDENTIFY). If multiple RACF hosts will be configured, there must be one CONNECTION definition for each destination APPC/MVS server.

• Make the Administrator load library available to the CICS region.

• Ensure that SIT options SEC=YES (enables RACF security) and XAPPC=YES (enables secure sessions across APPC sessions) are specified for target regions.

CICS Example of DFHCSDUP Definitions

********************************* Top of Data **********************************
. . .
//DFHCSDUP EXEC PGM=DFHCSDUP,REGION=0M
//STEPLIB  DD DSN=<CICS.SDFHLOAD>,DISP=SHR
//DFHCSD   DD DSN=<CICS.DFHCSD>,DISP=SHR,AMP='BUFND=20,BUFNI=5'
//SYSUT1   DD UNIT=VIO,SPACE=(1024,(100,100))
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
 DEFINE CONNECTION(<APRD>) GROUP(<$APPC>)
        NETNAME(<AVIPQA1>) ACCESSMETHOD(VTAM) PROTOCOL(APPC)
        SINGLESESS(NO) DATASTREAM(USER) RECORDFORMAT(U)
        QUEUELIMIT(NO) MAXQTIME(NO) AUTOCONNECT(ALL) INSERVICE(YES)
        ATTACHSEC(IDENTIFY) BINDSECURITY(YES) USEDFLTUSER(NO)
        PSRECOVERY(SYSDEFAULT)
 DEFINE SESSIONS(<APRD>) GROUP(<$APPC>) CONNECTION(<APRD>)
        MODENAME(#INTERSC) PROTOCOL(APPC) MAXIMUM(3,3)
        SENDSIZE(4096) RECEIVESIZE(4096) SESSPRIORITY(0)
        AUTOCONNECT(NO) BUILDCHAIN(YES) USERAREALEN(0) IOAREALEN(0,0)
        RELREQ(NO) DISCREQ(NO) NEPCLASS(0) RECOVOPTION(SYSDEFAULT)
 DEFINE CONNECTION(<ATST>) GROUP(<$APPC>)
        NETNAME(<AVIPQAT>) ACCESSMETHOD(VTAM) PROTOCOL(APPC)
        SINGLESESS(NO) DATASTREAM(USER) RECORDFORMAT(U)
        QUEUELIMIT(NO) MAXQTIME(NO) AUTOCONNECT(ALL) INSERVICE(YES)
        ATTACHSEC(IDENTIFY) BINDSECURITY(YES) USEDFLTUSER(NO)
        PSRECOVERY(SYSDEFAULT)
 DEFINE SESSIONS(<ATST>) GROUP(<$APPC>) CONNECTION(<ATST>)
        MODENAME(#INTERSC) PROTOCOL(APPC) MAXIMUM(3,3)
        SENDSIZE(4096) RECEIVESIZE(4096) SESSPRIORITY(0)
        AUTOCONNECT(NO) BUILDCHAIN(YES) USERAREALEN(0) IOAREALEN(0,0)
        RELREQ(NO) DISCREQ(NO) NEPCLASS(0) RECOVOPTION(SYSDEFAULT)
 DEFINE MAPSET(VRAACIM) GROUP(<$PROGRAM>) RESIDENT(NO) USAGE(NORMAL)
        USELPACOPY(NO) STATUS(ENABLED)
 DEFINE PROGRAM(VRAACIP0) GROUP(<$PROGRAM>) LANGUAGE(ASSEMBLER)
        RELOAD(NO) RESIDENT(NO) USAGE(NORMAL) USELPACOPY(NO)
        STATUS(ENABLED) CEDF(NO) DATALOCATION(ANY) EXECKEY(USER)
        EXECUTIONSET(FULLAPI)
 DEFINE PROGRAM(VRAACIP1) GROUP(<$PROGRAM>) LANGUAGE(ASSEMBLER)
        RELOAD(NO) RESIDENT(NO) USAGE(NORMAL) USELPACOPY(NO)
        STATUS(ENABLED) CEDF(NO) DATALOCATION(ANY) EXECKEY(USER)
        EXECUTIONSET(FULLAPI)
 DEFINE PROGRAM(VRAACIH1) GROUP(<$PROGRAM>) LANGUAGE(ASSEMBLER)
        RELOAD(NO) RESIDENT(NO) USAGE(NORMAL) USELPACOPY(NO)
        STATUS(ENABLED) CEDF(NO) DATALOCATION(ANY) EXECKEY(USER)
        EXECUTIONSET(FULLAPI)
 DEFINE PROGRAM(VRATPMAP) GROUP(<$PROGRAM>) LANGUAGE(ASSEMBLER)
        RELOAD(NO) RESIDENT(NO) USAGE(NORMAL) USELPACOPY(NO)
        STATUS(ENABLED) CEDF(NO) DATALOCATION(ANY) EXECKEY(USER)
        EXECUTIONSET(FULLAPI)
 DEFINE TRANSACTION(VIM) GROUP(<$PROGRAM>) PROGRAM(VRAACIP0)
        TWASIZE(0) PROFILE(DFHCICST) STATUS(ENABLED)
        TASKDATALOC(ANY) TASKDATAKEY(USER) STORAGECLEAR(NO)
        RUNAWAY(SYSTEM) SHUTDOWN(DISABLED) ISOLATE(YES) DYNAMIC(NO)
        PRIORITY(1) TRANCLASS(DFHTCL00) DTIMOUT(NO) RESTART(NO)
        SPURGE(NO) TPURGE(NO) DUMP(YES) TRACE(YES) CONFDATA(NO)
        RESSEC(NO) CMDSEC(NO)
******************************** Bottom of Data ********************************


TSO Administrator

If Distributed Identity Manager is available to TSO users, the following must be done.

• Make the VRATPMAP load module, which was defined and built by the RACF administrator, available to the Administrator on TSO.

• Ensure the availability of the VANOPTS options library through allocation to the VIPOPTS DDname prior to execution of Identity Manager.

VTAM Administrator

The VTAM administrator must perform the following tasks:

• Map out the Logical Units that will be communicating in the network to help the RACF administrator define the RACF APPCLU profiles.

• Ensure that each CICS region involved has PARSESS=YES coded in the APPL minor node definition. This enables APPC support for CICS.

• Ensure that all involved APPC/MVS servers have APPL minor node definitions on the chosen server hosts and that these definitions have VERIFY=OPTIONAL, and SECACPT=CONV or IDENTIFY.

• Ensure that all involved platforms using the TSO Distributed Identity Manager have an APPL minor node for the APPC/MVS BASELU and that the APPL definition has VERIFY=OPTIONAL specified.

• Ensure that paths and class of service will support session establishment between clients and servers.

The LU names that define APPC/MVS servers must be coded in the VRATPMAP load module (see Appendix C. VRATPMAP Configuration Module) that is set up by the RACF administrator.

The type of traffic that Distributed Identity Manager incurs can be considered interactive or transaction oriented. At initiation, a CICS or TSO client will ship a request to the server that will consist of no more than 100 bytes. The response will be no larger than 700 bytes. There are no lengthy transfers of information.

The default mode name within Distributed Identity Manager is #INTERSC. This can be altered in the VRATPMAP configuration module that is built by the RACF administrator.


Please refer to the sample member VIMVTAM in the Administrator sample library for an example of a VTAM APPL major node definition, including sample minor nodes for APPC/MVS and CICS.

Example of VTAM Major/Minor Node

         VBUILD TYPE=APPL
*
* THIS MEMBER IS FOR LU DEFINITIONS FOR APPC MVS AND CICS ESA.
*
AVIPQA1  APPL  ACBNAME=AVIPQA1,       ACBNAME FOR APPC                *
               APPC=YES,                                              *
               AUTOSES=0,                                             *
               DDRAINL=NALLOW,                                        *
               DLOGMOD=#INTERSC,                                      *
               DMINWNL=10,                                            *
               DMINWNR=10,                                            *
               DRESPL=NALLOW,                                         *
               DSESLIM=20,                                            *
               LMDENT=19,                                             *
               PARSESS=YES,                                           *
               SECACPT=ALREADYV,                                      *
               SRBEXIT=YES,                                           *
               VERIFY=OPTIONAL,                                       *
               VPACING=7
*
CICSQA1  APPL  ACBNAME=CICSQA1,                                       *
               AUTH=(ACQ,PASS),                                       *
               EAS=1000,                                              *
               PARSESS=YES,           PARALLEL SESSIONS               *
               VPACING=7

APPC/MVS

The APPC/MVS administrator must perform the following tasks:

• Determine which APPC/MVS subsystems will participate with Distributed Identity Manager. There must be at least one APPC/MVS subsystem per RACF database participating with Distributed Identity Manager.

• Ensure that there is a BASELU defined on those hosts where TSO users will have access to Distributed Identity Manager. When connecting to another host, the TSO VIM client uses this LU.

• Customize for your installation using the supplied sample member VIMAPPC.

• Submit the customized job to define the APPC/MVS transaction programs, VIMSERVM and VIMSERV, to the selected APPC/MVS servers. When VIMSERVM is defined, a GENERIC_ID must be specified. The RACF administrator must provide you with this ID.

• Ensure that the target APPC/MVS LU is defined using SCHED(ASCH).

• Ensure that the transaction class used by the APPC/MVS transaction is defined to the address space scheduler (ASCH).


VIMSERVM is an APPC/MVS multi-transaction program. It remains active within the ASCH (address space scheduler) after its first invocation for a maximum of five minutes. If another transaction request arrives within five minutes, this already active transaction program processes the request. It will terminate after five minutes of inactivity.

VIMSERVM is the preferred transaction program to use, since it makes response on subsequent requests much quicker.

VIMSERV is a standard APPC/MVS transaction program. Each transaction request passes through initialization and termination. If request activity is low, you may wish to use this transaction program instead, since the address space is active only when a request is being processed.

Please refer to the VIMAPPC member in the Administrator sample library.

APPC/MVS must have at least one LU (Logical Unit) that can act as a server. If Distributed Identity Manager is used from TSO, there must be an APPC/MVS LU defined to act as a client LU. The client LU is denoted by the BASE keyword on the APPC/MVS LUADD statement. If an installation already has a BASE LU defined to APPC/MVS, this existing LU may be used rather than creating a separate one for this specific application.

Distributed Identity Manager uses the Address Space Scheduler (ASCH) for running the server transaction. This must be noted on the LUADD statement. Please refer to the APPC/MVS Logical Unit definition example that follows.

Example of APPC/MVS Logical Unit Definitions

/********************************************************************/
/*                                                                  */
/*                                                                  */
/********************************************************************/
SIDEINFO DATASET(SYS1.APPCSI)
LUADD ACBNAME(AVIPQA1) SCHED(ASCH) BASE TPDATA(SYS1.APPCTP) TPLEVEL(USER)

A transaction class must be defined to the Address Space Scheduler, since it is used for running transactions. Please refer to the APPC/MVS Address space scheduler example that follows.


Example of APPC/MVS Address Space Scheduler Definitions

/*********************************************************************/
/*                                                                   */
/* LIB: SYS1.PARMLIB(ASCHPM00)                                       */
/* GDE: CBIPO MVS INSTALLATION                                       */
/* DOC: THIS PARMLIB MEMBER SETS UP A SCHEDULER CLASS.               */
/*                                                                   */
/* THE ASCH PARMLIB MEMBER IS SPECIFIED ON THE START AND SET         */
/* OPERATOR COMMANDS.                                                */
/*                                                                   */
/*********************************************************************/
OPTIONS DEFAULT(A) SUBSYS(JES2)
TPDEFAULT REGION(4M) TIME(20) MSGLEVEL(1,1) OUTCLASS(X)
CLASSADD CLASSNAME(A) MSGLIMIT(10000) MAX(10) MIN(1) RESPGOAL(.1)

Example of APPC/MVS Transaction Program Definitions

//VIMAPPC  JOB ACCT,YOUNG,CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
. . .
//APPCUTIL EXEC PGM=ATBSDFMU,REGION=0K
//SYSPRINT DD SYSOUT=*
//SYSSDLIB DD DSN=<APPCTP>,DISP=SHR
//SYSSDOUT DD SYSOUT=*
//SYSIN    DD DATA,DLM='#1'
  TPDELETE TPNAME(VIMSERV) SYSTEM
  TPDELETE TPNAME(VIMSERVM) SYSTEM
  TPADD TPNAME(VIMSERV) SYSTEM ACTIVE(YES)
        TPSCHED_DELIMITER(##2)
    KEEP_MESSAGE_LOG(ERROR)
    CLASS(<A>)
    JCL_DELIMITER(###3)
//VIMSERV  JOB
//SINGLE   EXEC PGM=IKJEFT01,REGION=4M,PARM=V
//STEPLIB  DD DISP=SHR,DSN=<VANLOAD>
//VIPOPTS  DD DISP=SHR,DSN=<VANOPTS>
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSPRT DD DUMMY
//SYSTSIN  DD DUMMY
###3
##2
  TPADD TPNAME(VIMSERVM) SYSTEM ACTIVE(YES)
        TPSCHED_DELIMITER(##4)
    GENERIC_ID(<VIMADMIN>)
    TPSCHED_TYPE(MULTI_TRANS)
    KEEP_MESSAGE_LOG(ERROR)
    CLASS(<A>)
    JCL_DELIMITER(###5)
//VIMSERVM JOB
//MULTITRN EXEC PGM=IKJEFT01,REGION=4M,PARM=VRAPWSEM
//STEPLIB  DD DISP=SHR,DSN=<VANLOAD>
//VIPOPTS  DD DISP=SHR,DSN=<VANOPTS>
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSPRT DD DUMMY
//SYSTSIN  DD DUMMY
###5
##4
#1

Installation Verification


To verify proper installation, you must exercise the TSO and CICS client programs. This will verify several aspects of the installation:

• End to end connectivity from a TSO and/or CICS client to an APPC/MVS server.

• End to end security from client environment to APPC/MVS.

• The VRATPMAP is properly built (see Appendix C. VRATPMAP Configuration Module).

• Program definitions have been done properly.

• Programs have been properly installed.

CICS

Before starting verification, ensure that the CICS region is started and that the CICS connection(s) to APPC/MVS are in ACQUIRED state.

• Connect to the CICS region where Distributed Identity Manager is installed

• Sign on with the CESN transaction using a valid RACF User ID and password.

• Invoke the VIM transaction. The main Identity Manager screen should be displayed.

• Enter a valid RACF User ID in the User ID to process field. Enter a y in the List Userid field.

• Press the enter key. A default RACF database ID should appear in the RACF Database ID field. If it is correct, press enter again to execute the request.

• Either the request will successfully complete and display the requested user’s information, or it will fail with an error.

• If an error occurs, look up the message returned in the messages manual and take the indicated action.

It may be helpful to enable tracing within Distributed Identity Manager. This is done with the VIMDEBUG(Y) keyword and operand specified in the VRAOPT00 member of your VANOPTS options library. This will provide detailed information from the APPC/MVS transaction and the output should be available in the SYSOUT queue.

If verification fails and you require further assistance, please contact Vanguard Technical Support.


TSO

You must sign on with a TSO User ID that has proper RACF authority to execute the Administrator's Identity Manager. This User ID must also exist on the host represented by the RACF database ID and have the proper authority to run the Administrator's Identity Manager.

• Enter ISPF and invoke the Vanguard Administrator.

• Invoke the Identity Management function.

• The main Identity Manager screen should be displayed.

• Enter a valid RACF database ID that has been defined in the VRATPMAP configuration load module.

• Enter a valid RACF User ID in the User ID to process field. Enter a y in the List userid field.

• Press the enter key.

• Either the request will successfully complete and display the requested user’s information or it will fail with an error.

• If an error occurs, look up the message returned in the messages manual and take the indicated action.

It may be helpful to enable tracing within Distributed Identity Manager. This is done with the VIMDEBUG(Y) keyword and operand specified in the VRAOPT00 member of your VANOPTS options library. This will provide detailed information from the APPC/MVS transaction and the output should be available in the SYSOUT queue.

If verification fails and you require further assistance, please contact Vanguard Technical Support.


Chapter 7. Automated Command Scheduler

The Automated Command Scheduler (also known as ACS) is a feature of the Administrator that gives RACF administrators the ability to schedule the execution of TSO commands, CLISTs, and REXX EXECs.

ACS uses APPC/MVS to schedule events on the local or a remote MVS system where a licensed copy of Administrator 3.4 or later is installed.

ACS is not a job scheduling system. ACS is a convenient tool that RACF administrators may use to schedule security related commands. ACS provides an environment that is more secure than a system-wide job scheduler.

Reference Documentation

The following IBM manuals were used as references during the development of ACS. You should refer to these manuals during the ACS configuration process for detailed information on the IBM services used by ACS.

APPC/MVS

• MVS Planning: APPC Management

• MVS Programming: Writing TPs for APPC/MVS

Assembler

• High Level Assembler for MVS(R) & VM & VSE Language Reference

Other MVS Manuals

• MVS Planning: Global Resource Serialization

• MVS Initialization and Tuning Reference

TSO/E

• TSO/E Customization

• TSO/E Programming Services


VSAM

• Access Method Services for the Integrated Catalog Facility

VTAM

• Communications Server SNA Resource Definition Reference

• Communications Server SNA Programmers LU 6.2 Guide

• Communications Server SNA Programmers LU 6.2 Reference

• Communications Server IP and SNA Codes

Software Requirements

These prerequisites are assumed to be in place before the installer moves forward:

• The connectivity between the MVS systems involved within the VTAM network has been verified. It is strongly recommended that the communication links between MVS systems are secure.

• APPC/MVS configured and running on all target MVS systems where there is a RACF database. The APPC/MVS configuration must include the APPC/MVS transaction program scheduler (ASCH).

• A resource serialization management protocol, such as IBM's Global Resource Serialization (GRS).

Overview of the Automated Command Scheduler

Use this overview to become familiar with the components of ACS and the process of executing commands using ACS. Use the following diagram as a reference for this topic.


[Figure 1. Automated Command Scheduler Overview. Components: Administrator ISPF Dialog, CVSAM data set, ACS Started Task (periodic scan and selection), ACS TP running under APPC/MVS ASCH, Security Server (RACF) Database, VRALOG SYSOUT File. Flows: CMD and CMD RESPONSE between the dialog and CVSAM; RACF CMD and CMD RESPONSE between the ACS TP and RACF; STORE CMD RESPONSE back into CVSAM.]


ACS consists of the following five (5) components:

• Administrator ISPF dialog (main menu option 5)

• CVSAM VSAM KSDS data set

• ACS started task

• ACS transaction program (TP)

• VRALOG SYSOUT file

Administrator ISPF Dialog

The Administrator ISPF dialog is the user interface to ACS. The ISPF dialog allows security administrators to add, display, hold, release and delete commands in the CVSAM data set. ACS groups commands into events. An event can consist of one or more commands. For details on using the ACS ISPF dialog, see Chapter 6. Automated Command Scheduler in the Vanguard Administrator User Guide.

CVSAM VSAM KSDS Data Set

The CVSAM file is used to store events and the responses to the commands of the events.

Each event that is added to the CVSAM data set is assigned an event identification. The event identification consists of the:

• Event’s scheduled date and time

• RACF User ID of the RACF administrator that entered the command

• Unique event sequence number assigned by ACS

Events that are added using the Administrator's command scheduler ISPF dialog contain one TSO command. Events that are added using the VRC VRASCHED ISPF edit command may contain more than one TSO command.

Each response from each command of an event is limited to the first ten (10) lines of output from the command.


ACS Started Task

The ACS started task periodically scans the CVSAM data set for events to be executed. An event is selected for execution when the event’s scheduled date and time have arrived.

When an event is selected, a security environment is created using the USER profile of the RACF user ID that entered the event.

ACS then starts an APPC/MVS conversation with the ACS TP. The conversation is allocated using security type SAME so that APPC/MVS uses the RACF security environment created by ACS. The TP can then access any data or resources that the user is allowed to access.

Each command of the event is sent individually to the ACS TP. All commands of an event are executed, even when one or more of them do not complete as expected; execution ends early only if there is an error within ACS or in the APPC/MVS conversation. As each command completes, the ACS started task stores the messages generated by the command in the CVSAM data set.

When all of the commands of an event have been executed, the APPC/MVS conversation is terminated.

The security environment for this USER profile is deleted, and the ACS started task looks for the next event to be selected.

ACS Transaction Program

The ACS TP is started by the APPC/MVS transaction scheduler, ASCH, when the ACS started task starts a conversation. The ACS TP remains resident as long as commands are being received from the ACS started task. The ACS TP terminates if a command is not received for a period of five minutes. The five-minute value is a function of ASCH and cannot be changed by ACS.

The ACS TP executes each command in the event using the RACF USER class profile of the user that entered the event. Commands are executed in an isolated TSO/E environment under the control of the terminal monitor program, IKJEFT01. When a command is executed on a remote MVS system, the user performing the function must be defined as a valid user on the remote MVS system with the same User ID, and must have the required authorizations on that MVS system to execute the command.


The ACS TP captures the first ten (10) lines of output from the command's execution (fewer if the command produces fewer) and returns them to the ACS started task. If there is no output from the command, the ACS TP generates a default message and sends it to the ACS started task. Limiting the amount of output stored in the CVSAM data set controls the growth of the CVSAM data set. This limitation also discourages the use of ACS for report-type processing, such as the RACF LU (*) command.
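The scan, select and execute cycle described for the ACS started task and ACS TP above, as an added example that is not Vanguard code: the CVSAM data set, the APPC/MVS conversation and the RACF security environment are modelled with plain Python objects, and the default message text, user IDs and canned TP output are constructed assumptions.

```python
"""Simulation of the ACS started task's scan, select and execute cycle.

Added example, not Vanguard code. The event identification (scheduled date
and time, entering user ID, ACS sequence number) and the ten-line response
limit follow this chapter; the default message text, user IDs and the TP's
canned output are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List

MAX_RESPONSE_LINES = 10                             # CVSAM keeps the first ten lines only
DEFAULT_MESSAGE = "*** NO OUTPUT FROM COMMAND ***"  # placeholder for the ACS TP default message


@dataclass(frozen=True)
class EventId:
    """Event identification: scheduled date/time, entering user ID, ACS sequence number."""
    scheduled: datetime
    userid: str
    seq: int


@dataclass
class Event:
    event_id: EventId
    commands: List[str]            # one TSO command (ISPF dialog) or several (VRASCHED)
    status: str = "SCHEDULED"      # SCHEDULED, EXECUTED or ERROR
    responses: List[List[str]] = field(default_factory=list)


class ConversationError(Exception):
    """An error within ACS or the APPC/MVS conversation; the event stops early."""


class CvsamStore:
    """Stand-in for the CVSAM KSDS: events keyed by their event identification."""

    def __init__(self) -> None:
        self._next_seq = 1
        self.events: Dict[EventId, Event] = {}

    def add(self, scheduled: datetime, userid: str, commands: List[str]) -> EventId:
        eid = EventId(scheduled, userid.upper(), self._next_seq)
        self._next_seq += 1
        self.events[eid] = Event(eid, list(commands))
        return eid

    def select(self, now: datetime) -> List[Event]:
        """Events whose scheduled date and time have arrived, oldest first."""
        due = [e for e in self.events.values()
               if e.status == "SCHEDULED" and e.event_id.scheduled <= now]
        return sorted(due, key=lambda e: (e.event_id.scheduled, e.event_id.seq))


def store_response(output: List[str]) -> List[str]:
    """Keep only the first ten lines; substitute the default message when there is none."""
    return output[:MAX_RESPONSE_LINES] if output else [DEFAULT_MESSAGE]


def run_event(event: Event, tp: Callable[[str, str], List[str]]) -> None:
    """Run every command of one event; only an ACS/conversation error ends it early."""
    event.responses = []
    try:
        for cmd in event.commands:   # a failed command does not stop the event
            event.responses.append(store_response(tp(event.event_id.userid, cmd)))
        event.status = "EXECUTED"
    except ConversationError as exc:
        event.responses.append([f"ACS CONVERSATION ERROR: {exc}"])
        event.status = "ERROR"


def scan_cycle(store: CvsamStore, tp: Callable[[str, str], List[str]],
               now: datetime) -> List[EventId]:
    """One periodic scan: select the due events, run each, record the responses."""
    done = []
    for event in store.select(now):   # security environment = the event's entering user
        run_event(event, tp)
        done.append(event.event_id)
    return done


def demo_tp(userid: str, command: str) -> List[str]:
    """Constructed stand-in for the ACS TP with canned output per command verb."""
    verb = command.split()[0]
    if verb == "LU":                  # report-style command: more output than CVSAM keeps
        return [f"USER={userid} OUTPUT LINE {i}" for i in range(1, 15)]
    if verb == "ALU":                 # ALTUSER normally produces no output
        return []
    if verb == "BADCMD":              # constructed failure message; the event continues
        return ["COMMAND BADCMD NOT FOUND"]
    raise ConversationError("APPC/MVS conversation lost")


def demo_scan() -> Dict[str, Event]:
    """Constructed scenario: a due event, a future event and one that loses its conversation."""
    store = CvsamStore()
    t0 = datetime(2004, 9, 29, 8, 0)
    due = store.add(t0, "racfadm", ["LU USER01", "ALU USER01 RESUME", "BADCMD X"])
    future = store.add(datetime(2004, 9, 30, 8, 0), "racfadm", ["ALU USER01 RESUME"])
    lost = store.add(t0, "racfadm", ["ALU USER02 RESUME", "LOSTCONV", "ALU USER03 RESUME"])
    scan_cycle(store, demo_tp, datetime(2004, 9, 29, 9, 0))
    return {"due": store.events[due], "future": store.events[future], "lost": store.events[lost]}
```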

VRALOG SYSOUT File

The VRALOG SYSOUT file contains a journal of the ACS started task’s activity. This activity includes ACS started task initialization and termination messages, events that are selected for execution, ACS status and error messages, and APPC/MVS conversation error messages.

You may restrict the ability to view the VRALOG SYSOUT file by using the RACF SURROGAT class profile.

The ACS started task’s VRALOG SYSOUT file is irreplaceable as a tool for problem diagnosis, so choose a SYSOUT class, using the ACS_LOG_SYSOUT_CLASS option in the VRAOPTnn member of the options library, that will allow you to keep the log file for several days. The ACS_LOG_MAXLINES option may be used to control the number of lines stored in the VRALOG SYSOUT file before it is automatically closed and a new VRALOG SYSOUT file is started.

Refer to Appendix E. VRALOG SYSOUT File Contents for information about the format of the VRALOG.

ACS Configuration Overview

Configuring an APPC/MVS application is more complex than an application that does not use APPC/MVS because of the steps required to define the communication paths used to connect programs in an APPC/MVS environment. The skills necessary for successful configuration include knowledge of RACF, VSAM, VTAM (including APPC/MVS), GRS, and TSO and how they are configured on your system. Some skill with the IBM HLASM (High Level Assembler) may be required if your configuration will be implementing the VRATPMAP configuration module. Refer to Appendix D. VRATPMAP Configuration Module in this manual for information on coding and installing the VRATPMAP configuration module.

APPC/MVS must be installed and running on the MVS system(s) where ACS will be configured.

The Administrator must be installed and operational before ACS can be configured.


The ACS started task must be active to schedule commands and to execute any scheduled commands. The ACS started task may execute as a started task or a batch job. Vanguard strongly recommends that ACS execute as a started task so that the valuable JES initiator resource is not consumed by this long running task.

A minimum of one CVSAM data set is required for ACS operation. Vanguard recommends that all RACF administrators share a single CVSAM data set.

A minimum of one ACS started task is required for ACS operation. Only one ACS started task can execute on an MVS system. An ACS started task can access only one CVSAM data set. You may define multiple ACS started task-CVSAM data set combinations on a single or on multiple MVS systems. Only one ACS started task-CVSAM data set combination can execute within a GRS ring. You can execute different ACS started task-CVSAM data set combinations on different MVS systems within a GRS ring.

A minimum of one ACS TP is required for each RACF database in the configuration. If more than one MVS system shares a RACF database, select the MVS system where you want the ACS TP to execute and define a RACF database ID for this MVS system. You can execute the ACS TP on all of the MVS systems sharing the RACF database by specifying a unique RACF database ID for each MVS system. Vanguard recommends that you do not execute the ACS TP on all MVS systems for RACF database performance reasons.

Determine the overall configuration that will meet the requirements of your environment. The following diagrams depict three possible environments:

• Single MVS system

• Multiple MVS systems sharing a single RACF database

• Multiple MVS systems and multiple RACF databases.


Configuring ACS for a Single MVS System

A single MVS system is one MVS system image that does not share its RACF database. Figure 2. Configuring ACS for a Single MVS System depicts an environment that has one MVS system and one RACF database. This environment requires one CVSAM data set, one ACS started task, and one ACS TP. (ACS always uses APPC/MVS and the ASCH transaction program scheduler, even in a single system environment.) You do not need to code the VRATPMAP configuration module for this environment.

[Figure 2. Configuring ACS for a Single MVS System. Shown: one MVS system, PROD1, with its Security Server (RACF) database, APPC/MVS, the ACS started task, the ACS TP, one CVSAM data set and three TSO sessions.]

Figure 2. Configuring ACS for a Single MVS System


Configuring ACS for Multiple MVS Systems Using a Single RACF Database

In a multiple-MVS-system configuration using a single RACF database, several MVS system images share a common RACF database. Figure 3. Configuring ACS for Multiple MVS Systems Using a Single RACF Database depicts an environment that has three MVS systems and one RACF database. This environment requires a minimum of one CVSAM data set, one ACS started task, and one ACS TP. You are not required to code the VRATPMAP configuration module for this environment.

[Figure 3. Configuring ACS for Multiple MVS Systems Using a Single RACF Database. Shown: three MVS systems, PROD1, PROD2 and TEST1, sharing one Security Server (RACF) database, with one APPC/MVS, one ACS started task, one ACS TP, one CVSAM data set and TSO sessions on each system.]

Figure 3. Configuring ACS for Multiple MVS Systems Using a Single RACF Database


Configuring ACS for Multiple MVS Systems with Multiple RACF Databases

In a multiple-MVS-system configuration using multiple RACF databases, the MVS system images do not all share a common RACF database. Figure 4. Configuring ACS for Multiple MVS Systems Using Multiple RACF Databases depicts an environment that has four MVS systems and two RACF databases. This environment requires a set of one CVSAM data set, one ACS started task, and one ACS TP for each MVS system where events will be executed. The MVS systems may be in the same or different geographic locations.

The VRATPMAP is required if commands entered into the CVSAM data set from the:

• PROD1, PROD2, and/or TEST1 system are to be executed for the RACF database on the PROD7 system,

or

• PROD7 system is to be executed for the RACF database on the PROD1 system.

If you do not have a requirement to schedule events on one MVS system and execute them on another MVS system, a VRATPMAP configuration module is not required.

[Figure 4. Configuring ACS for Multiple MVS Systems Using Multiple RACF Databases. Shown: MVS systems PROD1, PROD2 and TEST1 sharing one Security Server (RACF) database, with APPC/MVS, an ACS started task, an ACS TP, a CVSAM data set and TSO sessions; and MVS system PROD7 with its own Security Server (RACF) database, APPC/MVS, ACS started task, ACS TP, CVSAM data set and TSO sessions.]

Figure 4. Configuring ACS for Multiple MVS Systems Using Multiple RACF Databases


ACS Configuration Tasks

The ACS configuration tasks are designed to meet the Vanguard requirements for using ACS in a production environment. Your installation may have other requirements for APPC/MVS applications, including the use of profiles in the following classes:

• APPCPORT

• APPCSI

• APPCTP

• APPL

• VTAMAPPL

Table 20. ACS Configuration Checklist may be used to keep track of your progress in configuring ACS.

The column labeled Configuration Task lists the tasks needed to complete the configuration of ACS. The tasks are listed in the sequence that they should be completed. Some of these tasks are optional.

The column labeled Page contains the page number where you can find the details for that configuration task.

The column labeled Skill(s) lists the skill(s) required to successfully complete the task. Table 19. ACS Configuration Skills contains a brief description of the knowledge needed for each skill.

Skill   Knowledge

HLASM   The person(s) should have a working knowledge of IBM’s High Level Assembler Language.

RACF    The person(s) should have a working knowledge of the commands used to define and alter information in the RACF database at your installation. The person’s RACF user ID must have the RACF SPECIAL attribute.

VTAM    The person(s) should have a working knowledge of the commands and definition statements used to configure VTAM and APPC/MVS at your installation.

Table 19. ACS Configuration Skills

The column labeled Reference Name contains the resource’s name used in this chapter and in the VANSAMP library members referenced in this chapter. The resource’s name appears on the row of the checklist of the configuration task where the name is defined.

Use the column labeled Defined Name to enter the name you selected for the resource.


The column labeled VANSAMP Example contains a member name of the VANSAMP library that contains an example that is supplied by Vanguard for that configuration task.

Configuration Task                                          Page  Skill(s)     Reference Name                              Defined Name  VANSAMP Example

Step 1: Inventory the Network.                              117   RACF, VTAM   NETID, APPCTPDSN
Step 2: Define the RACF Database ID(s).                     118   RACF, VTAM
Step 3: Propagate RACF Administrator User IDs.              118   RACF
Step 4: Define a User ID for the ACS Started Task.          119   RACF         ACSTASKUID
Step 5: Define a User ID for the ACS TP.                    119   RACF         ACSTPUSERID
Step 6: Define Logon Mode Table.                            120   VTAM         #BATCHSC
Step 7: Define an ACS VTAM Application Program Major Node.  120   VTAM         ACSVTAM
Step 8: Define the ACS LUs to VTAM.                         121   VTAM         ACSLUSTC, ACSLUTP                                         ACSVTAM
Step 9: Define the ACS LUs to APPC/MVS.                     122   VTAM                                                                   ACSLUADD
Step 10: Define ACS TP Transaction Class.                   123   VTAM         ACSTPCLASS                                                ACSCLASS
Step 11: Define ACS APPC/MVS TP.                            124   RACF, VTAM   ACSTPNAME                                                 ACSAPPC
Step 12: Define CVSAM Data Set.                             126   VSAM         CVSAMCLUSTER                                              CVSAMDEF
Step 13: Define VRATPMAP Configuration Module.              127   VTAM, HLASM
Step 14: Add ACS Started Task JCL.                          127   RACF         ACSTASK, LOGCLASS, TRACECLASS, DUMPCLASS                  ACSTASK
Step 15: Update VRAOPT00 Options.                           129   RACF
Step 16: Define APPCLU Profiles.                            130   RACF, VTAM   SESSIONKEY, SESSKEYINTVL                                  ACSRDEFA
Step 17: Control Access to the ACS TP Error Log.            131   RACF
Step 18: Control Access to the CVSAM Data Set.              132   RACF
Step 19: Control Access to ACS Started Task Execution.      132   RACF                                                                   ACSRDEFF
Step 20: Dynamically Update RACF, VTAM and APPC/MVS.        132   RACF

Table 20. ACS Configuration Checklist

Step 1: Inventory the Network.

Determine your VTAM network ID. This value is referred to as the NETID throughout this chapter. You can determine the network ID by using the MVS DISPLAY NET,VTAMOPTS command. The current value of the VTAM NETID is listed in the command’s response.

Determine the name of the APPC/MVS TP profile data set on each MVS system. The name of the TP profile data set is referred to as APPCTPDSN throughout this chapter. You can determine the name of the TP profile data set by using the MVS DISPLAY APPC,LU,ALL command. The names of the TP profile data sets in use are returned in the TPDATA= parameter in the command’s response.

Count the number of MVS systems in your VTAM network. Then count the number of RACF databases in your VTAM network. (More than one MVS system may share a RACF database.) Now determine which RACF database(s) you want in the ACS configuration. The number of RACF databases in the ACS configuration is the number of RACF database IDs you will need.


Step 2: Define the RACF Database ID(s).

The Administrator uses a construct called a RACF database ID to aid in the configuration and use of ACS. The RACF database ID relates a RACF database on an MVS system to that MVS system’s destination APPC/MVS LU name. This provides a convenient method for the RACF administrator to identify where an event is to be executed without having to know the APPC/MVS LU names that make up the connection to that MVS system.

If there is only one RACF database, you do not have to define a RACF database ID regardless of the number of MVS systems that share that RACF database. The system provides the default RACF database ID LOCAL. The VRATPMAP configuration module is not required for this configuration.

If there is more than one RACF database, then define a RACF database ID for each RACF database and create a worksheet for each RACF database ID. Choose a 1 to 8-character name for each RACF database in the configuration. The name can consist of the characters A to Z, the numbers 0 to 9, and the national characters @, #, and $. Do not use LOCAL for a RACF database ID. RACF database ID LOCAL is reserved for ACS.

As a suggestion, use the value of the SYSNAME= parameter from member IEASYSnn or member IEASYMnn of the MVS PARMLIB data set, or the SID() parameter from member SMFPRMnn of the PARMLIB data set, as an MVS system’s RACF database ID. You can determine the names of the MVS PARMLIB data set(s) of the PARMLIB concatenation on each MVS system by using the MVS DISPLAY PARMLIB command. The command lists the data sets in member name search order. To review an example, see member VPWTPMAP in the Vanguard Sample Library (VANSAMP).

Step 3: Propagate RACF Administrator User IDs.

Ensure that all RACF administrators who use ACS have the same User ID defined on all the MVS systems where commands may be executed. Also, be sure that all of the User IDs have the proper RACF authorities and attributes to perform the commands that will be scheduled.

If there is only one RACF database, you do not have to propagate RACF User IDs.


Step 4: Define a User ID for the ACS Started Task.

The ACS started task’s user ID is referred to as ACSTASKUID throughout this chapter. You may choose any RACF User ID for your configuration. An ACSTASKUID user ID is required on each MVS system where the ACS started task will run.

User ID ACSTASKUID does not require any special RACF attributes or authorities. User ID ACSTASKUID may be defined with the RESTRICTED and NOPASSWORD attributes. User ID ACSTASKUID requires the following permissions:

• READ access to the VRA$.ACSTASK profile in the FACILITY class (see Step 19).

• CONTROL access to the CVSAM data set (see Step 12).

• READ access to the OPTIONS data set, VANOPTS

• EXECUTE access to programs in the Administrator load library, VANLOAD

Step 5: Define a User ID for the ACS TP.

The ACS TP’s user ID is referred to as ACSTPUSERID throughout this chapter. You may choose any RACF User ID for your configuration. An ACSTPUSERID user ID is required on each MVS system where the ACS TP will run.

User ID ACSTPUSERID is only used by APPC/MVS during ACS TP initialization. It is not used to execute any commands. The IBM APPC/MVS manuals refer to this user ID as a TP’s generic user ID. User ID ACSTPUSERID does not require any special RACF attributes or authorities.

User ID ACSTPUSERID requires the following permissions:

• ALTER access to the APPC/MVS error log (see Step 17).

• READ access to the Administrator OPTIONS data set, VANOPTS.

• EXECUTE access to programs in the Administrator load library, VANLOAD.

Note: Do not assign the RESTRICTED attribute to the ACS TP’s user ID.


Step 6: Define Logon Mode Table.

Vanguard recommends that you use the IBM-supplied logon mode table, #BATCHSC. #BATCHSC is a part of the ISTINCLM member of the VTAMLIB. #BATCHSC is defined as: An APPN COS for LU-LU sessions that specifies a general batch-oriented COS that uses low transmission priority, and for which high bandwidth and low cost are considered more important than short delay. A minimum security level is required.

You may choose another logon mode table for your configuration. The type of traffic that ACS creates is considered to be batch oriented with basic security requirements. An ACS started task will send a request to the ACS TP that will consist of no more than 320 bytes. The response from the ACS TP will be no larger than 16384 bytes.

Verify route availability between the communication end-points.

Step 7: Define an ACS VTAM Application Program Major Node.

Vanguard recommends that you create a separate VTAM application program major node for ACS. The VTAM major node for ACS is referred to as ACSVTAM throughout this chapter. You may choose any VTAM major node name that will conform to your installation’s naming standard.

VTAM major nodes are defined in members of the VTAMLST data set. You can find the data set name(s) of the VTAMLST from the MVS JCL DD statement VTAMLST in the procedure used to start VTAM. Be sure to get the data set name(s) from the VTAM procedure on each MVS system in the ACS configuration. The name of the procedure used to execute VTAM was determined when VTAM was configured.

Add entry ACSVTAM in member ATCCONnn of the MVS VTAMLST data set to define the ACSVTAM VTAM major node. Member ATCCONnn is the configuration list specified at VTAM startup. The value of nn is the value specified in the CONFIG= operand of the VTAM START command.

A VTAM major node is needed on each system where the ACS started task and/or ACS TP will execute. The ACS VTAM major node contains a set of two VTAM APPL statements for each ACS started task and ACS TP pair as described in Step 8.


Step 8: Define the ACS LUs to VTAM.

The VTAM LU name for the ACS started task is referred to as ACSLUSTC and the VTAM LU name for the ACS TP is referred to as ACSLUTP throughout this chapter. Choose any valid LU name that will conform to your installation’s naming standard. The ACBNAME= parameter of the VTAM APPL statement must be the same as the LU name in order for APPC/MVS to operate properly.

The VTAM APPL definitions for ACS can be added to the ACSVTAM VTAM major node created in Step 7, or added to an existing VTAM major node. VTAM major nodes are defined as members of the VTAMLST data set. You can find the data set name(s) of the VTAMLST from the MVS JCL DD statement VTAMLST in the procedure used to start VTAM. Be sure to get the data set name(s) from the VTAM procedure on each MVS system in the ACS configuration. The name of the procedure used to execute VTAM was determined when VTAM was configured on each MVS system.

Member ACSVTAM in the VANSAMP library contains an example of the VTAM APPL statements needed to define the VTAM application program major node for ACS. Both APPL statements must specify VERIFY=REQUIRED and SECACPT=ALREADYV. Refer to the figure below as a reference for the example. The variables listed in the table below must be replaced with the names you chose before the example can be executed.

Variable       Description

<ACSLUSTC>     ACS started task's LU and ACBNAME

<ACSLUTP>      ACS APPC/MVS TP LU and ACBNAME

Table 21. Variables for Example ACSVTAM


           VBUILD TYPE=APPL
<ACSLUSTC> APPL ACBNAME=<ACSLUSTC>,                                    *
               APPC=YES,                                               *
               AUTOSES=0,                                              *
               DDRAINL=NALLOW,                                         *
               DLOGMOD=#BATCHSC,                                       *
               DMINWNL=10,                                             *
               DMINWNR=10,                                             *
               DRESPL=NALLOW,                                          *
               DSESLIM=20,                                             *
               LMDENT=19,                                              *
               MODETAB=ISTINCLM,                                       *
               PARSESS=YES,                                            *
               SECACPT=ALREADYV,                                       *
               SRBEXIT=YES,                                            *
               VERIFY=REQUIRED,                                        *
               VPACING=7
*
<ACSLUTP>  APPL ACBNAME=<ACSLUTP>,                                     *
               APPC=YES,                                               *
               AUTOSES=0,                                              *
               DDRAINL=NALLOW,                                         *
               DLOGMOD=#BATCHSC,                                       *
               DMINWNL=10,                                             *
               DMINWNR=10,                                             *
               DRESPL=NALLOW,                                          *
               DSESLIM=20,                                             *
               LMDENT=19,                                              *
               MODETAB=ISTINCLM,                                       *
               PARSESS=YES,                                            *
               SECACPT=ALREADYV,                                       *
               SRBEXIT=YES,                                            *
               VERIFY=REQUIRED,                                        *
               VPACING=7

Figure 5. ACSVTAM – VTAM Application Program Major Node APPL Definition

Step 9: Define the ACS LUs to APPC/MVS.

The APPC/MVS LU names for the ACS started task and ACS TP were defined in Step 8. The APPC/MVS LU name for the ACS started task is ACSLUSTC. The APPC/MVS LU name for the ACS TP is ACSLUTP.

APPC/MVS LUs are defined in member APPCPMnn of the MVS PARMLIB with an LUADD statement. The value of nn is the value specified on the APPC= parameter of the MVS START command used to start APPC. You can determine the names of the MVS PARMLIB data set(s) of the PARMLIB concatenation on each MVS system by using the MVS DISPLAY PARMLIB command. The command lists the data sets in member name search order.

The LUADD statement for ACSLUSTC must specify NOSCHED and NONQN.

The LUADD statement for ACSLUTP must specify SCHED(ASCH) and NONQN.

Member ACSLUADD in the VANSAMP library contains the following example of the APPC/MVS LU definitions. Refer to the definition example below as a reference. The variables listed in Table 22. Variables for Example ACSLUADD below must be replaced with the names you chose before the example can be executed.

Variable       Description

<ACSLUSTC>     ACS started task's LU and ACBNAME

<ACSLUTP>      ACS APPC/MVS TP LU and ACBNAME

<APPCTPDSN>    The name of the TP profile data set.

Table 22. Variables for Example ACSLUADD

ACSLUADD – APPC/MVS LU Definition Example

LUADD ACBNAME(<ACSLUSTC>) TPDATA(<APPCTPDSN>) NOSCHED NONQN TPLEVEL(SYSTEM)
LUADD ACBNAME(<ACSLUTP>) TPDATA(<APPCTPDSN>) SCHED(ASCH) NONQN TPLEVEL(SYSTEM)
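A configuration check for the requirements stated in Step 8 and Step 9 (ACBNAME= equal to the LU name, VERIFY=REQUIRED and SECACPT=ALREADYV on both APPL statements, NOSCHED NONQN on the started task LUADD and SCHED(ASCH) NONQN on the TP LUADD), as an added example that is not Vanguard code. The LU names ACSSTC01 and ACSTP01, the TPDATA data set name and the sample VTAMLST and APPCPMnn text are constructed; the sample deliberately contains two deviations so the check has something to report.

```python
"""Audit of ACS VTAM APPL and APPC/MVS LUADD definitions (Steps 8 and 9).

Added example, not Vanguard code. Parses VTAMLST APPL statements (label in
column 1, comma-separated operands, trailing "*" = continuation) and APPCPMnn
LUADD statements, then reports every requirement of Steps 8 and 9 that the
definitions miss. LU names, TPDATA name and sample members are constructed.
"""
import re
from typing import Dict, List

SAMPLE_VTAMLST = """\
         VBUILD TYPE=APPL
ACSSTC01 APPL  ACBNAME=ACSSTC01,APPC=YES,AUTOSES=0,DLOGMOD=#BATCHSC,        *
               MODETAB=ISTINCLM,PARSESS=YES,SECACPT=ALREADYV,               *
               VERIFY=REQUIRED,VPACING=7
*
ACSTP01  APPL  ACBNAME=ACSTP01,APPC=YES,AUTOSES=0,DLOGMOD=#BATCHSC,         *
               MODETAB=ISTINCLM,PARSESS=YES,SECACPT=CONV,                   *
               VERIFY=REQUIRED,VPACING=7
"""

SAMPLE_APPCPM = """\
LUADD ACBNAME(ACSSTC01) TPDATA(SYS1.APPCTP) NOSCHED NONQN TPLEVEL(SYSTEM)
LUADD ACBNAME(ACSTP01)  TPDATA(SYS1.APPCTP) SCHED(ASCH) TPLEVEL(SYSTEM)
"""


def parse_vtam_appls(text: str) -> Dict[str, Dict[str, str]]:
    """Return {LU label: {operand: value}} for every APPL statement in a major node."""
    appls: Dict[str, Dict[str, str]] = {}
    label = None            # label of the APPL statement being collected, if any
    continued = False       # previous line carried a continuation mark
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("*"):        # blank line or column-1 comment
            continue
        cont = line.endswith("*")                   # continuation mark (column 72 in VTAMLST)
        body = line[:-1].rstrip() if cont else line
        if continued:
            operands = body.strip()
        else:
            parts = body.split(None, 2)
            if parts[0] == "VBUILD" or len(parts) < 2 or parts[1] != "APPL":
                label, operands = None, ""          # not an APPL statement
            else:
                label, operands = parts[0], (parts[2] if len(parts) > 2 else "")
                appls[label] = {}
        if label:
            for item in filter(None, (s.strip() for s in operands.split(","))):
                key, _, value = item.partition("=")
                appls[label][key] = value
        continued = cont
    return appls


def parse_luadds(text: str) -> Dict[str, Dict[str, str]]:
    """Return {ACBNAME: {keyword: value}} for every LUADD statement (no value -> "")."""
    flat = " ".join(text.split())
    luadds: Dict[str, Dict[str, str]] = {}
    for stmt in re.findall(r"LUADD\b(.*?)(?=\bLUADD\b|$)", flat):
        kw = dict(re.findall(r"([A-Z]+)(?:\(([^)]*)\))?", stmt))
        luadds[kw.get("ACBNAME", "")] = kw
    return luadds


def audit_acs_lus(vtamlst: str, appcpm: str, stc_lu: str, tp_lu: str) -> List[str]:
    """One finding per requirement of Steps 8 and 9 that the definitions do not meet."""
    findings: List[str] = []
    appls = parse_vtam_appls(vtamlst)
    for lu in (stc_lu, tp_lu):
        ops = appls.get(lu)
        if ops is None:
            findings.append(f"{lu}: no APPL statement in the VTAM major node")
            continue
        if ops.get("ACBNAME") != lu:
            findings.append(f"{lu}: ACBNAME={ops.get('ACBNAME')} differs from the LU name")
        if ops.get("APPC") != "YES":
            findings.append(f"{lu}: APPC=YES is required")
        if ops.get("VERIFY") != "REQUIRED":
            findings.append(f"{lu}: VERIFY={ops.get('VERIFY')}, VERIFY=REQUIRED expected")
        if ops.get("SECACPT") != "ALREADYV":
            findings.append(f"{lu}: SECACPT={ops.get('SECACPT')}, SECACPT=ALREADYV expected")
    luadds = parse_luadds(appcpm)
    for lu, needed in ((stc_lu, {"NOSCHED", "NONQN"}), (tp_lu, {"NONQN"})):
        kw = luadds.get(lu)
        if kw is None:
            findings.append(f"{lu}: no LUADD statement in APPCPMnn")
            continue
        for key in sorted(needed - set(kw)):
            findings.append(f"{lu}: LUADD lacks {key}")
        if lu == tp_lu and kw.get("SCHED") != "ASCH":
            findings.append(f"{lu}: LUADD must specify SCHED(ASCH)")
    return findings
```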

Step 10: Define ACS TP Transaction Class.

The ACS TP transaction class name is referred to as ACSTPCLASS throughout this chapter. Choose any transaction class name that will conform to your installation’s naming standard, or choose an existing transaction class for use by ACS.

APPC/MVS transaction classes are defined in member ASCHPMxx of the MVS PARMLIB. You can determine the names of the MVS PARMLIB data set(s) of the PARMLIB concatenation on each MVS system by using the MVS DISPLAY PARMLIB command. The command lists the data sets in member name search order.

Use the following parameters of the CLASSADD statement to define the scheduling characteristics of the transaction class for the ACS TP. If you decide to use an existing transaction class, be sure that the minimum scheduling characteristics are satisfied.

CLASSNAME: Choose a valid APPC/MVS TP class name.

MAX: Vanguard recommends one (1) transaction initiator per ACS started task.

MIN: Vanguard recommends a value of one (1).

RESPGOAL: Vanguard recommends a value of five seconds (5).

MSGLIMIT: Vanguard recommends a value of one hundred (100) to begin with.

Member ACSCLASS in the VANSAMP library contains the following example of the APPC/MVS transaction class definition. Refer to the figure below as a reference for the example. The variable listed in Table 23. Variable for Example ACSCLASS below must be replaced with the name you chose before the example can be executed.


Variable       Description

<ACSTPCLASS>   The TP transaction class.

Table 23. Variable for Example ACSCLASS

ACSCLASS – APPC/MVS TP Class Definition Example

CLASSADD CLASSNAME(<ACSTPCLASS>) MSGLIMIT(100) MAX(10) MIN(1) RESPGOAL(5)

Step 11: Define ACS APPC/MVS TP.

The ACS APPC/MVS TP name is referred to as ACSTPNAME throughout this chapter. Choose any TP name that will conform to your installation’s naming standard.

APPC/MVS TP profiles are defined in the APPC/MVS TP profile data set. This is the data set name assigned to variable <APPCTPDSN> in Step 1.

The IBM ATBSDFMU utility is used to define APPC/MVS TPs. The functions of the IBM ATBSDFMU utility are controlled by profiles in the RACF DATASET, FACILITY, PROGRAM, APPCTP, and APPCSI classes. Refer to topic Controlling User Access to TP Profiles and Side Information on MVS in the IBM MVS Planning: APPC/MVS Management manual before attempting to execute this utility.

The following RACF commands are the minimum commands necessary to allow you to use the ATBSDFMU utility. Replace the variable <ACSTPUSERID> with the name you chose.

RDEFINE FACILITY APPCMVS.TP.MULTI.<ACSTPUSERID> UACC(NONE)
PERMIT APPCMVS.TP.MULTI.<ACSTPUSERID> CLASS(FACILITY) +
       ACCESS(UPDATE) ID(yourid)
SETROPTS RACLIST (FACILITY) REFRESH

The first RDEFINE prevents everyone from running the ATBSDFMU utility for the ACS APPC/MVS TP. Before using the first RDEFINE, make sure that you will not be undercutting an existing profile. The second RDEFINE and PERMIT will allow the RACF User ID yourid to use the ATBSDFMU utility to define the TPUSERID multi-transaction TP. The value of yourid is your RACF User ID.

Member ACSAPPC of the VANSAMP library contains the following example of the APPC/MVS TP definitions. Refer to the definition example below as a reference. Execute the example job on each MVS system where an ACS TP will execute. The variables, listed in Table 24. Variables for Example ACSAPPC below, must be replaced with the names you chose before the example can be executed.

Table 24. Variables for Example ACSAPPC

Variable        Description
<VANLOAD>       The name of the Administrator load library.
<VANOPTS>       The name of the Vanguard Options library.
<ACSTPNAME>     The ACS TP name.
<ACSTPUSERID>   The ACS TP user ID.
<ACSTPCLASS>    The ACS TP transaction class.
<APPCTPDSN>     The MVS TP profile data set.

The first time you run this job, the TPDELETE statement will fail, causing the job to end with a return code of 8.

ACSAPPC – APPC/MVS TP Definition Example

//ACSAPPC  JOB ,'ACSAPPC'
//APPCUTIL EXEC PGM=ATBSDFMU,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSSDLIB DD DISP=SHR,DSN=<APPCTPDSN>
//SYSSDOUT DD SYSOUT=*
//SYSIN    DD DATA,DLM='#1'
  TPDELETE TPNAME(<ACSTPNAME>) SYSTEM
  TPADD    TPNAME(<ACSTPNAME>) SYSTEM ACTIVE(YES)
           TPSCHED_DELIMITER(##4)
             GENERIC_ID(<ACSTPUSERID>)
             TPSCHED_TYPE(MULTI_TRANS)
             KEEP_MESSAGE_LOG(ERROR)
             CLASS(<ACSTPCLASS>)
             JCL_DELIMITER(###5)
//<ACSTPNAME> JOB ,'ACS TP'
//VRAAJSRV EXEC PGM=IKJEFT01,REGION=4M,PARM=VRAAJSRV
//STEPLIB  DD DISP=SHR,DSN=<VANLOAD>
//VIPOPTS  DD DISP=SHR,DSN=<VANOPTS>
//VIPWORK  DD UNIT=VIO,SPACE=(TRK,(2,5)),
//            DCB=(BLKSIZE=14497,LRECL=133,BUFNO=21,RECFM=FB)
//VRALOG   DD SYSOUT=*
//SRVTRACE DD SYSOUT=*
//CMDTRACE DD SYSOUT=*
//ATPTRACE DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSPRINT DD DUMMY,DCB=(BLKSIZE=14497,LRECL=133,BUFNO=1)
//SYSTSPRT DD DUMMY,DCB=(BLKSIZE=14497,LRECL=133,BUFNO=1)
//SYSTSIN  DD DUMMY
###5
##4
#1


Step 12: Define CVSAM Data Set.

The CVSAM data set is referred to as CVSAMCLUSTER throughout this chapter. Choose any data set name that conforms to your installation’s naming standard.

ACS only supports SHAREOPTIONS(2 3) for the CVSAM data set. Cross-region share option 2 allows any number of users to access the CVSAM data set for read processing, but only one user at a time for update access. This SHAREOPTION strategy provides maximum protection against accidental, non-ACS concurrent updates of the CVSAM data set when the CVSAM data set is defined on a shared device.

ACS also uses the MVS ENQ/DEQ services to serialize update access to the CVSAM data set so that only one Administrator task can update the CVSAM data set at a time. The ENQ/DEQ qname is VANGUARD. The ENQ/DEQ rname is the VSAM CLUSTER name. DO NOT add the ACS CVSAM data set's qname and rname to the Global Resource Sharing (GRS) SYSTEMS exclusion list. The qname and rname are given for information purposes only.

Member CVSAMDEF of the VANSAMP library contains the following example to define a CVSAM data set. The variables listed in Table 25. Variables for Example CVSAMDEF below must be replaced with the names you chose before the example can be executed.

Table 25. Variables for Example CVSAMDEF

Variable          Description
<VANLOAD>         The name of the Administrator load library.
<VANOPTS>         The name of the Administrator options library.
<CVSAMCLUSTER>    The name of the CVSAM CLUSTER.
<PRIMARY>         The number of cylinders for the CVSAM CLUSTER's primary allocation.
<SECONDARY>       The number of cylinders for the CVSAM CLUSTER's secondary allocation.
<VOLSER>          The volume serial number to use for the CVSAM CLUSTER allocation.

Vanguard recommends minimum values of five (5) cylinders for the primary and two (2) cylinders for the secondary. The actual size of the CVSAM data set will depend on the number of scheduled commands and the amount of output from each command and the frequency that you delete information from the CVSAM data set.

CVSAMDEF – CVSAM Cluster Definition Example

//CVSAMDEF JOB ,'CVSAMDEF'
//STEP01   EXEC PGM=IDCAMS,REGION=2M
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  DELETE <CVSAMCLUSTER> CLUSTER
  SET LASTCC = 0
  SET MAXCC = 0
  DEFINE CLUSTER (NAME(<CVSAMCLUSTER>) -
         CYL(<PRIMARY> <SECONDARY>) -
         KEYS(26 0) -
         INDEXED -
         RECORDSIZE(148 16380) -
         VOLUME(<VOLSER>) -
         SHAREOPTIONS(2 3) -
         BUFFERSPACE(102400) -
         SPEED -
         REUSE -
         IMBED -
         NOERASE -
         NOREPLICATE) -
    INDEX (NAME(<CVSAMCLUSTER>.INDEX) -
         CISZ(4096)) -
    DATA (NAME(<CVSAMCLUSTER>.DATA) -
         CISZ(20480))
//STEP02   EXEC PGM=VRAAJCIA,REGION=2M
//STEPLIB  DD DISP=SHR,DSN=<VANLOAD>
//VIPOPTS  DD DISP=SHR,DSN=<VANOPTS>
//CVSAM    DD DISP=SHR,DSN=<CVSAMCLUSTER>
//VRALOG   DD SYSOUT=*

Step 13: Define VRATPMAP Configuration Module.

This configuration step is optional. A VRATPMAP configuration module is only required when you wish to enter events on one MVS system with its own RACF database and execute those commands on another MVS system with its own RACF database. If you have only one RACF database, or your ACS configuration does not require cross-system event execution, you should bypass this step.

The APPC/MVS communications path from the ACS started task to the ACS TP is specified in the VRATPMAP configuration module. Refer to Appendix C. VRATPMAP Configuration Module in this manual, for information on coding and installing the VRATPMAP configuration module. Vanguard’s Distributed Identity Manager also uses the VRATPMAP configuration module.

Note: Be sure to make the VRATPMAP load module available to the RACF administrators’ TSO sessions.

Step 14: Add ACS Started Task JCL to PROCLIB.

The ACS started task’s name is referred to as ACSTASK throughout this chapter. Choose any procedure name that will conform to your installation’s naming standard.

You may have special security requirements for a started task, such as defining profiles in the RACF STARTED class. The following RACF commands are the minimum commands necessary to assign ACSTASKUID as the user ID of ACSTASK when the task is started. Replace the variables <ACSTASK> and <ACSTASKUID> with the names you chose. Replace the variable group with the name of the RACF group assigned to the ACSTASKUID user ID.

RDEFINE STARTED <ACSTASK>.** UACC(NONE) +
        STDATA(USER(<ACSTASKUID>) GROUP(group) +
        TRUSTED(NO) PRIVILEGED(NO) TRACE(YES))
SETROPTS RACLIST (STARTED) REFRESH

For ACS to execute as a started task, the JCL for the procedure must be added as a member of the PROCLIB data set concatenation. For JES2 systems, PROCLIB data set concatenation is defined by the PROC00 MVS JCL DD statement of the procedure used to start JES2.

The ACS started task produces a log SYSOUT file and can also produce dump and/or trace SYSOUT files. The log SYSOUT file is referred to as LOGCLASS. The dump SYSOUT class is referred to as DUMPCLASS. The trace SYSOUT class is referred to as TRACECLASS.

The size of the LOGCLASS files is controlled by the ACS_LOG_MAXLINES VRAOPT00 options. Choose a SYSOUT class that is HELD and kept for a week or more.

The DUMPCLASS and TRACECLASS SYSOUT files can produce a substantial amount of data when they are used. Choose a SYSOUT class that is HELD and the output is not kept for more than a few days.

Member ACSTASK, in the VANSAMP library, contains example JCL to run the ACS started task. Refer to the definition example below as a reference. The variables listed in Table 26. Variables for Example ACSTASK below, must be replaced with the names you chose before the example can be executed.

Table 26. Variables for Example ACSTASK

Variable        Description
<ACSTASK>       The name chosen for the ACS started task.
<VANLOAD>       The name of the Administrator load library.
<VANOPTS>       The name of the Administrator options library.
<DUMPCLASS>     A JES SYSOUT HOLD class for large listings.
<TRACECLASS>    A JES SYSOUT HOLD class.

ACSTASK – ACS Started Task JCL Example

//<ACSTASK> EXEC PGM=VRAAJACS,REGION=4M
//STEPLIB  DD DISP=SHR,DSN=<VANLOAD>
//VIPOPTS  DD DISP=SHR,DSN=<VANOPTS>
//VRALOG   DD SYSOUT=<LOGCLASS>
//SYSABEND DD SYSOUT=<DUMPCLASS>
//ACSTRACE DD SYSOUT=<TRACECLASS>
//ANLTRACE DD SYSOUT=<TRACECLASS>
//MGRTRACE DD SYSOUT=<TRACECLASS>
//CIOTRACE DD SYSOUT=<TRACECLASS>
//ATPTRACE DD SYSOUT=<TRACECLASS>

Step 15: Update VRAOPT00 Options.

Please refer to VRAOPT00 – Administrator Customization Parameters, on page 17, for parameter definitions.

The following options are required for the ACS started task:

• CVSAM_DATA_SET_NAME(<CVSAMCLUSTER>) Replace <CVSAMCLUSTER> with the name you chose for the CVSAM CLUSTER.

• ACS_SMF_RECORD_NUMBER(nnn|NO)

Warning: If you choose NO, you cannot recover the CVSAM data set.

• ACS_APPC_DEFAULT_LOCAL_LU(<ACSLUSTC>) Replace <ACSLUSTC> with the name you chose for the ACS started task’s APPC/MVS LU.

• ACS_APPC_DEFAULT_DEST(<NETID>.<ACSLUTP>) Replace <NETID> with the VTAM network ID. Replace <ACSLUTP> with the name you chose for the ACS TP’s APPC/MVS LU.

• ACS_APPC_TP_NAME(<ACSTPNAME>) Replace <ACSTPNAME> with the name you chose for the ACS TP in Step 11: Define ACS APPC/MVS TP.

The following ACS started task options have default values:

ACS_APPC_ALLOCATE_RETRIES(004)

ACS_APPC_DEFAULT_MODE_NAME(#BATCHSC)

ACS_BYPASS_COMMAND_IF_OLDER_THAN(240000)

ACS_COMMAND_CHECK_INTERVAL(002000)

ACS_LOG_MAXLINES(0)

ACS_LOG_SYSOUT_CLASS(X)

ACS_SUBSYSTEM_NAME(VACS)

DATEFORMAT

TIMESEPARATOR

The ACS TP uses the following option:

• ACS_LOG_SYSOUT_CLASS(X)

Step 16: Define APPCLU Profiles.

Since APPC/MVS is entrusted to carry RACF security requests and responses between the ACS started task and the ACS TP, Vanguard strongly recommends that you implement APPC/MVS session keys as a means to control LU-to-LU access. When VTAM receives requests to establish a session with an LU that has an active session key, VTAM verifies that the requesting LU has a matching session key. If the requesting LU does not have a matching session key, VTAM denies the connection and VTAM and RACF send appropriate messages.

Session keys are defined by adding profiles to the RACF APPCLU class. Be sure that the APPCLU class is active on all MVS systems where the ACS started task and/or ACS TP will execute. Use the following RACF SETROPTS command to activate the APPCLU class.

SETROPTS CLASSACT(APPCLU)

Since ACS defines its APPC/MVS LUs in pairs, the profiles defined in the APPCLU class need to be defined in pairs. An ACS LU pair consists of the ACS started task's LU, ACSLUSTC and the ACS TP's LU, ACSLUTP. Define RACF APPCLU class profiles for all ACS LU pairs in the network on all MVS systems that are defined to the ACS configuration. Specify the same session key for each LU pair. Different session keys may be used for different LU pairs.

The session key is referred to as SESSIONKEY throughout this chapter. Choose a session key for each ACS started task and ACS TP LU pair. A session key can be expressed in two ways:

• SESSION(SESSKEY(X’hex’)), where hex is a 1 to 16-digit hexadecimal number

• SESSION(SESSKEY(’char’)), where char is a 1 to 8-character string

If the entire 16 digits or 8 characters are not used, the field is padded to the right with binary zeros.

The session key interval is referred to as SESSKEYINTVL throughout this chapter. Choose a session key interval for each ACS started task and ACS TP LU pair. The session key interval can be a number from 1 to 32767, but must be equal to or less than the value of the SETROPTS SESSIONINTERVAL option. The SESSIONINTERVAL option is listed as the PARTNER LU-VERIFICATION SESSIONKEY INTERVAL DEFAULT in the response to the SETROPTS LIST command.

Member ACSRDEFA in the VANSAMP library contains example RACF commands necessary to enable LU-to-LU security. Refer to the definition example below as a reference. There are no PERMIT commands needed for APPCLU class profiles. The variables listed in Table 27. Variables for Example ACSRDEFA below must be replaced with the names you chose before the example can be executed.

Table 27. Variables for Example ACSRDEFA

Variable          Description
<NETID>           VTAM's network ID.
<ACSLUSTC>        The name of the ACS started task's VTAM LU application name.
<ACSLUTP>         The name of the ACS TP's VTAM LU application name.
<SESSIONKEY>      The session key for this LU pair.
<SESSKEYINTVL>    The session key interval for this LU pair.

ACSRDEFA – APPC/MVS LU Session Key Definition Example

RDEFINE APPCLU <NETID>.<ACSLUSTC>.<ACSLUTP> +
        SESSION(SESSKEY(<SESSIONKEY>) +
        INTERVAL(<SESSKEYINTVL>)) +
        UACC(NONE)
RDEFINE APPCLU <NETID>.<ACSLUTP>.<ACSLUSTC> +
        SESSION(SESSKEY(<SESSIONKEY>) +
        INTERVAL(<SESSKEYINTVL>)) +
        UACC(NONE)
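The session key rules of this step, as an added Python model that is not Vanguard code: it normalizes a SESSKEY operand in either the X'hex' or the 'char' form to the padded 8-byte key, checks the SESSKEYINTVL bounds, and builds the two RDEFINE APPCLU commands of an LU pair in the ACSRDEFA layout. Encoding the 'char' form in EBCDIC code page 037, padding an odd hex digit count with a zero digit, and every function name are this example's assumptions.

```python
"""Model of the APPCLU session-key rules from Step 16.

Added example, not Vanguard's code.  The X'hex' and 'char' operand forms,
the 16-digit / 8-character limits, the right padding with binary zeros and
the INTERVAL bounds come from the text; the EBCDIC code page (037) used for
the 'char' form and the function names are assumptions of this example.
"""
import re

MAX_INTERVAL = 32767                # stated upper bound for SESSKEYINTVL
KEY_BYTES = 8                       # 16 hex digits == 8 characters

_HEX_FORM = re.compile(r"^X'([0-9A-Fa-f]{1,16})'$")
_CHAR_FORM = re.compile(r"^'([^']{1,8})'$")


def normalize_session_key(operand: str) -> bytes:
    """Return the 8-byte key that a SESSKEY(...) operand denotes.

    Both forms are padded on the right with X'00', so X'0123' and 'ABC'
    each become a full 8-byte key.
    """
    match = _HEX_FORM.match(operand)
    if match:
        # pad the digit string to 16 before converting (assumed reading of
        # the padding rule for an odd number of digits)
        return bytes.fromhex(match.group(1).ljust(2 * KEY_BYTES, "0"))
    match = _CHAR_FORM.match(operand)
    if match:
        # RACF stores the character form in EBCDIC; code page 037 assumed
        return match.group(1).encode("cp037").ljust(KEY_BYTES, b"\x00")
    raise ValueError(
        f"SESSKEY operand must be X'hex' (1-16 digits) or 'char' (1-8): {operand}")


def keys_match(operand_a: str, operand_b: str) -> bool:
    """True when two operands denote the same padded key.

    The text requires the same session key on both profiles of an LU pair;
    VTAM compares the padded bytes, not the spelling of the operand.
    """
    return normalize_session_key(operand_a) == normalize_session_key(operand_b)


def check_interval(interval: int, setropts_session_interval: int) -> int:
    """Validate a SESSKEYINTVL value against the stated bounds and return it."""
    if not 1 <= interval <= MAX_INTERVAL:
        raise ValueError(f"INTERVAL must be 1..{MAX_INTERVAL}, got {interval}")
    if interval > setropts_session_interval:
        raise ValueError(
            f"INTERVAL {interval} exceeds SETROPTS SESSIONINTERVAL "
            f"{setropts_session_interval}")
    return interval


def appclu_profile_pair(netid: str, lu_stc: str, lu_tp: str, sesskey: str,
                        interval: int, setropts_session_interval: int) -> list:
    """Build both RDEFINE APPCLU commands for one ACS LU pair.

    The key and interval are validated first so that an unusable value is
    rejected before any profile is defined.
    """
    normalize_session_key(sesskey)
    check_interval(interval, setropts_session_interval)
    commands = []
    for local, partner in ((lu_stc, lu_tp), (lu_tp, lu_stc)):
        commands.append(
            f"RDEFINE APPCLU {netid}.{local}.{partner} "
            f"SESSION(SESSKEY({sesskey}) INTERVAL({interval})) UACC(NONE)")
    return commands


if __name__ == "__main__":
    # constructed sample values, not from any real installation
    for cmd in appclu_profile_pair("NET1", "ACSSTC1", "ACSTP1",
                                   "X'0123456789ABCDEF'", 30, 30):
        print(cmd)
```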

Step 17: Control Access to the ACS TP Error Log.

The sample job that defines the ACS TP (member ACSAPPC of the VANSAMP library) specifies KEEP_MESSAGE_LOG(ERROR). This means that if the ACS TP cannot be activated or fails during execution, the APPC/MVS transaction scheduler (ASCH) will create a data set that contains messages that pertain to the error.

Vanguard recommends that you create a DATASET class profile to allow the ACS TP user ID, ACSTPUSERID, to create the error log data set. The MESSAGE_DATA_SET specifies the data set name format used by ASCH. The default format of the data set name is: &SYSUID.&SYSWUID.&TPDATE.&TPTIME.JOBLOG

The value of '&SYSUID' is the generic user ID for the ACS TP, ACSTPUSERID. Create a generic DATASET class profile <ACSTPUSERID>.*.**. Permit READ access to any user who would need to see the error log.

ACS does not require the use of the error log. If you desire, you may change the error log options to conform to your installation's standards.


Step 18: Control Access to the CVSAM Data Set.

All RACF administrators who use ACS require UPDATE access. The ACS started task requires CONTROL access. The ACS TP does not access the CVSAM data set.

Step 19: Control Access to ACS Started Task Execution.

The FACILITY class profile VRA$.ACSTASK controls which user IDs are permitted to execute the ACS started task program. ACS started task initialization fails if the current user ID does not have READ access to the profile. Define this profile on all MVS systems where Administrator is installed.

Member ACSRDEFF in the VANSAMP library contains example RACF commands to control which users are permitted to execute the ACS started task program. Refer to the access control example below as a reference. The variables listed in Table 28. Variables for Example ACSRDEFF below, must be replaced with the names you chose before the example can be executed.

Table 28. Variables for Example ACSRDEFF

Variable        Description
<ACSTASKUID>    The user ID of the ACS started task.

ACSRDEFF – ACS Started Task Access Control Example

RDEFINE FACILITY VRA$.ACSTASK UACC(NONE)
PERMIT VRA$.ACSTASK CLASS(FACILITY) ACCESS(READ) ID(<ACSTASKUID>)

Step 20: Dynamically Update RACF, VTAM and APPC/MVS.

The last ACS configuration step is to dynamically update all of the MVS system(s) in the ACS configuration to enable the changes made during the configuration process. Alternatively, you could perform an IPL on each affected MVS system.

Refresh RACF Profiles

Use the RACF SETROPTS REFRESH command to rebuild any RACLISTed and/or GENERIC classes. Issue the following commands that apply to your ACS configuration:

SETROPTS GENERIC (DATASET) REFRESH
SETROPTS RACLIST (FACILITY) REFRESH


Activate the ACS VTAM LUs

From an MVS console, issue the following command to activate the ACS major node:

V NET,ACT,ID=<ACSVTAM>,SCOPE=ALL

Replace <ACSVTAM> with the major node name used in the configuration step Define the ACS major node LUs to VTAM.

Activate the ACS APPC/MVS Transaction Class

From an MVS console, issue the following command to activate the APPC/MVS transaction class:

SET ASCH=nn

Replace nn with the suffix of the ASCHPM member of the MVS PARMLIB that was updated in Step 10: Define ACS TP Transaction Class.

Activate the ACS APPC/MVS LUs

From an MVS console, issue the following command to activate the APPC/MVS LUs:

SET APPC=nn

Replace nn with the suffix of the APPCPM member of the MVS PARMLIB that was updated in Step 9.

Refresh RACF Profiles in VTAM

From an MVS console, issue the following commands to tell VTAM to refresh the security profiles for the ACS started task and ACS TP LUs.

F procname,PROFILES,ID=<ACSLUSTC>
F procname,PROFILES,ID=<ACSLUTP>

Replace procname with the procedure name used to start VTAM. Replace <ACSLUSTC> with the name of the ACS started task's VTAM LU. Replace <ACSLUTP> with the name of the ACS TP's VTAM LU.


Controlling the ACS Started Task

The ACS started task is controlled using the MVS system START, MODIFY, and STOP commands.

Starting the ACS Started Task

The ACS started task may be started from the console using the MVS START command or may be started by submitting a batch job. Vanguard strongly recommends that ACS execute as a started task so that the valuable JES initiator resource is not consumed by this long running task.

ACS parameters cannot be modified by the MVS START command.

Modifying the ACS Started Task

The ACS started task supports the MVS MODIFY command for the following functions:

• ANALYZE This function causes the ACS started task to scan the CVSAM data set immediately without waiting for the ACS_COMMAND_CHECK_INTERVAL to expire. Once the scan is complete, the ACS_COMMAND_CHECK_INTERVAL is restarted.

• DISPLAY This function causes the ACS started task to display the current values of the VRAOPT00 options upon the system console, system log, and the VRALOG SYSOUT file.

• REFRESH This function causes the ACS started task to reinitialize only those options found in the VRAOPT00 member of the VANOPTS option library that are refreshable. If the option is not found in the VRAOPT00 member, the current value of the option is not changed. Refreshable ACS options are listed below.

• RESET This function causes the ACS started task to reinitialize all of the VRAOPT00 options that are refreshable. If the option is not found in the VRAOPT00 member, the option's value is set to its default value. Refreshable ACS options are listed below.

• SHUTDOWN | STOP This function causes the ACS started task to terminate.


• SPINLOG This function causes the ACS started task to SPIN the VRALOG SYSOUT file and create a new file.

ACS Options That Can Be Modified After Start

The following ACS options can be modified while the ACS started task is running:

ACS_APPC_ALLOCATE_RETRIES

ACS_APPC_DEFAULT_LOCAL_LU

ACS_APPC_DEFAULT_DEST

ACS_APPC_DEFAULT_MODE_NAME

ACS_APPC_TP_NAME

ACS_BYPASS_COMMAND_IF_OLDER_THAN

ACS_COMMAND_CHECK_INTERVAL

ACS_LOG_MAXLINES

ACS_LOG_SYSOUT_CLASS

ACS_SMF_RECORD_NUMBER

DATEFORMAT

TIMESEPARATOR

Stopping the ACS Started Task

The ACS started task may be stopped using the MVS STOP command or the MVS MODIFY <ACSTASK>, STOP command, where <ACSTASK> is the name of the ACS started task step name or batch job name.

ACS will wait for active conversations to end before shutdown is complete.

ACS CVSAM Utility Program – VRAABCSU

VRAABCSU is the Command Scheduler utility program. It may be used to perform any one of the following functions on the CVSAM file, where all Command Scheduler commands are maintained:

• Backup the CVSAM file

• Restore the CVSAM file

• Reorganize the CVSAM file

• Recover the CVSAM file


VRAABCSU is a batch stand-alone program. The input and output files are determined by the function specified in the first seven bytes of the input control statement. The input control file and an output control report are common to all functions. Other files are used during the individual functions as described below.

These functions can also be executed online. For more information, refer to the Perform Command Scheduler Maintenance section in the Automated Command Scheduler chapter of the Vanguard Administrator User Guide.

BACKUP

The utility program sequentially reads the CVSAM file, and writes those records out to a variable length sequential backup file. The first record of the backup file is a header record containing the Administrator version number, Julian date and time of backup, and customer number. To execute this function, type BACKUP in positions 1 through 6 of the control statement and submit.

RESTORE

The utility program loads the CVSAM from the backup file created in the backup process. As a first step of this function, the program validates the version and customer numbers. To execute this function, type RESTORE in positions 1 through 7 of the control statement and submit.

REORG

In this function the utility program performs the backup and restore processes one after the other. The user has the option of entering a purge-before date on the control statement. When the program detects a valid date in the control card (one byte after the REORG literal, starting in column 7), it will copy only those event records that occur on or later than the specified date. The program will always copy the entire CVSAM file to the backup file. If the program does not find a date in the control statement, it will recopy the entire backup file to the CVSAM file.

Sample REORG control statement (CVSAM event records prior to this date are purged):

REORG 02/27/2001
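The control statement layout and the REORG purge rule described above, as an added Python model that is not Vanguard's utility: the function is read from the first seven bytes of the card, a REORG date is taken from column 7 onward, the whole file always goes to the backup, and only event records dated on or after the purge date are reloaded. The event record shape, the mm/dd/yyyy date form (taken from the sample statement) and the choice to reject an unparsable date rather than ignore it are this example's assumptions.

```python
"""Model of the VRAABCSU control statement and the REORG purge rule.

Added example, not Vanguard's program.  The column positions, the
always-copy-to-backup rule and the on-or-after comparison come from the
text; the record layout, the mm/dd/yyyy date format and treating a bad
date as an error are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Sequence, Tuple

FUNCTIONS = ("BACKUP", "RESTORE", "REORG", "RECOVER")


@dataclass(frozen=True)
class ControlStatement:
    function: str
    purge_before: Optional[date] = None     # only meaningful for REORG


@dataclass(frozen=True)
class EventRecord:
    key: str                # constructed stand-in for the 26-byte CVSAM key
    event_date: date        # date the scheduled event is to run
    command: str            # the scheduled RACF command text


def parse_control_statement(card: str) -> ControlStatement:
    """Parse one 80-column control card into a ControlStatement."""
    card = card.ljust(80)[:80]
    # the function keyword lives in the first seven bytes (columns 1-7)
    head = card[:7].split()
    function = head[0] if head else ""
    if function not in FUNCTIONS:
        raise ValueError(f"columns 1-7 do not name a VRAABCSU function: {card[:7]!r}")
    if function != "REORG":
        return ControlStatement(function)
    # the optional purge-before date starts one byte after the REORG
    # literal, i.e. in column 7 (index 6); mm/dd/yyyy is ten bytes
    field = card[6:17].strip()
    if not field:
        return ControlStatement(function)        # REORG with no purge date
    try:
        purge_before = datetime.strptime(field, "%m/%d/%Y").date()
    except ValueError as exc:
        raise ValueError(f"REORG date in column 7 is not mm/dd/yyyy: {field!r}") from exc
    return ControlStatement(function, purge_before)


def reorg(events: Sequence[EventRecord],
          statement: ControlStatement) -> Tuple[List[EventRecord], List[EventRecord]]:
    """Apply the REORG rule and return (backup, reloaded).

    The backup always holds the whole file.  The reloaded list is the whole
    file when no date was given, otherwise only records dated on or after
    the purge-before date.
    """
    if statement.function != "REORG":
        raise ValueError("reorg() needs a REORG control statement")
    backup = list(events)
    if statement.purge_before is None:
        return backup, list(backup)
    reloaded = [e for e in backup if e.event_date >= statement.purge_before]
    return backup, reloaded


# constructed sample records, not from any real CVSAM file
SAMPLE_EVENTS = (
    EventRecord("EVT0001", date(2001, 1, 15), "LISTUSER USER01"),
    EventRecord("EVT0002", date(2001, 2, 27), "LISTUSER USER02"),
    EventRecord("EVT0003", date(2001, 3, 1), "LISTUSER USER03"),
)


def run_sample(card: str) -> Tuple[int, int]:
    """Return (records written to backup, records reloaded) for one card."""
    backup, reloaded = reorg(SAMPLE_EVENTS, parse_control_statement(card))
    return len(backup), len(reloaded)


if __name__ == "__main__":
    print(run_sample("REORG 02/27/2001"))   # the sample statement from the text
```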


RECOVER

In this function, the utility program first performs the restore process from a backup file. The program then establishes its position on the SMF file based on the date/time in the backup file header. From that location on the SMF file, the program sequentially reads SMF records and updates the CVSAM file as determined by each SMF record. Erroneous SMF records that attempt to update or delete non-existent records, or add existing records, are recorded on an error report. Successful execution of the recovery process depends on whether users regularly back up the CVSAM file.

Appendix A. User Exits

Several security-related exits are shipped with Vanguard Administrator. Samples of these exits along with the JCL to compile and link the exits are located in the VANSAMP library, created during the SMP/E install phase.

These exits are optional and are not related to the execution of Administrator. They are provided as a customer service to Administrator users. The functions provided by the exits are described in this appendix and the prologs of the exits. You will require the assistance of your systems programmer to install any of the exits you wish to use.

Important:

These exits are provided on an as-is basis. Vanguard MAKES NO OTHER WARRANTIES, EXPRESSED OR IMPLIED, RELATING TO ITS PRODUCTS, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR USE. In no event shall Vanguard be liable to the Customer for any damages, including any lost profits, or other incidental or consequential damages arising from the use of Vanguard's products.

The exits have been tested on an MVS/ESA 5.2.2 system with RACF 2.2.0, and earlier systems.

ICHPWX01 This exit is the RACF new password exit. As supplied, the exit will require new passwords to be at least 6 characters long, and to not contain any 3 consecutive keyboard characters. You may modify the code to do additional checking.

The JCL to compile and link this exit is in member ASMLPWX1.

ICHRCX01 This exit is the RACF RACROUTE REQUEST=AUTH preprocessing exit. As supplied, the exit provides a facility for a FAILSOFT user ID to logon to the system and pass all RACF checks with no console messages to repair the system. Normal FAILSOFT processing would require a response from the operator to allow access to resources. The exit does nothing unless RACF is in the FAILSOFT mode.

The JCL to compile and link this exit is in member ASMLRCX1.


ICHRCX02 This exit is the RACF RACROUTE REQUEST=AUTH post processing exit. As supplied, the exit provides a READ ALL facility. This will allow selected users the ability to read all data sets on the system without having the OPERATIONS attribute, or specific authorization. The authority to use this facility is granted by connecting a user to a specific group. The group name or names are imbedded in the exit code. A facility to exclude certain data sets from this facility is also provided. If the exit grants access, a RACF type 80 SMF record is produced, with a logging reason of EXIT.

The JCL to compile and link this exit is in member ASMLRCX2.

IEFUJI This exit is the MVS Job initiation exit. As supplied, the exit checks a user’s authority to use the account number in a batch job, against profiles in the ACCTNUM class, just as TSO does for logons.

The JCL to compile and link this exit is in member ASMLUJI.


Appendix B. RACF New Password Exit (ICHPWX01)

If the RACF New Password Exit (ICHPWX01) is installed, the Administrator's Identity Manager invokes this exit prior to changing either a user's password or password interval. Your installation can use this exit to perform additional checking on the new password and interval value. For additional information about the RACF New Password Exit, see the IBM Systems Programming Library: Resource Access Control Facility (RACF) manual.

The following table shows the parameters available to the ICHPWX01 exit when called from the Administrator's Identity Manager.

Offset     Parameter                   Available?
(decimal)  (address)

 0         Length                      Yes
 4         Caller                      Yes
 8         Command Processor PLIST     No
12         NEWPASS                     Yes
16         INTERVAL                    Yes
20         User ID                     Yes
24         Work Area                   No
28         Current Password            No
32         Password Last Change Date   No
36         ACEE                        No
40         Group Name                  No
44         Installation Data           No
48         Password History            No
52         Flag Byte                   No
56         Password Last Change Date   No

Table 29. Identity Manager Exit Parameters

The ICHPWX01 exit is invoked from Identity Manager in Problem State, not Supervisor State. Return codes 0, 4, and 8 are valid and honored by the Administrator's Identity Manager. Any other value in register 15 is ignored.

Note: The address in the Caller field points to a one-byte field containing the hex value X'99', which identifies the Administrator's Identity Manager. The new password (NEWPASS) is passed in clear text; exit code must not copy it into a trace, a log or a message. Parameters marked "No" in Table 29 are not available when the caller is Identity Manager, so an exit that uses them for other callers must test the Caller byte first.
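The kind of decision logic an installation codes in ICHPWX01, as an added example in Python (the real exit is assembler; this is not code from Vanguard or IBM). It follows the availability column of Table 29: when the Caller byte is X'99', the current password and the password history are not available, so comparisons against them are skipped. The password rules, the 8-character limit and the upper-case character set are assumptions for illustration, and the mapping of the accept/reject result to the exit's return codes 0, 4 and 8 follows IBM's documentation and is not restated here.

```python
"""Decision logic of the kind an installation codes in ICHPWX01 (added
example in Python; the real exit is assembler).  Rules, limits and the
character set are illustrative assumptions, not RACF or Vanguard policy."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

CALLER_IDENTITY_MANAGER = 0x99      # Caller byte value Identity Manager passes
PASSWORD_MAX = 8                    # assumption: 8-character RACF passwords
INTERVAL_RANGE = (1, 254)           # RACF password interval limits
PASSWORD_CHARS = re.compile(r"[A-Z0-9@#$]+")   # assumption: upper case plus @ # $


@dataclass(frozen=True)
class NewPasswordRequest:
    """The parameters of Table 29.  Parameters the table marks as not
    available from Identity Manager are None here; the exit must test the
    caller before relying on them."""
    caller: int
    userid: str
    newpass: str                              # clear text: never log or trace it
    interval: Optional[int] = None            # None when only the password changes
    current_password: Optional[str] = None    # not available from Identity Manager
    history: Tuple[str, ...] = ()             # not available from Identity Manager


def check_new_password(req: NewPasswordRequest) -> Tuple[bool, str]:
    """Return (accepted, reason).  The reason carries no password material,
    so it is safe to put in a message or an audit record."""
    pw, uid = req.newpass.upper(), req.userid.upper()
    if not 1 <= len(pw) <= PASSWORD_MAX:
        return False, "LENGTH"
    if not PASSWORD_CHARS.fullmatch(pw):
        return False, "CHARSET"
    if pw == uid or (len(uid) >= 3 and uid in pw):
        return False, "CONTAINS-USERID"
    if len(set(pw)) < 3:
        return False, "TOO-FEW-DISTINCT"
    if not (re.search(r"[A-Z]", pw) and re.search(r"[0-9]", pw)):
        return False, "NEED-ALPHA-AND-DIGIT"
    # Table 29: with Caller = X'99' the current password and the history are
    # not available, so comparisons against them run only for other callers.
    if req.caller != CALLER_IDENTITY_MANAGER:
        if req.current_password is not None and pw == req.current_password.upper():
            return False, "SAME-AS-CURRENT"
        if pw in {h.upper() for h in req.history}:
            return False, "REUSED"
    lo, hi = INTERVAL_RANGE
    if req.interval is not None and not lo <= req.interval <= hi:
        return False, "INTERVAL"
    return True, "OK"
```

The reason codes deliberately describe the rule that failed and never echo the password, which is the discipline the clear-text NEWPASS parameter demands of any exit.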


Appendix C. VRATPMAP Configuration Module

The VRATPMAP configuration module is used by the Automated Command Scheduler (ACS) and the Distributed Identity Manager. VRATPMAP relates a Vanguard construct called a RACF database ID to a communication destination.

For the Automated Command Scheduler and Distributed Identity Manager TSO clients, a RACF database ID will translate to a VTAM network qualified name (netid.LU_name) that represents the APPC/MVS server at the location of the RACF database. The information required to code this should be available from those responsible for APPC/MVS configurations.

For the Distributed Identity Manager CICS client, a RACF database ID will resolve to a CICS system ID (SYSID) that represents the APPC/MVS server at the location of the RACF database. The information required to code this should be available from those responsible for CICS configurations.

The VRATPMAP configuration module is coded in MVS Assembler using macro instructions supplied in the VANSAMP library. Vanguard supplies an example VRATPMAP in member VRATPMAP of the VANSAMP library. The VRATPMAP sample contains example entries for both the Distributed Identity Manager and the Automated Command Scheduler.

VRATPMAP contains sample JCL and control statements for the assembler and linkage editor. You must substitute the following variables in the sample prior to submitting the job.

Variable    Description

<VANLOAD>   The name of the Administrator load library.
<VANSAMP>   The name of the Administrator sample library.

Table 30. VRATPMAP Substitution Variables

VRATPMAP Macros

There are two VRATPMAP macro instructions: TPMAP and TPENTRY. The macro instructions are in the sample library. The TPMAP macro instruction is used to identify a host system. The TPENTRY macro is used to define the server(s) on that host.


The TPMAP Macro

Syntax

         TPMAP DBNAME=RACF-database-ID,                                 X
               TEXTID='Description'

Note: There must be at least one instance of the TPMAP macro. The first instance of the TPMAP macro represents the default RACF database ID for the CICS Distributed Identity Manager client.

Required Parameters

• DBNAME Specify the 1- to 8-character RACF database ID that identifies an MVS host that has access to a RACF database.

• TEXTID Specify a 1- to 54-character string, enclosed in apostrophes, that is a textual description of the host being defined.

The TPENTRY Macro

Syntax

         TPENTRY TYPE=[CPIC|CICS],                                      X
               SERVID=[VIM|ACS],                                        X
               DEST=destination,                                        X
               TPNAME=transaction-program-name,                         X
               MODENAME=mode-entry-name,                                X
               LOCALLU=local-LU-name

Note: There must be at least one instance of the TPENTRY macro, and it must follow a TPMAP macro.


Required Parameters

• TYPE Specifies the connection type. The value may be either CPIC or CICS. Use CPIC to define an APPC/MVS connection to a server running under control of the APPC/MVS transaction scheduler. Use CICS to define an APPC/MVS connection to a CICS subsystem.

• SERVID Specify the type of server on the destination host. The value may be either VIM or ACS. Use VIM to define an APPC/MVS destination as a Distributed Identity Manager server. Use ACS to define an APPC/MVS destination as an Automated Command Scheduler server.

• DEST For TYPE=CPIC, specify the 3 to 17-character network qualified LU name representing the destination APPC/MVS LU. The network-qualified name is specified as netid.luname, where netid is the SNA network ID, and luname is the application ID (VTAM APPL ACBNAME) of the destination APPC/MVS host. This value should be provided by the VTAM group. For TYPE=CICS, specify a 1 to 4-character SYSID that represents the target CICS subsystem. This value should be provided by the CICS group.

Optional Parameters

• TPNAME The 1- to 64-character APPC/MVS transaction program name. The value specified must match the transaction program name defined to APPC/MVS. The default when SERVID=VIM is specified is TPNAME=VIMSERV. The default when SERVID=ACS is specified is TPNAME=VRAVACS.

• MODENAME The 1- to 8-character name of the logmode table entry to be used for establishing an APPC/MVS connection to the destination host. The default when SERVID=VIM is specified is #INTERSC. The default when SERVID=ACS is specified is #BATCHSC. #INTERSC and #BATCHSC are supplied with z/OS (OS/390) by IBM and should exist in your VTAM networks. The VTAM group may wish to use a different mode name.

• LOCALLU The 1- to 8-character name of the outbound local APPC/MVS logical unit used by the Distributed Identity Manager and Automated Command Scheduler clients. The value only has meaning when TYPE=CPIC is specified. The default is blanks, which causes the client to use the APPC/MVS base LU. The VTAM group may wish to use a different local LU name.


VRATPMAP Example

         TPMAP DBNAME=PRODSYS,                                          X
               TEXTID='THE PRODUCTION RACF DATABASE'
         TPENTRY TYPE=CPIC,                                             X
               SERVID=ACS,                                              X
               DEST=MYNET.ACSLU1
         TPENTRY TYPE=CPIC,                                             X
               SERVID=VIM,                                              X
               DEST=MYNET.AVIPQA1
         TPENTRY TYPE=CICS,                                             X
               SERVID=VIM,                                              X
               DEST=APRD
         TPMAP DBNAME=TESTSYS,                                          X
               TEXTID='THE TEST RACF DATABASE'
         TPENTRY TYPE=CPIC,                                             X
               SERVID=ACS,                                              X
               DEST=MYNET.ACSLU2
         TPENTRY TYPE=CPIC,                                             X
               SERVID=VIM,                                              X
               DEST=MYNET.AVIPQAT
         TPENTRY TYPE=CICS,                                             X
               SERVID=VIM,                                              X
               DEST=ATST
         END

Example VRATPMAP Source

• The first TPMAP macro defines a host system which was assigned the RACF database ID PRODSYS. The description of this host is THE PRODUCTION RACF DATABASE.

• Since this is the first TPMAP entry, it is also the default target host for the CICS Distributed Identity Manager client. If the Distributed Identity Manager for CICS is implemented, the first TPMAP in the VRATPMAP configuration module should contain one TPENTRY TYPE=CICS definition.

• The first TPENTRY macro defines an Automated Command Scheduler server destination for the Automated Command Scheduler TSO client. The DEST parameter identifies the fully qualified VTAM network name for the server on the remote host. The defaults for MODENAME (#BATCHSC), TPNAME (VRAVACS), and LOCALLU (blanks) are generated for this TPENTRY macro.

• The second TPENTRY macro defines a Distributed Identity Manager server destination for a Distributed Identity Manager TSO client. The DEST parameter identifies the fully qualified VTAM network name for the server on the remote host. The defaults for MODENAME (#INTERSC), TPNAME (VIMSERV), and LOCALLU (blanks) are generated for this TPENTRY macro.


• The third TPENTRY macro defines a Distributed Identity Manager server destination for a Distributed Identity Manager CICS client. Because TYPE=CICS is specified, the DEST parameter identifies the CICS SYSID (APRD) of the target CICS subsystem rather than a VTAM network name. The defaults for MODENAME (#INTERSC) and TPNAME (VIMSERV) are generated for this TPENTRY macro; LOCALLU has no meaning for TYPE=CICS.

• The second TPMAP macro defines a host system which was assigned the RACF database ID TESTSYS. The description of this host is THE TEST RACF DATABASE.

• The TPENTRY macros define a server configuration that is identical to the configuration of the servers on the PRODSYS host.
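The TPMAP and TPENTRY rules of this appendix, applied by a validator that also renders the macro source, as an added example (Python, not Vanguard code). It encodes the VRATPMAP Example above as data, checks each parameter against the limits stated here, applies the SERVID defaults, and writes the statements in standard HLASM fixed-column form (operand text through column 71, continuation character in column 72, continued text from column 16). The rule that TEXTID may not contain an apostrophe is a simplification of this example; the rest follows the parameter descriptions.

```python
"""Validate a VRATPMAP configuration and render it as TPMAP/TPENTRY macro
source (added example; not Vanguard code).  Limits are the ones stated in
this appendix; the column layout is standard HLASM continuation form."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULTS = {"VIM": ("VIMSERV", "#INTERSC"), "ACS": ("VRAVACS", "#BATCHSC")}  # TPNAME, MODENAME
NETWORK_NAME = re.compile(r"[^.\s]+\.[^.\s]+")                                # netid.luname


@dataclass
class TPEntry:
    type: str                        # CPIC or CICS
    servid: str                      # VIM or ACS
    dest: str                        # netid.luname for CPIC, CICS SYSID for CICS
    tpname: Optional[str] = None
    modename: Optional[str] = None
    locallu: Optional[str] = None

    def effective(self) -> Tuple[str, str, str]:
        """TPNAME, MODENAME, LOCALLU with SERVID defaults (blank LOCALLU = base LU)."""
        tpname, modename = DEFAULTS[self.servid]
        return self.tpname or tpname, self.modename or modename, self.locallu or ""


@dataclass
class TPMap:
    dbname: str
    textid: str
    entries: List[TPEntry] = field(default_factory=list)


def validate(maps: List[TPMap], cics_client: bool = False) -> List[str]:
    """Return the problems found; an empty list means the module is acceptable."""
    errs: List[str] = []
    if not maps:
        return ["at least one TPMAP is required"]
    for m in maps:
        if not 1 <= len(m.dbname) <= 8:
            errs.append(f"{m.dbname}: DBNAME must be 1 to 8 characters")
        if not 1 <= len(m.textid) <= 54 or "'" in m.textid:   # apostrophe rule is a simplification
            errs.append(f"{m.dbname}: TEXTID must be 1 to 54 characters without apostrophes")
        if not m.entries:
            errs.append(f"{m.dbname}: at least one TPENTRY must follow the TPMAP")
        for e in m.entries:
            tag = f"{m.dbname} {e.type}/{e.servid} {e.dest}"
            if e.type not in ("CPIC", "CICS") or e.servid not in DEFAULTS:
                errs.append(f"{tag}: TYPE must be CPIC or CICS and SERVID must be VIM or ACS")
                continue
            if e.type == "CPIC" and not (3 <= len(e.dest) <= 17 and NETWORK_NAME.fullmatch(e.dest)):
                errs.append(f"{tag}: DEST must be netid.luname, 3 to 17 characters")
            if e.type == "CICS" and not 1 <= len(e.dest) <= 4:
                errs.append(f"{tag}: DEST must be a 1 to 4 character CICS SYSID")
            if e.type == "CICS" and e.locallu:
                errs.append(f"{tag}: LOCALLU has no meaning for TYPE=CICS")
            for name, val, limit in (("TPNAME", e.tpname, 64), ("MODENAME", e.modename, 8),
                                     ("LOCALLU", e.locallu, 8)):
                if val is not None and not 1 <= len(val) <= limit:
                    errs.append(f"{tag}: {name} must be 1 to {limit} characters")
    first = maps[0]
    if cics_client and not any(e.type == "CICS" and e.servid == "VIM" for e in first.entries):
        errs.append(f"{first.dbname}: the first TPMAP needs a TYPE=CICS SERVID=VIM TPENTRY")
    return errs


def render_statement(op: str, operands: List[str]) -> List[str]:
    """One macro call: op in column 10, operands one per line from column 16,
    continuation character in column 72.  An operand longer than the room on
    a line (a long TEXTID) is split; the assembler rejoins the pieces."""
    lines, cur = [], " " * 9 + op + " "
    for i, operand in enumerate(operands):
        text = operand + ("," if i < len(operands) - 1 else "")
        while True:
            room = 71 - len(cur)
            cur, text = cur + text[:room], text[room:]
            if not text:
                break
            lines.append(cur.ljust(71) + "X")
            cur = " " * 15
        if i < len(operands) - 1:
            lines.append(cur.ljust(71) + "X")
            cur = " " * 15
    lines.append(cur)
    return lines


def render(maps: List[TPMap]) -> List[str]:
    out: List[str] = []
    for m in maps:
        out += render_statement("TPMAP", [f"DBNAME={m.dbname}", f"TEXTID='{m.textid}'"])
        for e in m.entries:
            ops = [f"TYPE={e.type}", f"SERVID={e.servid}", f"DEST={e.dest}"]
            ops += [f"{k}={v}" for k, v in (("TPNAME", e.tpname), ("MODENAME", e.modename),
                                             ("LOCALLU", e.locallu)) if v]
            out += render_statement("TPENTRY", ops)
    out.append(" " * 9 + "END")
    return out


# The configuration shown in the VRATPMAP Example above, as data.
PAGE_EXAMPLE = [
    TPMap("PRODSYS", "THE PRODUCTION RACF DATABASE", [
        TPEntry("CPIC", "ACS", "MYNET.ACSLU1"), TPEntry("CPIC", "VIM", "MYNET.AVIPQA1"),
        TPEntry("CICS", "VIM", "APRD")]),
    TPMap("TESTSYS", "THE TEST RACF DATABASE", [
        TPEntry("CPIC", "ACS", "MYNET.ACSLU2"), TPEntry("CPIC", "VIM", "MYNET.AVIPQAT"),
        TPEntry("CICS", "VIM", "ATST")]),
]
```

Running validate(PAGE_EXAMPLE, cics_client=True) returns no problems, and render(PAGE_EXAMPLE) reproduces the example source with every continuation character in column 72, which is the detail most often wrong when VRATPMAP is edited by hand.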


Appendix D. VRALOG SYSOUT File Contents

The ACS Client's VRALOG SYSOUT File is used to record activity. The format of the report is a single title line, a single heading line, and information records. Refer to the diagram VRALOG SYSOUT File Report for the examples referenced in this discussion.

Line 1 is the title line. The first 1 to 80 characters of the title line are called the log title and vary for each VRA function. The value Vanguard Administrator Automated Command Scheduler (ACS) Message Log indicates that this VRALOG is for the ACS client task. After the log title, the date and time that this VRALOG was started are displayed in the form Date date. Time time., where date is formatted according to the value of the DATEFORMAT keyword, and time is formatted as HH?MM?SS, where ? is the value of the TIMESEPARATOR keyword.

Line 2 is the header line that identifies the four (4) columns of the VRALOG SYSOUT file.

The first column, Date, contains the date that the VRALOG entry was written to the VRALOG. The format of this date is yyyymmdd, where, yyyy is the year, mm is the month of the year, and dd is the day of the month. The DATEFORMAT keyword does not affect the format of this date.

The second column, Time, contains the time that the VRALOG entry was written to the VRALOG. The format of this time is hhmmssth, where hh is the hour of the day, mm is the minute of the hour, ss is the second of the minute, t is the tenth of a second, and h is the hundredth of a second.

The third column, Entry ID, is a 1- to 8-character field that describes the contents of column 4. An entry ID may be a numbered message, a conversation ID, a TSO user's ID, or an MVS system console number.

The fourth column contains the information of the VRALOG entry. The information includes ACS messages, APPC/MVS messages, and commands being sent for a conversation.


Vanguard recommends that you prevent the VRALOG from being viewed by unauthorized personnel: it records every command that ACS sends on behalf of each user, together with the user IDs and hosts involved. If your installation uses IBM's SDSF, protect the VRALOG SYSOUT file with JESSPOOL class profiles, which SDSF checks before it displays a spool data set.

In the VRALOG SYSOUT File Report diagram, lines 3 through 38 are ACS client initialization messages that detail the processing of Administrator OPTION keywords from the VRAOPT00 member of the VANOPTS options library. Lines 39 through 42 are ACS client initialization messages that detail subtask startup. Line 43 indicates that the CVSAM file event analysis (scan) has started. Line 44 indicates that the ACS client is ready for communication with the MVS console operator. Line 45 indicates that ACS client initialization completed successfully. Line 46 indicates that the CVSAM file event analysis is complete.

Lines 47 through 50 represent the activity of conversation CID#0001. Only one command was sent to the PROD1 host system for user VRAUSR.

Lines 51 and 52 indicate that another CVSAM file event analysis was done.

Lines 53 through 63 represent the activity of conversation CID#0002. This conversation failed because the ACS client was unable to start a conversation with the PROD2 host system for user VRAUSR2: each ATBALC2 allocate attempt failed with VTAM sense code 08570003, and the retry limit set by ACS_APPC_ALLOCATE_RETRIES (4 in this log) was exceeded.

Lines 64 through 70 represent the activity of conversation CID#0003. This conversation failed because user VRAUSR2 was not able to execute the ACS server on host TEST1 (message ATB70017I, TP security violation). Possible reasons for the security error are: 1) user VRAUSR2 is not a valid RACF user ID on host TEST1, or 2) user VRAUSR2 is not authorized to execute the ACS server on host TEST1.

Lines 71 through 80 represent the activity of conversation CID#0004. This conversation failed because the ACS client was unable to start a conversation with the PROD7 host system for user VRAUSR2.

Lines 81 through 85 represent the activity of conversation CID#0005. This was a successful conversation with host PROD1 for user VRAUSR3. Two commands were sent to the ACS server on that host. The CVSAM file contains the response(s) from the commands.

Lines 86 and 87 indicate that the ACS client performed another CVSAM file event analysis.

The remainder of this VRALOG file shows other activities including more APPC/MVS conversations and other CVSAM file event analyses.

Note: The log, which follows, has been edited to fit on an 8½ by 11 page in portrait orientation.


  1. Vanguard Administrator Automated Command Scheduler (ACS) Message Log. Date 01/20/2001. Time 21:10:41.
     ①        ②        ③        ④
  2. Date     Time     Entry ID
  3. 20000120 21104122 VRA2000I Vanguard Administrator Automated Command Scheduler (ACS) initialization started.
  4. 20000120 21104164 VRA2101I OPTION ACS_APPC_ALLOCATE_RETRIES is not defined in the VRAOPT00 member of the VIPOPTS data set.
  5. 20000120 21104164 VRA2100W Using default of 004 for the ACS_APPC_ALLOCATE_RETRIES OPTION.
  6. 20000120 21104174 VRA2101I OPTION ACS_APPC_DEFAULT_DEST is not defined in the VRAOPT00 member of the VIPOPTS data set.
  7. 20000120 21104174 VRA2100W Using default of blanks for the ACS_APPC_DEFAULT_DEST OPTION.
  8. 20000120 21104183 VRA2101I OPTION ACS_APPC_DEFAULT_LOCAL_LU is not defined in the VRAOPT00 member of the VIPOPTS data set.
  9. 20000120 21104183 VRA2100W Using default of blanks for the ACS_APPC_DEFAULT_LOCAL_LU OPTION.
 10. 20000120 21104191 VRA2101I OPTION ACS_APPC_DEFAULT_MODE_NAME is not defined in the VRAOPT00 member of the VIPOPTS data set.
 11. 20000120 21104191 VRA2100W Using default of #BATCHSC for the ACS_APPC_DEFAULT_MODE_NAME OPTION.
 12. 20000120 21104199 VRA2101I OPTION ACS_APPC_TP_NAME is not defined in the VRAOPT00 member of the VIPOPTS data set.
 13. 20000120 21104199 VRA2100W Using default of VRAVACS for the ACS_APPC_TP_NAME OPTION.
 14. 20000120 21104207 VRA2101I OPTION ACS_BYPASS_COMMAND_IF_OLDER_THAN is not defined in the VRAOPT00 member of the VIPOPTS data set.
 15. 20000120 21104207 VRA2100W Using default of 240000 for the ACS_BYPASS_COMMAND_IF_OLDER_THAN OPTION.
 16. 20000120 21104221 VRA2101I OPTION ACS_COMMAND_CHECK_INTERVAL is not defined in the VRAOPT00 member of the VIPOPTS data set.
 17. 20000120 21104221 VRA2100W Using default of 002000 for the ACS_COMMAND_CHECK_INTERVAL OPTION.
 18. 20000120 21104349 VRA2101I OPTION ACS_LOG_MAXLINES is not defined in the VRAOPT00 member of the VIPOPTS data set.
 19. 20000120 21104349 VRA2100W Using default of 0 for the ACS_LOG_MAXLINES OPTION.
 20. 20000120 21104368 VRA2101I OPTION ACS_LOG_SYSOUT_CLASS is not defined in the VRAOPT00 member of the VIPOPTS data set.
 21. 20000120 21104368 VRA2100W Using default of X for the ACS_LOG_SYSOUT_CLASS OPTION.
 22. 20000120 21104465 VRA2101I OPTION ACS_SUBSYSTEM_NAME is not defined in the VRAOPT00 member of the VIPOPTS data set.
 23. 20000120 21104465 VRA2100W Using default of VACS for the ACS_SUBSYSTEM_NAME OPTION.
 24. 20000120 21104535 VRA2001I OPTIONS display:
 25. 20000120 21104535 VRA2017I ACS_APPC_ALLOCATE_RETRIES....... 004
 26. 20000120 21104535 VRA2017I ACS_APPC_DEFAULT_DEST...........
 27. 20000120 21104535 VRA2017I ACS_APPC_DEFAULT_LOCAL_LU.......
 28. 20000120 21104535 VRA2017I ACS_APPC_DEFAULT_MODE_NAME...... #BATCHSC
 29. 20000120 21104535 VRA2017I ACS_APPC_TP_NAME................ VRAVACS
 30. 20000120 21104535 VRA2017I ACS_BYPASS_COMMAND_IF_OLDER_THAN 240000
 31. 20000120 21104535 VRA2017I ACS_COMMAND_CHECK_INTERVAL...... 002000
 32. 20000120 21104535 VRA2017I ACS_LOG_MAXLINES................ 000000
 33. 20000120 21104535 VRA2017I ACS_LOG_SYSOUT_CLASS............ X
 34. 20000120 21104535 VRA2017I ACS_SMF_RECORD_NUMBER........... 200
 35. 20000120 21104535 VRA2017I ACS_SUBSYSTEM_NAME.............. VACS
 36. 20000120 21104535 VRA2017I CVSAM_DATA_SET_NAME............. VRA.V420.CVSAM
 37. 20000120 21104535 VRA2017I DATEFORMAT...................... MM/DD/CCYY
 38. 20000120 21104535 VRA2017I TIMESEPARATOR................... :
 39. 20000120 21104618 VRA2049I Starting the EVENT-MANAGER.
 40. 20000120 21104628 VRA2300I EVENT-MANAGER started.
 41. 20000120 21104710 VRA2049I Starting the EVENT-ANALYZER.
 42. 20000120 21104719 VRA2200I EVENT-ANALYZER started.
 43. 20000120 21104965 VRA2201I Event analysis starting.
 44. 20000120 21104967 VRA2002I ACS operator communications available.
 45. 20000120 21104967 VRA2003I ACS initialization complete.
 46. 20000120 21105045 VRA2202I Event analysis completed.
 47. 20000120 21140047 VRA2301I Command(s) selected - scheduled execution date=01/20/2001 time=21:14:00 for userid=VRAUSR
 48. 20000120 21140055 VRA2307I APPC conversation id CID#0001 started with the PROD1 host for userid=VRAUSR.
 49. 20000120 21140055 CID#0001 LISTC ENTRY('VRAUSR.ACS.VSAMDATA')
 50. 20000120 21140349 VRA2302I Command(s) executed - scheduled execution date=01/20/2001 time=21:14:00 for userid=VRAUSR
 51. 20000120 21304975 VRA2201I Event analysis starting.
 52. 20000120 21305019 VRA2202I Event analysis completed.
 53. 20000120 21320037 VRA2301I Command(s) selected - scheduled execution date=01/20/2001 time=21:32:00 for userid=VRAUSR2
 54. 20000120 21320056 VRA2705E APPC service ATBALC2 failed. RC=2. RS=10. Error_extract information follows.
 55. 20000120 21320056 CID#0002 ATB80100I From VTAM macro APPCCMD: Primary error return code: 0008, secondary error return code: 0001, sense code: 08570003.
 56. 20000120 21320071 VRA2705E APPC service ATBALC2 failed. RC=2. RS=10. Error_extract information follows.
 57. 20000120 21320071 CID#0002 ATB80100I From VTAM macro APPCCMD: Primary error return code: 0008, secondary error return code: 0001, sense code: 08570003.
 58. 20000120 21320085 VRA2705E APPC service ATBALC2 failed. RC=2. RS=10. Error_extract information follows.
 59. 20000120 21320085 CID#0002 ATB80100I From VTAM macro APPCCMD: Primary error return code: 0008, secondary error return code: 0001, sense code: 08570003.
 60. 20000120 21320110 VRA2705E APPC service ATBALC2 failed. RC=2. RS=10. Error_extract information follows.
 61. 20000120 21320110 CID#0002 ATB80100I From VTAM macro APPCCMD: Primary error return code: 0008, secondary error return code: 0001, sense code: 08570003.
 62. 20000120 21320110 VRA2702E APPC conversation start retry limit exceeded for conversation id CID#0002 with the PROD2 host for userid=VRAUSR2
 63. 20000120 21320114 VRA2303E Command(s) execution failed - scheduled execution date=01/20/2001 time=21:32:00 for userid=VRAUSR2
 64. 20000120 21320114 VRA2301I Command(s) selected - scheduled execution date=01/20/2001 time=21:32:00 for userid=VRAUSR2
 65. 20000120 21320116 VRA2307I APPC conversation id CID#0003 started with the TEST1 host for userid=VRAUSR2.
 66. 20000120 21320116 CID#0003 LU (JUNK123)
 67. 20000120 21320150 VRA2705E APPC service ATBRCVW failed. RC=6. RS=10. Error_extract information follows.
 68. 20000120 21320150 CID#0003 ATB80100I From VTAM macro APPCCMD: Primary error return code: 0004, secondary error return code: 0005, sense code: 080F6051.
 69. 20000120 21320150 CID#0003 ATB70017I TP security violation. Partner LU AVIPQA1 rejected the allocate request because authorization checks failed.
 70. 20000120 21320154 VRA2303E Command(s) execution failed - scheduled execution date=01/20/2001 time=21:32:00 for userid=VRAUSR2
 71. 20000120 21420132 VRA2301I Command(s) selected - scheduled execution date=01/20/2001 time=21:42:00 for userid=VRAUSR
 72. 20000120 21420155 VRA2705E APPC service ATBALC2 failed. RC=2. RS=10. Error_extract information follows.
 73. 20000120 21420155 CID#0004 ATB80100I From VTAM macro APPCCMD: Primary error return code: 0008, secondary error return code: 0001, sense code: 08570003.
 74. 20000120 21420171 VRA2705E APPC service ATBALC2 failed. RC=2. RS=10. Error_extract information follows.
 75. 20000120 21420171 CID#0004 ATB80100I From VTAM macro APPCCMD: Primary error return code: 0008, secondary error return code: 0001, sense code: 08570003.
 76. 20000120 21420189 VRA2705E APPC service ATBALC2 failed. RC=2. RS=10. Error_extract information follows.
 77. 20000120 21420189 CID#0004 ATB80100I From VTAM macro APPCCMD: Primary error return code: 0008, secondary error return code: 0001, sense code: 08570003.
 78. 20000120 21420204 VRA2705E APPC service ATBALC2 failed. RC=2. RS=10. Error_extract information follows.
 79. 20000120 21420204 CID#0004 ATB80100I From VTAM macro APPCCMD: Primary error return code: 0008, secondary error return code: 0001, sense code: 08570003.
 80. 20000120 21420204 VRA2702E APPC conversation start retry limit exceeded for conversation id CID#0004 with the PROD7 host for userid=VRAUSR2
 81. 20000120 21460127 VRA2301I Command(s) selected - scheduled execution date=01/20/2001 time=21:46:00 for userid=VRAUSR3
 82. 20000120 21460138 VRA2307I APPC conversation id CID#0005 started with the PROD1 host for userid=VRAUSR3.
 83. 20000120 21460138 CID#0005 SEND 'HOWDY GENE #A1B' USER(VRAUSR2)
 84. 20000120 21460679 CID#0005 SEND 'HOWDY GENE #A1A' USER(VRAUSR)
 85. 20000120 21460722 VRA2302I Command(s) executed - scheduled execution date=01/20/2001 time=21:46:00 for userid=VRAUSR3
 86. 20000120 21504997 VRA2201I Event analysis starting.
 87. 20000120 21505095 VRA2202I Event analysis completed.
 88. 20000120 21560047 VRA2301I Command(s) selected - scheduled execution date=01/20/2001 time=21:56:00 for userid=VRAUSR
 89. 20000120 21560050 VRA2307I APPC conversation id CID#0006 started with the PROD1 host for userid=VRAUSR.
 90. 20000120 21560050 CID#0006 LISTC LEVEL(VRAUSR) ALL
 91. 20000120 21560689 VRA2302I Command(s) executed - scheduled execution date=01/20/2001 time=21:56:00 for userid=VRAUSR
 92. 20000120 22060077 VRA2301I Command(s) selected - scheduled execution date=01/20/2001 time=22:06:00 for userid=VRAUSR
 93. 20000120 22060084 VRA2307I APPC conversation id CID#0007 started with the PROD1 host for userid=VRAUSR.
 94. 20000120 22060084 CID#0007 SETROPTS RACLIST(FACILITY) REFRESH
 95. 20000120 22060467 VRA2302I Command(s) executed - scheduled execution date=01/20/2001 time=22:06:00 for userid=VRAUSR
 96. 20000120 22105018 VRA2201I Event analysis starting.
 97. 20000120 22105073 VRA2202I Event analysis completed.
 98. 20000120 22160131 VRA2301I Command(s) selected - scheduled execution date=01/20/2001 time=22:16:00 for userid=VRAUSR3
 99. 20000120 22160134 VRA2307I APPC conversation id CID#0008 started with the PROD1 host for userid=VRAUSR3.
100. 20000120 22160134 CID#0008 SETROPTS RACLIST(FACILITY) REFRESH
101. 20000120 22160251 VRA2302I Command(s) executed - scheduled execution date=01/20/2001 time=22:16:00 for userid=VRAUSR3
102. 20000120 22260138 VRA2301I Command(s) selected - scheduled execution date=01/20/2001 time=22:26:00 for userid=VRAUSR
103. 20000120 22260151 VRA2307I APPC conversation id CID#0009 started with the PROD1 host for userid=VRAUSR.
104. 20000120 22260151 CID#0009 EX 'VRAUSR.ACS.DATA(CMDSTR01)' LIST
105. 20000120 22265597 VRA2302I Command(s) executed - scheduled execution date=01/20/2001 time=22:26:00 for userid=VRAUSR
106. 20000120 22265597 VRA2301I Command(s) selected - scheduled execution date=01/20/2001 time=22:26:00 for userid=VRAUSR
107. 20000120 22265600 VRA2307I APPC conversation id CID#0010 started with the PROD1 host for userid=VRAUSR.
108. 20000120 22265600 CID#0010 EX 'VRAUSR.ACS.DATA(CMDSTR02)' LIST
109. 20000120 22275626 VRA2302I Command(s) executed - scheduled execution date=01/20/2001 time=22:26:00 for userid=VRAUSR
110. 20000120 22305029 VRA2201I Event analysis starting.
111. 20000120 22305068 VRA2202I Event analysis completed.
112. 20000120 22505107 VRA2201I Event analysis starting.
113. 20000120 22505240 VRA2202I Event analysis completed.
114. 20000120 23105134 VRA2201I Event analysis starting.
115. 20000120 23105240 VRA2202I Event analysis completed.

Figure 6. VRALOG SYSOUT File Report Diagram
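A parser for the column layout described in this appendix, run over lines copied from Figure 6, as an added example (Python, not Vanguard code). It rebuilds each APPC conversation from the VRA2307I, VRA2702E and ATB70017I messages and from the CID# records, then flags what a reviewer of this log wants to see first: conversations that could not be allocated, TP security violations, and commands whose verb is on a list of sensitive RACF commands. The verb list is an illustrative assumption; the message patterns are taken from the figure.

```python
"""VRALOG parser and review pass (added example; not Vanguard code).
Column layout: yyyymmdd, hhmmssth, entry ID, information."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(\d{8}) (\d{8}) (\S{1,8}) (.*)$")
START_RE = re.compile(r"conversation id (CID#\d{4}) started with the (\S+) host for userid=(\w+)")
RETRY_RE = re.compile(r"retry limit exceeded for conversation id (CID#\d{4}) with the (\S+) host for userid=(\w+)")
SECVIOL_RE = re.compile(r"ATB70017I TP security violation\. Partner LU (\S+) rejected")
# Assumption: RACF command verbs (and their abbreviations) worth a second look.
SENSITIVE_VERBS = {"SETROPTS", "SETR", "PERMIT", "PE", "ALTUSER", "ALU", "ADDUSER", "AU", "DELUSER",
                   "DU", "CONNECT", "CO", "REMOVE", "RE", "RDEFINE", "RDEF", "RALTER", "RALT"}


@dataclass
class Conversation:
    cid: str
    host: str = "?"
    userid: str = "?"
    commands: List[str] = field(default_factory=list)
    status: str = "started"      # executed | failed | allocate-failed | security-violation
    detail: str = ""


def parse_vralog(text: str) -> Dict[str, Conversation]:
    convs: Dict[str, Conversation] = {}
    current: Optional[str] = None          # conversation the VRA23xx messages refer to
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:                           # title line, column header, wrapped fragments
            continue
        _date, _time, entry, info = m.groups()
        if entry.startswith("CID#"):        # column 3 is a conversation ID
            c = convs.setdefault(entry, Conversation(entry))
            violation = SECVIOL_RE.search(info)
            if violation:
                c.status, c.detail = "security-violation", "partner LU " + violation.group(1)
            elif not info.startswith("ATB"):  # not an APPC/MVS diagnostic: the command sent
                c.commands.append(info)
            continue
        started = START_RE.search(info)
        exceeded = RETRY_RE.search(info)
        if started:
            cid, host, userid = started.groups()
            c = convs.setdefault(cid, Conversation(cid))
            c.host, c.userid, current = host, userid, cid
        elif exceeded:                      # no VRA2307I was ever logged for this CID
            cid, host, userid = exceeded.groups()
            c = convs.setdefault(cid, Conversation(cid))
            c.host, c.userid, c.status = host, userid, "allocate-failed"
        elif entry in ("VRA2302I", "VRA2303E") and current and convs[current].status == "started":
            convs[current].status = "executed" if entry == "VRA2302I" else "failed"
    return convs


def findings(convs: Dict[str, Conversation]) -> List[str]:
    """Lines a reviewer should look at: failures, rejections, sensitive commands."""
    out: List[str] = []
    for c in convs.values():
        if c.status not in ("started", "executed"):
            out.append(f"{c.cid} {c.userid}@{c.host}: {c.status} {c.detail}".rstrip())
        for cmd in c.commands:
            verb = (cmd.split() or [""])[0].upper()
            if verb in SENSITIVE_VERBS:
                out.append(f"{c.cid} {c.userid}@{c.host}: sensitive command {cmd}")
    return out


# Lines copied from Figure 6 (rejoined where the figure wrapped them), plus the
# title and header lines, which the parser must skip.
SAMPLE_VRALOG = """\
Vanguard Administrator Automated Command Scheduler (ACS) Message Log. Date 01/20/2001. Time 21:10:41.
Date Time Entry ID
20000120 21104535 VRA2017I ACS_APPC_ALLOCATE_RETRIES....... 004
20000120 21140055 VRA2307I APPC conversation id CID#0001 started with the PROD1 host for userid=VRAUSR.
20000120 21140055 CID#0001 LISTC ENTRY('VRAUSR.ACS.VSAMDATA')
20000120 21140349 VRA2302I Command(s) executed - scheduled execution date=01/20/2001 time=21:14:00 for userid=VRAUSR
20000120 21320056 VRA2705E APPC service ATBALC2 failed. RC=2. RS=10. Error_extract information follows.
20000120 21320056 CID#0002 ATB80100I From VTAM macro APPCCMD: Primary error return code: 0008, secondary error return code: 0001, sense code: 08570003.
20000120 21320110 VRA2702E APPC conversation start retry limit exceeded for conversation id CID#0002 with the PROD2 host for userid=VRAUSR2
20000120 21320114 VRA2303E Command(s) execution failed - scheduled execution date=01/20/2001 time=21:32:00 for userid=VRAUSR2
20000120 21320116 VRA2307I APPC conversation id CID#0003 started with the TEST1 host for userid=VRAUSR2.
20000120 21320116 CID#0003 LU (JUNK123)
20000120 21320150 CID#0003 ATB70017I TP security violation. Partner LU AVIPQA1 rejected the allocate request because authorization checks failed.
20000120 21320154 VRA2303E Command(s) execution failed - scheduled execution date=01/20/2001 time=21:32:00 for userid=VRAUSR2
20000120 22060084 VRA2307I APPC conversation id CID#0007 started with the PROD1 host for userid=VRAUSR.
20000120 22060084 CID#0007 SETROPTS RACLIST(FACILITY) REFRESH
20000120 22060467 VRA2302I Command(s) executed - scheduled execution date=01/20/2001 time=22:06:00 for userid=VRAUSR
"""

if __name__ == "__main__":
    for line in findings(parse_vralog(SAMPLE_VRALOG)):
        print(line)
```

The VRA2702E case matters because no VRA2307I is ever written for a conversation that could not be allocated, so the host and user ID have to be recovered from the failure message itself; a parser keyed only on "started" messages would miss those conversations entirely.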


Appendix E. VSAM Extract File Conversion

The VRAEXCNV program converts full VSAM extract files so that they can be used by a newer release of Administrator.

Note: The Administrator VSAM extract files created by VRAEXCNV are valid Administrator VSAM extract files. You can use all Administrator functions when accessing the converted files.

VRAEXCNV creates records in the newer version's layout from the records as they existed in the prior version. Fields that were added to a record layout in the newer release cannot be populated from the prior-release file; such new fields are initialized to their default values.

You must have READ access to profile VRA$.VRAEXCNV in the FACILITY class to execute this program.

The VRAEXCNV member of your VANSAMP library contains sample JCL and control statements to run the extract file conversion program. You must substitute the following variables in the sample prior to submitting the job.

Variable Description

<VANLOAD> The name of the Vanguard Security Solutions load library.

<VANOPTS> The name of the Vanguard Security Solutions options library.

<SVSAMInput> The name of the SVSAM cluster that was created by a prior release of the Administrator.

<MVSAMInput> The name of the MVSAM cluster that was created by a prior release of the Administrator.

<SVSAMOutput> The name for the SVSAM cluster to be created.

<MVSAMOutput> The name for the MVSAM cluster to be created.

<PRIMARY> Size of the primary allocation, in cylinders, for the VSAM output files and the SORT intermediate files.

<SECONDARY> Size of the secondary allocation, in cylinders, for the VSAM output files and the SORT intermediate files.

<VOLSER> The VOLSER of the volume where you want to allocate the VSAM files. If you use MVS Storage Management Subsystem, remove the volume parameter from the VSAM define statement.

Table 31. VRAEXCNV Substitution Variables


Appendix F. Sequential Extract File Generation

The VRAFLAT and VRAFLTP extract processes create a sequential extract file from the VSAM extract files. The sequential extract file lets you use your own reporting tools. You must have READ access to profile VRA$.VRAEXTR in the FACILITY class to execute this program. Refer to Appendix G for the Flat File to Extract File cross-reference list.

The VRAFLAT process creates the file in the latest format and the VRAFLTP process creates the file in the format of the prior release. The main differences are:

• The latest format has variable-length records; the prior format has fixed-length records.

• In the latest format all fields are in text display format except for length fields. Length fields are two-byte binary fields that precede each variable-length text field, which allows variable-length fields to be loaded with your database software.

• The latest format minimizes space usage.

• The latest format includes a length field for each variable-length field, for application handling and database loading.

• The prior format allows applications designed for it to continue working without modification.

The VRAFLATR and VRAFLTPR members of your VANSAMP library contain the record layouts of the sequential extract file. VRAFLATR is the latest release and VRAFLTPR is for the prior release.

The VRAFLAT and VRAFLTP members of your VANSAMP library contain sample JCL and control statements to run the extract file creation program. VRAFLAT is the latest release and VRAFLTP is for the prior release. This process reads and consolidates various record types from the VSAM extract files. You must substitute values for the following variables in the sample member prior to submitting the job.


Variable Description

<VANLOAD> The name of the Vanguard load library.

<VANOPTS> The name of the Vanguard options library.

<SVSAMInput> The name of the SVSAM file created by the Administrator data service extract process.

<MVSAMInput> The name of the MVSAM file created by the Administrator data service extract process.

<EXTRACT> The name for the output flat extract file to be created.

<PRIMARY> Size of the primary allocation, in cylinders, for the output flat extract file.

<SECONDARY> Size of the secondary allocation, in cylinders, for the output flat extract file.

<SORTCYLS> Size of the allocation, in cylinders, for the SORT work file.

<EXTRUNIT> The device where you want to allocate the flat extract file.

<SORTUNIT> The device where you want to allocate the SORT work files.

Table 32. VRAFLAT Substitution Variables


Appendix G. Flat File to Extract File Cross-Reference List

VRAFLAT field | Usage | Value | VSAM field | VSAM usage

R00REC (Small VSAM file, record R000):
n/a | X(2) | '00' | - | -
n/a | X(1) | Spaces | - | -
n/a | X(7) | 'STATS' | - | -
n/a | X(58) | Spaces | - | -
R00CLASS | X(8) | - | R000-CLASS(2:7) | X(08)
n/a | X(1) | Spaces | - | -
R00COUNT | 9(7) | - | R000-COUNT | S9(08) COMP
R00TIME | X(06) | - | R000-TIME | X(04)
n/a | X(1) | Spaces | - | -
R00JULDT | 9(7) | - | R000-DATE | S9(07) COMP-3
R00GRGDT | X(12) | - | R000-DATE | S9(07) COMP-3
R00NUM | X(08) | - | CUSTOMER-NUMBER | -
R00ACTIVE | X(01) | - | R000-ACTIVE | X(01)
R00FULLRUN | X(01) | - | R000-FULLRUN | X(01)
R00EGN | X(01) | - | R000-EGN | X(01)
R00CDT-MEMBER | X(08) | - | R000-CDT-MEMBER | X(08)
R00CDT-PROFLGTH | 9(04) | - | R000-CDT-PROFLGTH | S9(04) COMP
R00CDT-SYNTAXF | X(01) | - | R000-CDT-SYNTAXF | X(01)
R00CDT-SYNTAXR | X(01) | - | R000-CDT-SYNTAXR | X(01)
R00CDT-DFLTUACC | X(01) | - | R000-CDT-DFLTUACC | X(01)
R00CDT-GRPCLASS | X(01) | - | R000-CDT-GRPCLASS | X(01)
R00CDT-ACEEUACC | X(01) | - | R000-CDT-ACEEUACC | X(01)
R00CDT-OPER | X(01) | - | R000-CDT-OPER | X(01)
R00CDT-RACLIST | X(01) | - | R000-CDT-RACLIST | X(01)
R00CDT-GENLIST | X(01) | - | R000-CDT-GENLIST | X(01)
R00CDT-RACDATASP | X(01) | - | R000-CDT-RACDATASP | X(01)
R00CDT-DFLTRC | 9(04) | - | R000-CDT-DFLTRC | S9(04) COMP
R00CDT-RACLISTRQ | X(01) | - | R000-CDT-RACLISTRQ | X(01)
R00CDT-PROFALLOWED | X(01) | - | R000-CDT-PROFALLOWED | X(01)
R00CDT-SECLABELRQ | X(01) | - | R000-CDT-SECLABELRQ | X(01)
R00CDT-REVMACCHK | X(01) | - | R000-CDT-REVMACCHK | X(01)
R00CDT-LOWERCASE | X(01) | - | R000-CDT-LOWERCASE | X(01)
R00CDT-GENERIC | X(01) | - | R000-CDT-GENERIC | X(01)
R00CDT-GENCMD | X(01) | - | R000-CDT-GENCMD | X(01)
R00CDT-AUDIT | X(01) | - | R000-CDT-AUDIT | X(01)
R00CDT-CLASSACT | X(01) | - | R000-CDT-CLASSACT | X(01)
R00CDT-GLOBAL | X(01) | - | R000-CDT-GLOBAL | X(01)
R00CDT-LOPTIONS | X(01) | - | R000-CDT-LOPTIONS | X(01)
R00CDT-STATISTICS | X(01) | - | R000-CDT-STATISTICS | X(01)
R00CDT-MNAME | X(08) | - | R000-CDT-MNAME | X(08)
R00CDT-GNAME | X(08) | - | R000-CDT-GNAME | X(08)


VRAFLAT field | Usage | Value | VSAM field | VSAM usage

R00REC (Small VSAM file, record R000), continued:
R00CDT-POSIT | 9(9) | - | R000-CDT-POSIT | 9(9) COMP
R00VERSION | X(08) | - | R000-VERSION | X(08)
R00CPUID | X(06) | - | R000-CPUID | X(06)

R01REC (Small VSAM file, record R200):
n/a | X(2) | '01' | - | -
R01USER | X(8) | - | R200-USER | X(08)
n/a | X(58) | Spaces | - | -
n/a | X(8) | 'USER' | - | -
R01DEF1 | 9(7) | - | R200-CREADATE | S9(07) COMP-3
R01DEF2 | X(12) | - | R200-CREADATE | S9(07) COMP-3
R01PWDT1 | 9(7) | - | R200-PASSDATE | S9(07) COMP-3
R01PWDT2 | X(12) | - | R200-PASSDATE | S9(07) COMP-3
R01OWNER | X(8) | - | R200-OWNER | X(08)
R01INIT1 | 9(7) | - | R200-INITDATE | S9(07) COMP-3
R01INIT2 | X(12) | - | R200-INITDATE | S9(07) COMP-3
R01FLAG1 | X(1) | - | R200-ADSP | X(01)
R01FLAG2 | X(1) | - | R200-SPEC | X(01)
R01FLAG3 | X(1) | - | R200-OPER | X(01)
R01FLAG4 | X(1) | - | R200-RVKE | X(01)
R01FLAG5 | X(1) | - | R200-GACC | X(01)
R01FLAG6 | X(1) | - | R200-AUDT | X(01)
R01UAUDT | X(1) | - | R200-UAUD | X(01)
R01UNAMEL | S9(4) | - | R200-NAMELGTH | S9(04) COMP
R01UNAME | X(20) | - | R200-NAME | PIC X(255)
R01SECL1 | 9(3) | - | R200-SECLEVEL | S9(04) COMP
R01SECL2 | 9(3) | - | R200-SECLEVEL | S9(04) COMP
R01DFGRP | X(8) | - | R200-DFLTGRP | X(08)
R01PWIN1 | 9(3) | - | R200-PWINTRVL | S9(04) COMP
R01PWIN2 | X(03) | - | R200-PWINTRVL | S9(04) COMP
R01PWIN2R (redefines R01PWIN2) | 9(03) | - | R200-PWINTRVL | S9(04) COMP
R01REVD1 | 9(7) | - | R200-REVOKEDT | S9(07) COMP-3
R01REVD2 | X(10) | - | R200-REVOKEDT | S9(07) COMP-3
R01RESD1 | 9(7) | - | R200-RESUMEDT | S9(07) COMP-3
R01RESD2 | X(10) | - | R200-RESUMEDT | S9(07) COMP-3
R01MODEL | X(17) | - | R200-MODEL | PIC X(255)
R01APPL | X(8) | - | R210-DATAAPPL | X(08)
R01DATA | X(8) | - | R210-DATACLAS | X(08)
R01MGMT | X(8) | - | R210-MGMTCLAS | X(08)
R01STOR | X(8) | - | R210-STORCLAS | X(08)
R01SECL3 | X(20) | - | R904-MEMBER | PIC X(255)
n/a | X(4) | Spaces | - | -
R01INSTL | S9(4) COMP | - | R200-INSTLGTH | S9(04) COMP
R01INST | X(255) | - | R200-INSTDATA | PIC X(255)
R01CTGYCT | 9(08) | - | R200-CTGYCT | PIC S9(08) COMP
R01CLASCT | 9(08) | - | R200-CLASCT | PIC S9(08) COMP
R01CONGRPCT | 9(08) | - | R200-CONGRPCT | PIC S9(08) COMP
R01INITTIME | X(06) | - | R200-INITTIME | PIC X(04)


VRAFLAT field | Usage | Value | VSAM field | VSAM usage

R01REC (Small VSAM file, record R200), continued:
R01PWNEEDED | X(01) | - | R200-PWNEEDED | PIC X(01)
R01SECLABEL | X(08) | - | R200-SECLABEL | PIC X(08)
R01LOGSUN | X(01) | - | R200-LOGSUN | X(01)
R01LOGMON | X(01) | - | R200-LOGMON | X(01)
R01LOGTUE | X(01) | - | R200-LOGTUE | X(01)
R01LOGWED | X(01) | - | R200-LOGWED | X(01)
R01LOGTHU | X(01) | - | R200-LOGTHU | X(01)
R01LOGFRI | X(01) | - | R200-LOGFRI | X(01)
R01LOGSAT | X(01) | - | R200-LOGSAT | X(01)
R01LOGTIME-BEGIN | 9(04) | - | R200-LOGTIME-BEGIN | S9(04) COMP
R01LOGTIME-END | 9(04) | - | R200-LOGTIME-END | S9(04) COMP
R01HRVK | X(01) | - | R200-HRVK | X(01)
R01HRVKID | X(08) | - | R200-HRVKID | X(08)
R01HRVKDT | 9(07) | - | R200-HRVKDT | S9(07) COMP-3
R01DCERT-CNT | 9(08) | - | R200-DCERT-CNT | S9(08) COMP
R01RESTRICTED | X(01) | - | R200-RESTRICTED | X(01)
R01PROTECTED | X(01) | - | R200-PROTECTED | X(01)
R01OIDCARD | X(01) | - | R200-OIDCARD | X(01)
R01MODELLONGL | S9(4) COMP | - | R200-MODELLGTH | S9(04) COMP
R01MODELLONG | X(44) | - | R200-MODEL | PIC X(255)

R02REC (Small VSAM file, record R100):
n/a | X(2) | '02' | - | -
R02GROUP | X(8) | - | R100-GROUP | X(08)
n/a | X(58) | Spaces | - | -
n/a | X(8) | 'GROUP' | - | -
R02OWNER | X(8) | - | R100-OWNER | X(08)
R02SUPGR | X(8) | - | R100-SUPGROUP | X(08)
R02TERM | X(1) | - | R100-TERM | X(01)
R02SCOPE | X(1) | - | R100-SCOPE | X(01)
R02MODEL | X(17) | - | R100-MODEL | X(44)
R02CRDT1 | 9(7) | - | R100-CREADATE | S9(07) COMP-3
R02CRDT2 | X(12) | - | R100-CREADATE | S9(07) COMP-3
R02APPL | X(8) | - | R110-DATAAPPL | X(08)
R02DATA | X(8) | - | R110-DATACLAS | X(08)
R02MGMT | X(8) | - | R110-MGMTCLAS | X(08)
R02STOR | X(8) | - | R110-STORCLAS | X(08)
R02NRUSR | 9(5) | - | R100-USERCNT | PIC S9(08)
n/a | X(106) | Spaces | - | -
R02INSTL | S9(4) COMP | - | R100-INSTLGTH | S9(04) COMP
R02INST | X(255) | - | R100-INSTDATA | X(255)
R02UACC | X(1) | - | R100-UACC | X(01)
R02UNIVERSAL | X(1) | - | R100-UNIVERSAL | X(01)
R02SUBGRPCT | 9(08) | - | R100-SUBGRPCT | S9(08) COMP
R02MODELLGTH | S9(04) COMP | - | - | -
R02MODELLONG | X(44) | - | R100-MODEL | X(44)

R03REC (Medium VSAM file, record R300): continued on the next page.


VRAFLAT field | Usage | Value | VSAM field | VSAM usage

R03REC (Medium VSAM file, record R300), continued:
n/a | X(2) | '03' | - | -
R03HLQ | X(8) | - | R300-DSN | X(44)
R03DSN | X(44) | - | R300-DSN | X(44)
n/a | X(14) | - | - | -
n/a | X(8) | 'DATASET' | - | -
R03VOL | X(6) | - | R300-VOL | X(06)
R03PROFTYP | X(01) | - | R300-PROFTYPE | X(01)
R03DEVTP | X(4) | - | R300-DEVTYPE | X(08)
R03UACC | X(1) | - | R300-UACC | X(01)
R03OWNER | X(8) | - | R300-OWNER | X(08)
R03WARN | X(1) | - | R300-WARNING | X(01)
R03NOTFY | X(8) | - | R300-NOTIFY | X(08)
R03SECL1 | 9(3) | - | R300-SECLEVEL | S9(04) COMP
R03SECL2 | 9(3) | - | R300-SECLEVEL | S9(04) COMP
R03ADS | X(8) | - | R300-ADS | X(01)
R03ADSQ | X(7) | - | R300-ADSQ | X(01)
R03ADF | X(8) | - | R300-ADF | X(01)
R03ADFQ | X(7) | - | R300-ADFQ | X(01)
R03GADS | X(8) | - | R300-GADS | X(01)
R03GADSQ | X(7) | - | R300-GADSQ | X(01)
R03GADF | X(8) | - | R300-GADF | X(01)
R03GADFQ | X(7) | - | R300-GADFQ | X(01)
R03CRDT1 | 9(7) | - | R300-CREADATE | S9(07) COMP-3
R03CRDT2 | X(12) | - | R300-CREADATE | S9(07) COMP-3
R03RESOW | X(8) | - | R310-RESOWNER | X(08)
R03EOS | X(1) | - | R300-EOS | X(01)
R03SECL3 | X(20) | - | R904-MEMBER | X(255)
R03DSTYP | X(1) | - | R300-DSTYPE | X(01)
n/a | X(54) | Spaces | - | -
R03INSTL | S9(4) COMP | - | R300-INSTLGTH | S9(04) COMP
R03INST | X(255) | - | R300-INSTDATA | X(255)
R03CONGROUP | X(08) | - | R300-CONGROUP | X(08)
R03GROUPDSN | X(01) | - | R300-CONGROUP | X(08)
R03LEVEL | 9(02) | - | R300-LEVEL | 9(02)
R03SECLABEL | X(08) | - | R300-SECLABEL | X(08)
R03ACLCNT | 9(04) | - | R300-ACLCNT | S9(04) COMP
R03ACL2CNT | 9(04) | - | R300-ACL2CNT | S9(04) COMP

R04REC (Medium VSAM file, record R400):
n/a | X(2) | '04' | - | -
n/a | X(8) | Spaces | - | -
R04ENTY | X(50) | - | R400-ENTY | X(50)
R04SEQUENCE | 9(08) | - | R400-TIE-BREAK | S9(08) COMP
R04CLASS | X(8) | - | R400-CLASS | X(08)
R04UACC | X(1) | - | R400-UACC | X(01)
R04OWNER | X(8) | - | R400-OWNER | X(08)
R04TYPE | X(1) | - | R400-TYPE | X(01)
R04WARN | X(1) | - | R400-WARNING | X(01)


VRAFLAT field | Usage | Value | VSAM field | VSAM usage

R04REC (Medium VSAM file, record R400), continued:
R04NOTFY | X(8) | - | R400-NOTIFY | X(08)
R04SECL1 | 9(3) | - | R400-SECLEVEL | S9(04) COMP
R04SECL2 | 9(3) | - | R400-SECLEVEL | S9(04) COMP
R04ADS | X(8) | - | R400-ADS | X(01)
R04ADSQ | X(7) | - | R400-ADSQ | X(01)
R04ADF | X(8) | - | R400-ADF | X(01)
R04ADFQ | X(7) | - | R400-ADFQ | X(01)
R04GADS | X(8) | - | R400-GADS | X(01)
R04GADSQ | X(7) | - | R400-GADSQ | X(01)
R04GADF | X(8) | - | R400-GADF | X(01)
R04GADFQ | X(7) | - | R400-GADFQ | X(01)
R04CRDT1 | 9(7) | - | R400-CREADATE | S9(07) COMP-3
R04CRDT2 | X(12) | - | R400-CREADATE | S9(07) COMP-3
R04SECL3 | X(20) | - | R904-MEMBER | X(255)
n/a | X(74) | Spaces | - | -
R04INSTL | S9(4) COMP | - | R400-INSTLGTH | S9(04) COMP
R04INST | X(255) | - | R400-INSTDATA | X(255)
R04LEVEL | 9(02) | - | R400-LEVEL | 9(02)
R04SECLABEL | X(08) | - | R400-SECLABEL | X(08)
R04LOGSUN | X(01) | - | R400-LOGSUN | X(01)
R04LOGMON | X(01) | - | R400-LOGMON | X(01)
R04LOGTUE | X(01) | - | R400-LOGTUE | X(01)
R04LOGWED | X(01) | - | R400-LOGWED | X(01)
R04LOGTHU | X(01) | - | R400-LOGTHU | X(01)
R04LOGFRI | X(01) | - | R400-LOGFRI | X(01)
R04LOGSAT | X(01) | - | R400-LOGSAT | X(01)
R04LOGTIME-BEGIN | 9(04) | - | R400-LOGTIME-BEGIN | S9(04) COMP
R04LOGTIME-END | 9(04) | - | R400-LOGTIME-END | S9(04) COMP
R04TIMEZONE | X(06) | - | R400-TIMEZONE | X(06)
R04ACLCNT | 9(04) | - | R400-ACLCNT | S9(04) COMP
R04ACL2CNT | 9(04) | - | R400-ACL2CNT | S9(04) COMP
R04VOLCNT | 9(04) | - | R400-VOLCNT | S9(04) COMP
R04VOLSER | X(06) | - | R400-VOLSER | X(06)
R04TVOL-SINGLEDSN | X(01) | - | R400-TVOL-SINGLEDSN | X(01)
R04TVOL-AUTOMATIC | X(01) | - | R400-TVOL-AUTOMATIC | X(01)
R04TVOL-MTNTVTOC | X(01) | - | R400-TVOL-MTNTVTOC | X(01)
R04APPLL | S9(04) COMP | - | R400-APPLLGTH | S9(04) COMP
R04APPL | X(255) | - | R400-APPLDATA | X(255)
R04ALTENTYL | S9(04) COMP | - | R400-ALTENTYLGTH | S9(04) COMP
R04ALTENTY | X(255) | - | R400-ALTENTY | X(255)

R07REC (Small VSAM file, record R220):
n/a | X(2) | '07' | - | -
R07USER | X(8) | - | R220-USER | X(08)
n/a | X(58) | Spaces | - | -
n/a | X(8) | 'TSOSGMT' | - | -
R07UNAME | X(20) | - | R200-NAME | X(20)
R07HOLD | X(1) | - | R220-HOLD | X(01)


VRAFLAT field | Usage | Value | VSAM field | VSAM usage

R07REC (Small VSAM file, record R220), continued:
R07JOB | X(1) | - | R220-JOB | X(01)
R07PROC | X(8) | - | R220-PROC | X(08)
R07SCLAS | X(1) | - | R220-SCLS | X(01)
R07UNIT | X(8) | - | R220-UNIT | X(08)
R07MSGCL | X(1) | - | R220-MCLS | X(01)
R07DEST | X(8) | - | R220-DEST | X(08)
R07UDATA | X(4) | - | R220-UDATA | X(04)
R07LSIZE | 9(7) | - | R220-LSIZE | S9(08) COMP
R07RSIZE | 9(7) | - | R220-MSIZE | S9(08) COMP
R07ACCTL | S9(04) COMP | - | R220-ACCTLGTH | S9(04) COMP
R07ACCT | X(39) | - | R220-ACCT | PIC X(40)
R07PERF | X(02) | - | R220-PERF | X(04)
R07SECLABEL | X(08) | - | R220-SECLABEL | X(08)
R07CMDL | S9(04) COMP | - | R220-CMDLGTH | S9(04) COMP
R07CMD | X(80) | - | R220-CMD | PIC X(80)

R08REC (Medium VSAM file, record R901):
n/a | X(2) | '08' | - | -
n/a | X(8) | Spaces | - | -
R08ENTY | X(50) | - | R901-ENTY | X(50)
R08SEQUENCE | 9(08) | - | R901-TIE-BREAK | S9(08) COMP
R08CLASS | X(8) | - | R901-CLASS | X(08)
R08UNAME | X(20) | - | R200-NAME | X(20)
n/a | X(8) | Spaces | - | -
R08VOL | X(6) | - | R901-VOL | X(06)
R08DSTYP | X(1) | - | R901-DSTYPE | X(01)
R08CATOT | 9(4) | - | R901-CTGYTOT | S9(08) COMP
R08CANUM | 9(4) | Count | - | -
R08CATABLE: the next two fields occur 20 times.
R08CATGYL | PIC S9(04) COMP | - | R901-CTGYLGTH | S9(04) COMP
R08CATGY | PIC X(20) | - | R901-CATEGORY | X(44)
R08ALTENTYL | S9(04) COMP | - | R901-ALTENTYLGTH | S9(04) COMP
R08ALTENTY | X(255) | - | R901-ALTENTY | X(255)

R09REC (Small VSAM file, record R203):
n/a | X(2) | '09' | - | -
R09USER | X(8) | - | R203-USER | X(08)
n/a | X(56) | Spaces | - | -
R09UNAME | X(20) | - | R200-NAME | X(20)
R09DFGRP | X(8) | - | R200-DFLTGRP | X(08)
R09CLTOT | 9(4) | - | R200-CLASCT | S9(08) COMP
R09CLNUM | 9(4) | Count | - | -
R09CLAUTAB: the next field occurs 50 times.
R09CLAUT | X(8) | - | R203-CLNAME | X(08)

R10REC (Medium VSAM file, record R902):
n/a | X(2) | '10' | - | -


VRAFLAT field | Usage | Value | VSAM field | VSAM usage

R10REC (Medium VSAM file, record R902), continued:
R10USGR | X(8) | - | R902-USRGRP | X(08)
R10ENTY | X(50) | - | R902-ENTY | X(50)
R10SEQUENCE | 9(08) | - | R902-TIE-BREAK | S9(08) COMP
R10CLASS | X(8) | - | R902-CLASS | X(08)
R10VOL | X(6) | - | R902-VOL | X(06)
R10PROFTYP | X(01) | - | R902-PROFTYPE | X(01)
R10DEVTP | X(4) | - | R902-DEVTYPE | X(08)
R10ACC | X(1) | - | R902-ACCESS | X(01)
R10UNAME | X(20) | - | R200-NAME | X(20)
R10DSTYP | X(1) | - | R902-DSTYPE | X(01)
R10ALTENTYL | S9(04) COMP | - | R902-ALTENTYLGTH | S9(04) COMP
R10ALTENTY | X(255) | - | R902-ALTENTY | X(255)

R11REC (Medium VSAM file, record R905):
n/a | X(2) | '11' | - | -
R11USGR | X(8) | - | R905-USRGRP | X(08)
R11ENTY | X(50) | - | R905-ENTY | X(50)
R11SEQUENCE | 9(08) | - | R905-TIE-BREAK | S9(08) COMP
R11CLASS | X(8) | - | R905-CLASS | X(08)
R11VOL | X(6) | - | R905-VOL | X(06)
R11PROFTYP | X(01) | - | R905-PROFTYPE | X(01)
R11DEVTP | X(4) | - | R905-DEVTYPE | X(08)
R11ACC | X(1) | - | R905-ACCESS | X(01)
R11PROGL | S9(04) COMP | - | R905-WHENENTY-LGTH | S9(04) COMP
R11PROG | X(8) | - | R905-WHENENTY | X(255)
R11UNAME | X(20) | - | R200-NAME | X(20)
R11DSTYP | X(1) | - | R905-DSTYPE | X(01)
R11ALTENTYL | S9(04) COMP | - | R905-ALTENTYLGTH | S9(04) COMP
R11ALTENTY | X(255) | - | R905-ALTENTY | X(255)

R15REC (Small VSAM file, record R103):
FILLER | X(2) | '15' | - | -
R15GROUP | X(8) | - | R103-GROUP | X(08)
FILLER | X(58) | Spaces | - | -
FILLER | X(8) | 'SUBGROUP' | - | -
R15GRTOT | 9(4) | Count | - | -
R15GRNUM | 9(4) | Count | - | -
R15SBGRP-G: the next field occurs 50 times.
R15SBGRP | X(8) | - | R103-SUBGROUP | X(08)

R16REC (Medium VSAM file, record R904):
n/a | X(2) | '16' | - | -
n/a | X(8) | Spaces | - | -
R16ENTY | X(50) | - | R904-ENTY | X(50)
R16SEQUENCE | 9(08) | - | R904-TIE-BREAK | S9(08) COMP
R16CLASS | X(8) | - | R904-CLASS | X(08)
R16METOT | 9(4) | - | R904-MEM-TOT | S9(08) COMP


VRAFLAT field | Usage | Value | VSAM field | VSAM usage

R16REC (Medium VSAM file, record R904), continued:
R16VOL | X(6) | - | R904-VOL | X(06)
R16ACC | X(7) | - | R904-ACCESS | X(07)
R16SECLV | 9(02) | - | R904-SECLEVEL | S9(04) COMP
R16MEMBRL | S9(04) COMP | - | R904-MEMLGTH | S9(04) COMP
R16MEMBR | X(255) | - | R904-MEMBER | X(255)
R16PADS | X(1) | - | R904-PADS | X(01)
R16ALTENTYL | S9(04) COMP | - | R904-ALTENTYLGTH | S9(04) COMP
R16ALTENTY | X(255) | - | R904-ALTENTY | X(255)

R20REC (Medium VSAM file, record R300):
n/a | X(2) | '20' | - | -
R20USR | X(8) | - | R300-NOTIFY | X(08)
R20DSN | X(44) | - | R300-DSN | X(44)
n/a | X(14) | - | - | -
n/a | X(8) | 'DATASET' | - | -
R20VOL | X(6) | - | R300-VOL | X(06)
R20PROFTYP | X(01) | - | R300-PROFTYPE | X(01)
R20DEVTP | X(4) | - | R300-DEVTYPE | X(08)
R20UNAME | X(20) | - | R200-NAME | X(20)
R20DSTYP | X(1) | - | R300-DSTYPE | X(01)

R21REC (Medium VSAM file, record R300):
n/a | X(2) | '21' | - | -
R21OWNER | X(8) | - | R300-OWNER | X(08)
R21DSN | X(44) | - | R300-DSN | X(44)
n/a | X(14) | - | - | -
n/a | X(8) | 'DATASET' | - | -
R21VOL | X(6) | - | R300-VOL | X(06)
R21PROFTYP | X(01) | - | R300-PROFTYPE | X(01)
R21DEVTP | X(4) | - | R300-DEVTYPE | X(08)
R21UNAME | X(20) | - | R200-NAME | X(20)
R21DSTYP | X(1) | - | R300-DSTYPE | X(01)

R30REC (Medium VSAM file, record R400):
n/a | X(2) | '30' | - | -
R30USR | X(8) | - | R400-NOTIFY | X(08)
R30ENTY | X(50) | - | R400-ENTY | X(50)
R30SEQUENCE | 9(08) | - | R400-TIE-BREAK | S9(08) COMP
R30CLASS | X(8) | - | R400-CLASS | X(08)
R30TYPE | X(1) | - | R400-TYPE | X(01)
R30UNAME | X(20) | - | R200-NAME | X(20)
R30ALTENTYL | S9(04) COMP | - | R400-ALTENTYLGTH | S9(04) COMP
R30ALTENTY | X(255) | - | R400-ALTENTY | X(255)

R31REC (Medium VSAM file, record R400):
FILLER | X(2) | '31' | - | -
R31OWNER | X(8) | - | R400-OWNER | X(08)
R31ENTY | X(50) | - | R400-ENTY | X(50)


VRAFLAT field | Usage | Value | VSAM field | VSAM usage

R31REC (Medium VSAM file, record R400), continued:
R31SEQUENCE | 9(08) | - | R400-TIE-BREAK | S9(08) COMP
R31CLASS | X(8) | - | R400-CLASS | X(08)
R31TYPE | X(1) | - | R400-TYPE | X(01)
R31UNAME | X(20) | - | R200-NAME | X(20)
R31ALTENTYL | S9(04) COMP | - | R400-ALTENTYLGTH | S9(04) COMP
R31ALTENTY | X(255) | - | R400-ALTENTY | X(255)

R41REC (Small VSAM file, record R200):
n/a | X(2) | '41' | - | -
R41OWNER | X(8) | - | R200-OWNER | X(08)
R41USER | X(8) | - | R200-USER | X(08)
n/a | X(50) | Spaces | - | -
n/a | X(8) | 'OWNER' | - | -
R41UNAME | X(20) | - | R200-NAME | X(20)

R51REC (Small VSAM file, record R100):
n/a | X(2) | '51' | - | -
R51OWNER | X(8) | - | R100-OWNER | X(08)
R51GROUP | X(8) | - | R100-GROUP | X(08)
n/a | X(50) | Spaces | - | -
n/a | X(8) | 'CONNECT' | - | -
R51UNAME | X(20) | - | R200-NAME | X(20)

R60REC (Small VSAM file, record R900):
n/a | X(2) | '60' | - | -
R60USER | X(8) | - | R900-USER | X(08)
R60GROUP | X(8) | - | R900-GROUP | X(08)
n/a | X(50) | Spaces | - | -
n/a | X(8) | 'CONNECT' | - | -
R60GRPSP | X(1) | - | R900-SPECIAL | X(01)
R60GRPOP | X(1) | - | R900-OPERATIONS | X(01)
R60GRPAU | X(1) | - | R900-AUDITOR | X(01)
R60GRPRE | X(1) | - | R900-REVOKE | X(01)
R60GRPTE | X(1) | - | R900-TERMUAC | X(01)
R60GRPUA | X(1) | - | R900-UACC | X(01)
R60AUTH | X(1) | - | R900-AUTH | X(01)
R60UNAME | X(20) | - | R200-NAME | X(20)
R60REVD1 | 9(7) | - | R900-REVOKEDT | S9(07) COMP-3
R60REVD2 | X(10) | - | R900-REVOKEDT | S9(07) COMP-3
R60RESD1 | 9(7) | - | R900-RESUMEDT | S9(07) COMP-3
R60RESD2 | X(10) | - | R900-RESUMEDT | S9(07) COMP-3
R60OWNER | X(8) | - | R900-OWNER | X(08)
R60COND1 | 9(7) | - | R900-CREADATE | S9(07) COMP-3
R60COND2 | X(12) | - | R900-CREADATE | S9(07) COMP-3
R60ADSP | X(1) | - | R900-ADSP | X(01)
R60GACC | X(1) | - | R900-GACC | X(01)
R60INITDATE1 | 9(7) | - | R900-INITDATE | S9(07) COMP-3
R60INITDATE2 | X(12) | - | R900-INITDATE | S9(07) COMP-3


VRAFLAT field | Usage | Value | VSAM field | VSAM usage

R60REC (Small VSAM file, record R900), continued:
R60INITTIME | X(6) | - | R900-INITTIME | X(04)

R61REC (Small VSAM file, record R900):
n/a | X(2) | '61' | - | -
R61GROUP | X(8) | - | R900-USER | X(08)
R61USER | X(8) | - | R900-GROUP | X(08)
n/a | X(50) | Spaces | - | -
n/a | X(8) | 'CONNECT' | - | -
R61GRPSP | X(1) | - | R900-SPECIAL | X(01)
R61GRPOP | X(1) | - | R900-OPERATIONS | X(01)
R61GRPAU | X(1) | - | R900-AUDITOR | X(01)
R61GRPRE | X(1) | - | R900-REVOKE | X(01)
R61GRPTE | X(1) | - | R900-TERMUAC | X(01)
R61GRPUA | X(1) | - | R900-UACC | X(01)
R61AUTH | X(1) | - | R900-AUTH | X(01)
R61UNAME | X(20) | - | R200-NAME | X(20)
R61REVD1 | 9(7) | - | R900-REVOKEDT | S9(07) COMP-3
R61REVD2 | X(10) | - | R900-REVOKEDT | S9(07) COMP-3
R61RESD1 | 9(7) | - | R900-RESUMEDT | S9(07) COMP-3
R61RESD2 | X(10) | - | R900-RESUMEDT | S9(07) COMP-3
R61OWNER | X(8) | - | R900-OWNER | X(08)
R61COND1 | 9(7) | - | R900-CREADATE | S9(07) COMP-3
R61COND2 | X(12) | - | R900-CREADATE | S9(07) COMP-3
R61ADSP | X(1) | - | R900-ADSP | X(01)
R61GACC | X(1) | - | R900-GACC | X(01)
R61INITDATE1 | 9(7) | - | R900-INITDATE | S9(07) COMP-3
R61INITDATE2 | X(12) | - | R900-INITDATE | S9(07) COMP-3
R61INITTIME | X(6) | - | R900-INITTIME | X(04)


Appendix H. Glossary of Terms

This Glossary of Terms lists critical terms and acronyms used throughout the Administrator User Guide, Technical Reference, Message Reference, Help panels, the online Tutorial and within a security environment.

A
Access. The authorization to use a protected resource.
Access Authority. The authority to request a specific type of access. The RACF access authorities are NONE, EXECUTE, READ, UPDATE, CONTROL, and ALTER.
Access List. Synonymous with Standard Access List. See also Conditional Access List.
ACEE. Accessor Environment Element.
Accessor Environment Element (ACEE). A description of the current user including user ID, current connect group, user attributes, and group authorities. An ACEE is constructed during user identification and verification.
ACS. Automated Command Scheduler. See Command Scheduler below.
ADSP. Automatic Data Set Protection.
Alternate User ID. The VM facility that allows one virtual machine to operate with the access authority of another. When the authority of a user is delegated to a second party, the user's user ID is the alternate user ID for the second party.
Attribute. A distinct characteristic or feature used to identify and classify objects or individuals. See also User Attribute.
Automatic Data Set Protection (ADSP). On MVS, the user attribute that automatically defines all permanent data sets created by the user to RACF with a discrete RACF profile.
Automatic Profile. On MVS, a TAPEVOL profile that is created when a RACF-defined user protects a tape data set. When the last data set on the volume is deleted, the TAPEVOL profile is automatically deleted by RACF. See also non-automatic profile.
Authority. Having authorization to access objects, resources or utilities.

Authorization Checking. The process of verifying a user's access to protected resources that RACF performs following a RACHECK or FRACHECK request.

B
Base Segment. See RACF segment.

C
Category. See security category.
CICS Segment. A section of a RACF profile that contains information for the Customer Information Control System (CICS).
Class. A set of entities (users, groups, and resources) that are RACF-defined and have similar characteristics. The class names are DATASET, GROUP, USER, and the classes defined in the class descriptor table.
Class Authority (CLAUTH). The authority to define RACF profiles in a class defined in the class descriptor table. Users can have class authority for more than one class.
Class Descriptor. A RACF-supplied control block for all classes in the class descriptor table. See class descriptor table.
Class Descriptor Table (CDT). A table, created when the ICHERCDE macro is executed (once per class), that contains an entry for each class except the USER, GROUP, and DATASET classes.
CLAUTH. Class Authority.
Command Scheduler. This facility allows the RACF security administrator to define events, that is, to enter TSO commands that will be executed at a future date or time. He or she can specify, for example, that a user ID be activated tomorrow at noon and then deactivated two days later. This ensures that necessary future administration activities take place with minimal human intervention. Reminders can be specified as well.
Conditional Access List. An access list within a profile that links a condition to a user ID or group ID and the corresponding access authority. A conditional access list entry can allow access, if the user does not otherwise have access, when the specified condition is true. For example, the condition for program access to data sets is that the user must be executing the program specified in the access list. See standard access list for contrast.
CST (CMS subtasking). An interface program enabling RACF to run programs written for an OS/VS environment. A function of RACF only, not VM.
Current Connect Group. The group associated with a user, for access-checking purposes, during a terminal session or batch job. On MVS, the current connect group is the user's default group unless the user specifies the current connect group on the LOGON command or batch JOB statement. On VM, no group can be specified other than the user's default group. If list-of-groups processing is in effect, all groups the user is connected to are associated with the user. However, list-of-groups checking is ignored if the current connect group is also found in the global access table.
Current Security Label. The security label used by RACF in authorization checking if the SECLABEL class is active. For batch jobs on MVS, the current security label is the default label in the user's profile unless otherwise specified in the SECLABEL parameter of the JOB statement. For an interactive user the current security label is the user's default security label unless the user specified otherwise during logon.

D
Data Security. The protection of data from accidental or intentional destruction, disclosure, or modification.
Data Security Monitor (DSMON). A RACF audit tool that produces reports enabling installations to verify data-security controls and basic system security.
Data Set Profile. A profile providing RACF protection for one or more data sets. The profile can include the data set profile name, profile owner, universal access authority, access list, and other information. See also discrete profile and generic profile.
Default Group. In RACF, the default current group specified in the user profile.
Delegation. The assignment of authorities to other users or user groups to enable the performance of RACF operations.
DFP Segment. The section of a RACF profile that contains information related to the resources and users managed by the data facility product (DFP).
Discrete Profile. A resource profile that can provide RACF protection for a single resource such as one minidisk or one data set.
Discretionary Access Control. A way to restrict access on the basis of accessor identity, or the groups to which the accessor belongs. An accessor with sufficiently high access authority can grant access to another accessor.
DLFDATA Segment. The section of a RACF profile that contains data for the data lookaside facility.
DSMON. Data Security Monitor.

E
Entity. A resource, user or group that is defined to RACF.
Exempt User. In RACF/VM, a user whose VM event profile precludes auditing or access-resource control. Exempt users can access a resource for which CP is the resource manager.

Note: For LOGON, LOGOFF, AUTOLOG and XAUTOLOG commands as well as certain sub-codes of the diagnose codes, such as X and AO, CP always calls RACF, even for an exempt user.

Extract. The Administrator gives the user the ability to optionally view either live information directly from the RACF database or to view information from the most recently produced Extract file. Use the Extract command to view Extract file information.

F
Facility Class. When the user presses <Enter>, a check is made to see whether he or she has READ access to the FACILITY class profile VIP$.NOEDIT.COMMANDS. If the user has READ access or higher, he or she is not allowed to edit the generated commands; they are displayed as they are executed.
Fastpath. A short-cut method for selecting reports and performing tasks. Fastpath allows you to jump easily from one function to another.
Field-Level Access Checking. The RACF facility used by a security administrator to control access to fields or segments in a RACF profile.
FRACHECK. Checks a user's authorization to a RACF-protected resource or function faster than RACHECK. A FRACHECK request uses only in-storage profiles for faster performance.
Fully Qualified Generic Profile. A generic profile with no generic characters in its name that protects only a resource whose name matches the name of the profile.
Function Modification Identifier (FMID). A seven-character identifier that MVS, VS/1, and related products use to identify the release of the product.

G
GCS. Group Control System.
GDG. Generation Data Group.
General Resource. Any system resource, except an MVS data set, that is defined in the class descriptor table (CDT). VM general resources are minidisks, terminals, RSCS nodes and virtual record devices. MVS general resources are load modules, IMS and CICS transactions, tape volumes, DASD volumes, terminals and installation-defined resource classes.
General Resource Profile. A profile that provides RACF protection for one or more general resources and contains information that can include the general resource profile name, profile owner, universal access authority, access list, and other data.
Generation Data Group (GDG). A chronological grouping of data sets that have the same base name, such as PAYROLL. Each data set is called a generation data set.
Generic Profile. A resource profile that can provide RACF protection for one or more resources that have similar names and identical security requirements. For example, one or more data sets can be protected by a generic data set profile.
Global Access Checking (GAC). The ability of an installation to establish an in-storage table of default authorization levels for selected resources. RACF refers to this table before performing normal authorization checking and grants the request if the requested access authority does not exceed the global value. Global access checking can grant the user access to the resource, but it cannot deny access.
Group. A collection of RACF-defined users who can share access authorities for protected resources.
Group Authority. The authority that specifies the functions a user can perform in a group. The group authorities are CREATE, CONNECT, JOIN, and USE.
Group Control System (GCS). A component of VM that provides multiprogramming and shared memory support to virtual machines. It is a saved system intended for use with SNA products.
Group Data Set. On MVS, a RACF-protected data set in which either the high-level qualifier of the data set or the qualifier supplied by an installation exit routine is a RACF group name.
Group ID. A string of 1 to 8 alphanumeric characters identifying a group to RACF. The first character must be #, $, @ or an alphabetic character.
Group Profile. A description of a group that includes the group name, profile owner, and users in the group.
Group Terminal Option. A RACF function allowing users within a group to log on only from terminals for which they have been specifically authorized.
Group-Related User Attribute. A user attribute assigned at the group level that enables the user to control the resource, group, and user profiles associated with the group and its subgroups. Some of the group-related attributes are group-SPECIAL, group-AUDITOR, and group-OPERATIONS.

L
LIST. The command that displays (lists) the user name and installation data fields from the user's profile.
List-Of-Groups Checking. A RACF option providing a user access to all resources available to all groups to which the user belongs, based on the highest access among the groups, regardless of the user's current connect group.
Live. The Administrator allows the user to view either live information directly from the RACF database or information from the most recently produced Extract file. Use the Live command to view live RACF information.
Logging. The routine recording of data concerning specific events.

M

Modeling. See profile modeling.
MVS. Multiple Virtual Storage. Implies MVS/370, MVS/XA, and MVS/ESA.

O

Owner. The user or group that created the profile, or that is designated as its owner. Profile owners can list, modify, or delete the profile.

P

PADS. Program Access to Data Sets.
Password. A string of characters, recognized by a computer system, that a user must specify to gain access to the system and the data stored within it. The password verifies the identity the user claims with the User ID.
Profile. A description of the key features of a user, a group of users, or one or more computer resources. See data set profile, discrete profile, general resource profile, generic profile, group profile, and user profile.
Profile List. A list of profiles that is built in storage by the RACF routines and indexed by class (general resources) or by the high-level qualifier (DATASET profiles).
Profile Modeling. The user or installation capability to copy information (such as access lists or universal access authority) from an existing resource profile when defining a new resource profile.
Program Access to Data Sets (PADS). On MVS, a RACF function allowing authorized users or user groups to access one or more data sets at a specified access authority only while running a specified RACF-controlled program. See also program control.
Program Control. On MVS, a RACF function that regulates who can run RACF-controlled programs. See also program access to data sets.
Protected Resource. A resource defined to RACF so that access to it is controlled. Resources that can be protected by RACF include terminals, tape volumes, DASD volumes, DASD and tape data sets, VM minidisks, IMS/VS transactions, IMS/VS transaction groups, and any other resource defined in the class descriptor table.
PV. Persistent Verification.

R

RACF. Resource Access Control Facility.
RACF Database. A collection of data items stored together, without unnecessary redundancy, to serve the Resource Access Control Facility (RACF).
RACF-Indicated. A RACF-indicated data set can be accessed by a user only if the data set has a RACF profile or an entry in the global access checking table. For VSAM data sets, the RACF indicator is in the catalog entry. For non-VSAM data sets, the indicator is in the data set control block (DSCB). For data sets on tape, the indicator is in the RACF tape volume profile of the volume containing the data set. On systems without RACF, a RACF-indicated data set cannot be accessed by a user until the indicator is turned off.
RACF-Protected. A resource that has either a discrete profile or an applicable generic profile. A data set that is RACF-protected by a discrete profile must also be RACF-indicated.
RACF Manager. The routines within RACF that provide access to the RACF database. Contrast with RACF storage manager.
RACF Report Writer. A RACF function that generates reports on resource and system use from the information found in the RACF SMF records.

Appendix H. Glossary of Terms

RACF segment. The section of a RACF profile that contains the basic information needed to define a user, group, or resource to RACF. Also called the base segment. See also DFP, DLFDATA, and TSO segments.
RACF storage manager. The routines within RACF that obtain and release system storage on behalf of the rest of RACF. Contrast with RACF manager.
RACHECK request. The execution of the RACHECK macro, or of the RACROUTE macro with REQUEST=AUTH specified. A RACHECK request is primarily used to check a user's authorization to a RACF-protected resource or function. See also authorization checking.
RACINIT request. The execution of the RACINIT macro, or of the RACROUTE macro with REQUEST=VERIFY or REQUEST=VERIFYX specified. A RACINIT request is used to verify the authority of a user to enter work into the system.
RACROUTE macro. An assembler macro that calls RACF to provide security functions. See also FRACHECK, RACHECK, and RACINIT requests.
RBA. Relative Byte Address.
Relative Byte Address (RBA). In RACF, the address of a profile on the RACF database.
Resource Access Control Facility (RACF). An IBM licensed product that provides access control by identifying and verifying users to the system, authorizing and logging accesses to protected resources, and logging detected unauthorized attempts to enter the system.
Resource Group Class. A RACF class in which resource group profiles can be defined; it is related to another class, called the member class. For example, resource group class GTERMINL is related to class TERMINAL. See also resource group profile.
Resource Group Profile. A general resource profile in a resource group class that can provide RACF protection for one or more resources with unlike names. See also resource group class.
Resource Profile. A profile that provides RACF protection for one or more resources. User, group, and connect profiles are not resource profiles. The information in a resource profile can include the data set profile name, profile owner, universal access authority, access list, and other data. Resource profiles can be discrete profiles or generic profiles. See discrete profile and generic profile.
RRSF. RACF Remote Sharing Facility.

S

SECLEVEL. Security level.
Security. The prevention of unauthorized use of a program or device. See also data security.
Security Category. An installation-defined label that corresponds to a department or area within an organization with similar security requirements.
Security Classification. The use of security categories, a security level, or both, to impose additional access controls on sensitive resources. An alternative way to provide security classifications is to use security labels.
Security Label. An installation-defined name that corresponds to a specific RACF security level together with a set of zero or more security categories. It is equivalent to the NCSC term sensitivity label.
Security Token. A collection of information that represents a user, a job, or the data to be accessed, and includes a User ID, group ID, security label, node of origin, and other information.
SESSION Segment. The section of a RACF profile that contains data used to control the establishment of sessions between logical units under LU 6.2.
Standard Access List. Within a profile, a list of all authorized users and groups and their access authorities. Synonymous with access list. See also conditional access list.
Sysplex (System Complex). Multiple systems linked together by hardware elements and software services.
System VM Event Profile. A resource profile in the VMXEVENT class that can be used to define the audit settings and control of VM events for all users.
System High. The highest security level and the highest security label in a system. All security categories are included in system high.
System Low. The lowest security level and the lowest security label in a system. No security categories are associated with system low.

T

Task Oriented Administration. An expanded set of commands designed to simplify administration of RACF.
Tranquility. Maintaining the constancy of the security classification of a user that is active or a resource that is in use.
TSO segment. The section of a RACF profile that contains TSO/E logon information.

U

UACC. Universal Access Authority.
UADS. User Attribute Data Set.
Universal Access Authority (UACC). The default access authority that applies to a resource when neither the user nor any group the user belongs to is specifically permitted access to the resource. The universal access authority can be any of the access authorities.
User. An individual who uses a computing system.
User Attribute. The distinctive privileges, restrictions, and processing environments assigned to a user. The user attributes are SPECIAL, AUDITOR, CLAUTH, ADSP, OPERATIONS, GRPACC, and REVOKE.
User Data Set. On MVS, a RACF-defined data set in which either the high-level qualifier of the data set name or the qualifier supplied by an installation exit routine is a RACF User ID.
User ID. A string of characters that uniquely identifies a user to a system. On VM, the User ID is 1 to 8 alphanumeric characters. On TSO, the User ID can be no more than 7 characters and must begin with #, $, @, or an alphabetic character.
User Identification and Verification. The acts of identifying and verifying a RACF-defined user to the system during logon or batch job processing. RACF identifies the user by the User ID and verifies the user by the password or operator identification card (MVS only) supplied during logon processing, or by the password supplied on a batch JOB statement.
User Name. A string of one to twenty alphanumeric characters that represents a RACF-defined user.
User Profile. A summary of a RACF-defined user that includes the User ID, user name, user attributes, default group name, password, profile owner, and other information. The profile can also include information for subsystems such as TSO and DFP. See TSO and DFP segments.
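The Global Access Checking, List-Of-Groups Checking and Universal Access Authority entries each describe one step of the order in which RACF decides a RACHECK request, and the interaction between those steps is easy to get wrong. The following Python model is an added example, not code from the Vanguard Administrator product or from RACF itself: it reproduces only the precedence the glossary describes (global access checking first, then the user's own access-list entry, then group entries with or without list-of-groups checking, then UACC). Profile matching, security labels, the OPERATIONS attribute, conditional access lists and PROTECTALL are deliberately left out. The RESTRICTED user attribute, which the glossary's attribute list does not mention, is modelled as an assumption because it changes whether GAC and UACC apply. The profile names, User IDs, group names and access lists are constructed for illustration.

```python
# Added illustrative model of RACF authorization checking (not product code).
# It reproduces only the precedence rules: global access checking, the user's
# own access-list entry, group entries (with list-of-groups checking, the
# SETROPTS GRPLIST option), and UACC. RESTRICTED is modelled as an assumption.
from dataclasses import dataclass, field

# RACF access authorities, weakest to strongest. A request is satisfied when
# the authority found is at least as strong as the authority requested.
ACCESS_ORDER = ("NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER")
RANK = {a: i for i, a in enumerate(ACCESS_ORDER)}


def satisfies(granted, requested):
    return RANK[granted] >= RANK[requested]


@dataclass
class Profile:
    """A discrete resource profile: name, UACC and standard access list."""
    name: str
    uacc: str = "NONE"
    access_list: dict = field(default_factory=dict)  # userid or group -> access


@dataclass
class User:
    userid: str
    current_group: str        # the connect group the user logged on with
    groups: tuple = ()        # every group the user is connected to
    restricted: bool = False  # RESTRICTED attribute (assumed, not in glossary)


def check_access(user, profile, requested, gac_table=None, grplist=False):
    """Decide a RACHECK-style request and report which rule decided it."""
    # 1. Global access checking is consulted before the profile and can only
    #    grant. Access granted here bypasses the access list and is normally
    #    not logged; RESTRICTED users are never granted access this way.
    if gac_table and not user.restricted:
        global_access = gac_table.get(profile.name)
        if global_access is not None and satisfies(global_access, requested):
            return True, "global access checking"
    # 2. An entry for the user ID itself wins over any group entry, even when
    #    it grants less than the groups would.
    if user.userid in profile.access_list:
        granted = profile.access_list[user.userid]
        return satisfies(granted, requested), f"user entry {granted}"
    # 3. Group entries. Without list-of-groups checking only the current
    #    connect group counts; with it, the highest access among all groups.
    groups = user.groups if grplist else (user.current_group,)
    found = [profile.access_list[g] for g in groups if g in profile.access_list]
    if found:
        best = max(found, key=RANK.get)
        return satisfies(best, requested), f"group entry {best}"
    # 4. No explicit permit: fall back to UACC, except for RESTRICTED users.
    if user.restricted:
        return False, "restricted user with no explicit permit"
    return satisfies(profile.uacc, requested), f"UACC {profile.uacc}"


# Constructed sample data (names and access lists are invented for the demo).
GAC_TABLE = {"SYS1.HELP": "READ"}
HELP = Profile("SYS1.HELP", uacc="NONE")
PAYROLL = Profile("PAYROLL.MASTER", uacc="NONE",
                  access_list={"PAYADM": "ALTER", "PAYGRP": "READ",
                               "AUDGRP": "UPDATE", "BOB": "NONE"})
ALICE = User("ALICE", current_group="PAYGRP", groups=("PAYGRP", "AUDGRP"))
BOB = User("BOB", current_group="AUDGRP", groups=("AUDGRP",))
CAROL = User("CAROL", current_group="SYS1", groups=("SYS1",), restricted=True)


def demo():
    """Run the scenarios the glossary entries describe."""
    return {
        # GAC grants READ although the profile alone (UACC NONE) would deny it.
        "gac_grants_read": check_access(ALICE, HELP, "READ", GAC_TABLE),
        # GAC cannot deny: a request above the global value falls through to
        # the profile, which then decides.
        "gac_cannot_deny": check_access(ALICE, HELP, "UPDATE", GAC_TABLE),
        "restricted_skips_gac": check_access(CAROL, HELP, "READ", GAC_TABLE),
        # Current group PAYGRP has READ; the other group AUDGRP has UPDATE.
        "no_grplist": check_access(ALICE, PAYROLL, "UPDATE"),
        "grplist": check_access(ALICE, PAYROLL, "UPDATE", grplist=True),
        # BOB's own NONE entry beats his group's UPDATE.
        "user_entry_wins": check_access(BOB, PAYROLL, "READ", grplist=True),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22} {'GRANT' if ok else 'DENY':5} ({why})")
```

Two of the results are the ones worth remembering when reviewing a RACF database: an explicit NONE entry for a User ID denies even when the user's groups would permit, and list-of-groups checking silently raises a user's effective access to the best of all connect groups, so a group that was meant only as a default group for logon still contributes its permissions.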

V

Verification. The confirmation of a user's identity and authority. See also User Identification and Verification.
VM. A licensed program that manages virtual machines and provides both the CP and CMS command languages. Can be VM/ESA, VM/HPO, VM/SP, or VM/XA.
VM Event. The execution of a CP command or DIAGNOSE function, a user request pertaining to communication between virtual machines, or spool file activity.
VMCF. Virtual Machine Communication Facility.
VRA IDs. While generating RACF commands, the Administrator may have to supply a User or Group ID that cannot be specified at the time the command is issued. These placeholder IDs ensure that RACF rejects any command in which they appear.

Index

Access, 169
Access Authority, 169, 173
Access List, 169
Accessor Environment Element, 169
ACEE, 169
ACS, 169
ACS client, 149
ACS_APPC_ALLOCATE_RETRIES, 22
ACS_APPC_DEFAULT_DEST, 21
ACS_APPC_DEFAULT_LOCAL_LU, 21
ACS_APPC_DEFAULT_MODE_NAME, 22
ACS_APPC_TP_NAME, 22
ACS_COMMAND_BYPASS_IF_OLDER_THAN, 22
ACS_LOG_MAXLINES, 23
ACS_LOG_SYSOUT_CLASS, 23
ACS_SMF_RECORD_NUMBER, 20
ACS_SUBSYSTEM_NAME, 23
administering passwords, 36
ADMINISTRATOR DB2 JCL Library, 67
ADMINISTRATOR Extract, 47
ADMINISTRATOR Extract function, 48, 54
Administrator Initialization Panel, 10
ADMINISTRATOR JCL DSN, 63
ADSP, 169
Alternate User ID, 169
ALTUSER, 38
APPC/MVS, 99
APPC/MVS profiles, 93
ASCH, 87, 99
ASMLRCX2, 140
Attribute, 169
Auditor attribute, 36
Authority, 169
Authorization Checking, 169
Automatic Data Set Protection, 169
AVIPQA1, 89, 90, 91, 92
AVIPQAT, 90, 91
BACKUP, 136
Base Segment, 169
Category, 169
CDT, 169, 171
CICS segment, 169
CICS transaction, 171
Class, 169
class authority, 169
Class Descriptor Table, 169, 171, 172
CLAUTH, 169
CLIST library, 57
CMS subtasking, 170
Command Data Set, 13
Command Scheduler, 169
Conditional Access List, 170
connect group, 34
Connect group, 170, 172
Connect profiles, 173
CS_COMMAND_CHECK_INTERVAL, 23
CST, 170
Current Security Label, 170
Data Services, 48, 55
Data Set Profile, 170
database id, 52, 54, 55
DATEFORMAT, 18
DB2, 15
DB2 base tables, 54, 55
DB2 Install/Reinstall, 64
DB2 Load Function, 55
DB2 Object Prefix, 61, 66
DB2 option, 47
DB2 Option, 64
DB2 Plan Owner, 70
DB2 Plan Prefix, 62, 66, 70
DB2 Queries, 73
DB2 Rebind, 72
DB2 Runstats, 72
DB2 RUNSTATS, 72
DB2 Shadow Catalog, 76
DB2 Subsystem ID, 61, 66
Decentralization, 31
default access authority, 174
Default Group, 170
DEFAULT_FILE_MODE, 19
DEFAULT_REPORT_OPTION, 18
DFP Segment, 170
discrete profile, 170, 172, 173
Distributed Identity Manager, 81
DLFDATA segment, 170, 173
DSMON, 170
DSNEXIT, 16, 61, 66
DSNLOAD, 61, 66
EMAILASATCHMT, 23
EMAILLCLNODE, 23
EMAILPRMSPACE, 24
EMAILREPLYTO, 24
EMAILSECSPACE, 24
EMAILSMTPNODE, 24
EMAILSMTPUSER, 24
EMAILUNITNAME, 24
exclude, 36
Execute Authority, 70
Exempt User, 170
Extended Access List, 52, 58, 59


Extract, 170, 172
Extract Audit Report, 53
Extract JCL, 52
EXTRACTSVC, 19
Facility Class, 170
FAILSOFT, 139
Fastpath, 171
field-level access checking, 171
File Conversion
    VSAM Extract, 155
FMID, 171
FORCEINIT, 19
FORCEUPDT, 19
FRACHECK, 171
FULLRUN, 51
GAC, 171
GCS, 171
GDG, 171
general resource, 173
General Resource, 171
General Resource Profile, 171
Generation Data Group, 171
generic character, 171
Generic Profile, 171
Global Access Checking, 171
Group, 171
group access, 36, 37
group authorities, 169, 171
Group Control System, 171
Group ID, 171
Group Profile, 171
HARD REVOKE, 38
highest security level, 173
ICHPWX01, 139, 141
ICHRCX01, 139, 140
Identity Manager, 81
IEFUJI, 140
index spaces, 68
Information Request Services, 13
Initialization Panel, 70
Installation Data, 141, 171
INTERVAL, 141
JCL library, 48, 55, 57, 63, 73
LINESPERPAGE, 17
LIST, 171
Live RACF, 172
LIVEALLOC, 19
LIVESVC, 19
Logging, 172
lowest security level, 173
Main Menu, 27
masking, 18
Medium Extract, 59
Message Library DSN, 60
MVS, 172
new password, 37, 141
NEWPASS, 141
NON-RDS, 48
Object Prefix, 16
Objects Creator, 68
Obsolete, 13
Operations attribute, 36
OPERATIONS attribute, 140
Owner, 172
Panel Library DSN, 60
Partial Extract, 51
Password, 172
password history, 37, 141
Problem Support Form, xii
Profile, 172
Profile owners, 172
RACF, 172
RACF CLIST Library, 60
RACF commands, 77, 174
RACF Database, 172
RACF database ID, 81, 102, 144
RACF exits, 77
RACF Extract File, 49
RACF FACILITY, 14, 171
RACF FACILITY class, 34, 36, 37
RACF FACILITY class, 29, 30, 31, 78, 81, 86, 93
RACF group name, 171
RACF Report Writer, 172
RACF segment, 169, 173
RACF System SPECIAL, 36
RACHECK, 38, 169, 173
RACINIT, 173
RACROUTE, 29, 173
RDS, 48
READ level access, 29
REBIND, 54
RECOVER, 137
Reinstall DB2 Option, 48
REORG, 136
RESTORE, 136
RESUME, 38
Retailor Batch JCL, 48
REVOKE, 38
RRSF, 81, 173
SECLEVEL, 173
Security Level, 173
Sequential Extract File Generation, 157
SESSION segment, 173
Shadow Catalog, 54, 62, 66, 76
Skeleton Library DSN, 60
Small Extract, 58
SMF, 172
SPECIAL attribute, 31
specified access authority, 172


SPUFI, 72
Standard Access List, 173
STEPLIB, 20
VRAFLAT program, 158
Supervisor state, 141
SYSEXEC, 20
sysout class, 52
Sysplex, 173
System Auditor, 36
Tailoring the ADMINISTRATOR batch JCL, 47
Task Oriented Administration, 12, 13, 174
TIMESEPARATOR, 18
TSO segment, 173, 174
UACC, 37, 174
UADS, 174
UNBOUND, 18
UPPERCASE, 17
user access, 172
User Attributes, 169, 174
User Data Set, 174
User ID, 174
User Profile, 174
VAMOPT00, 25
VIMDEBUG, 26
VIMOPT00, 26
VIMSERVM, 100
VIOUNIT, 18, 26
VIP$.NOEDIT.COMMAND, 30
VIP$.NOEDIT.COMMANDS, 171
VIPOPTS, 98
VM, 174
Volser, 59
VPWDBUGC, 20
VPWDEBUG, 20
VRA ID, 174
VRA$.LIVE.USER, 31
VRA$.SCOPE, 31
VRA$.VRAEXTR, 14, 157
VRAABCSU, 136
VRAEXCNV program, 155
    substitution variables, 155
VRAFLAT member, 157
VRAFLAT program, 157
VRAIDM$.classname.profile, 30
VRALOG SYSOUT, 149
VRAOPT00, 1, 17, 23
VRAPW, 37, 38
VRAPW$.ALL, 35, 36
VRAPW$.AUDIT, 38
VRAPW$.default, 36
VRAPW$.Groupid, 35
VRAPW$.NOHISTCHK, 37
VRAPW$.Userid, 35, 36
VRAUD$.classname, 31
VRAUD$.classname.fieldname, 31
VSAM, 14
VSAM Extract File Conversion, 155
VSAM files, 48, 54, 55, 58
WORKUNIT, 17