Author Topic: RACF security  (Read 2915 times)

DDP021

RACF security
« on: February 26, 2014, 04:22:48 AM »
Is there anyone currently using RACF for their user ID validation on CMOD8.5? We are using RACF security since that was what was used when we were running ODE2.1 on the mainframe... When the conversion was done to CMOD years ago, they kept that security in place... UNFORTUNATELY no one either thought, or bothered, to set anything up to do automatic user ID adds/deletes to CMOD... This resulted in us manually deleting over 5000 non-valid RACF IDs off our system... It also resulted in us having to manually add new users... We do know of a RACF file that gets updated daily that another application uses... Just not sure what type of file it is (trying to find out) or how it's formatted... The 1000 dollar question is, if we can use this file, what would need to be done to somehow use it to go against our current user file in CMOD to add/remove IDs?... Just curious if anyone is currently doing anything like this and what they did... My biggest task would be to find someone to set something like this up since I'm not a programmer... My guess is it's not a simple thing, otherwise it would have been done when the original conversion to CMOD from ODE2.1 was done!!! ;)

Any info would be appreciated!

Take care

Dave

ewirtz

Re: RACF security
« Reply #1 on: February 28, 2014, 01:36:02 AM »
Hi Dave,
a batch job could be implemented that reads all CMOD users. For each user, the RACF configuration could be checked. If a user deletion is needed, the user can be deactivated or dropped using ARSXML. I know this would work. Of course this idea does not substitute for a detailed design.

regards

Egon

DDP021

Re: RACF security
« Reply #2 on: March 03, 2014, 08:41:52 AM »
Thanks Egon,

I was able to track down the mainframe dataset that contains all the valid RACF users... It gets updated nightly... I just need to find out how to incorporate this file with the CMOD user file on the server so it can do a compare of the two files and remove any IDs from CMOD that don't match the RACF dataset file... Right now it would be just nice to remove non-valid IDs... No need to import ALL the current valid RACF IDs (over 75,000 I believe) because a majority of them don't even access CMOD...

Michael Prouse

Re: RACF security
« Reply #3 on: March 06, 2014, 10:23:51 AM »
Query your user table in CMOD and dump the RACF IDs to a file. Use that file to compare against the RACF file - and write all RACF IDs from your CMOD user file that do not have a match in the RACF file to a "not matched" file. Use the "not matched" file to build XML to delete the users from CMOD...

I've worked on a system that used RACF for security. What we did was have the RACF admins produce an 'audit' file each night showing all users they added, deleted or modified. We would then read that file and generate the XML to add/delete/update the users, as appropriate. That way, CMOD remains in sync with the RACF system.
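The compare step described in the reply above, as an added example that is not part of the original thread or any poster's code: it lists CMOD IDs with no match in the RACF extract and refuses to produce a list when the extract looks empty, truncated or mis-formatted, since a bad nightly file would otherwise flag valid users for deletion. It assumes both files hold one user ID per line (the thread does not give either format); `protected` and `max_fraction` are hypothetical parameters, and the sample IDs are constructed.

```python
RACF_ID_MAX_LEN = 8          # RACF user IDs are 1-8 characters
RACF_NATIONAL_CHARS = "#$@"  # allowed in addition to A-Z and 0-9


class ReconcileError(Exception):
    """Raised when the inputs look unsafe to act on."""


def load_racf_ids(lines):
    """Parse the RACF extract (assumed: one user ID per line)."""
    ids = set()
    for n, raw in enumerate(lines, 1):
        uid = raw.strip().upper()
        if not uid:
            continue
        ok = all((c.isascii() and c.isalnum()) or c in RACF_NATIONAL_CHARS for c in uid)
        if len(uid) > RACF_ID_MAX_LEN or not ok:
            # Wrong file or wrong layout: stop rather than compare garbage.
            raise ReconcileError(f"line {n}: not a RACF user ID: {uid!r}")
        ids.add(uid)
    return ids


def find_not_matched(cmod_lines, racf_lines, protected=("ADMIN",), max_fraction=0.25):
    """Return sorted CMOD IDs that have no match in the RACF extract.

    protected    -- hypothetical list of local CMOD accounts never to flag
    max_fraction -- hypothetical ceiling on the share of CMOD IDs flagged
    """
    racf = load_racf_ids(racf_lines)
    if not racf:
        raise ReconcileError("RACF extract is empty; refusing to flag anyone")
    cmod = {line.strip().upper() for line in cmod_lines if line.strip()}
    keep = {p.upper() for p in protected}
    not_matched = sorted(cmod - racf - keep)
    if len(not_matched) > max_fraction * len(cmod):
        # A truncated nightly extract shows up as a sudden mass mismatch.
        raise ReconcileError(f"{len(not_matched)} of {len(cmod)} CMOD IDs unmatched; review manually")
    return not_matched


# Constructed sample data, not taken from any real system.
SAMPLE_CMOD = ["jsmith\n", "ADMIN\n", "BWAYNE \n", "CKENT\n", "DPRINCE\n", "OLDUSR1\n", "\n"]
SAMPLE_RACF = ["JSMITH\n", "BWAYNE\n", "CKENT\n", "DPRINCE\n", "ZUNUSED\n"]

if __name__ == "__main__":
    for user_id in find_not_matched(SAMPLE_CMOD, SAMPLE_RACF):
        print(user_id)  # candidates for the "not matched" file
```

The returned list is the "not matched" file; it should be reviewed before it is used to build the delete XML.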

DDP021

Re: RACF security
« Reply #4 on: March 11, 2014, 08:53:37 AM »
Thanks Michael!!... I'll pass this info to our engineers... As I indicated, what we would want to do is only remove any IDs from CMOD that aren't valid any longer in RACF... We don't see a need to automate RACF user adds seeing as not all of them require CMOD access... I did find how we authenticate the user's RACF password... Apparently there is LDAP on the mainframe that is used as a pass-through which syncs up the user ID that is defined to CMOD with the password defined to RACF on the mainframe...