If a USER profile ABC123 with an OWNER + DFLTGRP DEPT110 should be in your administration scope, CKGRACF and CKRCARLA look for a profile protecting
CKG.SCP.ID.ABC123.DEPT110.DEPT110
Three variable qualifiers.
If this profile is not found, CKGRACF and CKRCARLA look for the OWNER of DEPT110, and continue chasing the OWNER chain until they get to SYS1, in which case a profile is searched for resource CKG.SCP.G.owner1.owner2....DEPT110, where owner1 is the last group before SYS1.
If there is a USER in the OWNER chain, the chain stops and a profile is found for CKG.SCP.U.owner1.owner2....DEPT110, where owner1 is the USER ID.
Now, if you are going to execute commands on a GROUP, like a CONNECT command, CKGRACF and CKRCARLA do not have a DFLTGRP value to check; the first profile to check is
CKG.SCP.ID.group.owner
Two variable qualifiers. And CKG.SCP.G and CKG.SCP.U profiles work similarly to the USER case.
CKGRACF has a DEBUG command that illustrates the way these SCP profiles are checked. Go to SE.T (Trace or Debug options), select the "Collect CKGRACF diagnostics" option. This adds the DEBUG command into the CKGRACF command parameters. Output is written to CKGPRINT.
------------------------------
Rob van Hoboken
------------------------------
Original Message:
Sent: Wed March 04, 2020 11:28 PM
From: Linnea Sullivan
Subject: Scoping Profiles in Visual
I am having a rather difficult time with the scoping profiles within Visual.
Our administrators are going to use either Visual or zSecure ISPF to perform their daily administration tasks. I wanted to see if I could scope the administrators more using XFACILIT CKG.SCP.ID., CKG.SCP.G., and CKG.SCP.U. profiles in Visual, or use what's available in Command Verifier/RACF for zSecure ISPF.
It appears that if I set up CKG.SCP.ID.group.user profiles I can scope the user, but in my opinion these profiles are quite limited. From my understanding the CKG.SCP.G and CKG.SCP.U profiles let you scope the administrator between 2 points in the group tree, or just listing a starting point in the tree. So if I remove CKG.SCP.ID. profile and try the CKG.SCP.G.** or CKG.SCP.U.** the administrator can't list any users at all. I have even tried to specify 2 points in the tree / starting point in the tree with no luck, and no errors.
Does the administrator need SPECIAL, Group Special, or CTLSPEC to use Visual? Or is the authority/scope based solely on the CKG resources?
------------------------------
Linnea Sullivan
------------------------------
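
The OWNER-chain fallback described in the reply at the top of this thread, modelled as an added example (not zSecure code and not part of the original posts). The profile table, the names DIV1, ADMIN7 and TEAM9, and the function name are constructed for illustration; the first CKG.SCP.ID check is not modelled.

```python
# Constructed sample data, not from a real RACF database:
# profile name -> (profile type, OWNER). SYS1 is the top of the group tree.
PROFILES = {
    "SYS1":    ("GROUP", "IBMUSER"),
    "DIV1":    ("GROUP", "SYS1"),
    "DEPT110": ("GROUP", "DIV1"),
    "ADMIN7":  ("USER",  "DIV1"),
    "TEAM9":   ("GROUP", "ADMIN7"),
}


def owner_chain_resource(owner, profiles=PROFILES):
    """Build the CKG.SCP.G / CKG.SCP.U resource name for a profile whose
    immediate OWNER is `owner`, chasing OWNER upwards as the reply describes."""
    chain = []                      # collected bottom-up: immediate owner first
    current = owner
    while True:
        if current not in profiles:
            raise ValueError(f"no profile for owner {current!r}")
        if current in chain:
            raise ValueError(f"OWNER loop at {current!r}")
        kind, next_owner = profiles[current]
        if kind == "USER":
            # A USER in the chain stops the walk and becomes owner1.
            chain.append(current)
            prefix = "CKG.SCP.U"
            break
        if current == "SYS1":
            # Top reached: owner1 is the last group collected before SYS1.
            prefix = "CKG.SCP.G"
            break
        chain.append(current)
        current = next_owner
    if not chain:
        return None                 # owned directly by SYS1: not covered in the thread
    # Resource name lists the chain top-down, ending at the immediate owner.
    return ".".join([prefix] + chain[::-1])


if __name__ == "__main__":
    for owner in ("DEPT110", "TEAM9"):
        print(owner, "->", owner_chain_resource(owner))
```

Comparing the printed resource names with the XFACILIT profiles actually defined shows which CKG.SCP.G or CKG.SCP.U profile would have to cover a given user or group.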