IBM Security Z Security


Control which SETROPTS commands are propagated via RRSF

  • 1.  Control which SETROPTS commands are propagated via RRSF

    Posted Thu June 17, 2021 11:23 AM
    We are in an environment with multiple plexes and each plex has one RACF database. We want to set our RRSFDATA profiles to allow SETROPTS commands to be propagated between the plexes. We are considering this for the SETROPTS RACLIST/GENERIC REFRESH commands, to make it easier on the administrator concerning issuing the refresh commands.

    However, that also allows other SETROPTS commands to be propagated as well. We are concerned about an engineer accidentally changing an option in SETROPTS and it being propagated to all the plexes.

    Are there any controls that I have not considered that let me separate the SETROPTS REFRESH from the other SETROPTS commands?

    I know there are controls in Command Verifier that I can use to control which command the administrator/engineer can issue, but nothing concerning propagation via RRSF.   




    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Control which SETROPTS commands are propagated via RRSF

    Posted Mon June 21, 2021 04:00 AM
    Well, CV can control the use of SETROPTS REFRESH independently of all the other keywords. It's at a lower access level of the RACLIST keyword. So, if you give only READ, it means that the user can only REFRESH and not change the RACLIST status.

    All this does not look at the RRSF situation. But the CV code is invoked on all the affected systems. So, you could control who can execute which SETROPTS keyword on which system, and only allow REFRESH.

    ------------------------------
    Guus Bonnes
    ------------------------------