IBM Security Z Security

  • 1.  OPERCMDS profile definition

    Posted Thu January 18, 2024 09:01 PM

    Dear support,

    It's about a RACF question. As we know, JES2 and MVS commands can be protected by the OPERCMDS class. My question is: if we don't define any profile prefixed with JES2.*, why do TSO users still have authorization to submit JES2 commands? Is it the default access option that controls the protection in OPERCMDS? Thanks!



    ------------------------------
    LIAN CHENG DENG
    ------------------------------


  • 2.  RE: OPERCMDS profile definition

    IBM Champion
    Posted Fri January 19, 2024 04:39 AM
    Edited by Rob van Hoboken Fri January 19, 2024 04:39 AM

    I am not quite sure what you mean with "submit the JES2 command."  However, please read up on Controlling the use of operator commands:

    If the OPERCMDS class is not active, or if no OPERCMDS profile exists, the user will be allowed to issue the command as an operator command.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 3.  RE: OPERCMDS profile definition

    Posted Fri January 19, 2024 08:08 AM

    Thanks Rob for your guidance and clarification. For example, if the OPERCMDS class is active, but no OPERCMDS profile with prefix JES2 is defined, can all TSO users issue JES2 commands by default? Is there any global option to control the default behaviour for this scenario? Thanks!



    ------------------------------
    LIAN CHENG DENG
    ------------------------------



  • 4.  RE: OPERCMDS profile definition

    IBM Champion
    Posted Fri January 19, 2024 10:50 AM

    Hi Lian,

    First, check to see if there is a more generic profile such as ** that might be granting access to JES2-prefixed resources.

    If there is no protecting OPERCMDS profile, then other mechanisms will govern access to a command such as SDSF ISFPARMS authority, MVS PARMLIB(CONSOLxx) AUTH authority, or JES HASPARM INTRDR and JOBCLASS AUTH authority. (Note that SDSF ISFPARMS authority has been dropped in z/OS 2.5, so you will need to set up OPERCMDS profiles for all operator commands.)

    Regards, Bob



    ------------------------------
    Robert Hansel
    President and Lead RACF Specialist
    RSH Consulting, Inc.
    Cambridge MA
    6179698211
    ------------------------------



  • 5.  RE: OPERCMDS profile definition

    Posted Fri January 19, 2024 03:03 PM

    Hello,

    I read this in the JES2 Initialization and Tuning Guide:

    Before JES2 completes a request for a resource from a user, JES2 requests authorization from SAF. SAF passes the request to RACF which determines the authority based on the existing profiles. If RACF is not active or cannot determine the authorization for a resource, JES2 carries out its own security processing, if any, for that resource. The z/OS Security Server RACF Security Administrator's Guide has additional information about profiles and access.

    JES2 has a number of JES2 initialization statement parameters and installation exits that you can use to protect JES2. Some of the resources that you can protect using JES2-provided facilities include:

    • NJE communication lines
    • RJE communication lines
    • Remote workstation SIGNON/LOGON
    • VTAM® sessions
    • Commands

    Operator command protection mechanisms can be:

    • Console authorities
    • JES2 HASPPARM authorities
    • OPERCMDS profiles
    • FACILITY CSV-prefixed profiles

    To prevent unauthorized access I would suggest that your security administrator defines the needed rules in the OPERCMDS class.

    Check this article: https://www.ibm.com/docs/en/zos/2.3.0?topic=security-authorizing-use-operator-commands

    Hope this helps.

    Bobby



    ------------------------------
    Bobby Borisov
    ------------------------------
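
The checks Bob describes in reply 4 (look for a generic catch-all such as ** before concluding that nothing covers JES2) and the remedy Bobby suggests in reply 5 (define the needed rules in OPERCMDS), written out as a TSO/REXX exec. This is an added example, not code from the thread or from IBM; it assumes the JES2 subsystem name is JES2, that the exec runs under a user with the RACF authority to issue these commands, and it uses placeholder names for the profile owner (RACFADM) and the operator group (OPERGRP).

```rexx
/* REXX - constructed example, not from the thread or from IBM.        */
/* Shows what currently covers a JES2 command in OPERCMDS, then        */
/* defines a backstop profile so that "no profile" no longer means     */
/* "allowed". RACFADM and OPERGRP are placeholder names.               */
address TSO

/* 1. Which profile, if any, covers a JES2 command resource today?     */
/*    RLIST with a discrete resource name reports the best-matching    */
/*    profile, so an over-broad generic such as ** shows up here.      */
"RLIST OPERCMDS JES2.DISPLAY.JOB AUTHUSER"

/* 2. List every OPERCMDS profile that starts with JES2.               */
"SEARCH CLASS(OPERCMDS) FILTER(JES2.**)"

/* 3. Backstop profile: no default access, and log both successful     */
/*    and failed uses so command activity is visible in SMF.           */
/*    Narrower profiles (for example JES2.DISPLAY.**) can be added     */
/*    later to give read-only users just the display commands.         */
"RDEFINE OPERCMDS JES2.** UACC(NONE) OWNER(RACFADM) AUDIT(ALL(READ))"

/* 4. Give the operator group access. CONTROL is the highest level a   */
/*    JES2 command asks for; the per-command level is in the JES2      */
/*    Initialization and Tuning Reference, so scope this down for any  */
/*    group that should only display, not change, jobs and devices.    */
"PERMIT JES2.** CLASS(OPERCMDS) ID(OPERGRP) ACCESS(CONTROL)"

/* 5. OPERCMDS must be active and RACLISTed; refresh picks up the      */
/*    new profile and permission.                                      */
"SETROPTS CLASSACT(OPERCMDS) GENERIC(OPERCMDS) RACLIST(OPERCMDS)"
"SETROPTS RACLIST(OPERCMDS) REFRESH"

/* 6. Confirm that JES2.** (not ** or nothing) now covers the command. */
"RLIST OPERCMDS JES2.DISPLAY.JOB AUTHUSER"
exit 0
```

Run step 1 and step 2 on their own first: if step 1 already names a profile, the "no profile, so allowed" rule from reply 2 does not apply and the access list of that profile (shown by AUTHUSER) is where the unexpected TSO access is coming from. Steps 3 to 6 change the security database and should only be run once the operator group and the access level it needs have been agreed.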