| Usercomm Number: 2011 - 8 |
 Usercomm - CA-7 on PLIPC1B, PLIPC4B, and PLIPC3D is being converted to use UID security. hits: 395 |
| Posted by Joan Reith [gz0zjg] on Feb 24 2011 |
Reserved: |
Scope: CA-7 on PLIPC1B, PLIPC4B, and PLIPC3D is being converted to use UID security.
Effective Date: 02/20/11
Group Name: US Mainframe MVS
Affected Locations: PLIPC1B, PLIPC4B, and PLIPC3D
Benefits: CA-7 UID security is the vendor recommended option for protecting production jobs. It offers as much security as the CA-7 JOBNAME security interface while using fewer system resources.
Details: In support of the GM Consolidation of PLIPC1B with PLIPC4B, CA-7 is being converted to use UID security. Since many GM Accounts use PLIPC3D for testing and model office processing, this system will also be converted.
CA-7 UID security will allow accounts to control which logon IDs have access to perform functions against production batch jobs. Functions include, but are not limited to, listing, demanding, cancelling, and restarting jobs within CA-7. If a batch job has a UID value equal to zero, which is the default, any user can perform these functions against the job. If a batch job has a non-zero UID value, only those individuals who have a matching UID value in their CA-7 profiles will be allowed to perform these functions.
At this time, batch jobs on PLIPC1B are secured with JOBNAME rules within ACF2. The JOBNAME interface will be disabled prior to the merger of PLIPC1B into PLIPC4B.
Required User actions:
• Review your batch cycles on PLIPC1B, PLIPC4B, and PLIPC3D to determine which jobs need to be secured.
• Review dataset SYSREAD.CA7.UID for additional information about this change, and sample batch jobs.
• Send an email to the Batch Scheduling Team to request a CA-7 UID number. Their email address is “AMS ITO Prod Sup – US Team1”. Note that there are a limited number of UID numbers that must be shared by all teams that will be merged into PLIPC4B. All batch jobs that are supported by one team should use the same UID value. If a team supports batch jobs on multiple complexes, include this information in your request.
• Submit a DSAS or NACOS request asking for access by your team’s ACF2 UID strings to the CA-7 UID number assigned by the Batch Scheduling Team. Use a Resource Type PAN, and a Resource Name CA70###, where the ### is the number assigned in the step above. If the number assigned is less than 3 characters long, please pad with leading zeros. For example, the team which is assigned CA-7 UID value 27 would request access to Resource Name CA70027.
• If you have batch jobs that enter commands to CA-7, or if your account uses an ARF Response ID, submit requests to grant access for these logon IDs to the same resource as in the step above. To determine if your batch jobs enter CA-7 commands, look for JCL that executes program SASSBSTR, or PROC CA7BTI or CA7SVC.
• After the DSAS or NACOS requests have been processed, update the profiles of each logon ID to assign the CA-7 UID value. Use command /PROFS,ID=zzzzzz,R=CA70### in the CA-7 panels or in a batch job. In this command, the zzzzzz is the logon ID, and CA70### is the Resource Name from the DSAS or NACOS request. This will need to be done one time for each TSO, batch, or ARF Response ID that uses CA-7.
• Verify that the profile updates are complete by entering /PROFS,ID=zzzzzz for each ID.
• After all logon IDs have been assigned the CA-7 UID value, add the UID number to the batch job definitions. This can be done using the DB.1 screen, or by running JOB UPD commands in a batch job. The individuals who define or make changes to your production batch schedule must perform this function.
Primary contact for Batch Scheduling: Primary contact for other questions:
Tony Schmieg Joan Reith
1-972-604-5264 1-717-763-6111
tony.schmieg@hp.com joan.reith@hp.com
|
|
|
