Scope: CA-7 on DNIPC1A is being converted from JOBNAME security to UID security.
Effective Date: 05/11/11
Group Name: US Mainframe MVS
Affected Locations:DNIPC1A
Benefits: CA-7 UID security is the vendor recommended option for protecting production jobs. It offers as much security as the CA-7 JOBNAME security interface while using fewer system resources.
Details: At this time, batch jobs on DNIPC1A are secured with JOBNAME rules within ACF2. The JOBNAME interface will be disabled during the weekend of June 18-19, 2011.
CA-7 UID security will allow accounts to control which logon IDs have access to perform functions against production batch jobs. Functions include, but are not limited to, listing, demanding, cancelling, and restarting jobs within CA-7. If a batch job has a UID value equal to zero, which is the default, any user can perform these functions against the job. If a batch job has a non-zero UID value, only those individuals who have a matching UID value in their CA-7 profiles will be allowed to perform these functions.
The UID feature is installed, so users can set up this feature prior to the removal of JOBNAME security. On May 20, 2011, any CA-7 jobs with a UID value of 255 will be reset to the default value of zero. After that date, accounts can assign UID values to their CA-7 jobs using the steps listed in the “Required User Action “ section.
Required User actions:
• Review your CA-7 batch cycles on DNIPC1A to determine which jobs need to be secured.
• Review dataset SYSREAD.CA7.UID for additional information about this change, and sample batch jobs.
• Send an email to the Batch Scheduling Team to request a CA-7 UID number. Their email address is “AMS ITO Prod Sup – US Team1”. Note that there are a limited number of UID numbers that must be shared by all teams that support the GM customer. All batch jobs that are supported by one team should use the same UID value. If a team supports batch jobs on multiple complexes, include this information in your request.
• Submit a DSAS or NACOS request asking for access by your team’s ACF2 UID strings to the CA-7 UID number assigned by the Batch Scheduling Team. Use a Resource Type PAN, and a Resource Name CA70###, where the ### is the number assigned in the step above. If the number assigned is less than 3 characters long, please pad with leading zeros. For example, the team which is assigned CA-7 UID value 27 would request access to Resource Name CA70027.
• If you have batch jobs that enter commands to CA-7, or if your account uses an ARF Response ID, submit requests to grant access for these logon IDs to the same resource as in the step above. To determine if your batch jobs enter CA-7 commands, look for JCL that executes program SASSBSTR, or PROC CA7BTI or CA7SVC.
• After the DSAS or NACOS requests have been processed, update the profiles of each logon ID to assign the CA-7 UID value. Use command /PROFS,ID=zzzzzz,R=CA70### in the CA-7 panels or in a batch job. In this command, the zzzzzz is the logon ID, and CA70### is the Resource Name from the DSAS or NACOS request. This will need to be done one time for each TSO, batch, or ARF Response ID that uses CA-7.
• Verify that the profile updates are complete by entering /PROFS,ID=zzzzzz for each ID.
• After all logon IDs have been assigned the CA-7 UID value, add the UID number to the batch job definitions. This can be done using the DB.1 screen, or by running JOB UPD commands in a batch job. The individuals who define or make changes to your production batch schedule must perform this function.
Primary contact for Batch Scheduling: Primary contact for other questions:
Tony Schmieg Joan Reith
1-972-604-5264 1-717-763-6111
tony.schmieg@hp.com joan.reith@hp.com
|
Usercomm - CA-7 on DNIPC1A is being converted from JOBNAME security to UID security.