ISFACR was actually written decades ago, waaay before Rocket involvement in SDSF.
There is a SDSF security migration manual which has been updated recently to refer customers to some alternate simpler tools introduced via PTF. You have to be VERY careful with ISFACR as it does have a "cleanup" step that it runs before defining new rules and it could affect any existing profiles. It does come with plenty of disclaimers in the doc and the commands it generates. It really should not be used as a definitive oracle of the profiles required, and customer review and edit is expected. It most definitely is not a "run it once and you are done" thing. When I get back into work tomorrow I will post the presentation links and the PTF you need for the new tools. Rob Scott Rocket Software ________________________________ From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Peter <dbajava...@gmail.com> Sent: Sunday, December 3, 2023 4:10:16 pm To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU> Subject: Re: zOSMF install - SDSF ISFPRMxx EXTERNAL EMAIL Well I was able to find a utility developed by rocket software ISFACR and it helped me to generate some commands which were required as part of my migration found that already my system had OPERCMDS enabled but other Classes were not activated. The generated command also deletes the existing OPERCMDS profile which I will skip and run others if it is required On Sun, Dec 3, 2023, 8:39 AM Peter <dbajava...@gmail.com> wrote: > Hello Rob > > Thank you so much for your response > > Could you please point to your presentation on migrating off from ISFPRMXX > to RACF ? > > Fortunately our shop is very small and we don't have any archiving tool or > any automation tool. > > Peter > > On Sat, Dec 2, 2023, 9:55 PM Rob Scott <rsc...@rocketsoftware.com> wrote: > >> Peter, >> >> Can I strongly suggest you instigate a project to activate OPERCMDS (and >> JESSPOOL if not already active). >> >> ISFPRMx just controls actions within SDSF and does not preclude any >> semi-capable programmer from writing code to issue operator commands (or >> access SYSOUT using the JES SSI). >> >> Starting with z/OS 2 5, SDSF no longer uses ISFPRMxx to control security >> as everything now only goes through SAF authority. We use the SDSF class >> for product controls, and also make OPERCMDS and JESSPOOL checks on the >> user's behalf when processing actions taken within the product. >> >> Please be aware that converting your systems to correctly use OPERCMDS >> and JESSPOOL can be a lengthy process, and you should allow many weeks for >> testing and validation. >> >> The OPERCMDS and JESSPOOL classes being activated can affect a broad >> range of other products including sysout archiving and automated operations. >> >> I do have some presentations about SDSF security and can point you in the >> right direction if you want. >> >> As a further note, the old ISFACR tool that was written 25+ years ago to >> aid in SAF security migration is showing its age a bit. We have some more >> recent (and much simpler) tools and processes now. >> >> Rob Scott >> Rocket Software >> >> Sent from Samsung Mobile on O2 >> Sent from Outlook for Android<https://aka.ms/AAb9ysg<https://aka.ms/AAb9ysg>> >> ________________________________ >> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf >> of Peter <dbajava...@gmail.com> >> Sent: Saturday, December 2, 2023 9:31:26 AM >> To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU> >> Subject: zOSMF install - SDSF ISFPRMxx >> >> EXTERNAL EMAIL >> >> >> >> >> >> Hello All >> >> Good morning >> >> I have planned to install zOSMF in our test LPAR. Our SDSF uses its own >> security features using ISFPRMXX and I can see zOSMF has its own IZUSEC >> jobs where it activates OPERCMDS class. We never activated OPERCMDS >> instead >> we manage using ISFPRMXX PARMLIB member. >> >> Is there anyone who have installed zOSMF with above scenario? >> >> Peter >> >> ---------------------------------------------------------------------- >> For IBM-MAIN subscribe / signoff / archive access instructions, >> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN >> >> >> ================================ >> Rocket Software, Inc. and subsidiaries ? 77 Fourth Avenue, Waltham MA >> 02451 ? Main Office Toll Free Number: +1 855.577.4323 >> Contact Customer Support: >> https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport<https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport> >> Unsubscribe from Marketing Messages/Manage Your Subscription Preferences >> - >> http://www.rocketsoftware.com/manage-your-email-preferences<http://www.rocketsoftware.com/manage-your-email-preferences> >> Privacy Policy - >> http://www.rocketsoftware.com/company/legal/privacy-policy<http://www.rocketsoftware.com/company/legal/privacy-policy> >> ================================ >> >> This communication and any attachments may contain confidential >> information of Rocket Software, Inc. All unauthorized use, disclosure or >> distribution is prohibited. If you are not the intended recipient, please >> notify Rocket Software immediately and destroy all copies of this >> communication. Thank you. >> >> ---------------------------------------------------------------------- >> For IBM-MAIN subscribe / signoff / archive access instructions, >> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN >> > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ================================ Rocket Software, Inc. and subsidiaries ? 77 Fourth Avenue, Waltham MA 02451 ? Main Office Toll Free Number: +1 855.577.4323 Contact Customer Support: https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport Unsubscribe from Marketing Messages/Manage Your Subscription Preferences - http://www.rocketsoftware.com/manage-your-email-preferences Privacy Policy - http://www.rocketsoftware.com/company/legal/privacy-policy ================================ This communication and any attachments may contain confidential information of Rocket Software, Inc. All unauthorized use, disclosure or distribution is prohibited. If you are not the intended recipient, please notify Rocket Software immediately and destroy all copies of this communication. Thank you. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
