Thanks for comments from Mike and Mark. I went to Appendix A of the HMC manual (for the first time) and was mildly appalled to see the same confounding organization that I see in the HMC "Task Index": functions alphabetized by action word rather than by function. For example, these functions are grouped together:
Customize/Delete Activation Profiles
Customize Scheduled Operations
Customize Support Element Date/Time

These functions have nothing to do with one another and all have different role categories. They're grouped together because someone somewhere chose to use the word "customize". Other functions are described with words like Change, Configure, Perform, Set, Maintain. You can View activation profiles or Customize/Delete them, options alphabetized by "C" or "V", not by "A"ctivation or even "P"rofile. One sterling counter-example is "Logical Processor Add", which is how they should all be handled.

However, the manual does not answer my original question. If someone has only "Manage Users Wizard", they can add, delete, or modify users, but they cannot manage objects. So I add "Add Object Definition" and "Change Object Definition", both of which curiously are included only in the ACS column and not Sysprog; and of course alphabetized differently. But if I keep adding roles, at some point the user hits some invisible wall that neutralizes Sysprog function and, as Mark points out, they enter the SE with SOOACS instead of SOOSYSP. I'm just trying to discover the incompatible roles so I can avoid endless trial-and-error. HMC user management does not perform a sanity check.

. . .
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Mike Myers
Sent: Sunday, June 12, 2016 10:07 AM
To: [email protected]
Subject: (External):Re: HMC user role boundaries

Take a look at Appendix A in the HMC Operations Guide (C28-6881). It has a table which lays out HMC tasks by the default HMC user IDs.
Mike Myers
Mentor Services Corporation

On 06/12/2016 12:40 PM, Mark Zelden wrote:
> On Sun, 12 Jun 2016 00:52:07 +0000, Jesse 1 Robinson
> <[email protected]> wrote:
>
>> This has been a bugaboo for me for 20 years. From the get-go I had a userid
>> with full operator/sysprog authority. At some point I added ACS authority to
>> the same userid so that I could also manage other users. I discovered
>> through trial and error that I could not perform all functions with a single
>> userid. With ACS authority I could not perform sysprog duties and vice
>> versa. I have never seen this documented, and nothing in the user management
>> dialog indicates conflicting roles. Both roles can be selected for a single
>> user, but both roles do not work for the same user.
>>
>> Some other roles can be added besides ACS that still allow, for example,
>> management of CPC and LPAR definitions. ACS alone does not allow that. Does
>> anyone understand the boundaries?
>>
> Separation of duties. :-)  I don't know if it is documented, but recently I
> deleted the shared userids for operations and sysprogs and a shared userid we
> had for ACS admin and defined individual userids for about 15-20 OS sysprogs
> and operators to close an audit gap. I had 2 userids for myself, one that was
> ACS admin (and also a backup userid) and my normal sysprog userid that I use
> but that also had ACS. I was able to use my sysprog ID for everything I
> needed - so I thought. But just the other day I noticed when I went into the
> SE (single object operations) I ended up with a userid of sooacsadmin instead
> of soosysprog and couldn't do diagnostics, model conversion etc. So I had to
> remove ACS from my userid and one other sysprog who had the ACS authority on
> his userid and now we both have 2 userids, one being for ACS admin only.
>
> All the "default" shared IBM userids are still there, but since they can only
> be accessed locally in the secure computer room, they were allowed to remain.
>
> Best regards,
>
> Mark
> --
> Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS
> ITIL v3 Foundation Certified
> mailto:[email protected]
> Mark's MVS Utilities: http://www.mzelden.com/mvsutil.html
> Systems Programming expert at http://search390.techtarget.com/ateExperts/

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
