Sasan,
In this case, you will need to write a "Post-Operation Plug-In" for the IBM
Tivoli Directory Server.
This plug-in can be architected to recognize an "ADD" operation (i.e.,
"ADDUSER" in RACF terminology).
It can then check for the existence of an ICF catalog alias, and if found, then
exit with no further action required.
If not found, it can then issue a START STC command to run a REXX PROC (i.e.,
"ICF Catalog Alias Creation STC") which in turn invokes IDCAMS to define the
ICF catalog alias.
The Tivoli Directory Server STC will require the authorization to start the STC
(i.e., "UPDATE" access to resource ID "MVS.START.STC.{std-id-8}" in resource
class ID "OPERCMDS").
The ICF Catalog Alias Creation STC will require the authorization to define the
ICF catalog alias (i.e., "READ" access to resource ID
"STGADMIN.IGG.DEFDEL.UALIAS" in resource class ID "FACILITY").
John P. Baker
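Added illustration (not code from the thread or from IBM): a sketch of the REXX exec that the "ICF Catalog Alias Creation STC" could run under IKJEFT01, checking for an existing alias before defining one. ALIASCRT, the user catalog name and the STC userid are placeholders.

```rexx
/* REXX - ALIASCRT (hypothetical name), run by IKJEFT01 inside the     */
/* alias-creation STC started from the LDAP post-operation plug-in.    */
/* Invoked as:   %ALIASCRT userid usercat                              */
/* Authorization (from the thread): the STC userid needs READ to       */
/* STGADMIN.IGG.DEFDEL.UALIAS in FACILITY; the Tivoli Directory Server */
/* STC needs UPDATE to the MVS.START.STC.* profile in OPERCMDS.        */
/* Constructed example, not run on a live system.                      */
parse upper arg userid usercat .
if userid = '' | usercat = '' then do
  say 'ALIASCRT: usage is %ALIASCRT userid usercat'
  exit 12
end
if length(userid) > 8 then do
  say 'ALIASCRT: userid' userid 'is longer than 8 characters'
  exit 12
end

/* Step 1: is the alias already cataloged?  LISTCAT gives RC 0 when    */
/* the entry exists and RC 4 (IDC3012I) when it does not.  The listing */
/* is trapped so only our own messages reach the STC log.              */
x = outtrap('lst.')
"LISTCAT ENTRIES('"userid"') ALIAS"
listrc = rc
x = outtrap('off')
if listrc = 0 then do
  say 'ALIASCRT: alias' userid 'already exists, nothing to do'
  exit 0
end

/* Step 2: define the alias, related to the user catalog that will     */
/* hold the user's data sets.  The STC, not the end user, holds the    */
/* authority, so nobody needs UPDATE on the master catalog.            */
"DEFINE ALIAS(NAME('"userid"') RELATE('"usercat"'))"
if rc = 0 then
  say 'ALIASCRT: alias' userid 'defined, related to' usercat
else
  say 'ALIASCRT: DEFINE ALIAS for' userid 'failed, RC='rc
exit rc
```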
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Sasan Mirkhani
Sent: Wednesday, May 22, 2019 2:16 PM
To: [email protected]
Subject: Re: [E!] Re: Re: Automatic Alias Creation
Hi John,
SailPoint IIQ has 2 different connectors: the RACF connector (which has the
CTSxxxx STCs you mention) and the RACF LDAP Connector, which uses the SDBM
backend. We've implemented only the LDAP Connector. The LDAP connector uses the
IBM Tivoli Directory Server which is included with z/OS. The SDBM backend
allows us to make all types of RACF definitions; however, I don't think it
allows us to issue TSO commands. I've looked at the documentation and there is
nothing there. I've also looked to see if there are any exits available and
haven't found anything there either ☹
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
John P. Baker
Sent: May-22-19 2:07 PM
To: [email protected]
Subject: [E!] Re: Re: Automatic Alias Creation
Sasan,
SailPoint IIQ can be customized to issue the IDCAMS DEFINE ALIAS and the IDCAMS
DELETE ALIAS commands.
The "CTSxxxxx" STCs will need to have the requisite "READ" access to resource
ID "STGADMIN.IGG.DEFDEL.UALIAS" in resource class ID "FACILITY".
John P. Baker
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Sasan Mirkhani
Sent: Wednesday, May 22, 2019 2:03 PM
To: [email protected]
Subject: Re: [E!] Re: Automatic Alias Creation
That's actually what we've been doing for a long time. Our Sec admins use the
ISPF interface to make all RACF/TSO definitions. We will soon be using a new
product to provision RACF IDs called SailPoint IIQ. IIQ uses LDAP Server to
provision RACF IDs and that will most likely be done by Helpdesk or other users
who have little knowledge of RACF and TSO.
We have to figure out a way to automate the ALIAS creation process when a RACF
ID with TSO segment is defined but I'm not sure how we can do that yet.
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Carmen Vitullo
Sent: May-22-19 1:56 PM
To: [email protected]
Subject: [E!] Re: Automatic Alias Creation
Who is responsible for setting up the IDs?
Most places I've been, it's the security team that creates the IDs, provides
the access to resources and creates the aliases. That can be, and has been,
streamlined in a lot of places I worked: the SECADMINs only need to run a REXX
or CLIST, provide the ID to get started, and that script creates all the
required security and creates the ALIAS for the ID.
Carmen Vitullo
----- Original Message -----
From: "Sasan Mirkhani" <[email protected]>
To: [email protected]
Sent: Wednesday, May 22, 2019 12:41:13 PM
Subject: Automatic Alias Creation
Hi list,
We're currently provisioning RACF IDs using the Tivoli Directory Server (LDAP
SDBM backend). For IDs that are defined with TSO segment we need to figure out
a way to automatically create an ALIAS. What would be the best way to go about
this? I've thought about doing it in our LOGON PROC, however that would require
users to have UPDATE access to the master catalog which we would like to avoid.
How else can we go about this?
Thanks
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
[email protected] with the message: INFO IBM-MAIN