Logon problem & help needed to get rid of RACF violations

This forum provides support for Dezhi Mainframe systems. Please post your questions about logon and usage of our mainframe environment.

Moderators: sysprog, prino, sfan, steve-myers, Tim001

Postby SP24439 » Mon 03 Sep 2012, 17:43

Hi Prino/sysprog/sfan,

Please help me out with message "NO BROADCAST MESSAGES".

As per the reply from Prino sir, I have been producing way too many RACF violations accessing system datasets, and as a result I have been banned. And the RACF violations are unintentional and done without my knowledge.

Kindly help me out by providing access and how to get rid of RACF and security violations.

I assure you that the same will not happen again from my end.

Thanking you in anticipation,
Sridhar P.
SP24439
 
Posts: 4
Joined: Sat 01 Sep 2012, 04:05

Re: Logon problem & help needed to get rid of RACF violation

Postby prino » Mon 03 Sep 2012, 18:22

SP24439 wrote:Please help me out with message "NO BROADCAST MESSAGES".

It means there are no Broadcast messages.

SP24439 wrote:As per the reply from Prino sir, I have been producing way too many RACF violations accessing system datasets, and as a result I have been banned. And the RACF violations are unintentional and done without my knowledge.

That is utter bull****!

You do not "unintentionally and without your knowledge" access datasets that are not yours!

SP24439 wrote:Kindly help me out by providing access and how to get rid of RACF and security violations.

I assure you that the same will not happen again from my end.

You are right, it won't happen again, because you are banned.
Robert AH Prins
robert.ah.prins @ the.17+Gb.Google thingy
Some programming here :mrgreen:
prino
 
Posts: 479
Joined: Sat 06 Jun 2009, 21:41
Location: Vilnius, Lithuania

Re: Logon problem & help needed to get rid of RACF violation

Postby SP24439 » Mon 03 Sep 2012, 18:32

Hi Prino sir,

Thank you for replying. Help us (new ones who are using fandezhi) do not have any idea on violations. Kindly provide any manual or warning so that they cannot do without their knowledge. I am requesting this because I came across many people losing their RACF IDs because of these violations.

Anyways Thank you so much for providing access to use mainframes for some days.

Thank you so much sir.

Good Bye.
SP24439
 
Posts: 4
Joined: Sat 01 Sep 2012, 04:05

Re: Logon problem & help needed to get rid of RACF violation

Postby steve-myers » Mon 03 Sep 2012, 18:59

See this topic about the NO BROADCAST MESSAGES. It is not something that need concern you.

As for RACF violations: you are doing something improper. Perhaps you are doing something someone else told you to do, but that's of no interest to the admins. The admins have been tightening up the system the last 6 months, in part to interfere with prohibited use of the system. The admins will need your z/OS userid, not your web site ID, to investigate your claim. There is no SP24439 z/OS userid.

In general, you have read access to most system datasets. If you are getting RACF violations, you are attempting to alter them in some fashion, which sysprog, sfan and the admins prohibit for obvious reasons.

Reviewing Sunday's RACF violations, we have user MKPMP attempting to delete not 1, but 2 user catalogs, and attempting to access several other users' datasets, and BOSS88 attempting to delete a user catalog. We have user SHV001 making 12 attempts to update SYSFAN.PROCLIB. We have MMPASD, TCSA09, FCJR and MMMM attempting to read a number of other users' datasets.
steve-myers
 
Posts: 452
Joined: Tue 04 May 2010, 15:43
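
A per-user review of violations like the one described in the post above, as an added example that is not part of the thread or the site's own tooling. It assumes the violations are available as RACF ICH408I messages in a syslog extract; the sample messages, user IDs and data set names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: RACF ICH408I violation messages as seen in a syslog
# extract. User IDs, names and data set names are invented.
SAMPLE_SYSLOG = """\
ICH408I USER(USERA   ) GROUP(STUDENT ) NAME(EXAMPLE USER A      )
  SYSX.PROCLIB CL(DATASET ) VOL(VOL001)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
ICH408I USER(USERB   ) GROUP(STUDENT ) NAME(EXAMPLE USER B      )
  USERC.SOURCE.COBOL CL(DATASET ) VOL(VOL002)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(USERA   ) GROUP(STUDENT ) NAME(EXAMPLE USER A      )
  SYSX.PROCLIB CL(DATASET ) VOL(VOL001)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
"""

WRITE_INTENTS = {"UPDATE", "CONTROL", "ALTER"}

def parse_violations(text):
    """Return one dict per ICH408I access violation found in text."""
    events = []
    for block in re.split(r"(?=ICH408I )", text):
        user = re.search(r"ICH408I USER\(([^)]*)\)", block)
        res = re.search(r"^\s*(\S+) CL\(([^)]*)\)", block, re.M)
        acc = re.search(r"ACCESS INTENT\(([^)]*)\)\s+ACCESS ALLOWED\(([^)]*)\)", block)
        if not (user and res and acc):
            continue  # skip other ICH408I variants, e.g. logon failures
        events.append({"user": user.group(1).strip(), "resource": res.group(1),
                       "intent": acc.group(1).strip(), "allowed": acc.group(2).strip()})
    return events

def summarize(events):
    """Per user: total violations, writes to read-only resources, no-access hits."""
    out = defaultdict(lambda: {"total": 0, "write_on_readable": 0, "no_access": 0})
    for e in events:
        counts = out[e["user"]]
        counts["total"] += 1
        if e["allowed"] == "READ" and e["intent"] in WRITE_INTENTS:
            counts["write_on_readable"] += 1
        elif e["allowed"] == "NONE":
            counts["no_access"] += 1
    return dict(out)

if __name__ == "__main__":
    for user, counts in sorted(summarize(parse_violations(SAMPLE_SYSLOG)).items()):
        print(user, counts)
```

The `write_on_readable` count separates attempts to change a resource the user may only read from attempts to touch a resource the user has no access to at all.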

Re: Logon problem & help needed to get rid of RACF violation

Postby SP24439 » Mon 03 Sep 2012, 19:13

Hi Steve,

Thank you so much for replying in an understanding manner. My ID is NE3255A (sorry, I forgot to mention it in my previous post). I tried to compile a hello world program in CICS. But as this is my first time, I did some research on the net and searched for DFHEITVL and checked for it and some other members so that I can compile it. I am not getting where my work went wrong which resulted in security violations.

Kindly tell the command to check the access before working on any data set.

I wish it will help a lot of people so that they cannot commit these mistakes again.

Thank you Steve.
SP24439
 
Posts: 4
Joined: Sat 01 Sep 2012, 04:05

Re: Logon problem & help needed to get rid of RACF violation

Postby prino » Mon 03 Sep 2012, 20:46

Maybe you should start by telling us why you decided to start using FanDeZhi, how you got to know about z/OS and who taught you the basics.

If you had had proper training on z/OS, your teacher would have told you that IBM makes all of its manuals freely available on-line. Accessing them, rather than just willy-nilly opening data sets would have been far more sensible!
Robert AH Prins
robert.ah.prins @ the.17+Gb.Google thingy
Some programming here :mrgreen:
prino
 
Posts: 479
Joined: Sat 06 Jun 2009, 21:41
Location: Vilnius, Lithuania

Re: Logon problem & help needed to get rid of RACF violation

Postby steve-myers » Tue 04 Sep 2012, 07:18

SP24439 wrote:Hi Steve,

Thank you so much for replying in an understanding manner. My ID is NE3255A (sorry, I forgot to mention it in my previous post). I tried to compile a hello world program in CICS. But as this is my first time, I did some research on the net and searched for DFHEITVL and checked for it and some other members so that I can compile it. I am not getting where my work went wrong which resulted in security violations.

Kindly tell the command to check the access before working on any data set.

I wish it will help a lot of people so that they cannot commit these mistakes again.

Thank you Steve.

I checked back.

Some of your RACF violations were trying to use another user's datasets. Per Fandezhi policy, this is prohibited. Other violations were for system datasets, as you guessed. No user is allowed to look at, much less modify, the system datasets you attempted to access. In any event, as far as I know (I can't access them myself) none of the system datasets you attempted to access have anything to do with running CICS or any normal user program.

In the early 1980s, I was the lead sysprog for an ACF2 installation. Your question about pre testing for access occurred to me at that time, and I was unable to find anything. Some years later, after more experience, I came to realize that allowing this kind of pre testing is not a good idea: it's an open invitation to hackers. As far as I know, RACF has no way for a regular program to perform this kind of test, though I believe a system program can perform this kind of a test and effectively hide the fact the test was performed.

For some years I did program support for an ISV. One of our customers attempted this test in a defined exit for our product. The ability to do the test was not in question, but the customer screwed up the mechanics very badly in the code to prepare to call the security product. After consulting with my boss, I was allowed to write the test in the exit for our customer. It took me a half day, coupled with a lot of time with the manual, as I recall, to do the test correctly and another half day to install the exit in our product to actually perform the test to verify I was doing it correctly and not screwing up something else. FWIW, I did not believe at the time we had any business correcting customer code, but the boss said it was OK.

A regular Assembler program can prevent program termination following an access error, but the error cannot be hidden. I do not believe any high level language, including C, has this capability.

As it happens, a TSO user can use the RACF LISTDSD command to check access without the normal logging messages. If you get NOT AUTHORIZED TO LIST xxx, you are not authorized to do anything with the resource. If you get a screen's worth of RACF gibberish you have some sort of access.
steve-myers
 
Posts: 452
Joined: Tue 04 May 2010, 15:43

Re: Logon problem & help needed to get rid of RACF violation

Postby SP24439 » Tue 04 Sep 2012, 17:09

Thank you Steve sir for replying in an admirable way.
SP24439
 
Posts: 4
Joined: Sat 01 Sep 2012, 04:05

