Urgent! Asking the experts for guidance: how do I set the access permissions for the security data sets in the IBM contest?

ll1811866786 2014-10-16 10:22:13
Background: Just like any other operating system, z/OS provides a means to protect data from unauthorized access. It's called the Resource Access Control Facility, or RACF (pronounced RACK-F). Specifically, RACF allows the mainframe to:
Identify and verify system users
Authorize the users who need access to the resources you've protected
Control the means of access to these resources
Log and report unauthorized attempts at gaining access to the system and to the protected resources
Administer security to meet your installation's security goals
Good stuff, and it's extremely important to know how to protect your data. Let's get some learning on.

Your challenge: Learn to use RACF commands to permit another user ID various levels of access to your data.

Let's look at how RACF works. Why don't you try to access the data set where we keep the master copy of the answer key for the contest: navigate to and try to view the data set ZOS.CONTEST.ALL.THE.ANSWERS.

Oops! You're not allowed to look at that data set. You'll get a message warning you that AUTHORIZATION FAILED. Your intent was to READ, but your access level for that data set was NONE. Now it's time for you to learn how to set the access authority for your own data sets.

Ready? The first thing you need to do is submit a job that will allocate four brand new data sets for you to use in this challenge. The following set up command, as well as the RACF commands you need to issue to complete this challenge, can be entered from ISPF option 6.

Go ahead and navigate over to ISPF option 6 and execute the following command:
SUB 'ZOS.PUBLIC.JCL(RACFGO)'
It should only take a few seconds to do its thing.

You now have four data sets available to you for this challenge:
IBM####.RACF.READ
IBM####.RACF.UPDATE
IBM####.RACF.ALTER
IBM####.RACF.NONE
Your challenge will be to create a discrete (not generic!) RACF profile for each of the four data sets, then permit a user on the system with an ID of ZUSERID various levels of access to the four data sets that belong to you.
Permit ZUSERID READ access to IBM####.RACF.READ
Permit ZUSERID UPDATE access to IBM####.RACF.UPDATE
Permit ZUSERID ALTER access to IBM####.RACF.ALTER
Permit ZUSERID NONE access to IBM####.RACF.NONE
Your completion of this challenge will be unsuccessful if:
UACC (universal access) is set to READ, UPDATE or ALTER for any of the data sets (it must be set to NONE). Setting UACC to anything other than NONE results in a failure to protect your data sets from all other IDs on the system.
You permit ID access to the data sets. This would also result in a failure to protect your data sets from all other IDs on the system.
You create generic profiles, rather than discrete profiles, for these data sets. RACF has many, many features and capabilities. Generic profiling is beyond the scope of this challenge.
You attempt to change your own access level to the data sets.
ZUSERID is not explicitly defined to have access NONE to IBM####.RACF.NONE.
ZUSERID's access is already NONE because the UACC for the data set is NONE, but you need to explicitly define this anyway, because we're mean. And also because we like it when your brain gets bigger. Besides, what if you really wanted ZUSERID to have no access to the data set, but at some time in the future you decided the universal access could be READ? Then you'd have to remember to permit NONE access for ZUSERID. Might as well do it now!

A description of the RACF commands you will need is available in this section of the z/OS Security Server RACF General User's Guide.

Using the commands you found in the RACF General User's Guide, create a discrete profile for each data set and set the appropriate access levels listed above. Be sure to use the LISTDSD command to check your work as you go!

Finished? Excellent! Now that you've created your RACF profiles and permitted the appropriate access levels, you need to validate your work. Let's do that now.

From the command line, enter:
TSO RACFCHK
The above REXX routine should only take a second or two to check your RACF data set profiles and tell you how you did. It will create a new member in your OUTPUT data set called RACFOUT, which will contain the results of your attempt at this challenge. If the RACFCHK program evaluates your work and finds everything set up correctly, it will remove the four data sets created for this challenge. Poof!

You will see the following message if you were successful: RACF PERMISSIONS SET CORRECTLY! If you see that message, congratulations! You just finished another challenge.

If you were not successful, the RACFCHK program will not delete your data sets or any of the RACF profiles you created. Use the RACF commands LISTDSD and DELDSD to list and delete data set profiles as needed until running that REXX routine tells you that you've set the permissions correctly.

Good luck out there!
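I followed the steps one by one, but I always get an error and cannot get the result I want. I don't know why; please advise. Every time I run it, the verification always shows this message: RACF PERMISSIONS not SET CORRECTLY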
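
The procedure the challenge text describes, as an added example (not part of the original post or of the contest material): a REXX exec, run under TSO, that creates a discrete profile with UACC(NONE) for each of the four data sets, permits ZUSERID the matching access level, and lists the result. It assumes the IBM#### qualifier is your own TSO user ID.

```rexx
/* REXX - added example; assumes the IBM#### qualifier is your TSO user ID */
hlq    = userid()                    /* TSO/E function: current user ID   */
levels = 'READ UPDATE ALTER NONE'    /* one data set per access level     */

do i = 1 to words(levels)
  lvl = word(levels, i)
  dsn = "'"hlq".RACF."lvl"'"         /* fully qualified, quoted name      */

  /* Discrete profile (no GENERIC operand), universal access NONE */
  "ADDSD" dsn "UACC(NONE)"
  if rc <> 0 then say 'ADDSD failed for' dsn 'rc='rc

  /* Explicit access-list entry for ZUSERID, including the NONE case */
  "PERMIT" dsn "ID(ZUSERID) ACCESS("lvl")"
  if rc <> 0 then say 'PERMIT failed for' dsn 'rc='rc

  /* Show UACC and the access list so the result can be checked */
  "LISTDSD DATASET("dsn") AUTHUSER"
end
exit 0
```

If a profile already exists from an earlier attempt, ADDSD reports an error for that data set; remove the old profile with DELDSD first, as the challenge text suggests.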
zhangloveling 2014-10-29
wendunaing
qq_22557965 2014-10-26
Bumping this for you.
zyq9250 2014-10-23
I don't understand it; I'm a newbie too.