| On the South system set up the necessary RACF profiles in warning mode. This will identify who is using your data and, therefore, will need to have the appropriate permission to access it on Titan.
Warning Mode
On Titan, a RACF high-level profile has already been set up for each USERid. The UACC or Universal Access for this profile is READ, meaning anyone can look at the data but cannot create, delete or update it.
To prepare for the move to Titan, on the South system you can set up RACF data set profiles in "warning mode." (Normally, a RACF profile is set to FAILURE mode. This means that no one can access the data unless they have been granted the right level of permission.) A RACF profile set to warning mode allows access to data but issues a warning message. Warning mode messages are sent to the batch jobs or interactive users who are accessing your data but have not been given the right level of access.
CIT has developed a way that you can see the warning messages that have been issued to each person who has accessed your data sets. This will allow you to establish the appropriate access permissions so their jobs and sessions won't fail on Titan.
How to Set Up a RACF Profile in Warning Mode
- Using South system Web RACF, select Create/maintain profile aaaaiii.**, under RACF PROFILES/Actions.
- Be sure the Universal Access (UACC) is set to the security level you desire. On Titan you already have a high-level profile set up with a UACC of READ. If you set up a South system high-level profile with a UACC different than this, it will flow over to Titan to change your default on Titan.
- If you know of others who need to access your datasets, include an access list to grant the necessary permission to these people. Do this through Add user to access list, under RACF PROFILES/Actions.
- Now, set this RACF profile to warning mode (Set WARNING on/off for profile under RACF PROFILES/Actions).
- You can set up other RACF profiles in addition to your high-level profile if some of your data should be treated differently (Protect a data set—create a profile under RACF PROFILES/Actions).
Everyone will be permitted access, but an audit trail will be created showing who would have been denied access had the profile not been in warning mode. Anyone on the access list will NOT receive a message. Everyone else WILL receive a message like the following:
ICH408I USER(iii ) GROUP(aaaaiii ) NAME(USERNAME)
bbbbjjj.RUNJCL.TEST CL(DATASET ) VOL(DSA126)
WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
FROM bbbbjjj.** (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
The owner of the RACF profile in warning mode can check to see who needs access to their data set(s). Go to South Web RACF and select Show warnings received for prior 7 days under RACF PROFILES/Display. This report is updated daily. Using the example above, the report shows:
- who (iii) has gained temporary access to.
- what data set (bbbbjjj.RUNJCL.TEST) based on.
- what RACF profile (bbbbjjj.**) and.
- what level of access the user needed (READ in this case).
Once you've set up your profile in warning mode, check daily to see if anyone is accessing your data. Make any changes to the profile, for example, to change the UACC or add to the access list, and keep checking the warning message report until you are satisfied with the results. At this point your RACF environment should be set up on Titan with the appropriate level of access for your needs.
Account sponsors can view a report to see all warnings within their account. In South Web Sponsor go to RACF Warning messages under ACCOUNT/Display.
|
