Chapter 12. NJE Considerations
Several APARs shipped on OS/390 Release 2 Security Server (RACF) have
implications for NJE.
APAR OW14451
OS/390 Release 2 Security Server (RACF) includes a PTF that provides functions
that change the way inbound NJE jobs and NJE sysout are handled by RACF. If
your installation uses NJE and RACF NODES profiles, it is imperative that you read
and understand this chapter before installing the new RACF release. This
information includes a brief overview of NJE security before and after application of
this release and the actions required to ensure that the PTF has no unexpected
consequences on your system. It also includes information on how you can use
the enhanced function introduced by this PTF to further implement security for NJE
on your system.
Note: APAR OW08457 shipped on RACF releases prior to RACF 2.2. The code
that shipped for OW08457 was in the RACF 2.2 base program (the GA
version) and OS/390 Release 1 Security Server (RACF). OW14451 fixes
some problems introduced by OW08457 that are in the RACF 2.2 base and
OS/390 Release 1 Security Server (RACF). The phrase “prior to OW08457”
means “prior to RACF 2.2 and prior to OS/390 Release 1 Security Server
(RACF).” In any case, OS/390 Release 2 Security Server (RACF) users
should be aware of the possible implications of the changes OW08457 and
OW14451 have on NJE processing.
Before Applying the PTF for APAR OW08457
Prior to the application of OW08457, RACF did not perform any security translation
or propagation for groups associated with NJE jobs or SYSOUT. RACF uses
profiles of the form NODEID.USER%.* ADDMEM(USERID) with a UACC of READ or
higher to translate USERIDs from the submitting USERID to an execution USERID on
the receiving system. This type of translation was not available for submitting
groups. The execution group became the default group of the translated USERID.
After Applying the PTF for APAR OW08457
This PTF enables group translation and propagation for NJE jobs and SYSOUT.
With this fix applied, the submitting group is propagated to become the execution
group for jobs and the owning group for SYSOUT in the absence of any applicable
NODEID.GROUP%.GROUPID profiles. This service introduces the ability to
translate groups with NODEID.GROUP%.GROUPID profiles by using an ADDMEM
with a UACC of READ or higher. An ADDMEM of &DFLTGRP will cause the
USERID's default group to be used as the execution or owning group. A UACC of
NONE on the GROUP% profile will work as it always has. Because NODES
profiles only affect inbound NJE work, no profile changes need to be made for
outbound NJE work.
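The before-and-after rules above, as an added example (not IBM code): it works out the execution group for a list of inbound jobs under both behaviors and reports the jobs whose group changes once the PTF is applied. Node, group and profile names are constructed; the profile lookup is a simplified stand-in for RACF generic-profile selection, and the handling of a READ profile with no ADDMEM is an assumption.

```python
from dataclasses import dataclass

UNCHANGED = "UACC NONE: handled as before the PTF"  # the page gives no detail

@dataclass
class GroupProfile:
    """Constructed stand-in for one NODEID.GROUP%.GROUPID NODES profile."""
    uacc: str         # "NONE", or "READ" or higher
    addmem: str = ""  # target group, or "&DFLTGRP"

def find_profile(profiles, node, group):
    # Assumption: simplified lookup, exact name first, then "*" wildcards.
    keys = ((node, group), (node, "*"), ("*", group), ("*", "*"))
    return next((profiles[k] for k in keys if k in profiles), None)

def group_before_ptf(default_group, profile):
    # Before OW08457: no group translation or propagation.
    if profile is not None and profile.uacc == "NONE":
        return UNCHANGED
    return default_group  # default group of the translated USERID

def group_after_ptf(submit_group, default_group, profile):
    if profile is None:
        return submit_group   # no applicable profile: group is propagated
    if profile.uacc == "NONE":
        return UNCHANGED
    if profile.addmem == "&DFLTGRP":
        return default_group  # USERID's default group
    # Assumption: READ or higher with no ADDMEM is treated as propagation.
    return profile.addmem or submit_group

def ptf_impact(jobs, profiles):
    """Return (node, submitting group, before, after) for jobs that change."""
    changed = []
    for node, submit_group, default_group in jobs:
        profile = find_profile(profiles, node, submit_group)
        before = group_before_ptf(default_group, profile)
        after = group_after_ptf(submit_group, default_group, profile)
        if before != after:
            changed.append((node, submit_group, before, after))
    return changed

# Constructed sample data: all node, group and profile names are hypothetical.
PROFILES = {
    ("NODEA", "PAYROLL"): GroupProfile("READ", "LOCALPAY"),
    ("NODEB", "*"): GroupProfile("READ", "&DFLTGRP"),
    ("NODEC", "*"): GroupProfile("NONE"),
}
JOBS = [("NODEA", "PAYROLL", "STAFF"), ("NODEB", "DEV", "STAFF"),
        ("NODEC", "OPS", "STAFF"), ("NODED", "SYSPROG", "STAFF")]
```

In the sample, the NODED job is the case to review before installing: with no applicable GROUP% profile, the sender's group SYSPROG becomes the local execution group instead of STAFF.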
Copyright IBM Corp. 1994, 1996