Skip to Main Content
IBM Z Hardware and Operating Systems Ideas Portal


This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Not under consideration
Workspace z/OS
Created by Guest
Created on Apr 20, 2012

Enhance RACF-DELEGATED support for FTP to include when z/OS is the FTP client

I would like the z/OS Communications server to delegate z/OS FTP client activity outbound to another ID.

That is as documented here:
http://publib.boulder.ibm.com/infocenter/zos/v1r13/index.jsp?topic=/com.
ibm.zos.r13.halz002/encalg.htm

I understand that is when the z/OS is functioning as the FTP server but I'd like it to also work this way when z/OS is the FTP client as well.

Idea priority Medium
  • Guest
    Reply
    |
    Nov 19, 2015

    Due to processing by IBM, this request was reassigned to have the following updated attributes:
    Brand - Servers and Systems Software
    Product family - z Systems Software
    Product - z/OS Communications Server

    For recording keeping, the previous attributes were:
    Brand - WebSphere
    Product family - Enterprise Networking
    Product - z/OS Communications Server

  • Guest
    Reply
    |
    Dec 12, 2012

    This requirement would need to be addressed via RACF. As RACF is not yet using RFE for requirements management, a FITS requirement (MR1212123050) has been opened against RACF. This RFE will be closed.

  • Guest
    Reply
    |
    Jul 4, 2012

    I was actually afraid RACF delegated wouldn't work here as the FRACHECK is occuring inside of my address space and of course where else could the FRACHECK occur when my address space is running as a client of some other server.

    That solution of creating a group for the users of FTP won't really work here at Publix due to audit restrictions. They view anything related to crypto as something that has to be audited every quarter. So if I build that group as you suggest multiple managers will be re-approving this access QUARTERLY unil the end of time.

    I've often though of just opening profiles like this up to everyone with a UACC of READ because who really cares what FTP sessions are crypto accelerated vs. which are not but after a conversaion with level 2 via a PMR I understand the idea is that you don't want just anyone able to find out what APIs your crypto hardware supports.

    The only other thing I could think of is delete our ** profile in the CSFSERV class which would default the SAF return code to a 4 because CSFSERV defaults to a 4 if no profile is found. Then perhaps because NO profile is found it works. But that goes against what I see in the manual.

    Perhaps program control? But implementing PADS is painful unless I wish to program control every load library the FTP users might ever use and some of them have access to TSO. Ugh.

    What other possible solutions might IBM be capable of coming up with?
    I was hoping for a technological enhnacment of some kind of ease the burden of my particular situation.

    Thanks,
    Joel

  • Guest
    Reply
    |
    Jun 26, 2012

    The suggested solution of using RACF delegated access does not fit for the FTP client because the client runs directly under the invoking user's address space. In other words, there is no other userid that to which access can be delegated (with FTPD, the delegation is handled by the userid of the FTP daemon address space).

    However, I believe the problem is easily solved through the use of RACF groups. Here's what I suggest. (Note that the complete command syntax is not shown - just enough to get the point across.)

    Create a group profile for all FTP client users:

    ADDGROUP FTPCLNTS OWNER(ownerid) SUPGROUP(superior group, if any)

    Permit the new FTPCLNTS group to all of the required CSFSERV resources:

    PERMIT profile-name CLASS(CSFSERV) ID(FTPCLNTS) ACCESS(READ)

    Connect the required userids to the FTPCLNTS group:

    CONNECT userid GROUP(FTPCLNTS)

    After setting up the group this way, any userid that's a member of the group will have access to the permitted CSFSERV resources. In addition, the use of the group adds exactly one entry to the the ACL list for each profile, which should address your concern about building long ACLs.

    Does this appear to be a viable solution to your request?