IBM Z Hardware and Operating Systems Ideas Portal


This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).

Status: Not under consideration
Workspace: z/OS
Created by: Guest
Created on: May 14, 2019

RACF interface to PAGENT to allow users to access pagent defined resources

When we are in our disaster recovery environment we have users that access it via VPN. We block most IP addresses unless they tell us to add it to pagent. One user had a different IP address each time he logged in and had to contact us to add it to the pagent config. I am asking you to consider allowing RACF to talk to pagent and grant access to the user. If RACF passes the user ID to pagent and it is in the "new" portion of the pagent config then the user gets the access.

Idea priority Medium
  • Guest, Jul 25, 2019

    Hi... just a quick reminder to clarify the specific policy agent-based technology you are referring to here. Also interested in your thoughts regarding the points I mentioned in my June 25 update. Thanks!

  • Guest, Jun 25, 2019

    Thanks for submitting this requirement. When you mention pagent, we are assuming that you are talking about IP packet filtering (part of the IPSecurity policy) - is this correct? If not, please clarify which technology you mean.

    If so, it isn't possible to do what you are asking based purely on IP packet filtering technology. The problem is that the filtering is based on the network and transport layer attributes of each IP packet (IP addresses, IP protocol, TCP ports, etc.). Numerous IP packets will flow before and during a TCP connection before any z/OS user credentials (including the user ID) would ever flow. Because of this, several packets in your scenario will have already been denied based on their IP addresses before RACF would ever get a chance to recognize a z/OS user ID.

    Note that some applications and middleware support the concept of ports of entry based on the IP address -- in this case, the origin address is considered as part of the overall user authorization process that is driven through RACF. Would this be a possible solution in your case? Since it would require pre-knowledge of the origin addresses, I suspect you would still be facing the same issue. Is there any way to predict the address range or subnet from which a given user might come when logging in over a VPN? If so, you could pre-populate filter rules based on those ranges or subnets as long as that is acceptable within your company's security policy.
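The sequencing argument in the reply above (the filter decides on the TCP SYN, long before any packet carrying a user ID exists) and the two alternatives it raises (a port-of-entry check at the application layer, or pre-populating rules for the VPN address pool) can be made concrete with a small model. The following is an added example written for this page; it is not IBM code and does not use Policy Agent (PAGENT) rule syntax. It assumes a first-match filter over (source address, destination port) with an implicit deny, a TN3270-style logon on port 23, and constructed addresses from the documentation ranges; the rule sets, the user ID DRUSER1 and the shape of the port-of-entry table are all assumptions.

```python
"""Why a stateless IP packet filter cannot be driven by a RACF user ID.

Constructed model, not z/OS Policy Agent (PAGENT) code or rule syntax: a
first-match filter over (source address, destination port) is run against
the inbound packets of a logon, and the trace records which packet is
denied and whether a user ID had been visible to the filter by then.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PERMIT, DENY = "permit", "deny"


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network  # source address or prefix the rule matches
    dport: int                  # destination TCP port
    action: str                 # PERMIT or DENY


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dport: int
    flags: str                      # "SYN", "ACK", "PSH"
    user_id: Optional[str] = None   # set only on the data packet carrying the logon


def rule(cidr: str, dport: int, action: str) -> Rule:
    return Rule(ipaddress.ip_network(cidr), dport, action)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; nothing matching means an implicit deny."""
    for r in rules:
        if pkt.src in r.src and pkt.dport == r.dport:
            return r.action
    return DENY


def tn3270_logon(src: str, user_id: str, dport: int = 23) -> List[Packet]:
    """Inbound packets of a logon in the order the client sends them: the TCP
    handshake completes before any application data (the logon) can flow.
    (Assumed TN3270-style flow on port 23; server-side packets are omitted.)"""
    a = ipaddress.ip_address(src)
    return [
        Packet(a, dport, "SYN"),
        Packet(a, dport, "ACK"),
        Packet(a, dport, "PSH", user_id=user_id),
    ]


def trace(rules: List[Rule], packets: List[Packet]) -> dict:
    """Run the filter over a packet sequence and stop at the first denial.

    Returns the flags of the denied packet (None if everything passed) and the
    user ID, if any, that had reached the filter before that decision was made.
    """
    seen_user = None
    for pkt in packets:
        if evaluate(rules, pkt) == DENY:
            return {"denied_at": pkt.flags, "user_id_seen_before_denial": seen_user}
        if pkt.user_id is not None:
            seen_user = pkt.user_id
    return {"denied_at": None, "user_id_seen_before_denial": seen_user}


def port_of_entry_check(user_id: str, src: str, allowed_origins: dict) -> bool:
    """Application-layer check of the kind the reply calls a 'port of entry':
    by the time it runs, both the user ID and the origin address are known,
    but the permitted origins per user still had to be configured in advance.
    allowed_origins maps user ID -> list of CIDR strings (constructed shape)."""
    a = ipaddress.ip_address(src)
    return any(a in ipaddress.ip_network(c) for c in allowed_origins.get(user_id, []))


if __name__ == "__main__":
    # Constructed rule sets: the DR site permits only its own campus prefix,
    # then the VPN pool's prefix is added as the reply suggests.
    site_only = [rule("10.0.0.0/8", 23, PERMIT)]
    with_vpn_pool = site_only + [rule("198.51.100.0/24", 23, PERMIT)]
    logon = tn3270_logon("198.51.100.7", "DRUSER1")

    print(trace(site_only, logon))       # SYN denied; no user ID was ever seen
    print(trace(with_vpn_pool, logon))   # all permitted; user ID visible only on PSH
    print(port_of_entry_check("DRUSER1", "198.51.100.7", {"DRUSER1": ["198.51.100.0/24"]}))
```

The first trace is the case in the idea: the SYN from an address not in the rule set is dropped and the filter never reaches the packet that carries DRUSER1, so there is nothing for a user-ID lookup to act on at that layer. The second trace shows the workaround the reply proposes, a prefix rule for the VPN address pool, under which the handshake completes and the user ID becomes visible, after which a port-of-entry check can combine user and origin; as the reply notes, that table still has to know the origin prefixes ahead of time.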