IBM Z Hardware and Operating Systems Ideas Portal


This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas

  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Add a new idea Subscribe
Status Not under consideration
Workspace z/OS
Categories Communications Server
Created by Guest
Created on Jul 28, 2016

RELATED IDEAS

VERIFYAPPL and VTAM generic resources for TSO

Customers should be able to exploit both VTAM generic resources as well as the TSO VERIFYAPPL function to limit access by system/APPLID.

Currently, if one wishes to control exactly which systems a TSO user has access to using the VERIFYAPPL keyword in the TSOKEYxx member, the systems programmer works with the external security manager to protect certain specific APPLIDs and prevent the TSO LOGON when the user attempts to LOGON to a specific system. When VTAM generic resources are used for TSO, WLM decides which single system is used for the LOGON and the user has no way to know which system is selected. The problem is that there may be systems where these "generic" LOGONs are not welcome and when TSO does the APPLID security check, it uses the VTAM generic resource name as defined by the GNAME parameter in the TSOKEYxx member. And presumably, the GNAME is the generic name for the entire collection of systems in the SYSPLEX, so when the security check is made for that APPLID using the generic name, there is no way to prevent a LOGON from happening on any single system or subset of the systems in a SYSPLEX. The only way to accomplish that is to remove the GNAME parameter from certain specific TSOKEYxx members in PARMLIB and have TSO fall back to the pre-VTAM generic resource method of LOGON restriction using the SMFID of the individual systems. But this creates a complication in PARMLIB trying to ensure that the security rules are in-sync with the TSOKEYxx PARMLIB definitions--that is... any systems that are eligible for a generic TSO LOGON can have the GNAME parameter defined in TSOKEYxx and any systems that are restricted can only use the TSOKEYxx members that have the individual SMFID defined.

Users should be able to set up PARMLIB with a single member that contains the GNAME parameter and permit VTAM/WLM to route the TSO LOGON to the best candidate system in the SYSPLEX, but also use the VERIFYAPPL function to check to see if the user is permitted to LOGON to that system. If not, VTAM/WLM should select the next best system and so on, until either there is a system available for the LOGON or there are no systems available at which time the LOGON just fails for lack of an available system.

Idea priority Medium
  • Guest
    Reply
    |     Aug 29, 2016

    The solution being requested herew ould not be consistent with the single-system image model of generic resources each instance of the generic resource is assumed to be identical and eligible for use by all users. As an alternative, you could consider creating two or more TSO GR names such that each GR name only has GRs with the same security authority: (1) TSO1 TSO2 TSO3 register as GRNAME  TSOGR and use  VERIFYAPPL of TSOGR,  and (2) TSO4 TSO5 TSO6 are more secure and register as GRNAME TSOGRSEC and use VERIFYAPPL of TSOGRSEC. Users logon to either TSOGR or TSOGRSEC and they are RACF authorized to either TSOGR or TSOGRSEC.

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.