A Guide to Recent ICE Enhancements · Image&Control&Environment!11.0& & 8 NewEra&Software,&Inc.&&9ImageControlEnvironment(ICE)Applications& 3.3 Sample NSEPRM00 Control Statements

Image Control Environment 11.0

1 NewEra Software, Inc. -‐ Image Control Environment (ICE) Applications

The Image Control Environment (ICE) and its Applications help you

avoid problems and improve system controls.

A Guide to Recent ICE Enhancements

11.0 ICE11

Contact us for additional information: NewEra Software Technical Support 800-‐421-‐5035 or 408-‐520-‐7100 [email protected] www.newera.com Rev: 2014-‐08-‐01



1 Foreword

1.1 Copyright, Trademark and Legal Notices

1.1.1 Copyrights

This Guide to Updates and the related Software Product(s) are protected under a Copyright dated 2014 by NewEra Software, Inc. All rights are reserved.

1.1.2 License Agreement

This Guide to Updates describes the installation and operation of the Image Control Environment (ICE). It is made available only under the terms of a license agreement between the licensee and NewEra Software, Inc. No part of this Guide or the related Software Product(s) may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose, without the express written permission of NewEra Software, Inc.

1.1.3 Trademarks and Copyrights of Others

The following products and/or registered trademarks of International Business Machines Corporation (IBM) are referenced in this document: z/OS, MVS, VM, RACF, z/OS, SYSPLEX, JES, VTAM, TSO, ISPF, ICKDSF, DFSMSdss, DF/DSS, SDSF and IBM Health Checker for z/OS. Other company, product or service names may be trademarks or service marks of IBM or other organizations.



1.2 General Information

1.2.1 The Purpose of this Document

The purpose of this document is to provide a description of recent updates to Image Control Environment (ICE) and to further provide detailed product references for use by both new and existing users. Existing users should review and become familiar with the new features. New users should do the same and, as needed, use this document as a reference during product installation, setup and initial familiarization.

1.2.2 Who Should Read this Document

Those given the responsibility to install and maintain and use the Image Control Environment (ICE) should read this document.



2 Table of Contents 1 Foreword............................................................................................................................. 2 1.1 Copyright, Trademark and Legal Notices .......................................................................2 1.1.1 Copyrights ............................................................................................................................................2 1.1.2 License Agreement ...........................................................................................................................2 1.1.3 Trademarks and Copyrights of Others ....................................................................................2

1.2 General Information ..............................................................................................................3 1.2.1 The Purpose of this Document ....................................................................................................3 1.2.2 Who Should Read this Document...............................................................................................3

2 Table of Contents.............................................................................................................. 4 3 Updates to the NSEPRM00 Control Member ........................................................... 7 3.1 BEGINPARALLEL .....................................................................................................................7 3.2 ENDPARALLEL .........................................................................................................................7 3.3 Sample NSEPRM00 Control Statements ..........................................................................8

4 Functional Enhancements............................................................................................. 9 4.1 Application Controls..............................................................................................................9 4.2 TCE Padlock Control – IPLParm and PARMLib .......................................................... 10 4.2.1 Padlock Initialization....................................................................................................................10 4.2.2 Subsequent Padlock Notification ............................................................................................11 4.2.3 Padlock Control Administration..............................................................................................11

4.3 Panel Specific Enhancements .......................................................................................... 12 4.3.1 Navigation .........................................................................................................................................12 4.3.2 Panel Specific Help ........................................................................................................................13 4.3.3 Field Sensitive Help.......................................................................................................................13

4.4 SMP/E Installation............................................................................................................... 14 4.4.1 Beta Testing......................................................................................................................................14 4.4.2 Full Support ......................................................................................................................................14

4.5 NSECTL Member – Syntax is changing .......................................................................... 14 4.5.1 Old Syntax -‐ VERS(1) ....................................................................................................................14 4.5.2 New Syntax -‐ VERS(2)..................................................................................................................14

4.6 zUnix Support ....................................................................................................................... 15 4.6.1 Initial Support..................................................................................................................................15 4.6.2 Full Support ......................................................................................................................................15

5 ProdView – Image FOCUS Background....................................................................16 5.1 BkgIRpts - Background Inspection Findings .............................................................. 17 5.1.1 Classic view of Report Clusters ................................................................................................17 5.1.2 Enhanced View of Report Clusters .........................................................................................18

5.2 Packages - Image Baseline Configurations................................................................. 25 5.2.1 Classic View of Package Operations.......................................................................................26 5.2.2 Enhanced Package Processing Options ................................................................................27

5.3 BatIRpts - BatchJob Inspection Findings ..................................................................... 34 5.3.1 Defining the Batch Report Qualifier.......................................................................................34 5.3.2 Enhanced Batch Reporting ........................................................................................................34 5.3.3 Access The Control Editor ..........................................................................................................36

6 WorkView – Image FOCUS Workbench...................................................................37



6.1 Dynamic Change Audit - Summary ................................................................................ 37 6.1.1 BPXPRM Dynamic Changes........................................................................................................37

7 Controls – The Control Editor.....................................................................................40 7.1 Padlocking IPLPARM and PARMLIB .............................................................................. 40 7.1.1 Padlock Initialization....................................................................................................................40 7.1.2 Subsequent Padlock Notification ............................................................................................41 7.1.3 Padlock Control Administration..............................................................................................41

7.2 Role Based Access Control (RBAC) ................................................................................ 42 7.2.1 Reinforcing Legacy Security......................................................................................................43 7.2.2 Enhancing Staff Productivity ....................................................................................................43 7.2.3 Using TCE to Define and Assign Access Roles ...................................................................44

7.3 Using TCE/RBAC to Define Access Controls ................................................................ 45 7.3.1 The ‘Ctls’ Column Decoded – Role Definitions ..................................................................45 7.3.2 Adding a New Role – Name, Description and Window..................................................45 7.3.3 Updating an Existing Role ..........................................................................................................46 7.3.4 Removing a Defined Role............................................................................................................46 7.3.5 Defining TCE/RBAC Access Rights – Boundary Options...............................................47

7.4 MVSCntls - MVS/BCP Categories and Datasets........................................................... 47 7.4.1 MVS Category Based Definitions .............................................................................................48 7.4.2 MVS Dataset Based Definitions ................................................................................................48

7.5 USSCntls - USS/HFS Categories and Dirs/Files........................................................... 49 7.5.1 The ‘Ctls’ Column Decoded – USS/HFS Categories ..........................................................49 7.5.2 Setting Control Elements within a Category ......................................................................49 7.5.3 zFS/HFS Control Element Types .............................................................................................50

7.6 ESMCntls - ESM/RACF Group Special Commands...................................................... 51 7.6.1 Adding a Command .......................................................................................................................51 7.6.2 Updating Command Definitions ..............................................................................................52 7.6.3 Removing a Command.................................................................................................................53 7.6.4 Command Usage Table ................................................................................................................53 7.6.5 Showing Members Assigned to a Role ..................................................................................54

7.7 Using TCE/RBAC to Assign Users to Defined Roles .................................................. 55 7.7.1 Adding Users to a Role.................................................................................................................55 7.7.2 Updating a User Role ....................................................................................................................56 7.7.3 Removing a User from a Role....................................................................................................56

7.8 TCE/RBAC Definition and Assignment Reporting .................................................... 58 7.8.1 Role Definition Reports ...............................................................................................................59 7.8.2 Role Assignment Reports ...........................................................................................................62

7.9 TCE/RBAC Configuration Monitors ............................................................................... 65 7.9.1 Role Definition Monitor...............................................................................................................65 7.9.2 Role Assignment Monitor...........................................................................................................66

7.10 The Potential of TCE/RBAC Functions ....................................................................... 67 7.10.1 Legacy Perimeters Boundaries..............................................................................................67 7.10.2 TCE Role Definition – Name and Description .................................................................68 7.10.3 TCE Resources Defined to a Role..........................................................................................68 7.10.4 TCE User Assignment to a Role .............................................................................................69

8 Defining – ICE User Access Administration & Logging.......................................70 8.1 CustDefs and Migrates........................................................................................................ 70 8.2 ICEAdmin – User Access Controls................................................................................... 70



8.2.1 SetAdmin – Naming the ICE Administrator........................................................................72 8.2.2 Padlocks – Setting the Global Padlock ..................................................................................73 8.2.3 UserMode – ICE Application Access Rights ........................................................................74 8.2.4 UserLogs – Access/Display User Activity ............................................................................76 8.2.5 Activate – Activate Control Updates ......................................................................................77

9 Appendix – Sample Batch Procedures.....................................................................78 9.1 IFOBAT PROC ........................................................................................................................ 78 9.2 IFOBATA PROC...................................................................................................................... 79 9.3 IFOBATS PROC ...................................................................................................................... 80

10 Index ................................................................................................................................82



3 Updates to the NSEPRM00 Control Member The NSEPRM00 ICE ParmLib Configuration Member has been enhanced in order to better support the initialization of certain Control Editor Functions – Shared Journals and Shared Control List. This enhancement requires the grouping of operational TASKs into two initialization Groups – Parallel and Serial.

3.1 BEGINPARALLEL

A Parallel Task Group is composed of the Named TASK defined within the BEGINPARALLEL and ENDPARALLEL Control Statements. Because of the nature of the work performed by the TASK named in this Control Statement Group, each such TASK may be started in Parallel with all others within the Group when system resources are available to start them at the same time. Within the NSEPRM00 Control Member there are two BEGINPARALLEL Task Groupings. The positioning of these two groups within the Member CANNOT be changed as it is CRITICAL to the overall successful initialization of the Image Control Environment (ICE).

3.2 ENDPARALLEL

The ENDPARALLEL Control Statement is used to signal the end of Parallel TASK processing and the Beginning of TASK Serialization of any TASKs that follow within the Group. Because of the nature of the work performed by the TASKs following this Control Statement, each such TASK is started and completes before the next TASK in the group is started. No specific Control Statement is used to signal the END of Serial TASK Processing. However, in the NSEPRM00 Control Member, the start of the second BEGINPARALLEL Group is used to end Serial TASK processing. The position of this second BEGINPARALLEL Group is CRITICAL to the overall successful initialization of the Image Control Environment (ICE).



3.3 Sample NSEPRM00 Control Statements

BEGINPARALLEL – The following tasks attach in parallel TASK=NSKINIT AUTOINDEX /* LOCAL 3270 DRIVER */ TASK=NSNLOAD MODULE(IKJEFTSR) /* AUTHORIZED COMMANDS */ TASK=NSRINIT PROC(IFOBG) START(NO) /* SERVICES TASK */ TASK=NSJINIT /* JES CONNECTION */ LOAD=NSECSCI /* SUBMIT W/SUB=MSTR */ ENDPARALLEL – Any tasks that follow attach serially TASK=NSWJSSI /* JOURNAL SUBSYSTEM */ TASK=NSWJSTI CTL(00) JRN(00) /* JOURNAL CONTROL */ TASK=NSWSCTL INTERVAL(360) /* SHARE CONTROL */ TASK=NSWJCTL INTERVAL(120) /* SHARE CNTL JOURNALS */ TASK=NSWJSCI LOG(ERRORS) /* CHANGE DETECTION */ TASK=NSWJCDT /* CHANGE AUTOMATION */ BEGINPARALLEL – The following tasks attach in parallel TASK=NSWOMST /* OP CMD LOGGING */ TASK=NSWCEFM /* FUNCTION SCHEDULER */ TASK=FDEMAIN /* FDE FOR IFO/ISPF */ ENDPARALLEL – Any tasks that follow attach serially



4 Functional Enhancements In this release of the Image Control Environment (ICE), you will find a number of changes to the Primary Menu, shown below, and those follow-‐on Menus that support the Image FOCUS Production and Worksheets Views, Disaster Recovery View, The Control Editor and the ICE Viewer.

ICE Primary Menu: ICE 11.0 - The Image Control Environment P ProdView .. - Image Focus Production Views Userid - PROBI1 Time - 09:43 W WorkView .. - Image Focus Workbench Views Terminal - 3278 System - ADCD113 R DRecView .. - Image Focus Recovery Views Applid - TEST Image Focus 11.0 C Controls .. - Controls Environment Settings Patch Level P5 V IPLViews .. - IPLCheck Results Focal Point D Defining .. - IFO Definitions and Settings **************************** * Background Task: RUNNING * * No/TSO Recovery: DOWN * **************************** X Exit - Terminate NewEra Software, Inc. Our Job? Help you make repairs, avoid problems, and improve IPL integrity. Option ===>

4.1 Application Controls In addition to the many Panel and Functional Enhancements, this release introduces ICE Application Control and Logging Features. For example, entering the Production View for the first time under this release you may be surprised by the following Pop-‐Up message.

◊—————————————————————————————————————————————————————————————————————◊ ◊ IFO 11.0 - ICE Dialog Access - WARN Mode ◊ ◊ ◊ ◊ Temporary Access to this ICE Dialog Services Granted. ◊ ◊—————————————————————————————————————————————————————————————————————◊

This message is intended to notify ICE users of the level of Application Access and the Control Mode under which their access is being granted – DENY|WARN|NONE. By default, all users are allowed access to ALL ICE Applications with Control Mode set to ‘WARN’. If you wish to



change these default settings, see the instructions in this document in the section headed ‘Defining -‐ ICE User Access Administration & Logging’.

To move beyond the Pop-‐Up message, press enter or PFK3.

4.2 TCE Padlock Control – IPLParm and PARMLib The TCE Padlock provides enhanced Access Control over TCE Category resources as defined in the NSECTLxx Configuration Member. Within this Member, a ‘SPECIAL’ keyword -‐ ‘*Auto*’ -‐ may be used as a ‘Named Dataset’ within the Reserved Categories Named – SYSTEM.IPLPARM and SYSTEM.PARMLIB. When used in this way, TCE automatically discovers the associated IPLParm and PARMLib Datasets and ‘Padlocks’ each of these Reserved Categories by name. By default, the Category Control MODE is set to ‘WARN’. These configuration actions will result in a change in system behavior that will be noticed by users attempting to access IPLParm or PARMLib Datasets. This means that when users attempt to access ANY dataset defined or discovered within the SYSTEM.IPLPARM or SYSTEM.PARMLIB categories, TCE will issue a ‘Warning Message’ stating that dataset access is being allowed on a temporary basis. In addition, the TCE Administrator(s) will see the following Pop-‐Up notices – Padlock Initialization and Subsequent Notification.

4.2.1 Padlock Initialization Padlock Control over SYSTEM.IPLPARM and SYSTEM.PARMLIB Categories is initialized when the ‘Controls – Controls Environment Settings’ option is selected from the ICE Primary Menu, NSECTLxx contains the Categories SYSTEM.IPLPARM and/or SYSTEM.PARMLIB, the ‘*AUTO*’ keyword is used as a dataset name, and no Padlock Control exists for the Category. An example of such a control card set follows:

NSECTLxx Control Cards FORMAT VERS(1) *----Category---|----Dateset_Name---- SYSTEM.IPLPARM *AUTO* SYSTEM.PARMLIB PAUL.PARMLIB.TEST SYSTEM.PARMLIB PLAY.PARMLIB.TEST SYSTEM.PARMLIB *AUTO* PHARL2.PARMLIB2 PHARL2.PARMLIB PHARL2.PARMLIB2 PHARL2.PARMLIB1 PHARL2.PARMLIB2 PHARL2.PARMLIBC

When these conditions exist, the following Control Cards are automatically inserted into the NSESELxx Configuration Member, the ICE Environment is Dynamically updated and a Notification Pop-‐Up is displayed.



NSESELxx Control Cards Keyword Userids Member Category/Dataset/Unix File Path ------- ------- -------- ------------------------------- CATALLI TCEUSER * SYSTEM.IPLPARM CATALLI TCEUSER * SYSTEM.PARMLIB

Notification Pop-‐Up ◊—— *AUTO* Padlock Set for Category SYSTEM.PARMLIB/SYSTEM.IPLPARM. ———◊ ◊ ◊ ◊—————————————————————————————————————————————————————————————————————◊

4.2.2 Subsequent Padlock Notification

Once Padlock Controls are in place, a different/reminder Pop-‐Up message will be displayed each time the ‘Controls – Controls Environment Settings’ option is selected.

Notification Pop-‐Up ◊—————— Control Mode of Category/Dataset Padlock set to - WARN. ——————◊ ◊ ◊ ◊—————————————————————————————————————————————————————————————————————◊

4.2.3 Padlock Control Administration

Padlock Definitions are administered using the ‘Settings’ Option accessed from the TCE Primary Menu – ‘The Control Environment Options’.



4.3 Panel Specific Enhancements

The Interface Panels supporting The Control Editor and ICE Viewer have always conformed to a design standard that supports a common panel layout, multiple methods of function selections and extensive Panel-‐Specific Help. These design criteria are now being implemented through all Image Control Environment (ICE) Applications. As a result of this, you will find that many panels and worksheets now appear differently than they did in previous releases. These panel appearance changes notwithstanding, all underlying application functions remain unchanged or have been enhanced to support new data views and/or reports.

4.3.1 Navigation

Panel navigation may now be achieved in one of three ways – Command Line, Entry Point, or by selecting Point-‐and-‐Shoot Objects. We will use the ICE Primary Menu to describe each method of Navigation.

ICE Primary Menu ICE 11.0 - The Image Control Environment P ProdView .. - Image Focus Production Views Userid - PROBI1 Time - 09:43 W WorkView .. - Image Focus Workbench Views Terminal - 3278 System - ADCD113 R DRecView .. - Image Focus Recovery Views Applid - TEST Image Focus 11.0 C Controls .. - Controls Environment Settings Patch Level P5 V IPLViews .. - IPLCheck Results Focal Point D Defining .. - IFO Definitions and Settings **************************** * Background Task: RUNNING * * No/TSO Recovery: DOWN * **************************** X Exit - Terminate NewEra Software, Inc. Our Job? Help you make repairs, avoid problems, and improve IPL integrity. Option ===>

4.3.1.1 Command Line Take note of the ‘Single Character’ that precedes the function’s eight-‐character ‘Short Name’. This is the ‘Selection Character’ for the related function. When this Character is entered on the Option/Command Line and enter is pressed, ICE will immediately summon the requested function.



4.3.1.2 Entry-‐Point Take note of the two dots ‘..’ that follows each function’s eight-‐character ‘Short Name’. This is the ‘Entry-‐Point’. To select a related function, place ‘S’ on the entry point and press enter.

4.3.1.3 Point-‐and-‐Shoot objects Take note that the eight-‐character ‘Short Name’, always highlighted in white, is a Point-‐and-‐Shoot object that can be used for selecting a function. To select a function using this method, cursor under the ‘Short Name’ and press enter.

4.3.2 Panel Specific Help

It is our goal to provide meaningful Panel-‐Specific Help that can guide you to a better understanding of the many functions supported in the Image Control Environment (ICE). To do this, we will provide Help Panels, as appropriate, that focus on three information areas – Panel Overview, Column Headings, and Row/Panel Commands/Functions.

4.3.2.1 Panel Overview

The Overview is intended to provide the reader with an understanding of the intent of the panel and the functions it supports.

4.3.2.2 Column Headings The Column Headings describes the columnar headings used in tabular displays and worksheets.

4.3.2.3 Row/Panel Commands

The Row/Panel Commands describe the function to be performed by an available command. Many, but not all, Command Entry-‐Points will recognize ‘/’ as a call for ‘Field-‐Sensitive’ help.

4.3.3 Field Sensitive Help

Many, but not all, TCE Panels will now support Field Sensitive Help. To display Field Help place ‘/’ on a Field Command Entry-‐Point and press enter. This action will display a Help Pop-‐Up. Press PFK3 to remove the Pop-‐Up and redisplay the original full panel.



4.4 SMP/E Installation

As the Image Control Environment has grown in scope and functionality, the need for an alternate method of installation – SMP – has become a ‘Must Have’. We will continue to provide support for existing installation processes and make investments in SMP as well.

4.4.1 Beta Testing

The first implementation of the Image Control Environment (ICE) SMP Installation is now available for ‘BETA Testing’. Customers interested in the use of this new installation process should contact NewEra Technical Support via Email at – [email protected].

4.4.2 Full Support Full SMP Support is expected shortly following the successful BETA Test.

4.5 NSECTL Member – Syntax is changing

4.5.1 Old Syntax - VERS(1)

Version One – VERS(1) -‐ of the NSECTLxx Control Card Syntax is maintained to support existing configurations and to provide temporary support for UNIX Files. Users who wish to extend the TCE Control Environment to include UNIX Files will need to upgrade to Version Two. Version Two – VERS(2) -‐ supports both MVS Datasets and UNIX Files.

4.5.2 New Syntax - VERS(2)

In VERS(2) NSECTLxx Control Cards are constructed as “Sets” of MVS Datasets or UNIX Files bracketed by CATEGORY Statements to form a Category Control BLOCK. The opening CATEGORY Statement defines the Category Name and, optionally, the ROOT Directory of a set of UNIX Directories named within the BLOCK. The closing CATEGORY Statement, ‘CATEGORY .END’, is required to terminate the Control Block. UNIX Files and MVS Datasets cannot be mixed WITHIN the same Control Block.

NSECTLxx VERS(2) Control Cards must begin as follows:

FORMAT VERS(2)



For Categories containing MVS Datasets CATEGORY category_name DSN *AUTO* DSN fully_qualified_dsn(volume,system) CATEGORY .END

For Categories containing UNIX Files CATEGORY category_name (unix_root_directory) DSN fully_qualified_dsn(volume,system) DIRS ‘/unix_directory/unix_sub_directory’ SUBD ‘/unix_sub_directory/unix_sub_directory’ PATH ‘/unix_directory_path/unix_sub_directory’ FILE ‘fully_qualified_unix_file_name’ CATEGORY .END

4.6 zUnix Support Image Control Environment (ICE) Support for monitoring zUNIX using functions provided by The Control Editor will be made available in two stages – Initial and Full – support.

4.6.1 Initial Support

Early support for Fully qualified zUNIX files is available using the VERS(1) NSECTLxx SYNTAX. This support will focus only on File Backup and the Capture recording of File Edit Events.

FORMAT VERS(1) MVS.DATASETS SYS1.DATASET UNIX.FILES ‘/etc/config/file

Do not mix MVS Datasets and UNIX files in the same Category.

4.6.2 Full Support Full support of zUNIX files will require VERS(2) NSECTLxx SYNTAX and include, where appropriate, functions comparable with those provided for -‐ MVS Datasets, Commands and Messages, Backup, Detected Changes, Edit Event Capture, Notification, and Journal Content Reporting.



5 ProdView – Image FOCUS Background

The Production View Primary Menu IFO 11.0 - Production Inspection Selection I Inspects .. - Background Inspection Definitions Userid - PROBI1 Time - 10:32 C BkgState .. - Background State/Status/Cycle Sysplex - ADCDPL System - ADCD113 R BkgIRpts .. - Background Inspection Findings IFOhlq - TEST Image Focus 11.0 P Packages .. - Image Baseline Configurations Patch Level P5 B BatIRpts .. - BatchJob Inspection Findings S Settings .. - Background Inspection Settings X Exit - Return to the TCE Primary Menu NewEra Software, Inc. Our Job? Help you make repairs, avoid problems, and improve IPL integrity. Option ===>

The Options available in the ‘ProdView’ Menu have changed. Those related to Production/Background Settings have been moved to a new sub-‐menu displayed when you select ‘Settings’. All other Options related to the current state of the Production/Background operations – Inspection Findings and Configuration Changes – have been enhanced.



5.1 BkgIRpts - Background Inspection Findings

Background Inspection and Configuration Change Findings are stored in Report Clusters and Package Datasets. A Report Cluster is a single Dataset containing All Image Inspections, Image Audit Reports, The Sysplex Inspection, The Individual Image Crosscheck, Image Change Summaries and Image Change Detail Reports. When the ‘BkgIRpts’ option is selected, the ‘New’ Background Inspection Reports Panel is displayed. Use the options available from this panel to access and display Image/Sysplex Findings and related Configuration Changes, if any. The Background Inspection Reports Panel IFO 11.0 - Background Inspection Reports C Clusters .. - Full Inspection Report Clusters Userid - PROBI1 Time - 11:44 D DshBoard .. - Local Sysplex Inspection Findings Sysplex - ADCDPL System - ADCD113 A AllPlexs .. - Sysplex Access - Local and Remote IFOhlq - TEST Image Focus 11.0 Patch Level P5 X Exit - Return to the TCE Primary Menu NewEra Software, Inc. Our Job? Help you make repairs, avoid problems, and improve IPL integrity. Option ===>

5.1.1 Classic view of Report Clusters

Selecting the ‘Clusters’ option will show the Classic View of the Report Clusters: IFO 11.0 - Background Inspection Reports Row 1 to 16 of 93 Controlled Sysplex Line Commands: S - Select Report D - Delete Report DF - Delete Force DATA SET NAME CMD DATE TIME NAME CLUST ITEMS RESULT IFO.TESTBG.REPORT. .. 07/01/2014 07:01 PROD0001 Y 5 WARNING D2014182.T0701408 .. 06/30/2014 23:12 PROD0001 Y 5 WARNING D2014181.T2312432 .. 06/30/2014 00:09 PROD0001 Y 5 WARNING D2014181.T0009057 .. 06/29/2014 00:07 PROD0001 Y 5 WARNING D2014180.T0007123 .. 06/27/2014 00:03 PROD0001 Y 5 WARNING D2014178.T0003476 .. 06/26/2014 00:01 PROD0001 Y P 11 WARNING D2014177.T0001306



5.1.2 Enhanced View of Report Clusters

Selecting either the ‘DshBoard’ or ‘AllPlexs’ option provides access to unique Cluster content display options and reports. Ultimately, at the Image Level, both the ‘DshBoard’ and ‘AllPlexs’ options provide the same displays and reports. They differ only in that the ‘DshBoard’ option is specific to the running Cluster Definition while the ‘AllPlexs’ option allows you to define ‘Remote Clusters’ affording access to all – Local and Remote – Inspection Findings and Configuration Changes. Selecting the ‘DshBoard’ displays the Background Inspection Summary. Note that because of the ‘High Level’ of summarization presented, there may be some delay in panel display. Following initial usage, and assuming frequent usage, there should be no noticeable delay in display. Panel-‐Specific Help is available by pressing PFK1. The Background Inspection – Summary Panel IFO 11.0 - Background Inspection - Summary Row 1 to 9 of 9 --NSIMBLX 0621-- ---IFOClusters--- --------------- Environment is IFO.TEST - 6 Sysplex/Image Pairs --------------- Row Selections: Shows_Finding_Timeline_Report Display_Image_Inspection_Timeline - Row -----Last Inspection Findings------ Your ---------Period to Date--------- S Num -Target- -Images- -Date-Time-Finds- News Days Week Mths Qtrs Years Totals _ 001 PROD0001 IMAG0001 14/07/01-07:02-N- 0 1 1 1 72 72 80 _ 002 PROD0001 IMAG0002 14/04/22-17:46-E- 0 0 0 0 25 25 27 _ 003 PROD0001 IMAG0003 14/04/22-17:46-E- 0 0 0 0 31 31 33 _ 004 PROD0001 IMAG0004 14/07/01-07:02-N- 0 1 1 1 47 47 47 _ 005 PROD0001 IMAG0005 14/07/01-07:02-E- 0 1 1 1 18 18 24 _ 006 PROD0001 IMAG0006 13/05/21-13:31-E- 0 0 0 0 0 0 6 _ 007 -------- -------- ----------------- ---- ---- ---- ---- ---- ----- ------ _ 008 Available_Reports 0 3 3 3 193 193 217 _ 009 ======== ======== ================= ==== ==== ==== ==== ==== ===== ====== ******************************* Bottom of data ********************************

The Timeline Report is an overview of all Background Events for a selected Image. It shows a Summary of Sysplex, Image and Supplemental Findings and/or Changes. /******************************************************************************/ /* */ /* Background Inspection Findings - Inspection Timeline Detail */ /* Sysplex - PROD0001 - Image - IMAG0001 */ /* Date:2014/07/01 - Time:12:14:57 - User:PROBI1 */ /* */ /******************************************************************************/ Row ----Inspection Findings---- ----Interval---- ---Supplemental Findings--- Num PLX ZOS JES HCK VTM TCP CIC yyyy/mm/dd hh:mm LOD MBR CSD APF DSN VOL CNG --- --- --- --- --- --- --- --- ---------- ----- --- --- --- --- --- --- --- 001 Err --N E-- --- --- --- Off 2013/05/21 13:31 Off Off Off 031 097 014 Yes 002 Not --N E-- --- --- --- Off 2013/05/20 13:25 Off Off Off 031 097 014 Yes 003 Not --N E-- --- --- --- Off 2013/05/19 13:20 Off Off Off 031 097 014 Yes 004 Not --N E-- --- --- --- Off 2013/05/18 13:15 Off Off Off 031 097 014 Yes 005 Not --N E-- --- --- --- Off 2013/05/13 12:11 Off Off Off 031 097 014 Yes 006 Not --N E-- --- --- --- Off 2013/04/29 09:11 Off Off Off 031 097 014 Yes



The Image Inspection Timeline is a worksheet-‐based, interactive version of the Inspection Findings Timeline Report.

The Sysplex-‐Image Findings Timeline IFO 11.0 - Sysplex-Image Findings Timeline Row 1 to 15 of 80 --NSIMBLX 0621-- -Images Timeline- ------------ Sysplex:PROD0001 Image:IMAG0001 - 80 Inspection Events ----------- Row Selections: Sysplex_Inspection Inspection_Elements Configuration_Difference - Rows ----Inspection Findings---- ----Interval---- ---Supplemental Findings--- _ ____ ___ ___ ___ ___ ___ ___ ___ __________ _____ ___ ___ ___ ___ ___ ___ ___ S Numb PLX ZOS JES HCK VTM TCP CIC yyyy/mm/dd hh:mm LOD MBR CSD APF DSN VOL CNG _ 0001 Err -WN --- --- --- --- Off 2014/07/01 07:02 Off Off Off 032 097 013 Nop _ 0002 Err -WN --- --- --- --- Off 2014/06/30 23:15 Off Off Off 032 097 013 Nop _ 0003 Err -WN --- --- --- --- Off 2014/06/30 00:10 Off Off Off 032 097 013 Nop _ 0004 Err -WN --- --- --- --- Off 2014/06/29 00:08 Off Off Off 032 097 013 Nop _ 0005 Err -WN --- --- --- --- Off 2014/06/28 00:06 Off Off Off 032 097 013 Nop _ 0006 Err -WN --- --- --- --- Off 2014/06/27 00:04 Off Off Off 032 097 013 Nop _ 0007 Not -WN --- --- --- --- Off 2014/06/26 00:02 Off Off Off 032 097 013 Yes _ 0008 Err EWN Off --- Off Off Off 2014/06/24 08:06 Off Off Off 039 117 022 Nop _ 0009 Err -WN --- --- --- --- Off 2014/06/23 23:59 Off Off Off 032 097 013 Nop _ 0010 Err -WN --- --- --- --- Off 2014/06/22 23:57 Off Off Off 032 097 013 Nop _ 0011 Not -WN --- --- --- --- Off 2014/06/21 23:55 Off Off Off 032 097 013 Nop _ 0012 Err -WN --- --- --- --- Off 2014/06/20 23:53 Off Off Off 032 097 013 Nop _ 0013 Not -WN --- --- --- --- Off 2014/06/20 09:49 Off Off Off 032 097 013 Nop _ 0014 Not -WN --- --- --- --- Off 2014/06/19 09:47 Off Off Off 032 097 013 Nop _ 0015 Err -WN --- --- --- --- Off 2014/06/19 09:40 Off Off Off 032 097 013 Nop Option ===> Scroll ===> CSR

Take note that this display, like the Timeline report, is a Historical Record of Background Events. Depending on your Cluster and Package/Baseline Retention policy, it is possible that older Clusters and Configuration Baselines may have been deleted. In such cases, a Pop-‐Up message is displayed indicating that the Cluster and/or Package/Baseline is no longer available.

This Worksheet supports three Row Commands, each of which displays additional finding details – Sysplex Inspection, Inspection Elements, Configuration Changes. The fields in White are ‘Point-‐and-‐Shoot’ sensitive. Panel-‐Specific Help is available by pressing PFK1.



The Sysplex Inspection is extracted directly from the selected Report Cluster and is displayed in Worksheet format. The results of the Inspection are shown in the first Row of the Worksheet. To show all Inspection Records matching the overall Finding, cursor under the ‘Fnd’ field shown in that row and press enter. Cursor under the ‘Fnd’ field and press enter again to re-‐expand the worksheet. Panel-‐Specific Help is available by pressing PFK1. Sysplex Inspection Worksheet IFO 11.0 - Sysplex Inspection Findings Row 1 to 14 of 154 --NSIMBLX 0621-- --Sysplex Detail-- -------------- Sysplex:PROD0001 - 154 Sysplex Inspection Records -------------- Row Selection: Full_Sysplex_Inspection --- To Sort select a Sub-Head, To Query enter above Sub-Head, PFK1 for Help --- - Count --Results-- ------------------Inspection Message Text------------------ _ _____ _______ ___ ___________________________________________________________ S -Rec- --Key-- Fnd ------------------------UnFiltered------------------------- _ 00001 IFO0999 ERR REPORT FOR SYSPLEX PROD0001 ENDED WITH ERRORS. _ 00002 IFO1003 AOK SYSPLEX INSPECTION REPORT. _ 00004 IFO1000 AOK BACKGROUND EXECUTION ON 07/01/2014 AT 07:02:53. _ 00005 IFO0000 AOK REPORT DATASET: 'IFO.TESTBG.REPORT.D2014182.T0701408'. _ 00006 IFO1008 AOK PACKAGE INDEX DATASET: 'IFO.TEST.PACKAGE.INDEX'. _ 00007 IFO1539 AOK MULTISYSTEM TYPE SELECTED DUE TO MULTIPLE IMAGES DEFINED. _ 00008 IFO1500 AOK PROCESSING IMAGE NUMBER 1. _ 00009 IFO1501 AOK OPSYS INSPECTION COMPLETED WITH WARNINGS. _ 00010 IFO1502 AOK SYSPLEX=ADCDPL; SYSNAME=BDCD113; SYSCLONE=XB. _ 00011 IFO1503 AOK IPLUNIT=0A80; IODFUNIT=0A82; LOADPARM=0A82XB... _ 00012 IFO1504 AOK PLEXCFG=ANY; GRS=STAR; ETRMODE=YES; STPMODE=NO; SIMETRID=0 _ 00013 IFO1548 AOK BPXPRM SYSPLEX=NO. _ 00014 IFO1544 AOK ASSOCIATED SYSTEM INFORMATION. _ 00015 IFO1545 AOK NO ASSOCIATED IPL INFORMATION AVAILABLE. Option ===> Scroll ===> CSR



Each Image Inspection can be broken down into a number of discrete elements. Each available element may be selected from this panel by placing ‘S’ on the Entry Point that precedes an element’s name or cursor under it and pressing enter. Take note of the Date and Time of the Inspection and the IPL Inspection Parameters used.

Inspection Elements Selection Panel IFO 11.0 - Image Inspection Element Selection Sysplex: PROD0001 Image: IMAG0001 - Date: 2014/07/01 Time: 07:02 -- .. Findings ---------IPL Inspection Parameters--------- .. View Log -- IPL Unit Address 0A80 Add'L COMMANDxx -- LOAD PARM 0A82XB.. Hardware Name --NONE-- SYSCAT Suffix -- LPAR Name --NONE-- IEASYS00 Suffix -- VM UserId --NONE-- -- .. AuditLog -------OS and Sub-System Inspections------- .. Diff:Nop -- .. ZOS -WN 7623 z/OS Configuration .. JES --- 980 JES2/3 Procedures .. HCK --- 105 IBM HealthChecker .. VTM --- 1579 VTAM Members .. TCP --- 67 TCP/IP Components .. CIC Off 4 CICS SIT Files -- .. IEASYSxx ---Supplemental Inspections and Analysis--- .. PPTables -- .. LOD Off 4 Load Module Analysis .. MBR Off 4 Member Analysis .. CSD Off 4 CICS CSDS Dataset .. APF 032 41 APF Authorized DS .. DSN 097 535 System IPL Datasets .. VOL 013 119 System IPL Volumes Option ===>

‘Findings’ should likely be your first selection when reviewing Inspection Results. This function provides a summary of all Inspection Messages of interest, as they are found in a ‘Filtered-‐State’ within the report. Inspection Findings – Image Inspection Message Summary IFO 11.0 - Image Inspection Message Summary Row 1 to 6 of 6 --NSIMBLX 0621-- -Messages Summary- -------------------- Overall Image Inspection Findings - 6 -------------------- Row Selection: Show_Image_Inspection_Detail - Rec --Inspection Result-- - ------------Inspection Message Text-------------- _ ___ ___ _____ _______ ___ _ _________________________________________________ S Num Typ -Rec- --Key-- Rsl F --------------------Filtered--------------------- _ 001 ZOS 00171 IFO0651 AOK < CMB= IGNORED/REAL IPL OF Z990/NEWER CPC. _ 002 ZOS 00226 IFO0651 AOK < CMB= IGNORED/REAL IPL OF Z990/NEWER CPC. _ 003 ZOS 00307 IFO0443 WAR - PAGE: DUPLICATE DATASETS DETECTED. _ 004 ZOS 00487 IFO0769 WAR > IFO.DEVL.LOAD/VOL LVWRKA NOT FOUND. _ 005 ZOS 00488 IFO2100 NOT - APF DATASETS DOES NOT EXIST. _ 006 ZOS 02997 IFO2102 NOT - LNKAUTH=LNKLST WAS SPECIFIED. ******************************* Bottom of data ********************************

The ‘<’ and ‘>’ indicators are used to denote whether inspection message severity has been ‘promoted’ or ‘demoted’ by message filters found in the NSEMSG00 Configuration Member.

Selecting a message with the ‘S’ Row Command will display the Image Inspection Findings Worksheet. This Worksheet contains the ‘Full Inspection’ of the selected Image.



The first line displayed in the worksheet is the point in the Inspection Report where the selected message appears. From this point you may scroll up/down as needed to display its content. This will help you to gain a full understanding of actions that may have preceded or followed the selected message. Panel-‐Specific Help is available by pressing PFK1. Inspection Findings – Image Inspection Findings IFO 11.0 - Image Inspection Findings Row 307 to 320 of 7,614 --NSIMBLX 0621-- --Sysplex Detail-- -------------- Sysplex:PROD0001 - 7614 Sysplex Inspection Records ------------- Row Selection: Full_Domain_Inspection --- To Sort select a Sub-Head, To Query enter above Sub-Head, PFK1 for Help --- - Count --Results-- ------------------Inspection Message Text------------------ _ _____ _______ ___ ___________________________________________________________ S -Rec- --Key-- Fnd ------------------------UnFiltered------------------------- _ 00307 IFO0443 WAR PAGE: DUPLICATE DATASETS DETECTED. _ 00308 IFO0998 AOK SYS1.PLPA1.PAGE.DATA FOUND ON VOLUME ZDPAGM. _ 00309 IFO0757 AOK 1 DASD EXTENTS. _ 00310 IFO0138 AOK ALLOCATING SYS1.PLPA1.PAGE.DATA; VOL=ZDPAGM. _ 00311 IFO0151 AOK ALLOCATED TO SYS00011. _ 00312 IFO0998 AOK SYS1.COMMON1.PAGE.DATA FOUND ON VOLUME ZDPAGM. _ 00313 IFO0757 AOK 1 DASD EXTENTS. _ 00314 IFO0138 AOK ALLOCATING SYS1.COMMON1.PAGE.DATA; VOL=ZDPAGM. _ 00315 IFO0151 AOK ALLOCATED TO SYS00012. _ 00316 IFO0998 AOK SYS1.LOCALM.PAGE.DATA FOUND ON VOLUME ZDPAGM. _ 00317 IFO0757 AOK 1 DASD EXTENTS. _ 00318 IFO0138 AOK ALLOCATING SYS1.LOCALM.PAGE.DATA; VOL=ZDPAGM. _ 00319 IFO0151 AOK ALLOCATED TO SYS00013. _ 00320 IFO0998 AOK SYS1.LOCALN.PAGE.DATA FOUND ON VOLUME ZDPAGN. Option ===> Scroll ===> CSR



The Sysplex-‐Image Findings Timeline also supports the display of Image Configuration Differences that were detected during Background Processing. Note: in the Timeline Worksheet, under the heading ‘CNG’ – ‘Nop’ means no changes were found, ‘Yes’ means change(s) were found, ‘Unk’ means the change detection process encountered a problem. If a Change is noted – ‘Yes’ – cursor under or enter the ‘C’ Row Command and press enter to select. If the Packages/Baselines are still available, the Compare Confirmation Panel is displayed. If either or both are not available, a Message(s) is displayed to that effect. Examine the Old and New IPL Parameters to determine if the configurations of the entities about to be compared make logical sense based on user-‐specific knowledge. If they do, press enter to continue. Compare Confirmation IFO 11.0 - Compare Confirmation Selected Package DSN: IFO.TEST.PACKAGE.IMAG0001 VOL: Now confirm the IPL Parms of your selections. If the old and New are different systems this compare function may not detect change. ----- Old IPL Parameters ----- ----- New IPL Parameters ----- DATE: 06/06/14 DATE: 06/16/14 IMAGE NAME: IMAG0001 IMAGE NAME: IMAG0001 IPL ADDRESS: 0A80 IPL ADDRESS: 0A80 LOAD PARM: 0A82XA.. LOAD PARM: 0A82XB.. SYSCATxx SUFFIX: SYSCATxx SUFFIX: IEASYSxx SUFFIX: IEASYSxx SUFFIX: HWNAME: HWNAME: LPARNAME: LPARNAME: VMUSERID: VMUSERID: Now Press Enter to begin comparing the Old and New IPL Parameters. Option ===>



Once the Package/Baseline comparison is competed, the Image Comparison Summary is displayed. Note that items that have changed are flagged in the STATUS column as ‘* DIFFERENT*’. Those configuration components that are not in one configuration or the other are flagged as ‘* MISSING *’. Selecting an Element/Member with an ‘S’ will show detail. Image Comparison Summary IFO 11.0 - Image Comparison Summary Row 1 to 15 of 67 Line Commands: S - Compare Details BN - Browse New EN - Edit New BO - Browse Old EO - Edit Old CMD MEMBER STATUS VOLUME DSNAME .. LOADXB SAME ZDSYS1 SYS1.IPLPARM .. NUCLST00 SAME ZDSYS1 SYS1.IPLPARM .. IEASYMXB SAME ZDSYS1 USER.PARMLIB .. IEASYS00 SAME ZDRES1 ADCD.Z113.PARMLIB .. IEASYSWS SAME ZDSYS1 USER.PARMLIB .. IEASYSXB SAME ZDSYS1 USER.PARMLIB .. IEASVC00 SAME ZDRES1 ADCD.Z113.PARMLIB .. PROG01 * DIFFERENT * ZDSYS1 USER.PARMLIB .. IEAFIX00 SAME ZDRES1 ADCD.Z113.PARMLIB .. IEALPA00 SAME ZDSYS1 USER.PARMLIB .. IEAPAK00 SAME ZDRES1 ADCD.Z113.PARMLIB .. LPALST01 SAME ZDSYS1 USER.PARMLIB .. DIAG00 SAME ZDSYS1 USER.PARMLIB .. IEAABD00 SAME ZDRES1 ADCD.Z113.PARMLIB .. IEADMP00 SAME ZDRES1 ADCD.Z113.PARMLIB COMMAND ===> SCROLL ===> PAGE



5.2 Packages - Image Baseline Configurations

During a Background Inspection, if a change from a prior stored Package/Baseline configuration of named Images in the Syplex is detected, a new Package/Baseline will be stored. An exception to this default processing behavior is possible if the background is configured to ignore the creation of a new Package/Baseline when the Image Inspection detects a configuration error. The Package/Baseline Operations Panel supports options that allow you to access, display, and compare available Packages/Baselines. The Baseline Package Operations Panel IFO 11.0 - Baseline Package Operations P Packages .. - List/Browse Available Packages Userid - PROBI1 Time - 11:48 I ICompare .. - Compare one Image to a Baseline Sysplex - ADCDPL System - ADCD113 O OneToOne .. - Compare One Image to Any Image IFOhlq - TEST Image Focus 11.0 D DshBoard .. - Local Sysplex Image Change Summary Patch Level P5 A AllPlexs .. - Images Changes - Local and Remote X Exit - Return to the TCE Primary Menu NewEra Software, Inc. Our Job? Help you make repairs, avoid problems, and improve IPL integrity. Option ===>



5.2.1 Classic View of Package Operations

Selecting the ‘Packages’, ‘ICompare’ and ‘OneToOne’ options, will show the Classic View of the Packages/Baselines: Packages – Stored Package – Browse Panel IFO 11.0 - Stored Package - Browse Row 1 to 3 of 3 Image Package Index Dataset: IFO.TEST.PACKAGE.INDEX VOLSER: LVWRKA Using the Selection List that follows, select a System Image by Name. Then from the displayed Panel, by Date to Browse Image Configuration. Line Command: S - Select a System Image CMD IMAGE VOLUME DATE DSNAME .. IMAG0001 LVWRKB 2014/03/03 IFO.TEST.PACKAGE.IMAG0001 .. IMAG0004 LVWRKB 2014/03/03 IFO.TEST.PACKAGE.IMAG0004 .. IMAG0005 LVWRKB 2014/03/03 IFO.TEST.PACKAGE.IMAG0005 ******************************* Bottom of data ********************************

ICompare -‐ Select “NEW” and “OLD” Package – Same Image for Comparison IFO 11.0 - Select "NEW" Package Row 1 to 9 of 9 Selected Package DSN: IFO.TEST.PACKAGE.IMAG0001 VOL: LVWRKB The Package you select from this List will be labeled the New Package. The one selected from the next panel will be labeled the Old Package. Line Commands: S - Select a Package Date CMD Date Result .. 05/30/14 W .. 06/02/14 W .. 06/03/14 W .. 06/04/14 W .. 06/04/14 W .. 06/05/14 W .. 06/06/14 W .. 06/16/14 W .. 06/26/14 W ******************************* Bottom of data ********************************



OneToOne -‐ Stored Package – Step One -‐ Cross Compare

IFO 11.0 - Stored Package - Cross Compare Row 1 to 3 of 3 Image Package Indes Dataset: IFO.TEST.PACKAGE.INDEX VOLSER: LVWRKA From the Selection Listing shown below select TWO Images for Comparison. The one on top will be labeled "New" Image the one below as "OLD" Image. Line Command: S - Select a System Image CMD SELECT IMAGE VOLUME DATE DSNAME .. IMAG0001 LVWRKB 2014/03/03 IFO.TEST.PACKAGE.IMAG0001 S. SEL IMAG0004 LVWRKB 2014/03/03 IFO.TEST.PACKAGE.IMAG0004 .. IMAG0005 LVWRKB 2014/03/03 IFO.TEST.PACKAGE.IMAG0005 ******************************* Bottom of data ********************************

OneToOne -‐ Stored Package – Step Two – Cross Compare -‐ Select TWO Image Packages

IFO 11.0 - Select TWO Image Packages Select ONE Package Date from each Selected Image and press ENTER Old = IMAG0005 New = IMAG0004 CMD Date Result CMD Date Result .. 06/16/14 W FB .. 05/30/14 W FB .. 06/26/14 W FB .. 06/02/14 W FB BOTTOM .. 06/03/14 W FB .. 06/04/14 W FB .. 06/04/14 W FE .. 06/05/14 W FB .. 06/06/14 W FB .. 06/16/14 W FB .. 06/26/14 W FB BOTTOM

For the Package/Baseline Display and Compare Panels shown above use PFK1 for Panel specific Help.

5.2.2 Enhanced Package Processing Options Selecting either the ‘DshBoard’ or ‘AllPlexs’ options provides access to unique Package/Baseline content display options and reports. Ultimately, both the ‘DshBoard’ and ‘AllPlexs’ options provide the same displays and reports. They differ only in that the ‘DshBoard’ option is specific to the running Cluster and its Image Definition while the ‘AllPlexs’ option allows you to define ‘Remote Cluster’ affording access to all – Local and Remote – Image Configuration Package/Baselines and related Changes. Selecting the ‘DshBoard’ will display the Image Configuration Change Summary. This Summary will only show Background Intervals when an Image Configuration Change was detected. An exception to this default processing behavior is possible if the background is configured to ignore the creation of a new Package/Baseline when the Image Inspection detects a configuration error. Note that the column headed “-‐Date-‐Time-‐



Chngs-‐“ reflects the Data and Time when a change was last detected for the associated Image. The Timeline Reports and Interactive Worksheets detail a more “Global View” showing ALL Background Events regardless of whether or not an Image Configuration Change was detected during a Background Interval. Note that because of the ‘High Level’ of summarization presented, there may be some delay in panel display. Following initial usage, and assuming frequent usage, there should be no noticeable delay. Panel-‐Specific Help is available by pressing PFK1.

DshBoard -‐ Image Configuration Change Summary Panel IFO 11.0 - Image Configuration Change Summary Row 1 to 9 of 9 --NSIMBLX 0621-- ---IFOPackages--- ---------------- Environment is IFO.TEST - 6 Background Images ---------------- Row Selections: Shows_Package_Timeline_Report Display_Package_Creation_Timeline - Row -----Last Inspection Findings------ Your ---------Period to Date--------- S Num -Target- -Images- -Date-Time-Chngs- News Days Week Mths Qtrs Years Totals _ 001 PROD0001 IMAG0001 14/06/26-00:02-Y- 0 0 0 0 31 31 38 _ 002 PROD0001 IMAG0002 14/04/17-17:46-Y- 0 0 0 0 19 19 20 _ 003 PROD0001 IMAG0003 14/04/17-17:46-Y- 0 0 0 0 24 24 25 _ 004 PROD0001 IMAG0004 14/06/26-00:02-Y- 0 0 0 0 10 10 10 _ 005 PROD0001 IMAG0005 14/06/26-00:02-Y- 0 0 0 0 1 1 7 _ 006 PROD0001 IMAG0006 13/05/21-13:31-Y- 0 0 0 0 0 0 6 _ 007 -------- -------- ----------------- ---- ---- ---- ---- ---- ----- ------ _ 008 Available_Package 0 0 0 0 85 85 106 _ 009 ======== ======== ================= ==== ==== ==== ==== ==== ===== ====== ******************************* Bottom of data ******************************** Option ===> Scroll ===> CSR



The Image Change Timeline Report is an overview of all Background Events for a selected Image showing both Sysplex and Image Findings. Image Findings include the Member Names of the Old and New Package/Baselines and an indicator – Some or None – to denote configuration changes. The ‘Fnd’ column matches Configuration Changes and Image Inspection Findings at the same Background Interval.

/******************************************************************************/ /* */ /* Background Inspection Findings - Image Change Timeline Detail */ /* Sysplex - PROD0001 - Image - IMAG0001 */ /* Date:2014/07/01 - Time:14:37:54 - User:PROBI1 */ /* */ /******************************************************************************/ Row --Sysplex Findings--- -------Intervals------- ------Image Findings------ Num ProdName Fnd --Name-- yyyy/mm/dd hh:mm:ss Eml -OldPak- -NewPak- Diff Fnd --- -------- --- -------- ---------- -------- --- -------- -------- ---- --- 001 PROD0001 Err BDCD113 2014/07/01 07:02:53 --- F140626B -------- None War 002 PROD0001 Err BDCD113 2014/06/30 23:15:55 --- F140626B -------- None War 003 PROD0001 Err BDCD113 2014/06/30 00:10:09 --- F140626B -------- None War 004 PROD0001 Err BDCD113 2014/06/29 00:08:22 --- F140626B -------- None War 005 PROD0001 Err BDCD113 2014/06/28 00:06:34 --- F140626B -------- None War 006 PROD0001 Err BDCD113 2014/06/27 00:04:52 --- F140626B -------- None War 007 PROD0001 Not BDCD113 2014/06/26 00:02:52 --- F140616B F140626B Some War 008 PROD0001 Err BDCD113 2014/06/24 08:06:46 --- F140616B -------- None War

The Package Creation Timeline is a worksheet-‐based, interactive version of the Image Change Timeline Report.

The Sysplex-‐Image Findings Timeline IFO 11.0 - Configuration Change Timeline Row 1 to 15 of 80 --NSIMBLX 0621-- -Events Timeline- ------------ Sysplex:PROD0001 Image:IMAG0001 - 80 Background Events ----------- Row Selections: Sysplex_Inspection Image_Configuration_Changes Image_Inspection - Rows --Sysplex Findings--- -------Intervals------- ------Image Findings------ _ ____ ________ ___ ________ __________ ________ ___ ________ ________ ____ ___ S Numb ProdName Fnd --Name-- yyyy/mm/dd hh:mm:ss Eml -OldPak- -NewPak- Diff Fnd _ 0001 PROD0001 Err BDCD113 2014/07/01 07:02:53 --- F140626B -------- None War _ 0002 PROD0001 Err BDCD113 2014/06/30 23:15:55 --- F140626B -------- None War _ 0003 PROD0001 Err BDCD113 2014/06/30 00:10:09 --- F140626B -------- None War _ 0004 PROD0001 Err BDCD113 2014/06/29 00:08:22 --- F140626B -------- None War _ 0005 PROD0001 Err BDCD113 2014/06/28 00:06:34 --- F140626B -------- None War _ 0006 PROD0001 Err BDCD113 2014/06/27 00:04:52 --- F140626B -------- None War _ 0007 PROD0001 Not BDCD113 2014/06/26 00:02:52 --- F140616B F140626B Some War _ 0008 PROD0001 Err BDCD113 2014/06/24 08:06:46 --- F140616B -------- None War _ 0009 PROD0001 Err BDCD113 2014/06/23 23:59:01 --- F140616B -------- None War _ 0010 PROD0001 Err BDCD113 2014/06/22 23:57:18 --- F140616B -------- None War _ 0011 PROD0001 Not BDCD113 2014/06/21 23:55:37 --- F140616B -------- None War _ 0012 PROD0001 Err BDCD113 2014/06/20 23:53:33 --- F140616B -------- None War _ 0013 PROD0001 Not BDCD113 2014/06/20 09:49:02 --- F140616B -------- None War _ 0014 PROD0001 Not BDCD113 2014/06/19 09:47:19 --- F140616B -------- None War _ 0015 PROD0001 Err BDCD113 2014/06/19 09:40:30 --- F140616B -------- None War Option ===> Scroll ===> CSR

Take note that this display, like the Timeline report, is a Historical Record of Background Events. Depending on your Cluster and Package/Baseline Retention policy, it is possible that older Clusters and Configuration Baselines may have been deleted. In such cases, a



Pop-‐Up message is displayed indicating that the Cluster and/or Package/Baseline member is no longer available.

This Worksheet supports three Row Commands, each of which displays additional finding details – Sysplex Inspection, Image Configuration Changes, Image Inspections. The fields in White are ‘Point-‐and-‐Shoot’ sensitive. Panel-‐Specific Help is available by pressing PFK1. Sysplex Inspection: The Sysplex Inspection is extracted directly from the selected Report Cluster and is displayed in Worksheet format. The results of the Inspection are shown in the first Row of the Worksheet. To show all Inspection Records matching the overall Finding, cursor under the ‘Fnd’ Field shown in that row and press enter. Cursor under the ‘Fnd’ Field and press enter to re-‐expand the worksheet. Panel-‐Specific Help is available by pressing PFK1. Sysplex Inspection Worksheet IFO 11.0 - Sysplex Inspection Findings Row 1 to 14 of 154 --NSIMBLX 0621-- --Sysplex Detail-- -------------- Sysplex:PROD0001 - 154 Sysplex Inspection Records -------------- Row Selection: Full_Sysplex_Inspection --- To Sort select a Sub-Head, To Query enter above Sub-Head, PFK1 for Help --- - Count --Results-- ------------------Inspection Message Text------------------ _ _____ _______ ___ ___________________________________________________________ S -Rec- --Key-- Fnd ------------------------UnFiltered------------------------- _ 00001 IFO0999 ERR REPORT FOR SYSPLEX PROD0001 ENDED WITH ERRORS. _ 00002 IFO1003 AOK SYSPLEX INSPECTION REPORT. _ 00004 IFO1000 AOK BACKGROUND EXECUTION ON 07/01/2014 AT 07:02:53. _ 00005 IFO0000 AOK REPORT DATASET: 'IFO.TESTBG.REPORT.D2014182.T0701408'. _ 00006 IFO1008 AOK PACKAGE INDEX DATASET: 'IFO.TEST.PACKAGE.INDEX'. _ 00007 IFO1539 AOK MULTISYSTEM TYPE SELECTED DUE TO MULTIPLE IMAGES DEFINED. _ 00008 IFO1500 AOK PROCESSING IMAGE NUMBER 1. _ 00009 IFO1501 AOK OPSYS INSPECTION COMPLETED WITH WARNINGS. _ 00010 IFO1502 AOK SYSPLEX=ADCDPL; SYSNAME=BDCD113; SYSCLONE=XB. _ 00011 IFO1503 AOK IPLUNIT=0A80; IODFUNIT=0A82; LOADPARM=0A82XB... _ 00012 IFO1504 AOK PLEXCFG=ANY; GRS=STAR; ETRMODE=YES; STPMODE=NO; SIMETRID=0 _ 00013 IFO1548 AOK BPXPRM SYSPLEX=NO. _ 00014 IFO1544 AOK ASSOCIATED SYSTEM INFORMATION. _ 00015 IFO1545 AOK NO ASSOCIATED IPL INFORMATION AVAILABLE. Option ===> Scroll ===> CSR

Image Configuration Changes: The Package Creation Timeline displays a listing of all available Image Inspection Background Events and related Package/Baseline Activity. Take note: when a change is detected, you will find both an ‘Old’ Package/Baseline Member and a ‘New’ Package/Baseline Member accompanied by the notation ‘Some’ in the ‘Diff’ column. Cursor under a Package/Baseline Member, press enter to display its contents. If a Change is noted, cursor under the ‘Time Stamp’ or enter the ‘C’ Row Command and press enter. If the Package/Baseline Members are still available, the Compare Confirmation Panel is displayed. If either or both Members are not available, a Message(s) is displayed to that effect.



Examine the Old and New IPL Parameters to determine if the configurations of the entities about to be compared make logical sense based on user-‐specific knowledge. If they do, press enter to continue. Compare Confirmation IFO 11.0 - Compare Confirmation Selected Package DSN: IFO.TEST.PACKAGE.IMAG0001 VOL: Now confirm the IPL Parms of your selections. If the old and New are different systems this compare function may not detect change. ----- Old IPL Parameters ----- ----- New IPL Parameters ----- DATE: 06/06/14 DATE: 06/16/14 IMAGE NAME: IMAG0001 IMAGE NAME: IMAG0001 IPL ADDRESS: 0A80 IPL ADDRESS: 0A80 LOAD PARM: 0A82XA.. LOAD PARM: 0A82XB.. SYSCATxx SUFFIX: SYSCATxx SUFFIX: IEASYSxx SUFFIX: IEASYSxx SUFFIX: HWNAME: HWNAME: LPARNAME: LPARNAME: VMUSERID: VMUSERID: Now Press Enter to begin comparing the Old and New IPL Parameters. Option ===>

Once the Package/Baseline comparison is compeleted, the Image Comparison Summary is displayed. Note, items that have changed are flagged in the Status Column as ‘* DIFFERENT *’. Those configuration components that are not in one configuration or the other will be flagged as ‘* MISSING *’. Selecting an Element/Member with an ‘S’ will show detail. Image Comparison Summary IFO 11.0 - Image Comparison Summary Row 1 to 15 of 67 Line Commands: S - Compare Details BN - Browse New EN - Edit New BO - Browse Old EO - Edit Old CMD MEMBER STATUS VOLUME DSNAME .. LOADXB SAME ZDSYS1 SYS1.IPLPARM .. NUCLST00 SAME ZDSYS1 SYS1.IPLPARM .. IEASYMXB SAME ZDSYS1 USER.PARMLIB .. IEASYS00 SAME ZDRES1 ADCD.Z113.PARMLIB .. IEASYSWS SAME ZDSYS1 USER.PARMLIB .. IEASYSXB SAME ZDSYS1 USER.PARMLIB .. IEASVC00 SAME ZDRES1 ADCD.Z113.PARMLIB .. PROG01 * DIFFERENT * ZDSYS1 USER.PARMLIB .. IEAFIX00 SAME ZDRES1 ADCD.Z113.PARMLIB .. IEALPA00 SAME ZDSYS1 USER.PARMLIB .. IEAPAK00 SAME ZDRES1 ADCD.Z113.PARMLIB .. LPALST01 SAME ZDSYS1 USER.PARMLIB .. DIAG00 SAME ZDSYS1 USER.PARMLIB .. IEADMP00 SAME ZDRES1 ADCD.Z113.PARMLIB COMMAND ===> SCROLL ===> PAGE



Image Inspection: The Package Creation Timeline also supports the display of Image Inspections. The Inspection of a selected Image is broken down into a number of discrete elements. An Inspection Element may be selected from this panel by placing ‘S’ on the Entry Point that precedes the element name or by cursoring under the name and pressing enter. Take note of the Date and Time of the Inspection and the IPL Inspection Parameters used.

Inspection Elements Selection Panel IFO 11.0 - Image Inspection Element Selection Sysplex: PROD0001 Image: IMAG0001 - Date: 2014/07/01 Time: 07:02 -- .. Findings ---------IPL Inspection Parameters--------- .. View Log -- IPL Unit Address 0A80 Add'L COMMANDxx -- LOAD PARM 0A82XB.. Hardware Name --NONE-- SYSCAT Suffix -- LPAR Name --NONE-- IEASYS00 Suffix -- VM UserId --NONE-- -- .. AuditLog -------OS and Sub-System Inspections------- .. Diff:Nop -- .. ZOS -WN 7623 z/OS Configuration .. JES --- 980 JES2/3 Procedures .. HCK --- 105 IBM HealthChecker .. VTM --- 1579 VTAM Members .. TCP --- 67 TCP/IP Components .. CIC Off 4 CICS SIT Files -- .. IEASYSxx ---Supplemental Inspections and Analysis--- .. PPTables -- .. LOD Off 4 Load Module Analysis .. MBR Off 4 Member Analysis .. CSD Off 4 CICS CSDS Dataset .. APF 032 41 APF Authorized DS .. DSN 097 535 System IPL Datasets .. VOL 013 119 System IPL Volumes Option ===>

‘Findings’ should likely be your first selection when reviewing Inspection Results. This function provides a summary of all Inspection Messages of interest, as they are found in a filtered state within the report. Inspection Findings – Image Inspection Message Summary IFO 11.0 - Image Inspection Message Summary Row 1 to 6 of 6 --NSIMBLX 0621-- -Messages Summary- -------------------- Overall Image Inspection Findings - 6 -------------------- Row Selection: Show_Image_Inspection_Detail - Rec --Inspection Result-- - ------------Inspection Message Text-------------- _ ___ ___ _____ _______ ___ _ _________________________________________________ S Num Typ -Rec- --Key-- Rsl F --------------------Filtered--------------------- _ 001 ZOS 00171 IFO0651 AOK < CMB= IGNORED/REAL IPL OF Z990/NEWER CPC. _ 002 ZOS 00226 IFO0651 AOK < CMB= IGNORED/REAL IPL OF Z990/NEWER CPC. _ 003 ZOS 00307 IFO0443 WAR - PAGE: DUPLICATE DATASETS DETECTED. _ 004 ZOS 00487 IFO0769 WAR > IFO.DEVL.LOAD/VOL LVWRKA NOT FOUND. _ 005 ZOS 00488 IFO2100 NOT - APF DATASETS DOES NOT EXIST. _ 006 ZOS 02997 IFO2102 NOT - LNKAUTH=LNKLST WAS SPECIFIED. ******************************* Bottom of data ********************************

The ‘<’ and ‘>’ indicators are used to denote whether an inspection message severity has been ‘promoted’ or ‘demoted’ by message filters found in the NSEMSG00 Configuration Member.



Selecting a message with the ‘S’ Row Command will display the Image Inspection Findings Worksheet. This Worksheet contains the ‘Full Inspection’ of the selected Image. The first line displayed in the worksheet is the point in the Inspection Report where the selected message appears. From this point you may scroll up/down as needed to display its content. This will help you to gain a full understanding of actions that may have preceded or followed the selected message. Panel-‐Specific Help is available by pressing PFK1. Inspection Findings – Image Inspection Findings IFO 11.0 - Image Inspection Findings Row 307 to 320 of 7,614 --NSIMBLX 0621-- --Sysplex Detail-- -------------- Sysplex:PROD0001 - 7614 Sysplex Inspection Records ------------- Row Selection: Full_Domain_Inspection --- To Sort select a Sub-Head, To Query enter above Sub-Head, PFK1 for Help --- - Count --Results-- ------------------Inspection Message Text------------------ _ _____ _______ ___ ___________________________________________________________ S -Rec- --Key-- Fnd ------------------------UnFiltered------------------------- _ 00307 IFO0443 WAR PAGE: DUPLICATE DATASETS DETECTED. _ 00308 IFO0998 AOK SYS1.PLPA1.PAGE.DATA FOUND ON VOLUME ZDPAGM. _ 00309 IFO0757 AOK 1 DASD EXTENTS. _ 00310 IFO0138 AOK ALLOCATING SYS1.PLPA1.PAGE.DATA; VOL=ZDPAGM. _ 00311 IFO0151 AOK ALLOCATED TO SYS00011. _ 00312 IFO0998 AOK SYS1.COMMON1.PAGE.DATA FOUND ON VOLUME ZDPAGM. _ 00313 IFO0757 AOK 1 DASD EXTENTS. _ 00314 IFO0138 AOK ALLOCATING SYS1.COMMON1.PAGE.DATA; VOL=ZDPAGM. _ 00315 IFO0151 AOK ALLOCATED TO SYS00012. _ 00316 IFO0998 AOK SYS1.LOCALM.PAGE.DATA FOUND ON VOLUME ZDPAGM. _ 00317 IFO0757 AOK 1 DASD EXTENTS. _ 00318 IFO0138 AOK ALLOCATING SYS1.LOCALM.PAGE.DATA; VOL=ZDPAGM. _ 00319 IFO0151 AOK ALLOCATED TO SYS00013. _ 00320 IFO0998 AOK SYS1.LOCALN.PAGE.DATA FOUND ON VOLUME ZDPAGN. Option ===> Scroll ===> CSR



5.3 BatIRpts - BatchJob Inspection Findings

BatIRpts – BatchJob Inspection Findings is a new option of ‘ProdView’. This function set allows users of IFOBAT, IFOBATA and IFOBATS to define Report Datasets for each Batch Process using a unique Image/LPAR name. The content of these Report Datasets may be accessed using a set of interactive reporting tools. Panel-‐Specific Help is available by pressing PFK1.

The Batch Access Setup & Selection Panel IFO 11.0 - Batch Access Setup & Selection Row 1 to 7 of 7 --NSIMBLX 0621-- --Batch Targets-- -------------- Background Processing - 7 Batch Setups are Defined ------------- Row Selection: Show_Domain_Summary Add_Targeted_Dataset Remove_Targeted_Dataset --- To Sort select a Sub-Head, To Query enter above Sub-Head, PFK1 for Help --- - Row ---Defined Targeted Datasets--- -System- ----Last Reporting Intervals---- _ ___ _______________________________ ________ ___ __________ _____ ___________ S Num -------Dataset Qualifier------- -Images- Fnd yyyy/mm/dd hh:mm -Your News- _ 001 IFO.TEST.IFOBATA_______________ ADCD113 Err 2014/06/23 09:05 Image_Found _ 002 IFO.TEST.IFOBATS_______________ ADCD113 War 2014/06/23 09:06 Image_Found _ 003 IFO.TEST.IFOBAT________________ PAUL0A War 2014/06/13 23:50 Image_Found _ 004 IFO.TEST.IFOBAT________________ PAUL0B War 2014/06/14 23:50 Image_Found _ 005 IFO.TEST.IFOBAT________________ PAUL0C War 2014/06/12 23:50 Image_Found ******************************* Bottom of data ********************************

See ‘Appendix – Sample Batch Procedures’ for revised procedure set up requirements for IFOBAT, IFOBATA and IFOBATS.

5.3.1 Defining the Batch Report Qualifier This Panel allows you to Add and Remove Batch Dataset Qualifiers. Note that while the fully qualified Report Dataset name is used to store the report – which includes the Batch Process name and the LPAR/Image name – only the report qualifier up to the LPAR/Image name is required when adding a new qualifier. Any and all LPAR/Images will be added automatically with their names appearing in the ‘Images’ Column. A Global Findings Indicator – Err, War, Not, Aok – and the date and time of the last report are shown.

5.3.2 Enhanced Batch Reporting The Domain Summary shows the results of the Image Inspection. Inspected Members and Critical Configuration Components are displayed as Domains. By default, Inspection results are ordered by domain ‘As they occur’ in the IPL Process. However, results can be grouped by Inspection Result by placing the cursor under a value -‐ ERR, WAR, NOT, AOK -‐ in the ‘Rsl’ field, and pressing enter. Cursor under the ‘Rsl’ value and press enter to return to the prior sort order. Panel-‐Specific Help is available by pressing PFK1.



Image Findings – Domain Summary IFO 11.0 - Image Findings - Domain Summary Row 2 to 15 of 45 --NSIMBLX 0621-- ---Inspections--- ---------- Sysplex:ADCDPL Image:ADCD113 Date:2014/06/23 Time:09:06:37 --------- Row Selection: Show_Domain_Inspection_Detail TCE_Control_Journal_Member_History --- To Sort select a Sub-Head, To Query enter above Sub-Head, PFK1 for Help --- - Rec -Inspections- ---Last Update--- -------------Source ParmLib-------------- _ ___ ___ ______ __ ________ ________ __________________________________ ______ S Num Rsl Domain Sx --User-- --Date-- -----------Dataset Names---------- Volume _ 002 AOK NUCLST 00 IBMUSER 09/05/11 SYS1.IPLPARM ZDSYS1 _ 003 AOK IEANUC 01 -------- --:--:-- SYS1.NUCLEUS ZDRES1 _ 004 AOK IEANUC 21 -------- --:--:-- SYS1.NUCLEUS ZDRES1 _ 005 AOK SCATDS -- -------- --:--:-- -----non_specific----- ------ _ 006 AOK IODFDS -- -------- --:--:-- -----non_specific----- ------ _ 007 AOK PARMDS -- -------- --:--:-- -----non_specific----- ------ _ 008 WAR IEASYS XA ADCDMST 13/02/25 USER.PARMLIB ZDSYS1 _ 009 AOK IEASVC 00 IBMUSER 11/12/04 ADCD.Z113.PARMLIB ZDRES1 _ 010 WAR PROG 01 ADCDMST 14/05/17 USER.PARMLIB ZDSYS1 _ 011 AOK IEAFIX 00 IBMUSER 11/12/04 ADCD.Z113.PARMLIB ZDRES1

Options available allow you to show a segment of the full Inspection Report that pertains to a specific Domain, or to present the History of Member Changes captured and recorded by The Control Editor if licensed and available. The Selected Domain -‐ Detail Worksheet IFO 11.0 - Selected Image Domain - IEASYSXA Row 1 to 14 of 66 --NSIMBLX 0621-- --Domain Detail-- --------------- Sysplex:ADCDPL Image:ADCD113 - 66 Domain Records -------------- Row Selection: Full_Domain_Inspection --- To Sort select a Sub-Head, To Query enter above Sub-Head, PFK1 for Help --- - Count --Results-- ------------------Inspection Message Text------------------ _ _____ _______ ___ ___________________________________________________________ S -Rec- --Key-- Fnd ------------------------UnFiltered------------------------- _ 00001 IFO0935 AOK SEARCHING FOR IEASYSXA MEMBER. _ 00002 IFO0940 AOK IEASYSXA FOUND IN PARMLIB(0) VOL=ZDSYS1;DSN=USER.PARMLIB. _ 00003 IFO0675 AOK IEASYSXA LAST CHANGED DATE=2013/02/25 TIME=06:48:16 USER=A _ 00004 IFO0923 AOK IEASYSXA MEMBER CONTENTS ARE AS FOLLOWS: _ 00005 |----+----1----+----2----+----3---TOP OF MEMBER---5----+--- _ 00006 |CLOCK=X1, _ 00007 |CMD=XA, _ 00008 |CON=(XA,NOJES3), _ 00009 |COUPLE=X1, _ 00010 |GRS=STAR _ 00011 |----+----1----+----2----+----3-BOTTOM OF MEMBER--5----+--- _ 00012 | _ 00013 | _ 00014 IFO0717 AOK CHECKING DATASETS DEFINED IN IEASYSXX. _ 00015 | _ 00016 IFO0718 AOK SEARCHING FOR LOGREC DATASET(S). _ 00017 IFO0998 AOK SYS1.LOGREC FOUND ON VOLUME ZDSYS1. _ 00018 IFO0757 AOK 1 DASD EXTENTS. _ 00019 IFO0138 AOK ALLOCATING SYS1.LOGREC; VOL=ZDSYS1. _ 00020 IFO0151 AOK ALLOCATED TO SYS00009. _ 00021 | _ 00022 IFO0718 AOK SEARCHING FOR PAGE DATASET(S). _ 00023 IFO0443 WAR PAGE: DUPLICATE DATASETS DETECTED. _ 00024 IFO0998 AOK SYS1.PLPA.PAGE.DATA FOUND ON VOLUME ZDPAGA. _ 00025 IFO0757 AOK 1 DASD EXTENTS. _ 00026 IFO0138 AOK ALLOCATING SYS1.PLPA.PAGE.DATA; VOL=ZDPAGA.



This Worksheet shows Member Records and Inspection Messages related to the Domain Inspection. The Full Inspection Report is displayed when the ‘F’ Row Selection Command is used. Panel-‐Specific Help is available by pressing PFK1.

5.3.3 Access The Control Editor

When The Control Editor is active, the History of a Member is displayed by placing a ‘T’ on the Row Selection Entry Point and pressing enter. TCE Journal – Member History – ‘Full History’ Worksheet IFO 11.0 - TCE Journal - Member History Row 1 to 14 of 19 --NSIMBLX 0621-- --Dataset/Member-- ----------------- IFO.IFOP - Controlled Member Events - PROG01 ---------------- Row Selection: Show_TCE_Journal_History Browse_the_TCE_Journal_Record --- To Sort select a Sub-Head, To Query enter above Sub-Head, PFK1 for Help --- - Line -------Detected Events-------- -----------Controlled Dataset------------ _ _____ ________ _____ _____ ________ ________ ________________________________ S Lines yy/mm/dd hh:mm Types --User-- -Member- -------Controlled Dataset------- _ 00001 14/06/25 07:00 DTCNG PHARL2 PROG01 USER.PARMLIB _ 00002 14/05/14 13:05 DELET -NoUser- PROG01 PHARL2.PARMLIBC _ 00003 14/05/17 07:00 DTCNG ADCDMST PROG01 USER.PARMLIB _ 00004 14/05/22 07:00 DTCNG GBAGS1 PROG01 GBAGS1.PARMLIB5 _ 00005 14/05/10 04:00 DTCNG GBAGS1 PROG01 GBAGS1.PARMLIB5 _ 00006 14/05/01 12:48 ATMPT PHARL3 PROG01 Attempted_Update_Failed _ 00007 14/05/01 12:48 CEDIT PHARL2 PROG01 USER.PARMLIB _ 00008 14/05/01 12:48 CEDIT PHARL3 PROG01 USER.PARMLIB _ 00009 14/05/01 12:48 DEBUG PHARL3 PROG01 Email_(______)_Trace_(12:48:52) _ 00010 14/05/01 12:48 ENOTE PHARL3 PROG01 Event_(______)_Notification _ 00011 14/05/06 10:38 ADDED -NoUser- PROG01 PHARL2.PARMLIB _ 00012 14/05/06 10:38 DELET PHARL3 PROG01 PHARL2.PARMLIBC _ 00013 14/05/06 14:12 ADDED -NoUser- PROG01 PHARL2.PARMLIBC _ 00014 14/05/06 14:16 DELET -NoUser- PROG01 PHARL2.PARMLIBC

This Worksheet shows the ‘Full History’ of all actions related to a selected member. To delimit the listing to a specific Controlled Dataset, cursor under the Dataset Name and press enter. TCE Journal – Member History – ‘Dataset History’ Worksheet IFO 11.0 - TCE Journal - Member History Row 1 to 4 of 4 --NSIMBLX 0621-- --Dataset/Member-- ----------------- IFO.IFOP - Controlled Member Events - PROG01 ---------------- Row Selection: Show_TCE_Journal_History Browse_the_TCE_Journal_Record --- To Sort select a Sub-Head, To Query enter above Sub-Head, PFK1 for Help --- - Line -------Detected Events-------- -----------Controlled Dataset------------ _ _____ ________ _____ _____ ________ ________ USER.PARMLIB____________________ S Lines yy/mm/dd hh:mm Types --User-- -Member- -------Controlled Dataset------- _ 00001 14/06/25 07:00 DTCNG PHARL2 PROG01 USER.PARMLIB _ 00003 14/05/17 07:00 DTCNG ADCDMST PROG01 USER.PARMLIB _ 00007 14/05/01 12:48 CEDIT PHARL2 PROG01 USER.PARMLIB _ 00008 14/05/01 12:48 CEDIT PHARL3 PROG01 USER.PARMLIB ******************************* Bottom of data ********************************

This will redisplay the list showing only those events associated with the selected Dataset. Panel-‐Specific Help is available by pressing PFK1.



6 WorkView – Image FOCUS Workbench

6.1 Dynamic Change Audit - Summary

IFO 11.0 - Dynamic Change Audit Summary Row 1 to 5 of 5 Line Commands: S - Compare Details BN - Browse Running System BO - Browse Inspection CMD MEMBER STATUS COMPARE POINTS .. LNKLST SAME *LNKLST* .. APFLST SAME *APFLST* .. LPALST * DIFFERENT * *DYNLPA* .. SYMLST SAME *SYMLST* .. BPXLST * DIFFERENT * *BPXPRM* ******************************* Bottom of data ********************************

6.1.1 BPXPRM Dynamic Changes

By Placing an S to do a Compare Details: BROWSE SYS14198.T113451.RA000.TESTS.R0103311 Line 00000000 Col 001 080 ********************************* Top of Data ********************************** ISRSUPC - MVS/PDF FILE/LINE/WORD/BYTE/SFOR COMPARE UTILITY- ISPF FOR z/OS NEW: SYS14198.T113451.RA000.TESTS.R0103310(BPXLST) OLD: SYS14198.T1134 LISTING OUTPUT SECTION (LINE COMPARE) ID SOURCE LINES ----+----1----+----2----+----3----+----4----+----5----+----6----+----7----+- I - IPCSHMMPAGES 131072 D - IPCSHMMPAGES 25600 .DEF ISRSUPC - MVS/PDF FILE/LINE/WORD/BYTE/SFOR COMPARE UTILITY- ISPF FOR z/OS NEW: SYS14198.T113451.RA000.TESTS.R0103310(BPXLST) OLD: SYS14198.T1134 LINE COMPARE SUMMARY AND STATISTICS 32 NUMBER OF LINE MATCHES 1 TOTAL CHANGES (PAIRED+NONPAIRED 0 REFORMATTED LINES 1 PAIRED CHANGES (REFM+PAIRED INS 1 NEW FILE LINE INSERTIONS 0 NON-PAIRED INSERTS 1 OLD FILE LINE DELETIONS 0 NON-PAIRED DELETES 33 NEW FILE LINES PROCESSED 33 OLD FILE LINES PROCESSED LISTING-TYPE = DELTA COMPARE-COLUMNS = 1:72 LONGEST-LINE = 80 PROCESS OPTIONS USED: SEQ(DEFAULT) ******************************** Bottom of Data ********************************



By Placing a BN -‐ Browse Running System

BROWSE SYS14198.T113451.RA000.TESTS.R0103310(BPXL Line 00000000 Col 001 080 ********************************* Top of Data ********************************** CTRACE CTIBPX00 .DEFAULT FORKCOPY COW IPCSEMNIDS 500 IPCSEMNSEMS 1000 .DEFAULT IPCSHMMPAGES 131072 IPCSHMNIDS 500 IPCSHMNSEGS 500 LOSTMSG ON MAXCORESIZE 4194304 MAXCPUTIME 1000 .DEFAULT MAXFILEPROC 400 MAXFILESIZE NOLIMIT MAXIOBUFUSER 2048 .DEFAULT MAXMMAPAREA 40960 MAXPIPEUSER 8730 .DEFAULT MAXPROCSYS 200 MAXPTYS 256 MAXQUEUEDSIGS 1000 .DEFAULT MAXSHAREPAGES 131072 MAXTHREADS 10000 MAXTHREADTASKS 1000 .DEFAULT MAXUIDS 200 .DEFAULT MAXUSERMOUNTSYS 0 .DEFAULT MAXUSERMOUNTUSER 0 .DEFAULT RESOLVER_PROC DEFAULT .DEFAULT SHRLIBMAXPAGES 4096 SHRLIBRGNSIZE 67108864 SUPERUSER BPXROOT .DEFAULT SWA BELOW SYSCALL_COUNTS NO .DEFAULT SYSPLEX NO .DEFAULT TTYGROUP TTY VERSION 'Z113' ******************************** Bottom of Data ********************************



By Placing a BO -‐ Browse Inspection:

BROWSE SYS14198.T113450.RA000.TESTS.R0103309(BPXL Line 00000000 Col 001 080 ********************************* Top of Data ********************************** CTRACE CTIBPX00 BPXPRMCS FORKCOPY COW .DEFAULT IPCSEMNIDS 500 .DEFAULT IPCSEMNSEMS 1000 .DEFAULT IPCSHMMPAGES 25600 .DEFAULT IPCSHMNIDS 500 .DEFAULT IPCSHMNSEGS 500 .DEFAULT LOSTMSG ON .DEFAULT MAXCORESIZE 4194304 .DEFAULT MAXCPUTIME 1000 .DEFAULT MAXFILEPROC 400 BPXPRMCS MAXFILESIZE NOLIMIT .DEFAULT MAXIOBUFUSER 2048 .DEFAULT MAXMMAPAREA 40960 .DEFAULT MAXPIPEUSER 8730 .DEFAULT MAXPROCSYS 200 BPXPRMCS MAXPTYS 256 BPXPRMCS MAXQUEUEDSIGS 1000 .DEFAULT MAXSHAREPAGES 131072 .DEFAULT MAXTHREADS 10000 BPXPRMCS MAXTHREADTASKS 1000 .DEFAULT MAXUIDS 200 BPXPRMCS MAXUSERMOUNTSYS 0 .DEFAULT MAXUSERMOUNTUSER 0 .DEFAULT RESOLVER_PROC DEFAULT .DEFAULT SHRLIBMAXPAGES 4096 .DEFAULT SHRLIBRGNSIZE 67108864 .DEFAULT SUPERUSER BPXROOT .DEFAULT SWA BELOW .DEFAULT SYSCALL_COUNTS NO .DEFAULT SYSPLEX NO .DEFAULT TTYGROUP TTY .DEFAULT VERSION 'Z113' BPXPRMCS ******************************** Bottom of Data ********************************



7 Controls – The Control Editor

7.1 Padlocking IPLPARM and PARMLIB The TCE Padlock provides enhanced Access Control over TCE Category resources as defined in the NSECTLxx Configuration Member. Within this Member, a ‘SPECIAL’ keyword -‐ ‘*Auto*’ -‐ may be used as a ‘Named Dataset’ within the Reserved Categories Named – SYSTEM.IPLPARM and SYSTEM.PARMLIB. When used in this way, TCE automatically discovers the associated IPLParm and PARMLib Datasets, and ‘Padlocks’ each of these Reserved Categories by name. By default, the Category Control MODE is set to ‘WARN’. These configuration actions will result in a change in system behavior that will be noticed by users attempting to access IPLParm or PARMLib Datasets. This means that when users attempt to access ANY dataset defined or discovered within the SYSTEM.IPLPARM or SYSTEM.PARMLIB categories, TCE will issue a ‘Warning Message’ stating that dataset access is being allowed on a temporary basis. In addition, the TCE Administrator(s) will see the following Pop-‐Up notices – Padlock Initialization and Subsequent Notification.

7.1.1 Padlock Initialization Padlock Control over SYSTEM.IPLPARM and SYSTEM.PARMLIB Categories is initialized when the ‘Controls – Controls Environment Settings’ option is selected from the ICE Primary Menu, NSECTLxx contains the Categories SYSTEM.IPLPARM and/or SYSTEM.PARMLIB, the ‘*AUTO*’ keyword is used as a dataset name, and no Padlock Control exists for the Category. An example of such a control card set follows:

NSECTLxx Control Cards FORMAT VERS(1) *----Category---|----Dateset_Name---- SYSTEM.IPLPARM *AUTO* SYSTEM.PARMLIB PAUL.PARMLIB.TEST SYSTEM.PARMLIB PLAY.PARMLIB.TEST SYSTEM.PARMLIB *AUTO* PHARL2.PARMLIB2 PHARL2.PARMLIB PHARL2.PARMLIB2 PHARL2.PARMLIB1 PHARL2.PARMLIB2 PHARL2.PARMLIBC

When these conditions exist, the following Control Cards are automatically inserted into the NSESELxx Configuration Member, the ICE Environment is Dynamically updated and a Notification Pop-‐Up is displayed.



NSESELxx Control Cards Keyword Userids Member Category/Dataset/Unix File Path ------- ------- -------- ------------------------------- CATALLI TCEUSER * SYSTEM.IPLPARM CATALLI TCEUSER * SYSTEM.PARMLIB

Notification Pop-‐Up ◊—— *AUTO* Padlock Set for Category SYSTEM.PARMLIB/SYSTEM.IPLPARM. ———◊ ◊ ◊ ◊—————————————————————————————————————————————————————————————————————◊

7.1.2 Subsequent Padlock Notification

Once Padlock Controls are in place, a different/reminder Pop-‐Up message will be displayed each time the ‘Controls – Controls Environment Settings’ option is selected.

Notification Pop-‐Up ◊—————— Control Mode of Category/Dataset Padlock set to - WARN. ——————◊ ◊ ◊ ◊—————————————————————————————————————————————————————————————————————◊

7.1.3 Padlock Control Administration

Padlock Definitions are administered using the ‘Settings’ Option accessed from the TCE Primary Menu.



7.2 Role Based Access Control (RBAC) Role Based Access Control (RBAC) is a Management Technique in which roles are defined for various job functions. The permissions to perform certain system operations are assigned to one or more of these roles. Technical Support Staff (or other system users) are then assigned to those roles that best fit the scope of their support responsibilities.

When RBAC is employed, users are not assigned access rights/permissions directly, but only acquire them through their role (or roles). Management of individual user rights becomes a matter of simply assigning individual users to appropriate roles thus simplifying common operations, such as adding or deleting users, or changing the operational scope of an existing Role.

When applied within the System z Environment, RBAC can be seen as reinforcing the Configuration Control Boundaries maintained by the Policy Rules defined to and enforced by the External Security Manager (ESM). Used in this way, RBAC establishes and enforces ‘Fine-‐Grained, Micro-‐Perimeter’ controls around critical System z Configuration Resources – IPLParm, ParmLib, ProcLib -‐ and as a result, enhances and extends the System z Configuration Security-‐Control Continuum. RBAC is an acceptable response to Audit Findings that question existing Managerial Control Processes that appear to convey excessive access privileges to users thus weakening existing ESM Policy Rules. In many cases, ESM Policy Rules provide access to system resources that ARE NOT actually required by Technical Support Staff in the normal course of them performing their assigned duties. RBAC resolves this dilemma by enforcing a second set of Access Policies that are specifically designed and deployed to insure that resource access is provided only to those that actually require it.

Within the Image Control Environment (ICE), RBAC is -‐ Defined, Assigned, Enforced -‐ using functions found within The Control Editor (TCE). But TCE is much more than a Control Tool.



The TCE Development Team creates a balance between reinforcing legacy security and enhancing staff productivity in the enterprise-‐wide System z Environment.

7.2.1 Reinforcing Legacy Security

The examples listed below raise questions concerning the responsibility and accountability between colleagues and consultants supporting the System z environment and speak to the need for enhanced configuration control; control that focuses on an individual’s Role within the Technical Support Organization.

Consider the following:

• Do “READ” only users access, alter/submit and cancel out without documentation? • Do outside consultants need view/update access to every configuration component? • Do Application Programmers need access to everything in a shared configuration? • Do ESM policies enforce accountability when Parmlib is shared across functions? • Do controls over APF Authorization allow for the assignment of responsibility? • Do access rights to network configurations invite mainframe intrusions?

These represent but a few examples of issues that may be inching your organization ever closer to a state of non-‐compliance when actual control over System z changes is brought into question. They speak to a need for the collection and reporting of configuration event detail beyond that supported by Legacy Systems, the System Management Facility (SMF) and conventional Change Management Processes.

7.2.2 Enhancing Staff Productivity

Configuration Access Control is first of two TCE goals. The second is to improve Staff Productivity through a product design that ‘Leads them’ towards the achievement of System z Support Best Practices. These practices include:

• Taking a Backup before making changes to a system configuration component. • Testing changes to configuration components before committing them to production. • Researching the History of prior changes before attempting new ones. • Documenting Actual changes at the point where the changes actually take place. • Notifying those that need to know that a change has been made.

These sound System Support Best Practices are straightforward and simple enough. However, we’re all human, we’re all busy, and we all forget. Our best intentions to conform to these practices sometimes go unfulfilled. TCE can ensure that these practices are achieved, automatically guiding its users, without interruption of normal workflow -‐ “no ifs, ands buts”. In doing so changes are fully documented, system configuration integrity is enhanced, and when necessary, regulatory requirements can be satisfied.



7.2.3 Using TCE to Define and Assign Access Roles

TCE Role Based Access Control (TCE/RBAC) can be used to reinforce and add depth to those resource control boundaries already established and enforced by the External Security Manager. Using TCE/RBAC helps to improve the Managerial Control Processes used to convey access privileges to those system resources actually required by users in the normal course of them performing assigned duties. Using functions accessed via this panel, you may define Roles and the resources they control, assign Roles to individuals that best fit their duties and access Role Definition and Assignment Reports. Define/Assign Role Based Controls Panel TCE 8.0 - Define/Assign Role Based Controls D RoleDefs .. - Define Role Based Access Controls Userid - PROBI1 Time - 08:04 A AsgnMent .. - Assign Role Based Access Controls Sysplex - ADCDPL System - ADCD113 R RoleRpts .. - TCE/RBAC - Configuration Reports IFOhlq - TEST ICE 11.0 - TCE 8.0 M Monitors .. - TCE/RBAC - Configuration Monitors Patch Level R08 X Exit - Return to the TCE Primary Menu NewEra Software, Inc. Our Job? Help you make repairs, avoid problems, and improve IPL integrity.

To reach this panel, select the ‘Controls -‐ Controls Environment Settings’ -‐ option found on the ICE Primary Menu. Next, select The Controls Environment option ‘Settings -‐ Configuration Settings Overview’. Using the Settings Panel select ‘RoleBase -‐ Define and/or Assign User Roles’. Using the functions accessed from this panel, you may define and/or assign TCE Role Based Access Controls (TCE/RBAC). Panel-‐Specific Help is available by pressing PFK1.



7.3 Using TCE/RBAC to Define Access Controls To Define a Role, start by giving it a meaningful six-‐character Role Name and Description. Next, you may refine the Role by adding an optional ‘Mode Control’ setting -‐ DENY, WARN, NONE – and an Access Window based on Day, Date, and Time. Finally, associate with each Role a set of Controlled Categories/Datasets/Files/RACF Commands.

Defined Role Control Selections Panel TCE 8.0 - Defined Role Control Selections Row 1 to 6 of 6 --NSIMRBX 0627-- -RBAC Definitions- ----------------------- 6 Access Roles Currently Defined ---------------------- Row Selection: Define_Resources Shows_Assigned Add_Role Update_Role Remove_Role --- To Sort select a Sub-Head, To Query enter above Sub-Head, PFK1 for Help --- - Line Usr --------Role Based Control Definitions------- -----Last Updated----- _ ____ ___ ______ ____ ____ ____________________________ ______________________ S Numb Asg -Role- Ctls Mode ---Brief Role Description--- ---Date_Time_UserId--- _ 0001 004 NETWRK CMUE DENY NETWORK_MANAGEMENT_TEAM 14/07/06_15:13_PROBI1 _ 0002 004 CICS01 CM-E DENY CICS_APPLICATION_DEVELOPMENT 14/07/07_14:32_PROBI1 _ 0003 003 VTAM01 C--E DENY VTAM_SUPPORT_AND_APPLICATION 14/07/07_14:32_PROBI1 _ 0004 001 PLAY01 C-UE NONE PLAYING_A1D_TESTING_DEFINITI 14/07/07_14:33_PROBI1 _ 0005 003 SYSPRO ---E DENY Z/OS_SYSTEM_PROGRAMM_TEAM 14/07/07_14:57_PROBI1 _ 0006 002 PLAY02 ---- WARN PLAYING_AND_TESTING_PLUS 14/06/30_14:08_PROBI1 ******************************* Bottom of data ******************************** Option ===> Scroll ===> CSR

7.3.1 The ‘Ctls’ Column Decoded – Role Definitions

The ‘Ctls’ Column shows a ‘Four-‐Byte’ summary of Active/Inactive Control Elements defined to a related Role. The first Byte ‘C’ indicates that a Controlled Category is defined to the Role. The second Byte ‘M’ indicates that a specific MVS Dataset within a Controlled Category is defined to the Role. The third Byte ‘U’ is used to indicate that a Controlled zFS/HFS File Element has been defined to the Role. The fourth and last Byte is used to indicate that one or more External Security Manager (ESM) Operator Commands is defined to the Role.

7.3.2 Adding a New Role – Name, Description and Window

Adding a New Role is a 'Two-‐Step' process. First, use this panel to 'Name' the New Role and give it a 'Brief-‐Description' and then return to the prior menu. Take note that the Newly Added Role Name and Description now appears as entries in the updated panel. For the second step, use the 'D -‐ Define Access Rights’ row command to select the new entry. In the panel that follows, select Category and/or Datasets to be included within the scope of the selected Role. Category and Dataset definitions may be updated at any time.



• RoleId -‐ This required six-‐character value serves as an Identifier of the Role in all

Panels, Reports and Control Files. It is a 'Best Practice' to SELECT CAREFULLY as

changing it, once it has been in common use, will prove to be difficult, at best.

• BriefDesc -‐ The Brief Role Description is used to describe the Role. While 'Brief' the

description should be such that it is meaningful to you and others that may be charged with the responsibility of Updating Roles and/or assigning them to individual users. It is 'Best Practice' to define roles and document them completely.

7.3.3 Updating an Existing Role

The Role Name is a required six-‐character value that serves as the Identifier of the Role in all Panels, Reports and Control Files. The Role name CANNOT be changed. If necessary return to prior panel, 'Remove' the Role, Add a New Role and subsequently Reassign Resources and Users to it.

7.3.4 Removing a Defined Role

A Role Definition is stored in three separate datasets. The Role Definition Dataset -‐ HLQ.$TCEROLE.DEFINED – is used to store the Role Name and Role Description. During a removal, the single line that contains this information is deleted and the Dataset is updated. The Role/Membership assignments are stored in the ICE ParmLib Member -‐ HLQ.PARMLIB -‐ in the NSEGRPxx member. During a Removal, the TCEGROUP Action Block, containing the UserId(s) is deleted and the member is updated and saved. The Padlock Control Cards that name the Keywords that Control Member Access Levels and the Members are stored in -‐ HLQ.PARMLIB -‐ in NSESELxx. During Removal, all related Control Cards are deleted and the NSESELxx Member is updated and saved. Confirm RBAC Removal ◊—————————————————————————————————————————————————————————————————————◊ ◊ TCE 8.0 - Confirm RBAC Removal - Definition ◊ ◊ Selected Role CICS01 ◊ ◊ .. Yes .. No ◊ ◊—————————————————————————————————————————————————————————————————————◊

Take care in using this function as no RECOVERY function is provided for restoring Removed/Deleted Roles.



7.3.5 Defining TCE/RBAC Access Rights – Boundary Options

TCE/RBAC supports three unique Boundary Options – MVS Dataset, USS zFS/HFS Files, External Security Manager (ESM) Operator Commands. These options are accessed by selecting them from the Panel shown below.

TCE/RBAC Boundary Options TCE 8.0 - TCE/RBAC Boundary Options - NETWRK M MVSCntls .. - MVS/BCP Categories and Datasets Userid - PROBI1 Time - 12:54 U USSCntls .. - USS/HFS Categories and Dirs/Files Sysplex - ADCDPL System - ADCD113 E ESMCntls .. - ESM/RACF Group Special Commands IFOhlq - TEST ICE 11.0 - TCE 8.0 Patch Level R08 X Exit - Return to the TCE Primary Menu NewEra Software, Inc. Our Job? Help you make repairs, avoid problems, and improve IPL integrity.

7.4 MVSCntls - MVS/BCP Categories and Datasets

Once named, a Role is further defined to contain a set of System Resources. From this panel, you may select any previously defined or ‘*Auto*’ Controlled Category or any Controlled Dataset within an 'MVS' Category.

TCE 8.0 - Role Control Boundary Selection Row 1 to 12 of 12 --NSIMRBX 0627-- -Control Boundary- ------------ CICS01 Role Boundaries - 3 Categories and 12 Datasets ------------ Row Selection: Category_Based_Member_Definition Dataset_Based_Member_Definition --- To Sort select a Sub-Head, To Query enter above Sub-Head, PFK1 for Help --- - Line -------Categories------- --------------Controlled Datasets-------------- _ ____ ___ ___ ________________ ___ ___________________________________________ S Numb Mbr zOS -Category Names- Mbr ---------------Dataset Names--------------- _ 0001 *01 BCP SYSTEM.IPLPARM --- SYS1.IPLPARM _ 0002 --- BCP SYSTEM.PARMLIB --- PAUL.PARMLIB.TEST _ 0003 --- PLAY.PARMLIB.TEST _ 0004 --- USER.PARMLIB _ 0005 --- ADCD.Z113.PARMLIB _ 0006 --- SYS1.PARMLIB _ 0007 --- BCP PHARL2.PARMLIB2 *01 PHARL2.PARMLIB _ 0008 --- PHARL2.PARMLIB1 _ 0009 --- PHARL2.PARMLIBC _ 0010 --- BCP NSESEL.AUTOCNTL --- PLAYFUL.PARMLIB _ 0011 --- SYS1.PARMLIB _ 0012 --- USER.PARMLIB ******************************* Bottom of data ******************************** Option ===> Scroll ===> CSR



It is a Best Practice to always set a Global Control Boundary for all Categories or Datasets added to a Role using a Member Name of '*'. This approach sets a Global Perimeter around the entire Category and/or Dataset allowing refinement at the Member Level when needed.

7.4.1 MVS Category Based Definitions Define Member Control Boundaries Panel TCE 8.0 - Define Member Control Boundaries Row 1 to 1 of 1 --NSIMRBX 0627-- --Category Based-- ------------------ SYSTEM.IPLPARM Category Member Boundaries ------------------ Row Selection: Add_Member_Boundary Update_Boundary Remove_Boundary Notification --- To Sort select a Sub-Head, To Query enter above Sub-Head, PFK1 for Help --- - Line -----Access Granted----- ------------Configuration Comments------------- _ ____ ________ ___ ___ ___ ___ ______________________ ________________________ S Numb -Member- Ctl Upd Brw Sub -----Last Updated----- -----Freeform Text------ _ 0001 * INC YES --- --- 14/06/30_14:08_PROBI1 Full_Perimeter_Boundary ******************************* Bottom of data ******************************** Option ===> Scroll ===> CSR

Row Command Functions allow for the following:

• The addition of a Member to a Role Control Boundary with specified Access Rights. • The Update of Member/Access Rights within a Role Control Boundary. • The Removal of Members from a Control Boundary. • The Display of the Email Notification Set-‐up Panel for the selected Category, allowing

activation of 'UserId Action Notification'. Panel-‐Specific Help is available, within all panels and Pop-‐ups, by pressing PFK1.

7.4.2 MVS Dataset Based Definitions

$DSN105 TCE 8.0 - Define Member Control Boundaries Row 1 to 1 of 1 --NSIMRBX 0721-- ---Dataset Base--- ------------------- PHARL2.PARMLIB Dataset Member Boundaries ------------------- Row Selection: Add_Member_Control Updates_Member_Control Removs_Member_Control --- To Sort select a Sub-Head, To Query enter above Sub-Head, PFK1 for Help --- - Line -----Access Granted----- ------------Configuration Comments------------- _ ____ ________ ___ ___ ___ ___ ______________________ ________________________ S Numb -Member- All Upd Brw Sub -----Last Updated----- -----Freeform Text------ _ 0001 PROG00 INC YES --- --- 14/07/23_11:50_PROBI1 Dataset Within Boundary ******************************* Bottom of data ******************************** Option ===> Scroll ===> CSR



7.5 USSCntls - USS/HFS Categories and Dirs/Files

USS/UNIX Category Boundary Selection TCE 8.0 - Role Control Boundary Selection Row 1 to 14 of 27 --NSIMRBX 0721-- -Control Boundary- --------- NETWRK - USS/UNIX Boundaries - 2 Categories and 27 Elements --------- Row Selection: Category_Based_Control_Boundaries Element_Based_Control_Boundary --- To Sort select a Sub-Head, To Query enter above Sub-Head, PFK1 for Help --- - Line -------Categories------- ------------Controlled USS Element------------- _ ____ ___ ___ ________________ ____ ____ _____________________________________ S Numb Ctl zOS -Category Names- Ctls Type -------------Element Name------------ _ 0001 YES USS OLDUSS.SERVICE I-B- ROOT /ADCD113/ETC _ 0002 I-B- DIRS /SSH _ 0003 IU-- EILE /NOHUP.OUT _ 0004 IU-- FILE /SSH_CONFIG _ 0005 I-B- DIRS /SSH_HOST _ 0006 IU-- FILE /HOST_RSA_KEY.PUB _ 0007 IU-- FILE /SSHD.SH _ 0008 --- USS NEWUSS.SERVICE ---- ROOT /CDCD113/ETC _ 0009 ---- DIRS /SSH _ 0010 ---- FILE /NOHUP.OUT _ 0011 ---- FILE /SSH_CONFIG _ 0012 ---- FILE /SSH_HOST_DSA_KEY.PUB _ 0013 ---- FILE /SSH_HOST_RSA_KEY.PUB _ 0014 ---- FILE /SSHD.SH Option ===> Scroll ===> CSR

7.5.1 The ‘Ctls’ Column Decoded – USS/HFS Categories

The shows a ‘Four-‐Byte’ summary of defined zFS/HFS Element Controls. The first Byte, when active may be either ‘I or E’, indicates if the defined zFS/HFS Control Element Type – ROOT, DIRS, PATH, FILE -‐ will ‘INCLUDE or EXCLUDE’ – GRANT or DENY -‐ the access rights indicated by the remaining three bytes. The second byte ‘U’, if present, indicates that ‘UPDATE’ access is granted or denied. The third byte ‘B’, if present, indicates that ‘BROWSE’ access is granted or denied. The fourth byte ‘X’ is used to indicate that a file may or may not be executed.

7.5.2 Setting Control Elements within a Category

To define a zFS/HFS Control Element, use the ‘S’ Row Selection Command, placing it into a Row that corresponds to the Controlled Category and/or Control Element Type within that Category that is desired and press enter. This action will display the USS Category Boundary Definition Panel.

Note that the Panel supports ALL Control Elements – ROOT, DIRS, PATH, SUBD, FILE -‐ within each named Controlled Category and therefore all desired Element Controls are set for each Controlled Category using this single panel. When finished setting the needed controls and access rights use PFK3 to return to the USS/UNIX Category Boundary Selection Panel. Take note that the ‘Ctls’ column now reflects the updated settings for ALL Control Elements of the same type within the same Controlled Category.



USS/UNIX Category Boundary Definition TCE 8.0 - Define USS Category Boundaries - NETWRK --------TCE Controlled Target-------- ---SELxx--- ------Last Update------ L ADCD113 IFO.TEST.PARMLIB 00 00 Yes 0 PROBI1 14/07/23 06:37 P --LPAR-- ---ParmDsn Qualifier--- Sf Sf Act Ctls -UserId- yy/mm/dd hh:mm ------------------- Select USS Category - OLDUSS.SERVICE ---------------- -FilePath- -Controls- --Access Privilege-- Ck Levels Cm -State- Cm Upd Cm Brw Cm Exc /. ROOT .. INCLUDE .. --- .. YES .. --- /. DIRS .. INCLUDE .. --- .. YES .. --- .. PATH .. ------- .. --- .. --- .. --- .. SUBD .. ------- .. --- .. --- .. --- /. FILE .. INCLUDE .. YES .. --- .. --- USS/UNIX Category Access Controls may be set to one or to all of the Levels shown above. To select/un-select a level cursor into 'Cm'/'Levels' fields and press enter, note 'Check Mark'. Only Checked entries are Active Controls. Now cursor into any of the - 'Control'/'Upd'/'Brw'/'Exc' - fields and press enter to toggle values: INCLUDE/EXCLUDE and YES/NOP. PFK1 for Help. Option ===>

7.5.3 zFS/HFS Control Element Types

There are five zFS/HFS Control Element Types – ROOT, DIRS, PATH, SUBD, FILE – each has its origin in the NSECTLxx Configuration Control Member. From the NSECTLxx operational perspective such Control Element definitions are cumulative in the determination of the final fully qualified file name that will be used by TCE to Backup a file, Capture file related change events and Detect Policy Violations. From the NSESELxx operational perspective, such a Control Element definition is a ‘Stand-‐Alone’ control definition up to the defined Type of Control Element. This means for example, if a DIRS element is defined to a Controlled Category with a Control State ‘INCLUDE’ and an Access Privilege ‘UPD’ that all zFS/HFS files that appear at that ‘Level’ with the file system would be included with the TCE/RBAC Role Definition. Users assigned to the Role, if they otherwise had access to files at that Control Level, would be allowed access for Update and others, without specific TCE Update access rights, would be Denied Update Access.

Note that Element Controls and Access Privileges defined to a Control Element Type – ROOT, DIRS, PATH, SUBD, FILE – apply to all such similar Element Types with a named Controlled Category. For this reason Control Element Types that require unique Control and Access Privileges should be defined within their own unique Controlled Categories.



7.6 ESMCntls - ESM/RACF Group Special Commands It is a common practice for a member of the technical team to be given External Security manager (ESM) Special Group Authority. Such authority allows the assigned Group Administrator to access and use ESM Commands for adding, permitting, deleting, etc. users within the ESM Resource Boundaries. Using TCE/RBAC access to these ESM Commands and their usage may be limited to a Role Defined Set. When the ‘ESMCntls’ option is selected the ESM Command Definitions Panel is displayed. The Panel shows which Commands are ‘INCLUDED|EXCLUDED’ from the Role. Last Update Statistics and Freeform Text Documentation.

Note that the value shown in the ‘JRN’ column must be ‘YES’ for the Command to be actively controlled by TCE. Such control definitions are automatically added to NSEJRNxx when commands are added to a Role.

ESM Command Definitions TCE 8.0 - ESM Command Definitions - CICS01 Row 1 to 7 of 7 --NSIMSLX 0710-- -Command Controls- ---------------------- 7 ESM Command Definitions - CICS01 --------------------- Row Selection: Add_Commands Update_Commands Remove_Commands Command_Usage_Table --- Select Sub-Head to Sort, Query above Sub-Head, Enter Saves a Row Update --- - Line --Control Elements-- ------------Command Record Documentation----------- _ ____ _______ ________ ___ ________________________ __________________________ S Numb Control Commands JRN ------Last Updated------ ------Freeform Text------- _ 0001 EXCLUDE ADDUSER YES 2014/07/13_15:12_PROBI1 DOCUMENT_COMMAND_ADDITION _ 0002 INCLUDE RDELETE YES 2014/07/14_13:34_PROBI1 DOCUMENT_COMMAND_ADDITION _ 0003 INCLUDE ALTGROUP YES 2014/07/14_13:36_PROBI1 DOCUMENT_COMMAND_ADDITION _ 0004 EXCLUDE ADDGROUP YES 2014/07/14_13:39_PROBI1 DOCUMENT_COMMAND_ADDITION _ 0005 EXCLUDE DELGROUP YES 2014/07/16_15:13_PROBI1 DOCUMENT_COMMAND_ADDITION _ 0006 INCLUDE ADDSD YES 2014/07/17_09:48_PROBI1 EXCLUDING_THIS_COMMAND _ 0007 EXCLUDE ALTDSD YES 2014/07/17_09:54_PROBI1 TESTING_COMMAND_UPDATE ******************************* Bottom of data ******************************** Option ===> Scroll ===> CSR

7.6.1 Adding a Command

The Add Command option displays the Add Command Pop-‐Up. The RoleId is entered automatically and cannot be updated. Control alternatives are ‘INCLUDE|EXCLUDE’; they may be entered directly when you cursor into the Control Field, under ‘-‐-‐Key-‐-‐‘ and press enter. This action will toggle the two alternatives. Add Command Definitions ◊—————————————————————————————————————————————————————————————————————◊ ◊ TCE 8.0 - Add RBAC Command Control Rule ◊ ◊ ESM Operator Command - RACFCMD ◊ ◊ Control RoleIds Commands ----Reason for Addition---- ◊ ◊ --Key-- +CICS01 --CMDS-- DOCUMENT_COMMAND_ADDITION ◊ ◊—————————————————————————————————————————————————————————————————————◊



Commands may be entered directly by entering the full command or may be selected from the Supported Command List. To display the Supported Command List cursor into the Commands Field, under ‘-‐-‐CMDS-‐-‐‘ and press enter. Supported RACF Command Selection List TCE 8.0 - Command List - RACF Operator Commands --------TCE Controlled Target-------- ---SELxx--- ------Last Update------ T THIS_SYS THIS_PRMDSN TH TH THI THIS THIS_USE THIS_UPD THIS_ P --LPAR-- ---ParmDsn Qualifier--- Sf Sf Act Ctls -UserId- yy/mm/dd hh:mm -------------------------Supported RACF Commands------------------------- Cm --Name-- Cm --Name-- Cm --Name-- Cm --Name-- Cm --Name-- Cm --Name-- .. ALTDSD__ .. ALTGROUP .. ALTUSER_ .. ADDSD___ .. ADDGROUP .. ADDUSER_ .. CONNECT_ .. DELDSD__ .. DELGROUP .. DELUSER_ .. LISTDSD_ .. LISTGRP_ .. LISTUSER .. PASSWORD .. PERMIT__ .. RALTER__ .. RDEFINE_ .. RDELETE_ .. REMOVE__ .. RLIST___ .. SEARCH__ .. SETROPTS .. ALTDSD__ .. ALTGROUP .. ALTUSER_ .. ADDSD___ .. ADDGROUP .. ADDUSER_ .. CONNECT_ .. DELDSD__ .. DELGROUP .. DELUSER_ .. LISTDSD_ .. LISTGRP_ .. LISTUSER .. PASSWORD .. PERMIT__ .. RALTER__ .. RDEFINE_ .. RDELETE_ .. REMOVE__ .. RLIST___ .. SEARCH__ .. SETROPTS .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ Option ===>

To select from the displayed list place ‘S’ before a command or cursor under the command and press enter. These actions will redisplay the Pop-‐Up with the selected command inserted into the Commands Field. Note that commands that are Highlighted are those that have already been selected for inclusion in the Role.

7.6.2 Updating Command Definitions

Only The Control Field and its valid values -‐ INCLUDE, EXCLUDE -‐ and the Reason for Update Fields can be updated. If a command name needs updating return to the prior menu, select -‐ Remove Commands -‐ then, the required Command as a New Entry. Updating Command Definitions ◊—————————————————————————————————————————————————————————————————————◊ ◊ TCE 8.0 - Update RBAC Command Control Rule ◊ ◊ ESM Operator Command - RACFCMD ◊ ◊ Control RoleIds Commands -----Reason for Update----- ◊ ◊ EXCLUDE +CICS01 ADDGROUP 2014/07/16_15:12_PROBI1 ◊ ◊—————————————————————————————————————————————————————————————————————◊



7.6.3 Removing a Command

Placing ‘R’ on the entry point before a Command to be removed and pressing enter will display a Confirmation Pop-‐Up. Select ‘Yes’ to remove the command from NSESELxx. Note however that the Command is not removed from NSEJRNxx. This residual Control Care in NSEJRNxx has no effect on the TCE/RBAC Definition. Removing Command Definitions ◊—————————————————————————————————————————————————————————————————————◊ ◊ TCE 8.0 - Confirm RBAC Removal - ESM Command ◊ ◊ Selected Command ALTGROUP ◊ ◊ .. Yes .. No ◊ ◊—————————————————————————————————————————————————————————————————————◊

7.6.4 Command Usage Table The command usage provides an overview of which Roles include a selected command with their Resource Boundary and the level of control applied – INCLUDE, EXCLUED.

Command Usage Table TCE 8.0 - ESM Command Where-Used List - DELDSD --------TCE Controlled Target-------- ---SELxx--- ------Last Update------ L ADCD113 IFO.TEST.PARMLIB 00 00 Yes 7 PROBI1 14/07/19 12:38 P --LPAR-- ---ParmDsn Qualifier--- Sf Sf Act Ctls -UserId- yy/mm/dd hh:mm -------------------------ESM Command Where-Used-------------------------- Controls RoleId Controls RoleId Keywords RoleId Keywords RoleId -------- ------ -------- ------ -------- ------ -------- ------ INCLUDE_ CICS01 EXCLUDE_ NETWRK ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ ________ ______ Option ===>



7.6.5 Showing Members Assigned to a Role

Once Roles are defined, individuals with duties that require access to the system resources controlled within the Role's boundary may be assigned to it. The Individual TsoUserId(s) shown in this panel is assigned access rights to the Role selected in the prior panel.

Role Based Group Assignment TCE 8.0 - Role Based Group Assignment - NETWRK --------TCE Controlled Target-------- ---SELxx--- ------Last Update------ L ADCD113 IFO.TEST.PARMLIB 00 00 Yes 4 -------- --/--/-- --:-- P --LPAR-- ---ParmDsn Qualifier--- Sf Sf Act Ctls PHARL2 14/07/04 13:06 -----------------Users Assigned to This Selected Role------ NETWRK ------ Cm -UserId- Cm -UserId- Cm -UserId- Cm -UserId- Cm -UserId- Cm -UserId- .. PROBI1__ .. PHARL1__ .. MRCHIN__ .. GORDON__ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ .. ________ Option ===>

Row Command Functions allow for the following: • Place 'S' before a TsoUserId, or cursor under it and press enter. These actions will

immediately display the selected User's Role Assignment Profile Panel. The Profile Panel details -‐ First, those specific Roles to which the user is assigned. Second, Control MODE of user access rights -‐ DENY, WARN, NONE. Third, the optional START and STOP times that can be used to create an 'Access Window' for controlled access rights within a 24-‐hour period. Fourth, Notification of User Actions. Notification of User Actions is configured at the time a Category is created or updated naming a specific User. These User Notification settings can be Globally turned ON/OFF from the Category Notification Panel.

• Place 'R' before a TsoUserId and press enter to remove it from Role Membership.

Remove Confirmation is required, no recovery is provided.



7.7 Using TCE/RBAC to Assign Users to Defined Roles Once Roles are defined, Users are assigned to appropriate Roles by ESM TsoUserId. Assignments may be time sensitive, allowing creation of 'Access Windows'. It is critical to the success of an RBAC that each such Role Assignment is made in conformity with the Organization’s Policy and must be appropriately Documented and Authorized.

User Role Assignment Definitions Panel TCE 8.0 - User Role Assignment Definitions Row 1 to 6 of 6 --NSIMRBX 0627-- ---Active User--- ----------------------------- 6 Active User Record ---------------------------- Row Selections: Add_UserId_Profile Update_UserId_Profile Removes_UserId_Profile --- Select Sub-Head to Sort, Query above Sub-Head, Enter Saves a Row Update --- - Line Role ---Access--- ------Users Name or Title------ -----Last Updated----- _ ____ ____ ________ ___ _______________________________ ______________________ S Numb TTLs -UserId- Act ---------Freeform Text--------- ---Date_Time_UserId--- _ 0001 0003 PROBI1 YES TCE_APPLICATION_SUPPORT 14/07/02_12:43_PHARL1 _ 0002 0002 PHARL1 YES TECHNICAL_SUPPORT_MANAGER 14/07/03_12:17_PROBI1 _ 0003 0003 MRCHIN YES SUPPEMENTAL_SUPPORT_TECH 14/07/02_08:38_PHARL1 _ 0004 0004 GORDON YES BIG_PROGRAMMING_DOG 14/07/05_08:45_PROBI1 _ 0005 0001 RICHARD YES TECH_SUPPORT_REP_IN_TRAINING 14/07/06_12:16_PROBI1 _ 0006 0003 CHIN01 YES SUPPLEMENTAL_APPS_SUPPORT 14/07/06_09:29_PHARL1 ******************************* Bottom of data ******************************** Option ===> Scroll ===> CSR

7.7.1 Adding Users to a Role

To add a New User and Assign that User to a Role(s) that matches the individuals' duties, complete the required, and as necessary, the optional fields shown in this Panel. Be certain to Check -‐ '/' -‐ fields you want to MAKE ACTIVE. Adding New User Role Assignment Panel TCE 8.0 - Adding New User Role Assignment(s) <> .. UserId: New_User UserName: New_UserName_Optional <> Check/UnCheck to Assign/UnAsssign UserId to a Named Role: Cm -Role- Cm -Role- Cm -Role- Cm -Role- Cm -Role- Cm -Role- -- ------ -- ------ -- ------ -- ------ -- ------ -- ------ .. NETWRK .. CICS01 .. VTAM01 .. PLAY01 .. SYSPRO .. PLAY02 .. ______ .. ______ .. ______ .. ______ .. ______ .. ______ Cursor Under Role Name, Press Enter to View Definition. <> Check/UnCheck to Set/UnSet UserId Padlock MODE Control(s): Cm User ---Start--- ---Stops--- ----------Comment---------- -- Mode yymmdd hhmm yymmdd hhmm --------------------------- .. ____ ______ ____ ______ ____ ___________________________ <> User Activity Email Notice. .. Check/UnCheck to Set/Unset Category Activity Notification.



Row Commands, Entry-‐Points and Fields allow for the following: • NewUser -‐ For New User, enter the required UserId and optional User Name/Job Title.

Place a '/' on the entry-‐point preceding the UserId field. The named user becomes active when 'Checked'.

• Assigning Roles – To assign a Role, review the listing of Defined Roles; it shows those available. Cursor under the Role Name, press enter will show the Role Definition Panel. Place a Check '/' before the Role(s) that are needed by the named user. If you

wish to remove a user from a currently checked role, simply uncheck it. • Control Mode -‐ By default, a user’s Control MODE of Access -‐ DENY, WARN, NONE – is

determined by Global Settings. This Global Setting may be overridden on a user-‐by-‐user basis by placing values in 'User Mode' field. Cursor under, press enter to toggle through available options.

• Access Window – User access may be delimited by Start and Stop values entered in these fields. To complete this optional 'START/STOP' Access Window, enter values in the Date/Time fields. Be certain to place a check '/' before the MODE field to

ACTIVATE the MODE and the optional Window settings. • User Activity Notice -‐ Notice Settings of a 'User Activity' are set within the Category

Notification Definition Panel. Check ‘/’ to Set/Unset this user's Notification function.

7.7.2 Updating a User Role

Over time, as an individual's duties change, it may be necessary to update their Role Assignments, remove them from outdated Roles or assign them to new Roles. All required and optional fields in this panel may be modified, by typing or overtyping existing values, as needed but you cannot update the 'UserId' Field. Remember to check '/' or uncheck when necessary to make your updates active or inactive.

7.7.3 Removing a User from a Role

When a UserId is assigned to a Role, the NSEGRPxx Member, found in HLQ.Parmlib, is updated by adding the UserId to a Group. The name of the NSEGRPxx group corresponds to the Name of the Role being assigned. Confirm RBAC Removal ◊—————————————————————————————————————————————————————————————————————◊ ◊ TCE 8.0 - Confirm RBAC Removal - All Assignments ◊ ◊ Selected User PHARL1 ◊ ◊ .. Yes .. No ◊ ◊—————————————————————————————————————————————————————————————————————◊

When a UserId is removed, this process is reversed with the one exception that the selected UserId is removed from ALL the Roles to which it has been assigned. In addition, during removal, if an 'Access Window' has been created for the selected UserId, it is removed by updating 'USRMODE' setting specified in the NSESELxx Member. Finally, if



UserId has been named in the NSEENSxx Member, as a candidate whose actions would trigger Email Notification to others, these settings are also removed.



7.8 TCE/RBAC Definition and Assignment Reporting

TCE 8.0 - Role Based Access Control Reports D RoleDefs .. - Role Definition Report Interface Userid - PROBI1 Time - 08:45 A AsgnMent .. - Role Assignment Report Interface Sysplex - ADCDPL System - ADCD113 IFOhlq - TEST ICE 11.0 - TCE 8.0 Patch Level P5 X Exit - Return to the TCE Primary Menu NewEra Software, Inc. Our Job? Help you make repairs, avoid problems, and improve IPL integrity. Option ===>



7.8.1 Role Definition Reports

The Role Definition Report details Role Description, Control Mode, Access Window, Assigned Users, Resources, Documentation and Updates. Review its content carefully and as needed use the Update and List Row Command to modify details that don't fit your current Best Practices.

Role Definition Report Selection TCE 8.0 - Defined Role Control Reporting Row 1 to 6 of 6 --NSIMRBX 0627-- ---RBAC Reports--- ----------------------- 6 Access Roles Currently Defined ---------------------- Row Selection: Show_Role_Definition_Report Update_Role_Definition List_Assigned --- To Sort select a Sub-Head, To Query enter above Sub-Head, PFK1 for Help --- - Line Usr --------Role Based Control Definitions------- -----Last Updated----- _ ____ ___ ______ ____ ____ ____________________________ ______________________ S Numb Asg -Role- Ctls Mode ---Brief Role Description--- ---Date_Time_UserId--- _ 0001 004 NETWRK CMUE DENY NETWORK_MANAGEMENT_TEAM 14/07/06_15:13_PROBI1 _ 0002 004 CICS01 CM-E DENY CICS_APPLICATION_DEVELOPMENT 14/07/07_14:32_PROBI1 _ 0003 003 VTAM01 C--E DENY VTAM_SUPPORT_AND_APPLICATION 14/07/07_14:32_PROBI1 _ 0004 001 PLAY01 C-UE NONE PLAYING_A1D_TESTING_DEFINITI 14/07/07_14:33_PROBI1 _ 0005 003 SYSPRO ---E DENY Z/OS_SYSTEM_PROGRAMM_TEAM 14/07/07_14:57_PROBI1 _ 0006 002 PLAY02 ---- WARN PLAYING_AND_TESTING_PLUS 14/06/30_14:08_PROBI1 ******************************* Bottom of data ********************************

Sample Role Definition Report /******************************************************************************/ /* */ /* TCE Role "NETWRK" Definition Report */ /* */ /* Date:2014/07/24 - Time:09:28:16 - User:PROBI1 */ /* */ /******************************************************************************/ <> Role Name:NETWRK - Description:NETWORK MANAGEMENT TEAM --------------------- Control MODE:DENY - Updated:14/07/06 15:13 PROBI1 <> Role Access Window - Description:OPEN 30 DAY WINDOW FOR NETWRK TEAM -------- Start Date:--/--/-- - Time:--:-- - End Date:--/--/-- - Time:--:-- Window is:INACTIVE - At Date and Time of this Report <> User(s) Assigned User(s) Managed by this Role - 4 -------------------------- Row -UserId- Act -------User Name/Job Description---- -----Last Updated----- --- -------- --- ------------------------------------ ---------------------- 001 PROBI1 YES PAUL R. ROBICHAUX 14/07/23 09:13 PROBI1 002 PHARL1 YES SUPER TECHNICAL GURU 14/07/07 11:33 PROBI1 003 MRCHIN YES OUR SUPPLEMENTAL TECH MAN 14/07/07 11:34 PROBI1 004 GORDON YES THE ICE WIZARD 14/07/07 11:34 PROBI1 <> Controlled MVS Categories and their Datasets - Summary of All --------------- Row Act zOS -Category Names- Act --------Dataset or File Name-------- Volume --- --- --- ---------------- --- ------------------------------------ ------ 001 *01 MVS SYSTEM.PARMLIB 001 TEST.PARMLIB ZDSYS1 002 --- TEST.Z113.PARMLIB ZDRES1 003 --- PLAY.PARMLIB ZDRES1 004 --- USER.PARMLIB ZDSYS1 005 --- ADCD.Z113.PARMLIB ZDRES1 006 --- SYS1.PARMLIB ZDRES1 007 --- MVS NSESEL.AUTOCNTL --- PLAYFUL.PARMLIB NEWVOL 008 --- PHARL2.PARMLIB ------ 009 --- USER.PARMLIB ------ 010 --- SYS1.PARMLIB ------ 011 --- ADCD.Z113.PARMLIB ------



012 --- SYS1.IPLPARM ------ 013 --- PAUL.PARMLIB.TEST ------ <> Category Based MVS Member Controls - SYSTEM.PARMLIB ------------------------ Row zOS --------Category Dataset Concatenation-------------- Volume -System- --- --- ---------------------------------------------------- ------ -------- 001 MVS TEST.PARMLIB ZDSYS1 ADCD113 002 MVS TEST.Z113.PARMLIB ZDRES1 ADCD113 003 MVS PLAY.PARMLIB ZDRES1 ADCD113 004 MVS USER.PARMLIB ZDSYS1 ADCD113 005 MVS ADCD.Z113.PARMLIB ZDRES1 ADCD113 006 MVS SYS1.PARMLIB ZDRES1 ADCD113 Row -Member- All Edt Brw Sub -----Freeform Text------ -----Last Updated----- --- -------- --- --- --- --- ------------------------ ---------------------- 001 * EXC --- YES --- DOCUMENT_CHANGES 14/07/23_12:37_PROBI1 <> Category Based MVS Member Controls - NSESEL.AUTOCNTL ----------------------- Row zOS --------Category Dataset Concatenation-------------- Volume -System- --- --- ---------------------------------------------------- ------ -------- 001 MVS PLAYFUL.PARMLIB NEWVOL ADCDXXXX 002 MVS PHARL2.PARMLIB ------ -------- 003 MVS USER.PARMLIB ------ -------- 004 MVS SYS1.PARMLIB ------ -------- 005 MVS ADCD.Z113.PARMLIB ------ -------- 006 MVS SYS1.IPLPARM ------ -------- 007 MVS PAUL.PARMLIB.TEST ------ -------- Row -Member- All Edt Brw Sub -----Freeform Text------ -----Last Updated----- --- -------- --- --- --- --- ------------------------ ---------------------- --None-- <> Dataset Based MVS Member Controls ------------------------------------------ Dsn zOS --------Category Dataset Concatenation-------------- Volume -System- --- --- ---------------------------------------------------- ------ -------- 001 MVS TEST.PARMLIB ------ -------- Row -Member- All Edt Brw Sub -----Freeform Text------ -----Last Updated----- --- -------- --- --- --- --- ------------------------ ---------------------- 001 PROG00 INC YES --- --- DOCUMENT_CHANGES 14/07/23_11:50_PROBI1 <> Controlled USS Categories and their Elements - Summary of All ------------- Num Ctl zOS -Category Names- Ctls Type -------------Element Name------------ --- --- --- ---------------- ---- ---- ------------------------------------- 001 --- USS OLDUSS.SERVICE ---- ROOT /ADCD113/ETC 002 ---- DIRS /SSH 003 ---- FILE /NOHUP.OUT 004 ---- FILE /SSH_CONFIG 005 ---- DIRS /SSH_HOST 006 ---- FILE /HOST_RSA_KEY.PUB 007 ---- FILE /SSHD.SH 008 YES USS NEWUSS.SERVICE IE-- ROOT /CDCD113/ETC 009 I-B- DIRS /SSH 010 ---- FILE /NOHUP.OUT 011 ---- FILE /SSH_CONFIG 012 ---- FILE /SSH_HOST_DSA_KEY.PUB 013 ---- FILE /SSH_HOST_RSA_KEY.PUB 014 ---- FILE /SSHD.SH 015 I-B- DIRS /DCE 016 ---- SUBD /HOME 017 ---- SUBD /DTS_NULL_PROVIDER 018 ---- FILE /SOME.FILE 019 ---- FILE /OTHER.FILES 020 ---- PATH /Z113 021 ---- SUBD /SAMPLES 022 ---- FILE /DIALCODES 023 ---- FILE /MAKEFILE 024 ---- FILE /PORTED_TOOLS_LICENSE.README 025 ---- PATH /BDCD113/ETC/DCE 026 ---- SUBD /HOME/DTS_NULL_PROVIDER 027 ---- FILE /MAYBE.FILE



USS Category Element Control Detail - NEWUSS.SERVICE ----------------------- Row /Element Ctl Edt Brw Exc -----Freeform Text------ -----Last Updated----- --- -------- --- --- --- --- ------------------------ ---------------------- 001 ROOT INC YES --- --- NO_COMMENT_FOUND NO_UPDATE_FOUND 002 DIRS INC --- YES --- NO_COMMENT_FOUND NO_UPDATE_FOUND <> External Security Manager (ESM) - Controlled Commands ---------------------- Row Control Commands -------Freeform Text--------- -------Last Updated------ --- ------- -------- ----------------------------- ------------------------- 001 INCLUDE DELGROUP DOCUMENT_COMMAND_ADDITION 2014/07/19_12:38_PROBI1 002 INCLUDE SETROPTS DOCUMENT_COMMAND_ADDITION 2014/07/23_12:15_PROBI1 /******************************************************************************/ /* */ /* IFO.TEST.$TCETEMP.REPORTS($ROLERD) */ /* */ /******************************************************************************/ NewEra Software, Inc. Our Job? Help you avoid problems and improve z/OS integrity. ******************************** Bottom of Data ********************************



7.8.2 Role Assignment Reports

The Role Assignment Report details User Name/Title, Assigned Roles, Control Mode, Access Window and Notification Status. Review the report content carefully and if need be use the Update Option provided to modify detail settings to best fit with current assignment practices. All updates are immediately available and will appear when Assignment Report is next shown. For changes to become effective return to Primary Menu, select Activate.

Role Assignment Report Selection TCE 8.0 - User Assignment Report Selection Row 1 to 6 of 6 --NSIMRBX 0627-- ---Active User--- ----------------------------- 6 Active User Record ---------------------------- Row Selections: Show_UserId_Assignment_Report Update_Current_UserId_Assignments --- Select Sub-Head to Sort, Query above Sub-Head, Enter Saves a Row Update --- - Line Role ---Access--- ------Users Name or Title------ -----Last Updated----- _ ____ ____ ________ ___ _______________________________ ______________________ S Numb TTLs -UserId- Act ---------Freeform Text--------- ---Date_Time_UserId--- _ 0001 0003 PROBI1 YES PAUL_R._ROBICHAUX 14/07/07_11:31_PROBI1 _ 0002 0002 PHARL1 YES SUPER_TECHNICAL_GURU 14/07/07_11:33_PROBI1 _ 0003 0003 MRCHIN YES OUR_SUPPLEMENTAL_TECH_MAN 14/07/07_11:34_PROBI1 _ 0004 0004 GORDON YES THE_ICE_WIZARD 14/07/07_11:34_PROBI1 _ 0005 0001 RICHARD YES TECHNICAL_REP_IN_TRAINING 14/07/07_11:34_PROBI1 _ 0006 0003 CHIN01 YES THE_OTHER_MR._CHIN 14/07/07_11:35_PROBI1 ******************************* Bottom of data ********************************

Sample Role Assignment Report /******************************************************************************/ /* */ /* TCE UserId "MRCHIN" Assignment Report */ /* */ /* Date:2014/07/24 - Time:16:45:32 - User:PROBI1 */ /* */ /******************************************************************************/ <> UserId - MRCHIN - Full Name and/or Job Title - OUR SUPPLEMENTAL TECH MAN --- User Active - YES - Last Update - 14/07/24 16:31 PROBI1 Assigned Roles - NETWRK,CICS01,VTAM01 >User Access Window - Description: Window is specific to - MRCHIN Control Mode - DENY - Last Update - 14/07/24 16:31 PROBI1 Start Date - 14/07/24 - Time - 16:30 - End Date - --/--/-- - Time - --:-- Window is:OPENED - At Date and Time of this Report <> Role - NETWRK - Descripiton - NETWORK MANAGEMENT TEAM ---------------------- Control MODE - DENY - Updated - 14/07/06 15:13 PROBI1 Users Assigned - PROBI1,PHARL1,MRCHIN,GORDON ****** >Role Access Window - Description - OPEN 30 DAY WINDOW FOR NETWRK TEAM Start Date - --/--/-- - Time - --:-- - End Date - --/--/-- - Time - --:-- Window is:INACTIVE - At Date and Time of this Report <> Controlled Categories, Datasets, Files and Commands Defined to - NETWRK ---- >MVS Category Name - SYSTEM.PARMLIB Row zOS --------Category Dataset Concatenation-------------- Volume -System- --- --- ---------------------------------------------------- ------ -------- 001 MVS TEST.PARMLIB ZDSYS1 ADCD113 002 MVS TEST.Z113.PARMLIB ZDRES1 ADCD113



003 MVS PLAY.PARMLIB ZDRES1 ADCD113 004 MVS USER.PARMLIB ZDSYS1 ADCD113 005 MVS ADCD.Z113.PARMLIB ZDRES1 ADCD113 006 MVS SYS1.PARMLIB ZDRES1 ADCD113 Row -Member- Ctl Edt Brw Sub -----Freeform Text------ -----Last Updated----- --- -------- --- --- --- --- ------------------------ ---------------------- 001 * INC --- YES --- NO_COMMENT_FOUND NO_UPDATE_FOUND >MVS Dataset Name - TEST.PARMLIB - VOLUME:------ - SYSTEM:-------- Row -Member- All Edt Brw Sub -----Freeform Text------ -----Last Updated----- --- -------- --- --- --- --- ------------------------ ---------------------- 001 PROG00 INC YES --- --- NO_COMMENT_FOUND NO_UPDATE_FOUND >USS Category Elements - NEWUSS.SERVICE Num Ctl zOS -Category Names- Ctls Type -------------Element Name------------ --- --- --- ---------------- ---- ---- ------------------------------------- 001 YES USS NEWUSS.SERVICE IE-- ROOT /CDCD113/ETC 002 I-B- DIRS /SSH 003 ---- FILE /NOHUP.OUT 004 ---- FILE /SSH_CONFIG 005 ---- FILE /SSH_HOST_DSA_KEY.PUB 006 ---- FILE /SSH_HOST_RSA_KEY.PUB 007 ---- FILE /SSHD.SH 008 I-B- DIRS /DCE 009 ---- SUBD /HOME 010 ---- SUBD /DTS_NULL_PROVIDER 011 ---- FILE /SOME.FILE 012 ---- FILE /OTHER.FILES 013 ---- PATH /Z113 014 ---- SUBD /SAMPLES 015 ---- FILE /DIALCODES 016 ---- FILE /MAKEFILE 017 ---- FILE /PORTED_TOOLS_LICENSE.README 018 ---- PATH /BDCD113/ETC/DCE 019 ---- SUBD /HOME/DTS_NULL_PROVIDER 020 ---- FILE /MAYBE.FILE >USS Category Element Controls - NEWUSS.SERVICE Row -/Level- Ctl Edt Brw Sub -----Freeform Text------ -----Last Updated----- --- -------- --- --- --- --- ------------------------ ---------------------- 001 ROOT INC YES --- --- NO_COMMENT_FOUND NO_UPDATE_FOUND 002 DIRS INC --- YES --- NO_COMMENT_FOUND NO_UPDATE_FOUND >Controlled Commands - External Security Manager (ESM) Row Control Commands -------Freeform Text--------- -------Last Updated------ --- ------- -------- ----------------------------- ------------------------- 001 INCLUDE DELGROUP DOCUMENT_COMMAND_ADDITION 2014/07/19_12:38_PROBI1 002 INCLUDE SETROPTS DOCUMENT_COMMAND_ADDITION 2014/07/23_12:15_PROBI1 <> Role - CICS01 - Descripiton - CICS APPLICATION DEVELOPMENT ----------------- Control MODE - DENY - Updated - 14/07/07 14:32 PROBI1 Users Assigned - PROBI1,RICHARD,MRCHIN,GORDON ****** >Role Access Window - Description - OPERATIONAL WINDOW FOR CICS TEAM Start Date - --/--/-- - Time - --:-- - End Date - --/--/-- - Time - --:-- Window is:INACTIVE - At Date and Time of this Report <> Controlled Categories, Datasets, Files and Commands Defined to - CICS01 ---- >MVS Category Name - SYSTEM.IPLPARM Row -Member- Ctl Edt Brw Sub -----Freeform Text------ -----Last Updated----- --- -------- --- --- --- --- ------------------------ ---------------------- 001 * INC YES YES YES NO_COMMENT_FOUND NO_UPDATE_FOUND >MVS Category Name - SYSTEM.PARMLIB



Row -Member- Ctl Edt Brw Sub -----Freeform Text------ -----Last Updated----- --- -------- --- --- --- --- ------------------------ ---------------------- 001 * INC YES YES YES NO_COMMENT_FOUND NO_UPDATE_FOUND 002 CLOCK* INC YES YES YES NO_COMMENT_FOUND NO_UPDATE_FOUND >MVS Dataset Name - PAUL.PARMLIB.TEST - VOLUME:------ - SYSTEM:-------- Row -Member- All Edt Brw Sub -----Freeform Text------ -----Last Updated----- --- -------- --- --- --- --- ------------------------ ---------------------- 001 IEASYS* INC YES --- --- NO_COMMENT_FOUND NO_UPDATE_FOUND >Controlled Commands - External Security Manager (ESM) Row Control Commands -------Freeform Text--------- -------Last Updated------ --- ------- -------- ----------------------------- ------------------------- 001 EXCLUDE ADDUSER COMMENT UPDATE 002 INCLUDE ALTGROUP COMMENT UPDATE 003 EXCLUDE DELGROUP DOCUMENT_COMMAND_ADDITION 2014/07/16_15:13_PROBI1 004 EXCLUDE ADDSD EXCLUDING_THIS_COMMAND 2014/07/17_09:48_PROBI1 005 INCLUDE RDELETE COMMENT UPDATE 006 EXCLUDE ADDGROUP 2014/07/16_15:12_PROBI1 2014/07/16_15:12_PROBI1 007 INCLUDE DELDSD DOCUMENT_RACFCMD_ADDITION 2014/07/19_08:26_PROBI1 <> Role - VTAM01 - Descripiton - VTAM SUPPORT AND APPLICATION ----------------- Control MODE - DENY - Updated - 14/07/07 14:32 PROBI1 Users Assigned - PROBI1,MRCHIN,GORDON ****** >Role Access Window - Description - --ADD VTAM01 COMMENT-- Start Date - --/--/-- - Time - --:-- - End Date - --/--/-- - Time - --:-- Window is:INACTIVE - At Date and Time of this Report <> Controlled Categories, Datasets, Files and Commands Defined to - VTAM01 ---- >MVS Category Name - SYSTEM.PARMLIB Row -Member- Ctl Edt Brw Sub -----Freeform Text------ -----Last Updated----- --- -------- --- --- --- --- ------------------------ ---------------------- 001 * INC --- --- YES NO_COMMENT_FOUND NO_UPDATE_FOUND 002 PROG00 EXC YES --- --- NO_COMMENT_FOUND NO_UPDATE_FOUND >Controlled Commands - External Security Manager (ESM) Row Control Commands -------Freeform Text--------- -------Last Updated------ --- ------- -------- ----------------------------- ------------------------- 001 INCLUDE LISTDSD DOCUMENT_COMMAND_ADDITION 2014/07/23_12:43_PROBI1 /******************************************************************************/ /* */ /* IFO.TEST.$TCETEMP.REPORTS($ROLERA) */ /* */ /******************************************************************************/ NewEra Software, Inc. Our Job? Help you avoid problems and improve z/OS integrity. ******************************** Bottom of Data ********************************



7.9 TCE/RBAC Configuration Monitors

TCE 8.0 - TCE/RBAC - Configuration Monitors D RoleDefs .. - Role Definition Monitor Interface Userid - PROBI1 Time - 08:11 A AsgnMent .. - Role Assignment Monitor Interface Sysplex - ADCDPL System - ADCD113 IFOhlq - TEST ICE 11.0 - TCE 8.0 Patch Level R08 X Exit - Return to the TCE Primary Menu NewEra Software, Inc. Our Job? Help you make repairs, avoid problems, and improve IPL integrity.

7.9.1 Role Definition Monitor

TCE 8.0 - TCE Monitor Interval Configuration /. TCERBACDEFS TCE/RBAC Definition Monitor_ .. Detail .. Report Inventory /. Day - Set Time 02 : 00 and Interval 1_ __(Specify One Interval) hh : mm Values 1|2|3|4|6|8|12 .. Wks - Set Time __ : __ and Interval ___________________________ hh : mm Values SUN,MON,TUE,WED,THR,FRI,SAT .. Mth - Set Time __ : __ and Interval ___________________________ hh : mm Values 1,2,3,10,15,20,25,EOM /. EMAILREPORT Subject: TCE/RBAC_DEFINITION_CHANGES______________________ /. 1-To [email protected]______________________________________________ /. 2-To [email protected]______________________________________________ .. From ____________________________________________________________ /. AltHLQ IFO.TEST_____________ /. JrlPost OK /. CngOnly OK /. Retain _10 .. Notice Method Yes .. Monitor PROC TESTDET_ .. Notice Active Off Option ===>



7.9.2 Role Assignment Monitor

TCE 8.0 – TCE/RBAC Monitor Interval Configuration /. TCERBACASGN TCE/RBAC Assignment Monitor_ /. Detail .. Report Inventory /. Day - Set Time 04 : 00 and Interval 1_ __(Specify One Interval) hh : mm Values 1|2|3|4|6|8|12 .. Wks - Set Time __ : __ and Interval ___________________________ hh : mm Values SUN,MON,TUE,WED,THR,FRI,SAT .. Mth - Set Time __ : __ and Interval ___________________________ hh : mm Values 1,2,3,10,15,20,25,EOM /. EMAILREPORT Subject: TCE/RBAC_ASSIGNMENT_CHANGES______________________ /. 1-To [email protected]______________________________________________ /. 2-To [email protected]______________________________________________ .. From ____________________________________________________________ .. AltHLQ IFO.TEST_____________ .. JrlPost NO .. CngOnly NO .. Retain _10 .. Notice Method Yes .. Monitor PROC TESTDET_ .. Notice Active Off Option ===>



7.10 The Potential of TCE/RBAC Functions Role Based Access Control (RBAC) can be used to reinforce and add depth to the resource control boundaries established and enforced by the External Security Manager (ESM). RBAC should be viewed as a Managerial Control Process that conveys access privileges to system resources that best fit those actually required by users in the normal course of performing assigned duties. The diagrams shown below are intended to illustrate the relationship between the ESM and the functions of TCE/RBAC that can be used to enhance and reinforce its control boundaries.

7.10.1 Legacy Perimeters Boundaries

This diagram illustrates the relationship between Legacy Perimeter Boundaries and system users. In this example, users (Mary Sue, Rick, Tommy, Andrew and Bonnie) are assigned Access Credentials – UserId and Password/Passphrase -‐ that are known to, and controlled by, the ESM. These Credentials, which are hopefully not stolen or otherwise lent, provide each user with Admin-‐level access to system resources such as System z PARMs – z/OS ParmLib, The UNIX Configuration Directory /etc, and Group Special RACF Commands.



7.10.2 TCE Role Definition – Name and Description

Using TCE/RBAC, System Resources -‐ System z PARMs -‐ z/OS ParmLib, The UNIX Configuration Directory /etc, and Group Special RACF Commands -‐ can be easily defined to a Named Role with specific Access Rights. Under TCE/RBAC, a Named Role can permit or restrict rights to Update, Browse, Submit and Execute functions. In the example below, access to System Resources is controlled by the Named Roles -‐ VTAM, PROG, and NET – by creating a Supplemental Access List enforced by TCE/RBAC.

7.10.3 TCE Resources Defined to a Role

The result of the Role Definition Process is illustrated below using the ‘PROG’ Role. In this case, Resources from all three Resource Classes -‐ z/OS ParmLib, The UNIX Configuration Directory /etc, and Group Special RACF Commands – are grouped, together each with its own specific Access Privileges.



7.10.4 TCE User Assignment to a Role

The resulting collection of Resources, and related Privileges form a Role Definition that may be assigned to one or more users. In this example, Mary Sue and Harry are being assigned to the ‘PROG’ role. It is important to note that, regardless of ESM Policy, Mary Sue and Harry will not be able to access resources outside this boundary nor will any other user be allowed to access any resource within the original ESM.

As a user’s duties change, additional Access Rights may be assigned. A user may be defined within multiple roles, or an existing role definition may be updated to include/exclude other TCE/RBAC Controlled Resources.



8 Defining – ICE User Access Administration & Logging The Image Control Environment (ICE) offers users a unique set of system inspection, system reporting, and background processing features. However, some features may not be useful or advisable for all ICE users. The ‘ICEAdmin’ Option, added to the Definitions/Migration/Control Aids Option Selection Panel, will help in creating custom user interfaces that provide only the functions ICE users require. Panel-‐Specific Help is available by pressing PFK1.

Definitions/Migration/Control Aids IFO 11.0 - Definitions/Migration/Control Aids C CustDefs .. - Define Custom Inspectors/Apps Userid - PROBI1 Time - 09:32 M Migrates .. - Migrate Definitions & Settings Sysplex - ADCDPL System - ADCD113 I ICEAdmin .. - Set Admin/User Access Controls IFOhlq - TEST Image Focus 11.0 Patch Level P5 X Exit - Return to the TCE Primary Menu NewEra Software, Inc. Our Job? Help you make repairs, avoid problems, and improve IPL integrity.

8.1 CustDefs and Migrates The Custom Definition and Migrations Aid functions remain unchanged with the exception that the Primary and Support Panels now include Help Panels, some of which are yet to be fully populated.

8.2 ICEAdmin – User Access Controls In addition to the many Panel and Functional Enhancements, this release also introduces the ICE Application Control and Logging Features. Entering the Production View for the first time under this release, the following Pop-‐Up message will appear.

◊—————————————————————————————————————————————————————————————————————◊ ◊ IFO 11.0 - ICE Dialog Access - WARN Mode ◊ ◊ ◊ ◊ Temporary Access to this ICE Dialog Services Granted. ◊ ◊—————————————————————————————————————————————————————————————————————◊



This message is intended to notify ICE users of their level of Application Access and the Control Mode under which their access is being granted – DENY|WARN|NONE. By default, all users are allowed access to ALL ICE Applications as Control Mode, by default, is set to ‘WARN’. The functional options accessed from the ICE Administrator/User Controls Panel are used to control/modify settings, name ICE Administrators, establish Global Control Mode, define user Application Access Rights and review user Application usage. Panel-‐Specific Help is available by pressing PFK1.

ICE Administrator/User Controls: IFO 11.0 - ICE Administrator/User Controls I SetAdmin .. - Authorize ICE Administrators Userid - PROBI1 Time - 09:43 P Padlocks .. - Global Padlock Access Controls Sysplex - ADCDPL System - ADCD113 U UserMode .. - ICE User/Application Controls IFOhlq - TEST Image Focus 11.0 L UserLogs .. - ICE User/Application Audit Log Patch Level P5 A Activate .. - Dynamically Activate Controls X Exit - Return to the TCE Primary Menu NewEra Software, Inc. Our Job? Help you make repairs, avoid problems, and improve IPL integrity. Option ===>

Of the available options, the first two – SetAdmin and Padlocks – are used to define ICE Environment Global Settings. The next two options – UserMode and UserLogs – are ICE user Specific. The final option – Activate – is used to dynamically activate any changes/updates to ICE Application Control settings.



8.2.1 SetAdmin – Naming the ICE Administrator

Optionally, ICE Administrators may be defined in this panel by entering their TSOUserId. By Default, All named ICE Administrators are granted unrestricted access to All ICE Applications. The Primary and Supplemental classifications differ only in that the Primary Administrator is the ONLY Administrator allowed to Dynamically Update ICE Control Settings. Upon entry into the panel, the current Administrators are shown in both the left and right columns. To update or add an Administrator, over type or type the TSOUserId into the Updated Definition field. Selecting a field using the ‘/’ Row Command and pressing enter will display field specific help. Panel-‐Specific Help is available by pressing PFK1. ICE Administrator Assignments TCE 8.0 - ICE Administrator Assignments --------ICE Controlled Target-------- ---JRNxx--- ------Last Update------ L ADCD113 IFO.TEST.PARMLIB 00 00 Yes 26 -------- --/--/-- --:-- P --LPAR-- ---ParmDsn Qualifier--- Sf Sf Act Ctls -UserId- yy/mm/dd hh:mm -------------------------ICE Administrators-------------------------- ----Current Definition---- Cm --Primary User-- Cm ----Updated Definition---- PROBI2 .. ICE Primary Admn .. PROBI2 -------------------------- -- --Supplemental-- -- -------------------------- PHARL2 .. Assigns Admin 01 .. PHARL2 .. Assigns Admin 02 .. .. Assigns Admin 03 .. .. Assigns Admin 04 .. .. Assigns Admin 05 .. .. Assigns Admin 06 .. Note: The Primary ICE Adminstrator Cannot be Dynamically Updated. Option ===>

Administrator Settings are found in the NSEJRNxx Configuration Member.



8.2.2 Padlocks – Setting the Global Padlock

This panel displays the current Padlock Global and Boundary Settings. To change the Padlock Access Control Settings, cursor under – Deny|Warm|None – and press enter. To activate – ON – or deactivate – OFF – a control Boundary, cursor under the value shown in the left column and press enter. This action will toggle the value between ON and OFF. Selecting a field using the ‘/’ Row Command will display field specific help. Panel-‐Specific Help is available by pressing PFK1. Padlock Access Control Features TCE 8.0 – Padlock Access Control Features --------TCE Controlled Target-------- ---JRNxx--- ------Last Update------ L ADCD113 IFO.TEST.PARMLIB 00 00 Yes 26 -------- --/--/-- --:-- P –LPAR-- ---ParmDsn Qualifier--- Sf Sf Act Ctls –UserId- yy/mm/dd hh:mm -----------------------Padlock Access Controls----------------------- TCE Padlock Mode of Controlling Access: .. Deny /. Warn .. None Mode – WARN – Users without Padlock Access Rights Warned of Denials. ----Current Definition---- Cm ---Boundaries--- Cm ----Updated Definition---- ON .. Control Category .. ON ON .. Control Datasets .. ON OFF .. Control Commands .. OFF OFF .. Control WrkGroup .. OFF OFF .. Control Projects .. OFF ON .. Control IFOUsers .. ON .. CatRules .. DsnRules .. CmdRules .. WgpRules .. PjtRules .. AidRules Option =!

The Settings in this panel are ‘Global’, meaning that they are shared between all ICE Applications. If you specifically want to activate/deactivate Image FOCUS Application Control, update just the IFOUsers Control Boundary.

Boundary Control Settings are found in the NSEJRNxx Configuration Member.



8.2.3 UserMode – ICE Application Access Rights

If the IFOUsers Boundary Control is set to ‘ON’, All ICE Users with the exception of ICE Primary or Supplemental Administrators, will fall within the ICE Application Control Boundary -‐ under the defined MODE of Global Padlock Control – DENY, WARN, NONE. In this state, all ICE Users – Except Administrators – are treated – Denied or Warned – equally. Using the Row Commands provided in the Worksheet shown below, you can override the Global or Custom Application Settings on a User-‐by-‐User basis, building application sets that are specific to a user’s role within the organization. Panel-‐Specific Help is available by pressing PFK1. ICE Application User Access Rules TCE 8.0 - ICE Application User Access Rules Row 1 to 1 of 1 --NSIMSLX 0602-- -ICEAccess Rules- ---------------------- 1 Controlled Application AccessId ---------------------- Row Selections: Add_User_Rule Deletes_User Rule Copy_User_Rule Update_User_Rule --- Select Sub-Head to Sort, Query above Sub-Head, Enter Saves a Row Update --- - Row -------User State------- ---Start--- ---Stops--- --User Record Comments-- _ ___ ________ _____ ____ ____ ______ ____ ______ ____ ________________________ S Num -UserId- Admin Apps Mode yymmdd hhmm yymmdd hhmm ------Freeform Text----- _ 001 PROBI1 ----- PROD WARN ------ ---- ------ ---- 14/07/01 09:40 PROBI1 _ 002 PHARL1 ----- WORK WARN ------ ---- ------ ---- 14/07/01 09:40 PROBI1 _ 003 GBAGS1 ----- DEFS WARN ------ ---- ------ ---- 14/07/01 09:40 PROBI1 _ 004 MCHIN1 ----- CNTL WARN ------ ---- ------ ---- 14/07/01 09:40 PROBI1 _ 005 MCHIN1 ----- WORK WARN ------ ---- ------ ---- 14/07/01 09:40 PROBI1 _ 006 MCHIN1 ----- PROD WARN ------ ---- ------ ---- 14/07/01 09:40 PROBI1 _ 007 MCHIN1 ----- DEFS WARN ------ ---- ------ ---- 14/07/01 09:40 PROBI1 ******************************* Bottom of data ********************************

8.2.3.1 Adding User Access Privileges

To define a user’s ‘Access Rights’ with respect to a ‘Single ICE Application’, place ‘A’ on any Row Command Entry-‐Point and press enter. This action will display the ‘Adding ICE User Access Rules’ Pop-‐Up. Panel-‐Specific Help is available by pressing PFK1.

◊—————————————————————————————————————————————————————————————————————◊ ◊ TCE 8.0 - Adding ICE User Access Rules ◊ ◊ IFO - Select Application ◊ ◊ --User-- -----Application Access Rule----- ----FreeForm Comment---- ◊ ◊ ---Id--- --Rules-- ---Start--- ---Stops--- ----------Text---------- ◊ ◊ -------- Prod Mode yymmdd hhmm yymmdd hhmm ------------------------ ◊ ◊ -USERID- ---- ---- ------ ---- ------ ---- 14/07/02_11:27_PROBI1 ◊ ◊—————————————————————————————————————————————————————————————————————◊

With this release of ICE, five ICE Applications are Controlled. They include:

• PROD – The Image FOCUS Production View • WORK – The Image FOCUS Workbench View



• DEFS – ICE Environment Definitions and Controls • CNTL – Access to The Control Editor Configuration Dialogs • ADMN – ICE System Administration Dialogs

Any user may be given access to one or all of these ICE Applications, but only one application may be added at a time. To complete and save a new or updated Rule Definition, return to the prior panel and reselect ‘Add New‘. Specify ‘****’ as the Product Name to denote – access or restrictions – to all possible controlled ICE Applications in a single entry.

8.2.3.2 USERMODE To override the Default or Custom Global Padlock MODE – DENY, WARN, NONE – enter the desired MODE. If the Global MODE is set to ‘DENY’, but the USERMODE is set to ‘WARN’, the user will be given access to the Named Application – PROD, WORK, DEFS, CNTL, ADMN – however, the user will receive a Pop-‐Up Warning when accessing the Application. MODE assignments are Application/UserId specific.

8.2.3.3 Access Window Each User may be assigned to an optional ‘Access Window’. If an ‘Access Window’ is assigned, it will applied on an Application/UserId basis.



8.2.4 UserLogs – Access/Display User Activity

ICE Application Users -‐ Summary IFO 11.0 - ICE Application Users - Summary Row 1 to 7 of 7 --NSIMILX 0621-- --ICEApps Users-- ---------------- Environment is IFO.TEST - 4 Application Users ---------------- Row Selections: Shows_ICEUser_Timeline_Report Display_Application_User_Timeline - Row -----Application Last Used----- Bkg Your ---------Period to Date--------- S Num -UserId- ----Date-Time-Last---- Set News Days Week Mths Qtrs Years Totals _ 001 PROBI1 14/07/02-11:27--ADMN-- --- 0 13 37 37 246 246 246 _ 002 PHARL3 14/06/18-07:50--ADMN-- --- 0 0 0 0 4 4 4 _ 003 PHARL2 14/06/17-17:22--ADMN-- --- 0 0 0 0 4 4 4 _ 004 RFAUL2 14/06/13-14:41--PROD-- --- 0 0 0 0 23 23 23 _ 005 -------- ---------------------- --- ---- ---- ---- ---- ---- ----- ------ _ 006 Total All_Application_Access --- 0 13 37 37 277 277 277 _ 007 ======== ====================== === ==== ==== ==== ==== ==== ===== ====== ******************************* Bottom of data ********************************

Application User Timeline Report /******************************************************************************/ /* */ /* ICEUserId "PHARL3" Application Usage - Timeline Detail */ /* */ /* Date:2014/07/06 - Time:10:17:41 - User:PROBI1 */ /* */ /******************************************************************************/ Rows --Access Control-- -Access Attempts- -GblRules- ----UserApp Specific---- Numb -UserId- Apps Mode yy/mm/dd hh:mm:ss Admin Mode Ctl Mode Window yy/mm/dd ---- -------- ---- ---- -------- -------- ----- ---- --- ---- ------ -------- 0001 PHARL3 WORK WARN 14/07/03 15:07:59 ----- WARN NOP ---- ------ -------- 0002 PHARL3 CTLS WARN 14/07/03 15:06:14 ----- WARN NOP ---- ------ -------- 0003 PHARL3 CTLS WARN 14/07/03 15:05:53 ----- WARN NOP ---- ------ -------- 0004 PHARL3 CTLS WARN 14/07/03 14:25:35 ----- WARN NOP ---- ------ -------- 0005 PHARL3 ADMN WARN 14/06/18 07:50:21 ----- WARN NOP ---- ------ -------- 0006 PHARL3 DEFS WARN 14/06/18 07:50:06 ----- WARN NOP ---- ------ -------- 0007 PHARL3 ADMN WARN 14/06/18 07:47:48 ----- WARN NOP ---- ------ -------- 0008 PHARL3 DEFS WARN 14/06/18 07:47:36 ----- WARN NOP ---- ------ -------- Command ===> Scroll ===> PAGE



Application User Timeline Worksheet TCE 8.0 - ICE User Application Audit Log Row 29 to 42 of 246 --NSIMILX 0621-- --ICE Audit Log-- ---------------------- 246 Application Audit Log Records ---------------------- Row Selections: Show_Application_Access --- Select Sub-Head to Sort, Query above Sub-Head, Enter Saves a Row Update --- - Rows --Access Control-- -Access Attempts- -GblRules- ----UserApp Specific---- _ ____ ________ ____ ____ ________ ________ _____ ____ ___ ____ ______ ________ S Numb -UserId- Apps Mode yy/mm/dd hh:mm:ss Admin Mode Ctl Mode Window yy/mm/dd _ 0029 PROBI1 CTLS DENY 14/07/01 09:38:45 ----- DENY NOP ---- ------ -------- _ 0030 PROBI1 DEFS DENY 14/07/01 09:38:32 ----- DENY NOP ---- ------ -------- _ 0031 PROBI1 DEFS DENY 14/07/01 09:38:19 ----- DENY NOP ---- ------ -------- _ 0032 PROBI1 PROD DENY 14/07/01 09:38:12 ----- DENY NOP ---- ------ -------- _ 0033 PROBI1 ADMN NONE 14/07/01 09:37:26 PRIME DENY NOP ---- ------ -------- _ 0034 PROBI1 DEFS NONE 14/07/01 09:37:21 PRIME DENY NOP ---- ------ -------- _ 0035 PROBI1 ADMN NONE 14/07/01 08:08:01 PRIME DENY NOP ---- ------ -------- _ 0036 PROBI1 DEFS NONE 14/07/01 08:07:56 PRIME DENY NOP ---- ------ -------- _ 0037 PROBI1 PROD NONE 14/07/01 08:07:45 PRIME DENY NOP ---- ------ -------- _ 0038 PROBI1 CTLS NONE 14/06/30 13:45:48 PRIME DENY NOP ---- ------ -------- _ 0039 PROBI1 CTLS NONE 14/06/30 13:43:45 PRIME DENY NOP ---- ------ -------- _ 0040 PROBI1 CTLS NONE 14/06/30 13:21:25 PRIME DENY NOP ---- ------ -------- _ 0041 PROBI1 CTLS NONE 14/06/30 13:14:14 PRIME DENY NOP ---- ------ -------- _ 0042 PROBI1 CTLS NONE 14/06/30 12:54:20 PRIME DENY NOP ---- ------ -------- Option ===> Scroll ===> CSR

8.2.5 Activate – Activate Control Updates

All IFO User Control settings MUST be activated using this dynamic update option before they become effective.



9 Appendix – Sample Batch Procedures

9.1 IFOBAT PROC

//*----------------------------------------------------* 00000100 //* NEWERA IMAGE FOCUS ENVIRONMENT * 00000200 //* BATCH IMAGE FOCUS PROCEDURE * 00000300 //* * 00000400 //* IMAGE FOCUS * 00000500 //* * 00000600 //* NSSPRFX - PREFIX FOR IMAGE FOCUS DATASETS * 00000700 //* SPFPRFX - PREFIX FOR IBM ISPF/PDF DATASETS * 00000800 //* PRM - SUFFIX FOR NSEPRMXX MEMBER * 00000900 //* * 00001000 //* * 00001100 //*----------------------------------------------------* 00001200 //* 00001300 //IFOBATS PROC NSSPRFX='IFO', 00001400 // SPFPRFX='ISP', 00001500 // PRM='00', 00001600 // IPLU='*', IPL UNIT ADDRESS (4 CHARS; REQUIRED) 00001700 // LPRM='*', LOADPARM (1 - 8 CHARS; OPTIONAL) 00001800 // HWN='*', HARDWARE NAME (1 - 8 CHARS; OPTIONAL) 00001900 // LPN='*', LPAR NAME (1 - 8 CHARS; OPTIONAL) 00002000 // VMN='*', VM USERID (1 - 8 CHARS; OPTIONAL) 00002100 // MDP=Y, MEMBER DISPLAY (Y OR N ; OPTIONAL) 00002200 // RLV=1, REPORT LEVEL (1,2,3, OR 4; OPTIONAL) 00002300 // ADDC=, ADD'L COMMNDXX (2 CHARS; OPTIONAL) 00002400 // DSR=Y, DATASET REPORT (Y OR N ; OPTIONAL) 00002500 // CAT=, SYSCAT SUFFIX (0, 2 CHARS; OPTIONAL) 00002600 // SYS=, IEASYS SUFFIX (0, 2 CHARS; OPTIONAL) 00002700 // IHLQ=, IPLPARM HLQ (1 - 8 CHARS; OPTIONAL) 00002800 // PKG=N, PACKAGE CREATE (Y OR N ; OPTIONAL) 00002900 // RLS=, RELEASE LEVEL (3 DIGITS ; OPTIONAL) 00003000 // CHG=N DYNAMIC CHANGE (Y OR N ; OPTIONAL) 00003100 //* 00003200 //IEFPROC EXEC PGM=NSIBBAT, 00003300 // PARM='ISPSTART CMD(%IFBGBATS &PRM,&IPLU,&LPRM,&HWN,&LPN,&VMN,&MDP, 00003400 // &RLV,&ADDC,&DSR,&CAT,&SYS,&IHLQ,&PKG,&RLS,&CHG)', 00003500 // DYNAMNBR=600, 00003600 // REGION=40M 00003700 //STEPLIB DD DSN=&NSSPRFX..LOAD,DISP=SHR 00003800 //*---------------------------------------------------------------* 00003900 //* 00004000 //* SETUP INSPECTION REPORT LOG BY UNCOMMENTING ONLY ONE BELOW 00004100 //* 00004200 //* 00004300 //*RPT SET RDSN='DUMMY,',SELECT=SYSOUT /* USE SYSOUT */ 00004400 //RPT SET RDSN=,SELECT=LOG /* USE PREALLOCATED DATASET*/ 00004500 //*---------------------------------------------------------------* 00004600 //* 00004700 //REPORT DD DDNAME=R&SELECT 00004800 //RSYSOUT DD SYSOUT=A,HOLD=YES 00004900 //RLOG DD &RDSN.DISP=SHR,DSN=&NSSPRFX..IFOBATS.&SYSNAME..LOG 00005000 //* 00005100 //NSEPARM DD DSN=&NSSPRFX..PARMLIB,DISP=SHR 00005200 //ISPPROF DD SPACE=(TRK,(5,5,5)),UNIT=SYSDA, 00005300 // BLKSIZE=3120,LRECL=80,RECFM=FB 00005400 //ISPTABL DD SPACE=(TRK,(5,5,5)),UNIT=SYSDA, 00005500 // BLKSIZE=3120,LRECL=80,RECFM=FB 00005600 //SYSPROC DD DISP=SHR,DSN=&NSSPRFX..SISPCLIB 00005700 // DD DISP=SHR,DSN=&SPFPRFX..SISPCLIB ISPF 00005800 //SYSEXEC DD DISP=SHR,DSN=&SPFPRFX..SISPEXEC ISPF 00005900 //ISPMLIB DD DISP=SHR,DSN=&NSSPRFX..SISPMENU 00006000 // DD DISP=SHR,DSN=&SPFPRFX..SISPMENU ISPF 00006100



//ISPEXEC DD DISP=SHR,DSN=&SPFPRFX..SISPEXEC ISPF 00006200 //ISPPLIB DD DISP=SHR,DSN=&NSSPRFX..SISPPENU 00006300 // DD DISP=SHR,DSN=&SPFPRFX..SISPPENU ISPF 00006400 //ISPSLIB DD DISP=SHR,DSN=&SPFPRFX..SISPSENU ISPF 00006500 // DD DISP=SHR,DSN=&SPFPRFX..SISPSLIB ISPF 00006600 //ISPTLIB DD DISP=SHR,DSN=&SPFPRFX..SISPTENU ISPF 00006700 //SYSTSIN DD DUMMY 00006800 //SYSTSPRT DD SYSOUT=A,HOLD=YES 00006900 //SYSUDUMP DD SYSOUT=A,HOLD=YES 00007000 //ISPLOG DD SYSOUT=A,HOLD=YES, 00007100 // BLKSIZE=129,LRECL=125,RECFM=VA 00007200 //NSETABL DD DISP=SHR,DSN=&NSSPRFX..SISPTABB 00007300 //NSEPWORK DD UNIT=SYSDA,SPACE=(CYL,(5,1)) 00007400 //NSEPWRK2 DD UNIT=SYSDA,SPACE=(CYL,(5,1)) 00007500

9.2 IFOBATA PROC

//*----------------------------------------------------* 00000100 //* NEWERA IMAGE FOCUS ENVIRONMENT * 00000200 //* BATCH IMAGE FOCUS PROCEDURE * 00000300 //* * 00000400 //* IMAGE FOCUS * 00000500 //* * 00000600 //* NSSPRFX - PREFIX FOR IMAGE FOCUS DATASETS * 00000700 //* SPFPRFX - PREFIX FOR IBM ISPF/PDF DATASETS * 00000800 //* PRM - SUFFIX FOR NSEPRMXX MEMBER * 00000900 //* * 00001000 //* * 00001100 //*----------------------------------------------------* 00001200 //* 00001300 //IFOBATA PROC NSSPRFX='IFO', 00001400 // SPFPRFX='ISP', 00001500 // PRM='00', 00001600 // IPLU='*', IPL UNIT ADDRESS (4 CHARS; REQUIRED) 00001700 // LPRM='*', LOADPARM (1 - 8 CHARS; OPTIONAL) 00001800 // HWN='*', HARDWARE NAME (1 - 8 CHARS; OPTIONAL) 00001900 // LPN='*', LPAR NAME (1 - 8 CHARS; OPTIONAL) 00002000 // VMN='*', VM USERID (1 - 8 CHARS; OPTIONAL) 00002100 // MDP=Y, MEMBER DISPLAY (Y OR N ; OPTIONAL) 00002200 // RLV=1, REPORT LEVEL (1,2,3, OR 4; OPTIONAL) 00002300 // ADDC=IF, ADD'L COMMNDXX (2 CHARS; OPTIONAL) 00002400 // DSR=Y, DATASET REPORT (Y OR N ; OPTIONAL) 00002500 // JX=Y, INSPECT JES2/3 (Y ON N ; OPTIONAL) 00002600 // CI=Y, INSPECT CICS (Y ON N ; OPTIONAL) 00002700 // VT=Y, INSPECT VTAM (Y ON N ; OPTIONAL) 00002800 // TC=Y, INSPECT TCPIP (Y ON N ; OPTIONAL) 00002900 // U0=N, INSPECT LOAD (Y ON N ; OPTIONAL) 00003000 // IHLQ=, IPLPARM HLQ (1 - 8 CHARS; OPTIONAL) 00003100 // PKG=N, PACKAGE CREATE (Y OR N ; OPTIONAL) 00003200 // RLS=, RELEASE LEVEL (3 DIGITS ; OPTIONAL) 00003300 // CHG=N DYNAMIC CHANGE (Y OR N ; OPTIONAL) 00003400 //* 00003500 //IEFPROC EXEC PGM=NSIBBAT, 00003600 // PARM='ISPSTART CMD(%IFBGBATA &PRM,&IPLU,&LPRM,&HWN,&LPN,&VMN, 00003700 // &MDP,&RLV,&ADDC,&DSR,&JX,&CI,&VT,&TC,&U0,&IHLQ,&PKG, 00003800 // &RLS,&CHG)', 00003900 // DYNAMNBR=600, 00004000 // REGION=40M 00004100 //STEPLIB DD DSN=&NSSPRFX..LOAD,DISP=SHR 00004200 //*---------------------------------------------------------------* 00004300 //* 00004400 //* SETUP INSPECTION REPORT LOG BY UNCOMMENTING ONLY ONE BELOW 00004500 //* 00004600 //* 00004700 //*RPT SET RDSN='DUMMY,',SELECT=SYSOUT /* USE SYSOUT */ 00004800 //RPT SET RDSN=,SELECT=LOG /* USE PREALLOCATED DATASET*/ 00004900



//*---------------------------------------------------------------* 00005000 //* 00005100 //REPORT DD DDNAME=R&SELECT 00005200 //RSYSOUT DD SYSOUT=A,HOLD=YES 00005300 //RLOG DD &RDSN.DISP=SHR,DSN=&NSSPRFX..IFOBATA.&SYSNAME..LOG 00005400 //* 00005500 //NSEPARM DD DSN=&NSSPRFX..PARMLIB,DISP=SHR 00005600 //NSEULIB DD DSN=&NSSPRFX..USERLIB,DISP=SHR 00005700 //ISPPROF DD SPACE=(TRK,(5,5,5)),UNIT=SYSDA, 00005800 // BLKSIZE=3120,LRECL=80,RECFM=FB 00005900 //ISPTABL DD SPACE=(TRK,(5,5,5)),UNIT=SYSDA, 00006000 // BLKSIZE=3120,LRECL=80,RECFM=FB 00006100 //SYSPROC DD DISP=SHR,DSN=&NSSPRFX..SISPCLIB 00006200 // DD DISP=SHR,DSN=&SPFPRFX..SISPCLIB ISPF 00006300 //SYSEXEC DD DISP=SHR,DSN=&SPFPRFX..SISPEXEC ISPF 00006400 //ISPMLIB DD DISP=SHR,DSN=&NSSPRFX..SISPMENU 00006500 // DD DISP=SHR,DSN=&SPFPRFX..SISPMENU ISPF 00006600 //ISPEXEC DD DISP=SHR,DSN=&SPFPRFX..SISPEXEC ISPF 00006700 //ISPPLIB DD DISP=SHR,DSN=&NSSPRFX..SISPPENU 00006800 // DD DISP=SHR,DSN=&SPFPRFX..SISPPENU ISPF 00006900 //ISPSLIB DD DISP=SHR,DSN=&SPFPRFX..SISPSENU ISPF 00007000 // DD DISP=SHR,DSN=&SPFPRFX..SISPSLIB ISPF 00007100 //ISPTLIB DD DISP=SHR,DSN=&SPFPRFX..SISPTENU ISPF 00007200 //SYSTSIN DD DUMMY 00007300 //SYSTSPRT DD SYSOUT=A,HOLD=YES 00007400 //SYSUDUMP DD SYSOUT=A,HOLD=YES 00007500 //ISPLOG DD SYSOUT=A,HOLD=YES, 00007600 // BLKSIZE=129,LRECL=125,RECFM=VA 00007700 //NSETABL DD DISP=SHR,DSN=&NSSPRFX..SISPTABB 00007800 //NSEPWORK DD UNIT=SYSDA,SPACE=(CYL,(5,1)) 00007900 //NSEPWRK2 DD UNIT=SYSDA,SPACE=(CYL,(5,1)) 00008000

9.3 IFOBATS PROC

//*----------------------------------------------------* 00000100 //* NEWERA IMAGE FOCUS ENVIRONMENT * 00000200 //* BATCH IMAGE FOCUS PROCEDURE * 00000300 //* * 00000400 //* IMAGE FOCUS * 00000500 //* * 00000600 //* NSSPRFX - PREFIX FOR IMAGE FOCUS DATASETS * 00000700 //* SPFPRFX - PREFIX FOR IBM ISPF/PDF DATASETS * 00000800 //* PRM - SUFFIX FOR NSEPRMXX MEMBER * 00000900 //* * 00001000 //* * 00001100 //*----------------------------------------------------* 00001200 //* 00001300 //IFOBAT PROC NSSPRFX='IFO', 00001400 // SPFPRFX='ISP', 00001500 // PRM='00', 00001600 // IPLU='*', IPL UNIT ADDRESS (4 CHARS; REQUIRED) 00001700 // LPRM='*', LOADPARM (1 - 8 CHARS; OPTIONAL) 00001800 // HWN='*', HARDWARE NAME (1 - 8 CHARS; OPTIONAL) 00001900 // LPN='*', LPAR NAME (1 - 8 CHARS; OPTIONAL) 00002000 // VMN='*', VM USERID (1 - 8 CHARS; OPTIONAL) 00002100 // MDP=Y, MEMBER DISPLAY (Y OR N ; OPTIONAL) 00002200 // RLV=1, REPORT LEVEL (1,2,3, OR 4; OPTIONAL) 00002300 // ADDC=, ADD'L COMMNDXX (2 CHARS; OPTIONAL) 00002400 // DSR=Y, DATASET REPORT (Y OR N ; OPTIONAL) 00002500 // IHLQ=, IPLPARM HLQ (1 - 8 CHARS; OPTIONAL) 00002600 // PKG=N PACKAGE CREATE (Y OR N ; OPTIONAL) 00002700 //* 00002800 //IEFPROC EXEC PGM=NSIBBAT, 00002900 // PARM='ISPSTART CMD(%IFBGBAT &PRM,&IPLU,&LPRM,&HWN,&LPN,&VMN,&MDP, 00003000 // &RLV,&ADDC,&DSR,&IHLQ,&PKG)', 00003100 // DYNAMNBR=600, 00003200 // REGION=40M 00003300



//STEPLIB DD DSN=&NSSPRFX..LOAD,DISP=SHR 00003400 //*---------------------------------------------------------------* 00003500 //* 00003600 //* SETUP INSPECTION REPORT LOG BY UNCOMMENTING ONLY ONE BELOW 00003700 //* 00003800 //* 00003900 //*RPT SET RDSN='DUMMY,',SELECT=SYSOUT /* USE SYSOUT */ 00004000 //RPT SET RDSN=,SELECT=LOG /* USE PREALLOCATED DATASET*/ 00004100 //*---------------------------------------------------------------* 00004200 //* 00004300 //REPORT DD DDNAME=R&SELECT 00004400 //RSYSOUT DD SYSOUT=A,HOLD=YES 00004500 //RLOG DD &RDSN.DISP=SHR,DSN=&NSSPRFX..IFOBAT.&SYSNAME..LOG 00004600 //* 00004700 //NSEPARM DD DSN=&NSSPRFX..PARMLIB,DISP=SHR 00004800 //ISPPROF DD SPACE=(TRK,(5,5,5)),UNIT=SYSDA, 00004900 // BLKSIZE=3120,LRECL=80,RECFM=FB 00005000 //ISPTABL DD SPACE=(TRK,(5,5,5)),UNIT=SYSDA, 00005100 // BLKSIZE=3120,LRECL=80,RECFM=FB 00005200 //SYSPROC DD DISP=SHR,DSN=&NSSPRFX..SISPCLIB 00005300 // DD DISP=SHR,DSN=&SPFPRFX..SISPCLIB ISPF 00005400 //SYSEXEC DD DISP=SHR,DSN=&SPFPRFX..SISPEXEC ISPF 00005500 //ISPMLIB DD DISP=SHR,DSN=&NSSPRFX..SISPMENU 00005600 // DD DISP=SHR,DSN=&SPFPRFX..SISPMENU ISPF 00005700 //ISPEXEC DD DISP=SHR,DSN=&SPFPRFX..SISPEXEC ISPF 00005800 //ISPPLIB DD DISP=SHR,DSN=&NSSPRFX..SISPPENU 00005900 // DD DISP=SHR,DSN=&SPFPRFX..SISPPENU ISPF 00006000 //ISPSLIB DD DISP=SHR,DSN=&SPFPRFX..SISPSENU ISPF 00006100 // DD DISP=SHR,DSN=&SPFPRFX..SISPSLIB ISPF 00006200 //ISPTLIB DD DISP=SHR,DSN=&SPFPRFX..SISPTENU ISPF 00006300 //SYSTSIN DD DUMMY 00006400 //SYSTSPRT DD SYSOUT=A,HOLD=YES 00006500 //SYSUDUMP DD SYSOUT=A,HOLD=YES 00006600 //ISPLOG DD SYSOUT=A,HOLD=YES, 00006700 // BLKSIZE=129,LRECL=125,RECFM=VA 00006800 //NSETABL DD DISP=SHR,DSN=&NSSPRFX..SISPTABB 00006900 //NSEPWORK DD DUMMY 00007000



10 Index

A

Access The Control Editor, 36 Access Window, 75 Access/Display User Activity, 76 Activate Control Updates, 77 Adding a New Role, 45 Adding User Access Privileges, 74 Adding Users to a Role, 55 Application Controls, 9 Assign Users to Defined Roles, 55

B

BatIRpts -‐ BatchJob Inspection Findings, 34 BEGINPARALLEL, 7 BkgIRpts -‐ Background Inspection Findings, 17

C

Classic View of Package Operations, 26 Classic view of Report Clusters, 17 Column Headings, 13 Command Line, 12 Controls – The Control Editor, 40 Copyrights, 2 Copyrights of Others, 2 CustDefs and Migrates, 70

D

Define Role Based Access Controls, 45 Defining – ICE User Access, 70 Defining Access Rights, 47 Defining the Batch Report Qualifier, 34

E

ENDPARALLEL, 7 Enhanced Batch Reporting, 34 Enhanced Package Processing Options, 27 Enhanced View of Report Clusters, 18 Enhancing Staff Productivity, 43 Entry-‐Point, 13

F

Field Sensitive Help, 13 Functional Enhancements, 9

I

ICEAdmin – User Access Controls, 70

L

Legacy Perimeters Boundaries, 67 License Agreement, 2

N

Navigation, 12 New Syntax -‐ VERS(2), 14

O

Old Syntax -‐ VERS(1), 14 Overview of TCE Role Base Access Controls, 67

P

Packages -‐ Image Baseline Configurations, 25 Padlock Control Administration, 11, 41 Padlock Initialization, 10, 40 Padlocking IPLPARM and PARMLIB, 40 Padlocks – Setting the Global Padlock, 73 Panel Overview, 13 Panel Specific Enhancements, 12 Panel Specific Help, 13 Point-‐and-‐Shot objects, 13 ProdView – Image FOCUS Background, 16

R

Reinforcing Legacy Security, 43 Removing a Defined Role, 46 Removing a User from a Role, 56 Role Based Access Control (RBAC), 42 Row/Panel Commands, 13

S

Sample NSEPRM00, 8 SetAdmin – Naming the ICE Administrator, 72 Showing Members Assigned to a Role, 54 SMP/E Installation, 14 Subsequent Padlock Notification, 11, 41



T

TCE Padlock Control, 10 TCE Resources Defined to a Role, 68 TCE User Assignment to a Role, 69 Trademarks, 2

U

Updates to the NSEPRM00, 7 Updating a User Role, 56 Updating an Existing Role, 46

USERMODE, 75 UserMode – ICE Application Access Rights, 74 Using TCE to Define and Assign Access Roles, 44

W

Who Should Read, 3

Z

zUnix Support, 15



NewEra Software, Inc.

Mailing Address:

155 E. Main Avenue, Suite 130 Morgan Hill, CA 95037

Phone:

(408) 520-‐7100 (800) 421-‐5035

FAX:

(888) 939-‐7099

Email Address:

[email protected]

Web Site:

http://www.newera.com

Technical Support:

24 hours a day, 7 days a week

1-‐800-‐421-‐5035 [email protected]

Documents

A Guide to Recent ICE Enhancements · Image&Control&Environment!11.0& & 8 NewEra&Software,&Inc.&&9ImageControlEnvironment(ICE)Applications& 3.3 Sample NSEPRM00 Control Statements