For the administration of admission profiles, openFT-AC offers the FTAC administrator the following commands:
FTCREPRF    create admission profile
FTDELPRF    delete admission profile
FTMODPRF    modify admission profile
FTSHWPRF    show admission profile
The FTAC administrator has the option of modifying foreign admission profiles:
The administrator can create admission profiles for foreign users with the FTCREPRF command. However, certain restrictions apply (see "Administrating admission profiles").
He can view them with the command FTSHWPRF. The transfer admission of an admission profile is not output. This means that the FTAC administrator does not gain access rights to the files of foreign user IDs.
He can delete them with the command FTDELPRF. This is the most radical of all options and should only be used in extreme cases, with good reason, and after consultation with the owner of the profile.
He can privilege them with the command FTMODPRF, or conversely revoke privileges.
He can also modify them with FTMODPRF. If the FTAC administrator neither possesses the SU privilege nor specifies the complete USER-ADMISSION (including the account and the password of the owner of the profile), access to the admission profile is blocked until the owner of the profile acknowledges the modifications by resetting the transfer admission to "valid", for example with FTMODPRF <profile> TRANSFER-ADMISSION=*OLD-ADMISSION(VALID=*YES).
Creating admission profiles for foreign user IDs
When the FTAC administrator wants to create an admission profile for a foreign user by means of the FTCREPRF command, he can proceed in the following two ways:
If the FTAC administrator possesses the SU privilege (see "ftzos_inst_en"), he may set up admission profiles for other user IDs without restriction, even if he does not know the current user password. The FTAC administrator may specify a TRANSFER-ADMISSION in these profiles, which can be used in FT requests immediately after the profile is set up. Please note that an FTAC administrator who possesses the SU privilege can gain access to the files of any user ID by setting up the corresponding admission profiles and may therefore be able to bypass protection mechanisms!
Provided the FTAC administrator (without the SU privilege) knows all the data required for the USER-ADMISSION (i.e. user ID, account number and password) and specifies them when creating the admission profile, he may also specify a TRANSFER-ADMISSION. This creates a valid admission profile, i.e. one that can immediately be used in file transfer and file management jobs.
The password is stored as a part of this type of admission profile, so if a user changes his password, the admission profile also has to be changed.
Example
The FTAC administrator creates a valid admission profile for USER1. To do so, the administrator needs to enter the user's account number (123456) and password (PASSWD1).
FTCREPRF NAME=HISPROF1, TRANS-ADM=READYFORUSE, -
USER-ADM=(USER1,123456,PASSWD1)
The FTAC administrator can also create an admission profile for a foreign user that does not contain the user's password. (When an FT job refers to this type of profile, FTAC enters the z/OS password currently valid for the user ID. That way the admission profile will not have to be changed should the z/OS password ever be modified.)
In this case, the FTAC administrator (without the SU privilege) cannot specify a TRANSFER-ADMISSION when creating the admission profile. The result is a locked admission profile, i.e. the profile can only be used in file transfer and file management jobs after the user has specified a TRANSFER-ADMISSION with the FTMODPRF command and completed the USER-ADMISSION data.
Example
The FTAC administrator creates an admission profile for USER1. For the USER-ADMISSION, he specifies only the user ID, not the account number and the password. In that case the administrator may not specify a TRANSFER-ADMISSION.
FTCREPRF NAME=HISPROF2, TRANS-ADM=*NOT-SPECIFIED, -
USER-ADM=(USER1,*NOT-SPECIFIED,*NOT-SPECIFIED)
The FTAC administrator views the admission profile using the FTSHWPRF command. The short output shows that the profile is locked (indicated by the "!" in front of the profile name):
FTSHWPRF NAME=HISPROF2, SEL=(OWNER=*ALL)
OWNER    NAME
USER1    !HISPROF2
The long output shows that no valid TRANSFER-ADMISSION was specified in the profile:
FTSHWPRF NAME=HISPROF2, SEL=(OWNER=*ALL), INF=*ALL
HISPROF2
  TRANS-ADM   = (NOT-SPECIFIED)
  USER-ADM    = (USER1,NOT-SPECIFIED,NOT-SPECIFIED)
  PROC-ADM    = SAME
  FT-FUNCTION = (TRANSFER-FILE, MODIFY-FILE-ATTRIBUTES,
                 READ-FILE-DIRECTORY)
  LAST-MODIF  = 2017-01-18 11:22:26
The user now assigns a TRANSFER-ADMISSION and supplements the USER-ADMISSION data:
FTMODPRF NAME=HISPROF2, TRANS-ADM=NOWREADYFORUSE, -
USER-ADM=(USER1,123456,PASSWD1)
Now the admission profile can be used in file transfer and file management jobs as well.
The user views the admission profile with the FTSHWPRF command.
The short output shows that the profile is no longer locked:
FTSHWPRF NAME=HISPROF2
OWNER    NAME
USER1    HISPROF2
The long output shows that the user's account number has been included in the admission profile along with the identifier YES for the USER-ADMISSION password:
FTSHWPRF NAME=HISPROF2, INF=*ALL
HISPROF2
  USER-ADM    = (USER1,123456,YES)
  PROC-ADM    = SAME
  FT-FUNCTION = (TRANSFER-FILE, MODIFY-FILE-ATTRIBUTES,
                 READ-FILE-DIRECTORY)
  LAST-MODIF  = 2017-01-18 11:28:12
Privileging admission profiles
In exceptional cases, the FT user can use a privileged admission profile to disregard the specifications of his own admission profile. Exceptional cases where this is allowed include:
if a particular file needs to be transferred,
if follow-up processing is not permitted or severely restricted,
if a partner system with a higher security level is permitted to carry out file transfers with the user ID, but others with lower security levels are not.
User ID protection is maintained in this case because the admission profile permits only very restricted access.
The procedure to follow when privileging an admission profile is simple:
The user creates an admission profile for the planned task with the command FTCREPRF.
The FTAC administrator views the admission profile with the command FTSHWPRF to determine if the profile presents a threat to data security.
Example
FTSHWPRF NAME=PROFPROD,
SELECT-PARAMETER=(OWNER-IDENTIFICATION=STEVEN), -
INFORMATION=*ALL
Short form:
FTSHWPRF PROFPROD,SEL=(,STEVEN),INF=*ALL
The output has the following form:
PROFPROD
  IGN-MAX-LEV = (IBR)
  FILE-NAME   = UMSATZ
  USER-ADM    = (STEFAN,M4711DON,OWN)
  PROC-ADM    = SAME
  SUCC-PROC   = NONE
  FAIL-PROC   = NONE
  FT-FUNCTION = (TRANSFER-FILE, MODIFY-FILE-ATTRIBUTES,
                 READ-FILE-DIRECTORY)
  LAST-MODIF  = 2017-01-18 11:43:57
The first line of the output shows the name of the admission profile; the following lines show the values which STEVEN set in the FTCREPRF command, or which were taken from the default values where Steven did not set them himself.
If the profile will not endanger security, the FTAC administrator privileges it with the help of the command MODIFY-FT-PROFILE.
Example
FTMODPRF NAME=PROFPROD,
SELECT-PARAMETER=(OWNER-IDENTIFICATION=STEVEN), -
PRIVILEGED=*YES
When used with the modified profile, the command FTSHWPRF UMSAWARE,SEL=(,STEFAN),INF=*ALL returns the same output as in the example above but with the addition of PRIVILEGED:
PROFPROD
  PRIVILEGED
  IGN-MAX-LEV = (IBR)
  FILE-NAME   = UMSATZ
  ...
In a privileged admission profile, only the transfer admission and the parameter PRIVILEGED may be modified by the user. This prevents the misuse of a profile once it has been privileged.
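As an added example (not openFT's own code), the following Python model reproduces the admission-profile rules laid out in the sections above: when a profile created or modified by the FTAC administrator is locked, how the owner unlocks it, and what the owner may still change in a privileged profile. Command and operand names are taken from this page; the decision logic is an assumption reconstructed from the text, not openFT's implementation.

```python
# Added example, not openFT code: a model of the admission-profile rules described
# above. Operand names follow FTCREPRF/FTMODPRF/FTSHWPRF; the logic is assumed.
from dataclasses import dataclass
NOT_SPEC = "*NOT-SPECIFIED"
REVALIDATE = "*OLD-ADMISSION(VALID=*YES)"  # owner acknowledges foreign changes

@dataclass
class Profile:
    name: str
    user_id: str
    account: str = NOT_SPEC
    password: str = NOT_SPEC
    trans_adm: str = NOT_SPEC
    privileged: bool = False
    locked: bool = False  # shown as "!" before the name in short FTSHWPRF output

def ftcreprf(name, user_adm, trans_adm=NOT_SPEC, *, actor, su=False):
    # Without SU, a foreign profile is valid only with TRANS-ADM plus full USER-ADM.
    foreign_no_su = actor != user_adm[0] and not su
    locked = trans_adm == NOT_SPEC or (foreign_no_su and NOT_SPEC in user_adm[1:])
    return Profile(name, *user_adm, trans_adm, locked=locked)

def ftmodprf(p, *, actor, su=False, trans_adm=None, user_adm=None, privileged=None, **other):
    owner = actor == p.user_id
    if owner and p.privileged and (user_adm is not None or other):
        # Privileged profile: the owner may change only TRANS-ADM and PRIVILEGED.
        raise PermissionError("only TRANSFER-ADMISSION and PRIVILEGED may be modified")
    if user_adm is not None:
        _, p.account, p.password = user_adm
    if privileged is not None:
        p.privileged = privileged
    if trans_adm not in (None, REVALIDATE):
        p.trans_adm = trans_adm
    if owner:  # owner unlocks with TRANS-ADM plus full USER-ADM, or with REVALIDATE
        p.locked = not (trans_adm == REVALIDATE or
                        (p.trans_adm != NOT_SPEC and NOT_SPEC not in (p.account, p.password)))
    elif not (su or (user_adm is not None and NOT_SPEC not in user_adm[1:])):
        p.locked = True  # foreign change without SU or full USER-ADM blocks the profile
    return p

def ftshwprf(p, inf_all=False):
    # '!' marks a locked profile; the long form omits the transfer admission and
    # shows a stored password only as YES (compare the HISPROF2 outputs above).
    if not inf_all:
        return ("!" if p.locked else "") + p.name
    pw = "YES" if p.password != NOT_SPEC else "NOT-SPECIFIED"
    lines = [p.name] + (["  PRIVILEGED"] if p.privileged else [])
    if p.trans_adm == NOT_SPEC:
        lines.append("  TRANS-ADM = (NOT-SPECIFIED)")
    lines.append(f"  USER-ADM  = ({p.user_id},{p.account.lstrip('*')},{pw})")
    return "\n".join(lines)
```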