Thank you for the additional information. After some investigation by the team, we have found that the behaviour you require, "z/OS Connect EE to pick up security changes without commands or restart", can be achieved through use of existing function in the product today, provided by base function in Liberty.
You can use the Authentication Cache in Liberty to control how long subjects are stored (if at all) before they are refreshed. By default the cache is on and the timeout is 5 minutes, which is why you would not have seen z/OS Connect EE honour newly assigned permissions immediately, meaning that a server restart was necessary to force a refresh. You can configure the Authentication Cache with settings to better suit your needs for a more timely refresh of the permissions.
Information about how to configure the Authentication Cache can be found in the "Configuring the authentication cache in Liberty" topic of the Liberty knowledge centre here: https://www.ibm.com/support/knowledgecenter/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_sec_cache.html
As the function above is available in the product today we will be closing this RFE as delivered. If you have additional needs over and above "z/OS Connect EE to pick up security changes without commands or restart" we will be happy to handle these in an additional RFE.
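An added illustration, not part of the original reply and not IBM's own sample: a `server.xml` fragment showing the two Liberty authentication cache settings the response above refers to. The `60s` timeout is an assumed value chosen for illustration; pick one that matches how quickly RACF changes must be honoured.

```xml
<server>
    <!-- Option 1: keep the authentication cache but expire cached subjects sooner.
         timeout="60s" is an illustrative value (assumption), not a recommendation.
         A shorter timeout means newly granted and newly revoked access is
         honoured sooner, at the cost of more frequent calls to the user registry. -->
    <authCache timeout="60s" />

    <!-- Option 2 (alternative to option 1): disable the authentication cache,
         so a subject is built on every request and nothing is cached.
         Expect a performance impact because every request goes to the registry.
    <authentication id="Basic" cacheEnabled="false" />
    -->
</server>
```

After changing the setting, a simple check is to permit a test user ID to the relevant profile and confirm that a request succeeds once the configured timeout has elapsed, without restarting the server.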
Similarly, I should not expect the RACF admins or the zCEE admins to issue any commands to zCEE to refresh any cached security blocks.
The specific case we encountered was after granting a group or user access to the CLASS(APPL) profile, we had to bounce the task to pick up changes. Until then, the zCEE instances that had already been hit by the newly permitted user ID before the permit were continuing to fail the access request.
The issue we were trying to resolve is eliminating the need to bounce the zCEE started task to pick up RACF changes, such as modified group connects and permissions.
Listening to RACF ENF would eliminate the need for the security team to contact the system programmers to bounce the task when they made a RACF change to resolve an application issue. This is especially useful due to the restrictions operations has on bouncing tasks, such as only between midnight and 6am, while security changes have different change window guidelines that allow them to resolve issues more quickly.
Thank you for this RFE. I wonder if you could be more specific about:
- What you are trying to achieve (be specific about the types of "Security Issues" you are trying to track and why)
- Why you find that difficult or impossible to do today with the product in its current form
- How you think the product could be changed to allow for a better experience
- What value this would bring to you and other users of this product
Thank you.