IBM Z Software
This portal is to open public enhancement requests against IBM Z Software products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
Shape the future of IBM!
We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:
Search existing ideas
Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,
Post your ideas
Post an idea.
Get feedback from the IBM team and other customers to refine your idea.
Follow the idea through the IBM Ideas process.
Specific links you will want to bookmark for future use
Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.
IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.
ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.
Some additional explanation/example on request of Anders Persson.
Lets assume for this example we have 2 different user(groups)
- GDPSLOW ==> Group of users with limited permits in GDPS. Mostly for Viewing status/definitions.
- GDPSHIGH ==> Group of userid's that are allowed to perform the more exiting GDPS tasks like DASD Remote copy functions and Config management.
With GDPS 4.7 access to VPCPFUS1 Planned Actions panel, including all the functionalities, was protected by only "GDPSADMIN.GDPSCTL.PLANNEDACTIONS.*". This was ALL or NOTHING.
Only GDPSHIGH had READ permit, so GDPSHIGH was permitted to enter VPCPFUS1 Planned Actions panel and GDPSLOW was not.
With GDPS 4.8 we added GDPSADMIN.GDPSCTL.PLANNEDACTIONS.*.SCRDFLT with permit for GDPSHIGH
(So nothing changed for them)
We added READ permit for GDPSLOW on GDPSADMIN.GDPSCTL.PLANNEDACTIONS.* so they have access to VPCPFUS1 Planned Actions panel too. Without permit on GDPSADMIN.GDPSCTL.PLANNEDACTIONS.*.SCRDFLT they could View scripts, but not execute.
We added GDPSADMIN.GDPSCTL.PLANNEDACTIONS.*.SCRLOW with ALTER permit for GDPSLOW so we can present them a few scripts to execute.
The last profile we added was GDPSADMIN.GDPSCTL.PLANNEDACTIONS.*.SCRIPTMANAGEMENT, with only READ permit for GDPSHIGH, as this gives access to scriptmanagement where you can stop or reset ANY script. (Not something we can give access for to GDPSLOW now)
Problem:
GDPSLOW is permitted to Execute a script with tag <security=scrlow>. But as we can't give access to Script management panel, this is causing GDPSLOW to be unable to Stop or Reset that script.
If we would give GDPSLOW access to Script management panel, then GDPSLOW is able to stop or reset that script, but then GDPSLOW is also able to Stop/Reset other scripts with <security=scrdflt>.
So GDPSLOW cannot Start such a script, but GDPSLOW can Stop/Reset such a script.
We should be able to give READ permit on GDPSADMIN.GDPSCTL.PLANNEDACTIONS.*.SCRIPTMANAGEMENT for GDPSLOW, so GDPSLOW can access Script management panel. If panel shows a script with <security=scrlow>, then Stop/Reset should be permitted. If panel shows a script with <security=scrdflt>, then Stop/Reset should not be permitted.
Looks like a part of script security isn't covered properly.