|
Reducing the
Cost of Computing with SFS, SafeAccess, & SafeSFS |
|
 |
Until now the enormous
benefits of SFS have been difficult to attain!
Everyone agrees that the VM/ESA Shared File
System (SFS) provides enormous benefits for VM/ESA installations. These
benefits include huge cost savings, increased productivity, and easier
access to information. Until now, these benefits have been beyond the reach
of most VM/ESA installations. There are many obstacles in the way.
Application programs must be modified to change the way they access data.
Many unsolved administrative and security issues exist in SFS. The migration
to SFS has been a manual, time consuming process that was prohibitively
expensive. Until Now!
SafeAccess solves the SFS
migration issues and eliminates the huge costs!
SafeAccess allows you to automate migration of data
to SFS. SafeAccess eliminates the expensive time consuming job of manually
identifying and changing every one of the thousands of occurrences of LINK,
ACCESS, and other affected statements by allowing applications to access SFS
data that has been migrated from minidisks without any modifications.
|
 |
SafeSFS eliminates SFS
administration and security issues! |
| SafeSFS is a high performance, complete security
and administration solution for SFS. SafeSFS replaces the many thousands of
native SFS authorizations with a small number of SafeSFS rules and provides
a huge reduction in administrative costs. Powerful rules and an intuitive
user interface make SafeSFS an essential addition to SFS. SafeSFS works with
all VM/ESA CP security systems or with native VM/ESA. |
|
|
| |
|
The Benefits of the Shared
File System |
|
DASD cost
savings of 20%-50% |
| |
|
 |
Logical DASD space allocation
|
|
A typical VM/ESA system contains
thousands of CMS minidisks. Each minidisk contains some amount of unused
free space, typically 50%-70%. SFS allows you to allocate DASD space
logically instead of physically. Only DASD space that is actually occupied
by data is consumed. This eliminates unused free space. VM sites that
migrate data from minidisks to SFS are able to reduce DASD consumption by
20%-50%. This translates into enormous savings in DASD costs. VM
installations that migrate data to SFS free up so much DASD that they often
do not need to purchase additional DASD for years. |
| |
|
Migration
of seldom used data to less expensive media |
| SFS keeps track of the last time
each file was referenced. This makes it possible to automate the migration
of seldom used data to cheaper media, further reducing DASD costs.
|
| |
|
Increase
Productivity for Administrators and Users |
| |
|
DASD space management
Administrators or help desk technicians can easily
change DASD space allocations with a single command, eliminating the time
consuming job of defragmenting DASD space. The weekend manual relocation of
minidisks, to make room for minidisks that need to be enlarged, is no longer
necessary with SFS. |
Hierarchical file
structure with meaningful directory names
SFS has a hierarchical structure similar to that of Unix
or Windows. This allows users to organize their data in a logical manner using
directories and sub-directories that have meaningful names. This makes it much
easier to find data and share data with others. |
|
Cross system access to
SFS data
SFS data may be accessed from other VM systems,
eliminating the need to replicate data and keep redundant copies of the data in
sync. This eliminates administrative costs associated with maintaining a shared
DASD environment and the risk of data loss due to incorrect shared DASD minidisk
definitions. |
File level data sharing
Users may share data at the file level instead of the
minidisk level allowing simultaneous write access by multiple users to files
within the same SFS directory. With minidisks, sharing of data may occur only at
the minidisk level. If a user has write access to a minidisk, other users are
prevented from updating any of the files on the minidisk. |
| |
|
|
| |
|
SafeAccess
Completly Automates
Migration to SFS |
| |
| SafeAccess migrates users, data, and
applications to SFS. This allows you to take advantage of the cost and time
savings provided by SFS. Most SFS migration plans only address how to copy
the data from minidisks to SFS. They do not consider all of the other
factors that may prevent you from taking advantage of SFS and/or burden you
with expensive post migration support issues. |
| |
|
SFS Migration
Issues |
| |
|
Identify minidisks that are good candidates for
migration |
| Migrate minidisks that contain CMS data. Select
minidisks that have lots of free space. Move all the disks from one pack at
a time so that newly freed space can be added to SFS.
|
| |
|
Address access control concerns to ensure users and
applications can still access their data after the migration
|
| The most obvious and embarrassing way to find
that your SFS migration has failed is to arrive in the office on Monday and
find that your users cannot find or access their data anymore. You need to
identify all users and applications that access each minidisk to be migrated
so that you can ensure that the appropriate SFS authorizations are provided.
|
| |
|
Identify
applications that will require modification to be able to access information
in SFS |
| Applications will need to be modified to take
advantage of SFS. Generally, most applications use a LINK and ACCESS command
to access information on a minidisk. With SFS, only an ACCESS command is
required. We call this the L2A problem, as in LINK to ACCESS. It is very
similar in nature to the Y2K problem that many of us are currently dealing
with. The complete list of VM commands that affect applications is:
|
| |
LINK
ACCESS DETACH QUERY LINKS
QUERY V device
QUERY DISK
LISTFILE RELEASE |
| |
| Every application needs to be examined for
instances of these commands. You need to examine all system and user
applications. Many VM users write "EXECs" that contain these commands.
Locating and modifying these user EXECs is very time consuming and
expensive. |
| |
|
Update applications to enable
them to access information in SFS |
| Applications must be updated to
address these changed commands and responses. Each application
identified in the previous step (both system and user applications) must
be updated to work with SFS instead of with minidisks. These changes
must be synchronized with the migration of data used by users and
applications. |
| |
|
Test system with SFS data |
| All applications and procedures must be
tested to verify that they function correctly with SFS and to ensure
that nothing was overlooked when identifying the required changes. User
procedures may vary from user to user. Many migrations fail to test each
user's procedures. |
| |
|
Train users on new commands and look and feel
of SFS |
| Your users will be affected by the changes
that occur when using SFS. While all of the commands identified in step
3 are a concern, the following are the most commonly used commands:
|
| |
|
LINK and ACCESS
QUERY DISK RELEASE (DETACH
|
|
|
|
SafeAccess
Solves the SFS Migration Issues |
|
SafeAccess addresses all of
the SFS Migration Issues. This enables you to
cost effectively migrate to SFS and reap the many benefits of SFS |
|
|
SafeAccess identifies minidisks that are good candidates for migration
to SFS |
|
SafeAccess converts existing
access controls to SFS or SafeSFS rules.
|
|
|
SafeAccess identifies applications and users that are affected by SFS
migration. |
|
SafeAccess eliminates the need
to update your applications.
|
|
|
SafeAccess eliminates the requirement to train users. |
|
SafeAccess eliminates the need
to perform costly, exhaustive tests.
|
|
|
You
simply monitor the migration process and
add newly freed space to SFS as necessary.
|
|
|
A Complete SFS
Migration Solution |
|
|
Identify Minidisks to Migrate
|
|
SafeAccess evaluates your system
and tells you which minidisks can be migrated to SFS and which ones
should be migrated first. You simply guide the process. |
|
|
Determine Existing Access Control and Implement
Comparable Controls in SFS
|
| SafeAccess determines your existing minidisk
access controls and produces SafeSFS or SFS rules that enable users and
applications to continue to access information without costly or
embarrassing outages. |
|
|
Identify Applications That Require Modifications For
SFS |
| SafeAccess evaluates your system and
identifies applications that will require modifications to take
advantage of SFS. SafeAccess provides you with a list of both users and
applications that are using each minidisk on your system. |
|
|
Update Applications That Require Modifications For SFS |
| SafeAccess dynamically enables your
applications to use the new SFS interfaces for accessing information in
SFS. SafeAccess does not modify your applications. All
applications continue to work just as they did when information was
located on minidisks. |
|
| SafeAccess dynamically enables your users to
use existing minidisk interfaces. This eliminates the need for user
training because your users continue to LINK, ACCESS, QUERY, etc. just
as they always have with minidisks. |
|
|
SafeAccess Pays for Itself! |
|
Installing and using SafeAccess is
substantially cheaper than addressing all of the SFS migration issues.
VM installations currently spend months or years attempting to address
SFS migration concerns and the costs run into the hundreds of thousands
of dollars. SafeAccess eliminates these costs and allows you to
recognize the cost savings provided by SFS immediately!
SafeAccess and SafeSFS combine to provide you with a turnkey SFS
migration, implementation, security, and administration solution that
enables you to use SFS and substantially reduce your cost of computing
on VM/ESA.
|
|
|
SafeSFS
Enables Efficient
&
Secure
SFS Administration |
|
| SafeSFS enables you to effectively and efficiently manage your use of
the Shared File System (SFS). SFS provides you with many benefits, but
these come at the cost of several administration and security issues that
have prevented VM installations from partially or fully taking advantage
of SFS. |
|
|
SFS Security
and Administration Issues |
|
|
|
|
SFS ADMIN authorization is too powerful
|
| Users with native SFS ADMIN
authorization have complete control over, and access to, the entire
contents of the file pool. All other users control only the objects
they own. Most VM installations need to delegate a subset of
administration functions to their help desk staff – Enrolling/Deleting
users, Modifying allocation (usage) limits, and helping with
authorizations. You have to choose between tasking expensive systems
programmers with this duty or expose your system to potential security
exposures by giving help desk technicians far more authority than they
require. |
|
|
|
|
SFS Catalogs are large and take a very
long time to backup
|
| SFS Catalogs contain
tremendous amounts of data to maintain the authorization information.
A typical SFS file pool can take 10 hours to back up and about 20
hours to restore. |
|
|
SFS users can undo administrator
specified security authorizations |
| SFS authorizations can be created by administrators and deleted by
your users. You cannot guarantee that a user or application can access
information, such as a .WEB directory. You cannot guarantee that a user
may accidentally share information with someone that they should not.
|
|
|
|
User/Application Concerns |
|
|
SFS authorizations do not apply to sub-directories
or their contents |
| SFS authorizations do not apply to sub-directories or their contents.
This forces you and your users to define and manage authorizations for
sub-directories as separate objects. |
|
|
SFS users cannot create directories in file spaces they
don’t own |
| SFS authorizations do not allow users or applications to create directories
in file spaces that they do not own. This requires you to intervene whenever
a directory needs to be created in a different file space. |
|
|
SFS has a complicated and confusing user interface
|
| SFS authorizations are defined using a complicated, confusing line
mode interface. This consistently leads to errors when creating security
authorizations, and requires SFS administrator time to be spent assisting
end users and determining why a user or application cannot access data.
|
|
|
SFS authorizations only apply to one file pool
|
| SFS authorizations apply only to one file pool. If similar security
is desired across multiple file pools, authorizations must be replicated
and then manually maintained. |
|
|
|
|
|
|
SafeSFS Solves
Your SFS Security and Administration Issues |
|
|
|
SafeSFS address all of the SFS Administration Issues. |
|
| SafeSFS enables you to delegate responsibility to your help desk staff
or end users.
|
| SafeSFS reduces the authorizations you manage from hundreds of thousands
to hundreds. |
| |
| SafeSFS speeds up your backups and restores by 90%. |
| |
| SafeSFS enables you to guarantee access to data for applications and ensure
that security exposures do not occur. |
| |
| SafeSFS allows you to use acigroups and dynamic pattern matching. |
| |
| SafeSFS gives your users and applications the SFS features that they miss
the most. |
|
SafeSFS Solves Security and Administration Issues |
|
|
SafeSFS provides distributed, flexible SFS security
and user administration
|
|
| With SafeSFS, you define SafeSFS Managers who perform security and
user administration tasks. The scope of these tasks may be limited to individual
users or groups of users using Acigroups or pattern matching. You can quickly
and easily distribute your SFS security and administration. VM:Secure™
Directory Manager authorizations can be used for seamless SFS administration.
|
|
|
SafeSFS provides dynamic Acigroup support and
dynamic pattern matching |
| SafeSFS provides the ability to control SFS security and user
administration by Acigroup. SafeSFS rules may contain pattern matching
for each and every token of the requestor and target, enabling you to control
a vast number of users and SFS objects with a very small number of SafeSFS
rules. |
|
|
SafeSFS removes the authorization information
from SFS |
| SafeSFS rules are maintained in its database. This enables backup products
to quickly backup or restore SFS. SafeSFS typically reduces SFS backup
and restore time by over 90%. |
|
|
SafeSFS has a multiple level rule evaluation hierarchy
|
| SafeSFS rules have multiple levels designed to provide complete control
while still providing flexible security administration. Security exposures
are eliminated. SafeSFS administrators may provide or restrict access to
SFS resources at system wide, Acigroup, or user levels. All three levels
cannot be overridden by end users. VM:Secure customers will find this to
be a familiar concept. |
|
|
SafeSFS rules apply to sub-directories
|
| SafeSFS directory rules apply to the directory, the contents of that
directory, and all sub-directories and their contents. SafeSFS REJECT rules
can be used to prevent access to sub-directories. |
|
|
SafeSFS let's you control who can or can't
create directories in other file spaces
|
| SafeSFS rules control creation of directories. This allows end users
and applications to perform these tasks for themselves without waiting
for an SFS administrator. |
|
|
SafeSFS provides four user interfaces: Fullscreen,
Dirlist/Filelist, Xedit, & API
|
| The SafeSFS user interfaces allow end
users and administrators to define and maintain SFS security quickly
and easily. The API interface allows you to automate security tasks
using local applications. |
|
|
SafeSFS rules may apply to one or more file pools,
including remote file pools
|
| The SafeSFS service machine may be used to
control many file pools using one set of SafeSFS rules. When pattern
matching is used for file pool name, a single SafeSFS rule may be used
to control all or some of the file pools. |
|
|
|
|
SafeSFS Full Screen Interfaces |
|
|
|
An initial rule list, showing all the rules in a particular rule file.
You simply position the cursor and press a key to add, delete, or modify
a rule. |
|
|
|
| |
|
|
| After selecting Add, Model, or Update or when pressing the SafeSFS ADD
key in FILELIST or DIRLIST, you can easily allow users to access information
in SFS. |
|
|
|
|
Filelist/Dirlist Interface |
|
|
| SafeSFS integrates into the CMS Filelist and Dirlist interfaces. You can
type a SafeSFS command over an entry or simply position the cursor next
to a file or directory and press the SafeSFS ADD key to enter the SafeSFS
Rule Add interface. |
|
|
|
| |
|
Additional SafeSFS Features and
Benefits |
|
Runs with any VM/CP
security product. |
|
Application program interface |
|
SafeSFS is a standalone security solution. It
also integrates well with your existing CP security solution to leverage
your current solution. |
|
SafeSFS provides commands that may be issued
from the CMS command line or from within application programs to manipulate
SafeSFS rules or perform other SafeSFS tasks. |
| |
|
|
|
Flexible security for SFS data
served by a VM Webserver |
|
Easy conversion and implementation |
|
SafeSFS eases the task of serving up data via VM based webservers by substantially
reducing the SFS authorizations required. |
|
SafeSFS provides utilities to convert existing SFS authorizations to SafeSFS
rules. |
| |
|
|
|
High performance and capacity |
|
Flexible auditing and audit reporting |
|
SafeSFS was designed with high performance and capacity in mind. End users
notice no change in response time and system overhead is insignificant. |
|
SafeSFS provides you with control over audit information. Utilities allow
flexible reporting of the audit information. |
| |
|
|
|
File space sharing via co-owner rules |
|
Alternate userid support (Diagnose X’D4’
or SFS CSL alternate id) |
|
"Co-owner" is a concept that Safe Software introduced for SFS. Co-owner
rules allow a user to have the same capabilities over a file space as the
owning user. |
|
SafeSFS supports all forms of the CMS and CP alternate userid facilities.
This allows servers such as FTP and Web servers to perform work on behalf
of users using their security characteristics. |
| |
|
|
|
XEDIT interface |
|
Requires no system modifications |
|
SafeSFS provides an XEDIT interface that allows you to easily define and
manipulate SafeSFS rules using XEDIT. This interface is similar in look
and feel to the Sterling Software VM:Secure™ product’s "RULES"
command interface and reduces training costs for VM:Secure customers. |
|
SafeSFS uses the SFS External Security Manager exit interface provided
and documented by IBM, and does not require any modifications to VM/ESA
or any of the VM/ESA components. |
|
|
|
|
