Reducing the Cost of Computing with SFS, SafeAccess, & SafeSFS




Until now the enormous benefits of SFS have been difficult to attain!

Everyone agrees that the VM/ESA Shared File System (SFS) provides enormous benefits for VM/ESA installations. These benefits include huge cost savings, increased productivity, and easier access to information. Until now, these benefits have been beyond the reach of most VM/ESA installations. There are many obstacles in the way. Application programs must be modified to change the way they access data. Many unsolved administrative and security issues exist in SFS. The migration to SFS has been a manual, time consuming process that was prohibitively expensive. Until Now!

SafeAccess solves the SFS migration issues and eliminates the huge costs!

SafeAccess allows you to automate migration of data to SFS. SafeAccess eliminates the expensive time consuming job of manually identifying and changing every one of the thousands of occurrences of LINK, ACCESS, and other affected statements by allowing applications to access SFS data that has been migrated from minidisks without any modifications.

SafeSFS eliminates SFS administration and security issues!
SafeSFS is a high performance, complete security and administration solution for SFS. SafeSFS replaces the many thousands of native SFS authorizations with a small number of SafeSFS rules and provides a huge reduction in administrative costs. Powerful rules and an intuitive user interface make SafeSFS an essential addition to SFS. SafeSFS works with all VM/ESA CP security systems or with native VM/ESA.



The Benefits of the Shared File System


DASD cost savings of 20%-50%


Logical DASD space allocation

A typical VM/ESA system contains thousands of CMS minidisks. Each minidisk contains some amount of unused free space, typically 50%-70%. SFS allows you to allocate DASD space logically instead of physically. Only DASD space that is actually occupied by data is consumed. This eliminates unused free space. VM sites that migrate data from minidisks to SFS are able to reduce DASD consumption by 20%-50%. This translates into enormous savings in DASD costs. VM installations that migrate data to SFS free up so much DASD that they often do not need to purchase additional DASD for years.


Migration of seldom used data to less expensive media

SFS keeps track of the last time each file was referenced. This makes it possible to automate the migration of seldom used data to cheaper media, further reducing DASD costs.

Increase Productivity for Administrators and Users

DASD space management
Administrators or help desk technicians can easily change DASD space allocations with a single command, eliminating the time consuming job of defragmenting DASD space. The weekend manual relocation of minidisks, to make room for minidisks that need to be enlarged, is no longer necessary with SFS.
Hierarchical file structure with meaningful directory names
SFS has a hierarchical structure similar to that of Unix or Windows. This allows users to organize their data in a logical manner using directories and sub-directories that have meaningful names. This makes it much easier to find data and share data with others.
Cross system access to SFS data
SFS data may be accessed from other VM systems, eliminating the need to replicate data and keep redundant copies of the data in sync. This eliminates administrative costs associated with maintaining a shared DASD environment and the risk of data loss due to incorrect shared DASD minidisk definitions.
File level data sharing
Users may share data at the file level instead of the minidisk level allowing simultaneous write access by multiple users to files within the same SFS directory. With minidisks, sharing of data may occur only at the minidisk level. If a user has write access to a minidisk, other users are prevented from updating any of the files on the minidisk.


SafeAccess Completly Automates
Migration to SFS

SafeAccess migrates users, data, and applications to SFS. This allows you to take advantage of the cost and time savings provided by SFS. Most SFS migration plans only address how to copy the data from minidisks to SFS. They do not consider all of the other factors that may prevent you from taking advantage of SFS and/or burden you with expensive post migration support issues.

SFS Migration Issues


Identify minidisks that are good candidates for migration

Migrate minidisks that contain CMS data. Select minidisks that have lots of free space. Move all the disks from one pack at a time so that newly freed space can be added to SFS.  

Address access control concerns to ensure users and applications can still access their data after the migration

The most obvious and embarrassing way to find that your SFS migration has failed is to arrive in the office on Monday and find that your users cannot find or access their data anymore. You need to identify all users and applications that access each minidisk to be migrated so that you can ensure that the appropriate SFS authorizations are provided. 

Identify applications that will require modification to be able to access information in SFS

Applications will need to be modified to take advantage of SFS. Generally, most applications use a LINK and ACCESS command to access information on a minidisk. With SFS, only an ACCESS command is required. We call this the L2A problem, as in LINK to ACCESS. It is very similar in nature to the Y2K problem that many of us are currently dealing with. The complete list of VM commands that affect applications is:
Every application needs to be examined for instances of these commands. You need to examine all system and user applications. Many VM users write "EXECs" that contain these commands. Locating and modifying these user EXECs is very time consuming and expensive.

Update applications to enable them to access information in SFS

 Applications must be updated to address these changed commands and responses. Each application identified in the previous step (both system and user applications) must be updated to work with SFS instead of with minidisks. These changes must be synchronized with the migration of data used by users and applications. 

Test system with SFS data

All applications and procedures must be tested to verify that they function correctly with SFS and to ensure that nothing was overlooked when identifying the required changes. User procedures may vary from user to user. Many migrations fail to test each user's procedures. 

Train users on new commands and look and feel of SFS

Your users will be affected by the changes that occur when using SFS. While all of the commands identified in step 3 are a concern, the following are the most commonly used commands:       

SafeAccess Solves the SFS Migration Issues


SafeAccess addresses all of the SFS Migration Issues. This enables you to
cost effectively migrate to SFS and reap the many benefits of SFS


SafeAccess identifies minidisks that are good candidates for migration to SFS


SafeAccess converts existing access controls to SFS or SafeSFS rules.


SafeAccess identifies applications and users that are affected by SFS migration.


SafeAccess eliminates the need to update your applications.


SafeAccess eliminates the requirement to train users.


SafeAccess eliminates the need to perform costly, exhaustive tests.


You simply monitor the migration process and add newly freed space to SFS as necessary.


A Complete SFS Migration Solution


Identify Minidisks to Migrate

SafeAccess evaluates your system and tells you which minidisks can be migrated to SFS and which ones should be migrated first. You simply guide the process.


Determine Existing Access Control and Implement Comparable Controls in SFS

SafeAccess determines your existing minidisk access controls and produces SafeSFS or SFS rules that enable users and applications to continue to access information without costly or embarrassing outages.

Identify Applications That Require Modifications For SFS

SafeAccess evaluates your system and identifies applications that will require modifications to take advantage of SFS. SafeAccess provides you with a list of both users and applications that are using each minidisk on your system.

Update Applications That Require Modifications For SFS

SafeAccess dynamically enables your applications to use the new SFS interfaces for accessing information in SFS. SafeAccess does not modify your applications. All applications continue to work just as they did when information was located on minidisks.

Train Users on SFS

SafeAccess dynamically enables your users to use existing minidisk interfaces. This eliminates the need for user training because your users continue to LINK, ACCESS, QUERY, etc. just as they always have with minidisks.

SafeAccess Pays for Itself!

Installing and using SafeAccess is substantially cheaper than addressing all of the SFS migration issues. VM installations currently spend months or years attempting to address SFS migration concerns and the costs run into the hundreds of thousands of dollars. SafeAccess eliminates these costs and allows you to recognize the cost savings provided by SFS immediately!

SafeAccess and SafeSFS combine to provide you with a turnkey SFS migration, implementation, security, and administration solution that enables you to use SFS and substantially reduce your cost of computing on VM/ESA.



SafeSFS Enables Efficient & Secure
SFS Administration

SafeSFS enables you to effectively and efficiently manage your use of the Shared File System (SFS). SFS provides you with many benefits, but these come at the cost of several administration and security issues that have prevented VM installations from partially or fully taking advantage of SFS.

SFS Security and Administration Issues


Administration Concerns


SFS ADMIN authorization is too powerful

Users with native SFS ADMIN authorization have complete control over, and access to, the entire contents of the file pool. All other users control only the objects they own. Most VM installations need to delegate a subset of administration functions to their help desk staff – Enrolling/Deleting users, Modifying allocation (usage) limits, and helping with authorizations. You have to choose between tasking expensive systems programmers with this duty or expose your system to potential security exposures by giving help desk technicians far more authority than they require.  

SFS Catalogs are large and take a very long time to backup

SFS Catalogs contain tremendous amounts of data to maintain the authorization information. A typical SFS file pool can take 10 hours to back up and about 20 hours to restore.

SFS users can undo administrator specified security authorizations

SFS authorizations can be created by administrators and deleted by your users. You cannot guarantee that a user or application can access information, such as a .WEB directory. You cannot guarantee that a user may accidentally share information with someone that they should not.

User/Application Concerns


SFS authorizations do not apply to sub-directories or their contents

SFS authorizations do not apply to sub-directories or their contents. This forces you and your users to define and manage authorizations for sub-directories as separate objects.

SFS users cannot create directories in file spaces they don’t own

SFS authorizations do not allow users or applications to create directories in file spaces that they do not own. This requires you to intervene whenever a directory needs to be created in a different file space.

SFS has a complicated and confusing user interface

SFS authorizations are defined using a complicated, confusing line mode interface. This consistently leads to errors when creating security authorizations, and requires SFS administrator time to be spent assisting end users and determining why a user or application cannot access data.

SFS authorizations only apply to one file pool

SFS authorizations apply only to one file pool. If similar security is desired across multiple file pools, authorizations must be replicated and then manually maintained.

SafeSFS Solves Your SFS Security and Administration Issues


SafeSFS address all of the SFS Administration Issues.

SafeSFS enables you to delegate responsibility to your help desk staff or end users.
SafeSFS reduces the authorizations you manage from hundreds of thousands to hundreds.
SafeSFS speeds up your backups and restores by 90%.
SafeSFS enables you to guarantee access to data for applications and ensure that security exposures do not occur.
SafeSFS allows you to use acigroups and dynamic pattern matching.
SafeSFS gives your users and applications the SFS features that they miss the most.

SafeSFS Solves Security and Administration Issues


SafeSFS provides distributed, flexible SFS security and user administration

With SafeSFS, you define SafeSFS Managers who perform security and user administration tasks. The scope of these tasks may be limited to individual users or groups of users using Acigroups or pattern matching. You can quickly and easily distribute your SFS security and administration. VM:Secure™ Directory Manager authorizations can be used for seamless SFS administration.

SafeSFS provides dynamic Acigroup support and dynamic pattern matching

SafeSFS provides the ability to control SFS security and user administration by Acigroup. SafeSFS rules may contain pattern matching for each and every token of the requestor and target, enabling you to control a vast number of users and SFS objects with a very small number of SafeSFS rules.

SafeSFS removes the authorization information from SFS

SafeSFS rules are maintained in its database. This enables backup products to quickly backup or restore SFS. SafeSFS typically reduces SFS backup and restore time by over 90%.

SafeSFS has a multiple level rule evaluation hierarchy

SafeSFS rules have multiple levels designed to provide complete control while still providing flexible security administration. Security exposures are eliminated. SafeSFS administrators may provide or restrict access to SFS resources at system wide, Acigroup, or user levels. All three levels cannot be overridden by end users. VM:Secure customers will find this to be a familiar concept.

SafeSFS rules apply to sub-directories

SafeSFS directory rules apply to the directory, the contents of that directory, and all sub-directories and their contents. SafeSFS REJECT rules can be used to prevent access to sub-directories.

SafeSFS let's you control who can or can't create directories in other file spaces

SafeSFS rules control creation of directories. This allows end users and applications to perform these tasks for themselves without waiting for an SFS administrator.

SafeSFS provides four user interfaces: Fullscreen, Dirlist/Filelist, Xedit, & API

The SafeSFS user interfaces allow end users and administrators to define and maintain SFS security quickly and easily. The API interface allows you to automate security tasks using local applications.

SafeSFS rules may apply to one or more file pools, including remote file pools

The SafeSFS service machine may be used to control many file pools using one set of SafeSFS rules. When pattern matching is used for file pool name, a single SafeSFS rule may be used to control all or some of the file pools.

SafeSFS Full Screen Interfaces


Rule List Screen

An initial rule list, showing all the rules in a particular rule file. You simply position the cursor and press a key to add, delete, or modify a rule.

Add/Modify/Update Screen
After selecting Add, Model, or Update or when pressing the SafeSFS ADD key in FILELIST or DIRLIST, you can easily allow users to access information in SFS.


Filelist/Dirlist Interface

SafeSFS integrates into the CMS Filelist and Dirlist interfaces. You can type a SafeSFS command over an entry or simply position the cursor next to a file or directory and press the SafeSFS ADD key to enter the SafeSFS Rule Add interface.


Additional SafeSFS Features and Benefits

Runs with any VM/CP security product.


Application program interface

SafeSFS is a standalone security solution. It also integrates well with your existing CP security solution to leverage your current solution.   SafeSFS provides commands that may be issued from the CMS command line or from within application programs to manipulate SafeSFS rules or perform other SafeSFS tasks.

Flexible security for SFS data served by a VM Webserver


Easy conversion and implementation

SafeSFS eases the task of serving up data via VM based webservers by substantially reducing the SFS authorizations required.   SafeSFS provides utilities to convert existing SFS authorizations to SafeSFS rules.

High performance and capacity


Flexible auditing and audit reporting

SafeSFS was designed with high performance and capacity in mind. End users notice no change in response time and system overhead is insignificant.   SafeSFS provides you with control over audit information. Utilities allow flexible reporting of the audit information.

File space sharing via co-owner rules


Alternate userid support (Diagnose X’D4’ or SFS CSL alternate id)

"Co-owner" is a concept that Safe Software introduced for SFS. Co-owner rules allow a user to have the same capabilities over a file space as the owning user.   SafeSFS supports all forms of the CMS and CP alternate userid facilities. This allows servers such as FTP and Web servers to perform work on behalf of users using their security characteristics.

XEDIT interface


Requires no system modifications

SafeSFS provides an XEDIT interface that allows you to easily define and manipulate SafeSFS rules using XEDIT. This interface is similar in look and feel to the Sterling Software VM:Secure™ product’s "RULES" command interface and reduces training costs for VM:Secure customers.   SafeSFS uses the SFS External Security Manager exit interface provided and documented by IBM, and does not require any modifications to VM/ESA or any of the VM/ESA components.