Safe Software and Sears Team Up for Success!


The Safer Side of Sears


By Adrian Clark of Sears Canada


We saw the potential benefits of SFS, but SFS issues prevented full implementation.

At Sears Canada, we have been watching IBM's development of the VM/ESA Shared File System (SFS) since its early incarnations under VM/SP. We started limited use of SFS under VM/XA for managing the promotion of code from development, to QA, to our production systems. Over 80% of our 16,000 VM users are also Office Vision users. Until IBM supported SFS as an "A disk", we had no big plans for exploiting SFS. When we saw opportunities for exploiting SFS, we realized we had to do something about the authorizations. We had VM programmers that often granted authorizations incorrectly. This would go unnoticed until some time down the road when the original files were replaced by maintenance procedures and the authorizations for the original files disappeared. We looked at front-ending the IBM commands with our own panel driven interface, but this meant additional development and support efforts for our lightly staffed VM group and it didn't really provide all the flexibility that an SFS External Security Manager could provide.



SafeSFS solves the SFS issues and allows us to reap the benefits of SFS!

We evaluated SafeSFS and were quite surprised with some of the data that it unveiled. We had seven filepools with only 760 userids enrolled and we already had 75,768 SFS authorizations. We projected that we would have over 1.5 million SFS authorizations after fully implementing SFS. SafeSFS allowed us to delete these SFS authorizations and provide the identical authorizations through SafeSFS rules. The SafeSFS rules looked a lot like the VM:SecureTM rules that our users are already used to. We felt that deleting the rules from the SFS catalogue was important because VM:BackupTM had to extract all these authorizations via CSL routines when we backed up SFS. The CSL routines are very slow and this would eventually have caused significant delays in backups and greatly extended restore times at our disaster recovery site (or onsite if we ever have a DASD failure).


SafeSFS reduces our costs and saves us much
more than the cost of the product!

When we examined the rules that were generated by the SafeSFS conversion utility, several other things became obvious:
1.  Many extra rules for our service machines were added unnecessarily because we forgot to add the "NEWREAD" or "NEWWRITE" authorization. The native SFS GRANT command is confusing and difficult to use. Users frequently made errors when attempting to GRANT authorities in SFS. Since IBM's SFS authorization really only works at the file level, no one had authorizations to the files that were added to the directory after the initial IBM authorization was entered with incorrect parameters. This caused many problems and would have required system administrators to get involved to correct them. With SafeSFS, users may use the fullscreen or dirlist/filelist interfaces to create SafeSFS rules. SafeSFS rules are easy to create and have easily understandable, English like syntax. This prevents problems with incorrect or missing authorizations and saves the cost of system administrator time.
2.  Someone had to enter most of these commands and there were many more that would need to be entered as we rolled out SFS. We estimated that if only 11% of our users required rules, similar to the current percent of users with rules, this would add about 1.2 million IBM SFS grants. This was far too many for our small catalogue disks. We conservatively estimated the salary cost to deploy SFS using IBM's authorization scheme would be over $199,000.
3.  We also realized early in the SafeSFS evaluation that we could get rid of 98% of the rules by defining SYSTEM wide rules and ACIGROUP level rules. This virtually eliminates the enormous administration costs. These factors made it easy to justify the software cost for SafeSFS. By implementing it early in our SFS deployment, we avoided having large SFS catalogues that would be difficult to reclaim space from and our backup times didn't degrade to the point where we were getting unacceptable backup windows.

SafeSFS provides new functionality and allows
us to improve our business procedures!

Our first wide spread use of SFS was for providing information bulletins near all our POS (Point of Sale) terminals. These users run on a VM id that provides no access to CMS resources, but they often need to print out a bulletin. The base for this code was OV/VM's BBOARD system. The obvious way to allow easy printing was to place $$PRNT$$ $FILE$s on each user's directory with only their local printer in it. These updates were to be performed by an End User who knew where all the printers were and what userids were in that area. With the native IBM SFS authorizations, we would have to create an empty or dummy $$PRNT$$ file, then give the user the authorization to write to that file. We would have to do this every time a new store was opened or divisions were moved around in the existing stores. This solution appeared to be too error prone and was never implemented. When we installed SafeSFS, we were able to set-up a single ACIGROUP rule allowing the appropriate person to update the $$PRNT$$ file for all of the users. This moved all the administration to a single person, the one responsible for the task, and saved us from having to add the one authorization to each of the 3000+ members of this ACIGROUP. It also solved problems that occur when users are converted from just using bulletins to a full-blown OV/VM id. We simply change their ACIGROUP and the administrative person no longer has the authority to change their OV/VM printer file.

SafeSFS allows us to fully deploy our Intranet!

Our next SFS opportunity came along when VM wanted to participate in the Intranet. While some users had access to the Internet, there was no common method for users to publish web pages internally. We put a web server on VM and felt that SFS was a better way to go than mini-disk, so we decided that the web server would serve out data from a user's .WEB directory. With native SFS, we could enroll a user in SFS, create a .WEB directory for them, and then do a GRANT AUTH ... (NEWREAD to the .WEB directory for the web server. This would work until the user created a new directory and forgot to grant the authorization to the web server. Then administrators would have to get involved to assist the users with authorizations for the new directory. With SafeSFS, we were able to add a single GLOBAL rule that allowed the web server and it's worker machines to read the .WEB directory and all subdirectories. This let us remove thousands of file level rules that are no longer required and avoid the administrative headaches associated with creating and maintaining them.
SafeSFS allows us to use SFS for OV/VM and dramatically reduce DASD usage!
This year we will be rolling out OV/VM 1.4 and at that time we can move a large portion of our users to SFS.  This allows us to reclaim the DASD free space that is present on each user's "A disk". We estimate that about 30% of our DASD use is free space that we can now recover. This amounts to about 42 gigabytes of DASD.One of IBM's OV/VM requirements for "SFS toleration" is that no two users can be writing to the same OV file at the same time. To prevent this happening accidentally, we have added a SafeSFS rule to REJECT anyone other than the owner from reading or writing to OFSLOGfl files and a few other files in the root directory. With SafeSFS, this "* OFSLOGfl" file specification works with existing and future files. With IBM's native SFS, only existing notelogs would be protected if we tried to implement the same sort of protection. New notelogs would not be protected. If a user does want to share a notelog, then they can create a subdirectory to contain it and share it from there.

SafeSFS makes everyone's job easier and reduces administrative costs!

SafeSFS continues to provide cost savings through reduced administration costs. The GLOBAL and ACIGROUP level rules that are in place have replaced tens of thousands of IBM SFS authorizations. With the original installation of SafeSFS, we looked at the list of existing SFS rules that was generated by the SafeSFS conversion utility. We found that by using SafeSFS GLOBAL & ACIGROUP level rules, we could get rid of 98% of the existing SFS authorizations.

SafeSFS reveals hidden problems and prevents future expense!

Examination of the SafeSFS SFS conversion utility output also revealed problems where a user was supposed to have access to all files in a directory, but the conversion utility had generated "REJECT" rules for many of the files. This turned out to be caused by users forgetting to specify NEWWRITE access. Users could only see the files that were in place at the time the original authorization was done.

SafeSFS saves us the costs associated with updating applications!

Applications that update files via a temporary file and then an ERASE and RENAME caused the IBM SFS authorizations for the files to disappear. SafeSFS rules saved having to make any application changes and the SFS catalogue disk remains small. With SafeSFS you can give a user access to a few thousand files in a directory in a few seconds instead of waiting for a "GRANT AUTH * * ..." to slowly run through granting access to each individual file.

SafeSFS facilitates Y2K projects while maintaining security!

SafeSFS was also beneficial for Y2K scanning. A consultant would require SFS ADMIN authorization prior to SafeSFS. This would allow them to scan every file without a lot of GRANTs, but also gave them write access to the files. In this case SafeSFS prevented a potential breech of security or loss of data.

Purchasing SafeSFS was an easy decision for Sears!

SafeSFS allows us to save enormous amounts of money in the areas of SFS administration, system resources, security, and user training expenses. These cost savings greatly exceed the cost of SafeSFS itself. SafeSFS also solves the problems we expect with native SFS and allows us to proceed with SFS migration and implementation. We received the added benefits of a product that is easy to use and provides new functionality. We expect to realize even more benefits from SafeSFS as we move forward with our use of VM/ESA and SFS. All of this made the decision to purchase SafeSFS an easy one for Sears.