The RPCBIND cataloged procedure assumes that the procedure has the authority to run as a started task. To ensure that the RPCBIND procedure has the appropriate security server access, enter the following commands as shown in SEZAINST(EZARACF):
ADDUSER RPCBIND DFLTGRP(OMVSGRP) NOPASSWORD OMVS(UID(0) HOME('/'))
RDEFINE STARTED RPCBIND.* STDATA(USER(RPCBIND))
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS GENERIC(STARTED) REFRESH
You can define the SAF resource profile EZB.RPCBIND.sysname.rpcbindname.REGISTRY in the SERVAUTH class to control which users can register or deregister applications with rpcbind. You can use wildcards. For example, if you use wildcard values for sysname and rpcbindname, the profile name is as follows:
EZB.RPCBIND.*.*.REGISTRY
In this example, suppose the MVS™ system name is MVS000 and the RPCBIND cataloged procedure is used to start the rpcbind server. This procedure uses the job name RPCBIND. Because the job name RPCBIND is fewer than 8 characters, the rpcbindname is RPCBIND1, and the profile name is as follows:
EZB.RPCBIND.MVS000.RPCBIND1.REGISTRY
The profile EZB.RPCBIND.sysname.rpcbindname.REGISTRY is optional. If it is not defined, all users can register and deregister applications with rpcbind. If the profile is defined, only users granted at least READ access to this resource profile can register or deregister applications with rpcbind.
In this example, if your SAF security product is RACF® and you want only the RPC server TRUESERV running under user ID TRUESERV to be able to register and deregister applications with rpcbind, you can use the following commands to define the profile EZB.RPCBIND.*.*.REGISTRY in the SERVAUTH class and grant TRUESERV read access to the profile:
RDEFINE SERVAUTH EZB.RPCBIND.*.*.REGISTRY UACC(NONE)
PERMIT EZB.RPCBIND.*.*.REGISTRY ID(TRUESERV) ACCESS(READ) CLASS(SERVAUTH)
PERMIT BPX.POE CLASS(FACILITY) ID(RPCBIND) ACCESS(READ)
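The following Python sketch is an added example, not IBM code. It models the REGISTRY decision described above so that the open default (no profile defined) can be compared with the restricted TRUESERV setup. It assumes that `*` stands for exactly one whole qualifier and that an 8-character job name is used unchanged; the user ID OTHERUSR and all function names are constructed for illustration.

```python
# Added example: simplified model of the rpcbind REGISTRY check (not IBM code).
# Assumption: '*' stands for exactly one whole qualifier; real RACF generic
# matching, group connections and other SAF rules are not modelled.
ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed sample: the SERVAUTH profile defined by the commands above.
SERVAUTH = {
    "EZB.RPCBIND.*.*.REGISTRY": {"uacc": "NONE", "acl": {"TRUESERV": "READ"}},
}

def rpcbind_name(job_name):
    # Page's rule: a job name shorter than 8 characters gets "1" appended.
    # Leaving an 8-character name unchanged is an assumption.
    job = job_name.upper()
    return job + "1" if len(job) < 8 else job

def resource_name(sysname, job_name):
    return f"EZB.RPCBIND.{sysname.upper()}.{rpcbind_name(job_name)}.REGISTRY"

def covers(profile, resource):
    p, r = profile.split("."), resource.split(".")
    return len(p) == len(r) and all(a == "*" or a == b for a, b in zip(p, r))

def covering_profile(profiles, resource):
    # Prefer the match with the most literal qualifiers (simplified "most specific").
    matches = [name for name in profiles if covers(name, resource)]
    return max(matches, key=lambda n: sum(q != "*" for q in n.split(".")),
               default=None)

def can_register(profiles, user, sysname, job_name):
    """Return (allowed, reason) for a register or deregister request."""
    name = covering_profile(profiles, resource_name(sysname, job_name))
    if name is None:
        # The profile is optional: with none defined, every user is allowed.
        return True, "no REGISTRY profile defined: all users may register"
    profile = profiles[name]
    level = profile["acl"].get(user.upper(), profile["uacc"])
    allowed = ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index("READ")
    return allowed, f"{name}: {user.upper()} has {level}"

if __name__ == "__main__":
    print(resource_name("MVS000", "RPCBIND"))
    for profiles in ({}, SERVAUTH):
        for user in ("TRUESERV", "OTHERUSR"):
            print(user, can_register(profiles, user, "MVS000", "RPCBIND"))
```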