You can define a System Authorization Facility (SAF) resource
profile in the SERVAUTH class to control which applications can bind
to create dynamic VIPAs (DVIPAs) within a specific VIPARANGE subnet.
Procedure
Perform the following steps to control whether an application
can bind to create a DVIPA within a specific VIPARANGE subnet for
use by only that application:
- Define the EZB.BINDDVIPARANGE.sysname.tcpname.resname resource
profile in the SERVAUTH class. For example, to protect
a VIPARANGE subnet for application APPL1, you can define the EZB.BINDDVIPARANGE.sysname.tcpname.APPL1
resource profile using the following command:
RDEFINE SERVAUTH (EZB.BINDDVIPARANGE.sysname.tcpname.APPL1) UACC(NONE)
- On the VIPARANGE statement, include the SAF parameter with
a resname value that matches the resname value
of the EZB.BINDDVIPARANGE.sysname.tcpname.resname resource
profile. For example:
VIPARANGE DEFINE 255.255.255.255 10.10.10.1 SAF APPL1
For
more information about the SAF parameter on the VIPARANGE
statement, see z/OS Communications Server: IP Configuration
Reference.
- Give the user ID that is associated with the application
READ access to the EZB.BINDDVIPARANGE.sysname.tcpname.resname resource. For example:
PERMIT EZB.BINDDVIPARANGE.sysname.tcpname.APPL1 ACCESS(READ) CLASS(SERVAUTH) ID(userid)
- Refresh the resource profile by issuing the following RACF® command:
SETROPTS RACLIST(SERVAUTH) REFRESH
Results
In this example, sysname is
the name of the MVS™ system, userid is
the user ID that is associated with the application, and tcpname is
the job name of the TCP/IP started task. For information about how
the job name for a started task, such as TCP/IP, is determined, see Steps for controlling which applications can bind to create a DVIPA.