Program access to SERVAUTH resources in BASIC or ENHANCED mode

z/OS Security Server RACF Security Administrator's Guide SA23-2289-00
When you protect the names of network security zones (which contain IP addresses) with resources in the SERVAUTH class, you can allow users to access those IP addresses only while executing certain programs. For example, when you control access to network security zones, you can permit network administrators to access certain zones only when they use the ping and traceroute commands. For more information about using SERVAUTH resources to control access to network security zones, see z/OS Communications Server: IP Configuration Guide.

To set up program control for a SERVAUTH resource (representing a network security zone), create a profile in the SERVAUTH class specifying UACC(NONE), or specify ID(*) ACCESS(NONE) on the PERMIT command, to ensure that general users have no access. Then permit specific users with WHEN(PROGRAM(program-name)) together with the ID and ACCESS operands on the PERMIT command.

Example:

This example permits the specified users or groups to access network security zones protected by SERVAUTH resources only when executing the specified program or command.

Program access to SERVAUTH resources in ENHANCED program security mode operates much the same as it does in BASIC program security mode, with one exception. RACF® allows program access to SERVAUTH resources to operate in ENHANCED program security mode only when one of the following is true:

Note: For checking MAIN programs, the environment is considered established by the initial program executed in the job step, the initial program executed by TSOEXEC or the IKJEFTSR service, or the initial UNIX program exec()ed or spawn()ed (non-local case only).

As with program access to data sets, you must maintain a clean environment to control program access to SERVAUTH resources. (For details, see Maintaining a clean environment in BASIC or ENHANCED mode.) Unlike program access to data sets, the PADCHK/NOPADCHK operands have no meaning and are ignored.
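The set-up described above, written out as a TSO CLIST so the commands can be run in order. This is an added example, not one from the guide: the system name, stack name, zone name, group name and program names are assumed, and the resource name follows the EZB.NETACCESS.sysname.tcpname.zonename convention from the IP Configuration Guide.

```clist
/* Added example, not from the RACF guide. Assumed names:              */
/*   SYS1    = system name          TCPIP   = TCP/IP stack name         */
/*   ADMINZN = network security zone defined to Communications Server   */
/*   NETADM  = group of network administrators                          */
/*   PING, TRACERTE = program names (as defined in the PROGRAM class)   */

/* 1. Define the zone resource with no default access.                 */
RDEFINE SERVAUTH EZB.NETACCESS.SYS1.TCPIP.ADMINZN UACC(NONE)

/* 2. State the "no general access" intent explicitly on the list.     */
PERMIT EZB.NETACCESS.SYS1.TCPIP.ADMINZN CLASS(SERVAUTH) ID(*) ACCESS(NONE)

/* 3. Conditional access: NETADM may reach the zone only while the     */
/*    named program is running. Each program must already be defined   */
/*    in the PROGRAM class; PADCHK/NOPADCHK on those profiles does not */
/*    matter here because it is ignored for SERVAUTH resources.        */
PERMIT EZB.NETACCESS.SYS1.TCPIP.ADMINZN CLASS(SERVAUTH) ID(NETADM) ACCESS(READ) WHEN(PROGRAM(PING))
PERMIT EZB.NETACCESS.SYS1.TCPIP.ADMINZN CLASS(SERVAUTH) ID(NETADM) ACCESS(READ) WHEN(PROGRAM(TRACERTE))

/* 4. Program control must be active, and if SERVAUTH is RACLISTed    */
/*    the in-storage profiles must be refreshed before the change      */
/*    takes effect.                                                     */
SETROPTS WHEN(PROGRAM)
SETROPTS RACLIST(SERVAUTH) REFRESH

/* 5. Check: the two PERMITs should appear under the conditional       */
/*    access list, and ID(*) under the standard access list as NONE.   */
RLIST SERVAUTH EZB.NETACCESS.SYS1.TCPIP.ADMINZN AUTHUSER
```

A user in NETADM who opens a socket to an address in the zone from any other program, or from an unclean environment, is denied access like any general user.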
Copyright IBM Corporation 1990, 2014