Previous topic |
Next topic |
Contents |
Index |
Contact z/OS |
Library |
PDF
Authorizing use of SMP/E commands and services SMP/E for z/OS User's Guide SA23-2277-01 |
|||||||||||||||||||||||
The System Authorization Facility (SAF) restricts the use of certain SMP/E functions to users who have appropriate access to the SAF resources that protect those functions. The functions being controlled are all the SMP/E commands processed by program GIMSMP (for example, SET, RECEIVE, APPLY, ACCEPT, UCLIN, LIST, REPORT, and so on), the GIMZIP and GIMUNZIP service routines, and the GIMIAP copy utility invocation program. The SAF FACILITY class resource names corresponding to these functions
are of the following form:
To allow SMP/E users to execute SMP/E functions, you must protect the appropriate SAF FACILITY class resources in the active security manager and grant read access to those users that should be allowed to invoke the controlled SMP/E functions. However, of all the functions described previously, several need
to be controlled carefully. Users who are granted access to these
resources have the potential to undermine system security regardless
of any data set protections you may have in place. Therefore, they
should be as trusted, for example, as users who have authority to
update APF-authorized libraries. The functions that need to be controlled
carefully and the corresponding SAF FACILITY class resources that
SMP/E checks, are as follows:
You may define discrete profiles to control individual SMP/E functions,
or you may choose to define generic profiles. However, if the resources
are not protected by the security manager, or a user does not have
READ authority to those resources, then SMP/E processing will stop.
A sample RACF® command to define
a single generic FACILITY class profile and to define a user ID in
the access list of that profile is as follows:
If you have activated SETROPTS RACLIST processing for the FACILITY
class, you must also refresh SETROPTS RACLIST processing for the updates
to take affect:
It might be difficult to identify and add all necessary user IDs
to the access list for the subject profiles, whether using a single
generic profile as in the previous example, or multiple discrete profiles.
With this in mind, although not recommended by IBM®, it is possible to define the profiles with
WARNING and AUDIT(FAILURES(READ)) to help identify and log all user
IDs that currently invoke SMP/E functions and will require eventual
definition in the profiles' access list. After sufficient analysis
and after the access list has been updated, then profiles should be
changed to NOWARNING.
Note: The preceding sample commands to define
a FACILITY class profile and to define a user ID in the access list
of that profile assume the use of RACF as
the security manager. If you use a security manager other than RACF, see the appropriate documentation
for equivalent commands.
|
Copyright IBM Corporation 1990, 2014
|