z/OS Security Server RACF Security Administrator's Guide


Program access to SERVAUTH resources in BASIC or ENHANCED mode

SA23-2289-00

When you protect the names of network security zones (groups of IP addresses) with SERVAUTH class resources, you can allow users to reach those IP addresses only while they are executing certain programs. For example, when you control access to network security zones, you can permit network administrators to access certain zones only when using the ping and traceroute commands. For more information about using SERVAUTH resources to control access to network security zones, see z/OS Communications Server: IP Configuration Guide.

To set up program control for a SERVAUTH resource (representing a network security zone), create a profile in the SERVAUTH class specifying UACC(NONE), or specify ID(*) ACCESS(NONE), so that general users have no access. Then permit specific users or groups with the WHEN(PROGRAM(program-name)) operand, together with the ID and ACCESS operands, on the PERMIT command:

Example:
RDEFINE SERVAUTH resource-name UACC(NONE)
PERMIT resource-name CLASS(SERVAUTH) ID(user or group or *) ACCESS(READ)
   WHEN(PROGRAM(program-name))

This example permits the specified users or groups to access network security zones protected by SERVAUTH resources only when executing the specified program or command.
Program access to SERVAUTH resources in ENHANCED program security mode operates much the same as it does in BASIC program security mode, with one exception. RACF® allows program access to SERVAUTH resources to operate in ENHANCED program security mode only when one of the following is true:
  • The program that established the current program environment has the MAIN attribute
  • The current program or the first program executed in the current or a parent MVS™ task has the BASIC attribute
Note: For checking MAIN programs, the environment is considered established by the initial program executed in the job step, or the initial program executed by TSOEXEC or the IKJEFTSR service, or the initial UNIX program exec()ed or spawn()ed (non-local case only).

As with program access to data sets, you must maintain a clean environment to control program access to SERVAUTH resources. (For details, see Maintaining a clean environment in BASIC or ENHANCED mode.) Unlike program access to data sets, the PADCHK/NOPADCHK operands have no meaning and are ignored.
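The complete command sequence an administrator would issue to put this in place under ENHANCED program security mode, written here as a REXX exec so each step can be commented. This is an added example, not from the IBM guide: the zone profile name MYZONE.SERVAUTH.PROFILE, the load library MYLIB.LOAD, the program MYPROG and the group NETADMIN are placeholders.

```rexx
/* REXX - added example: program-conditional access to a SERVAUTH zone  */
/* Placeholders: MYZONE.SERVAUTH.PROFILE, MYLIB.LOAD, MYPROG, NETADMIN.  */
ADDRESS TSO

/* 1. Program control must be active for WHEN(PROGRAM) to be honored.   */
/*    ENHANCED mode adds the MAIN/BASIC requirement described above.    */
"SETROPTS WHEN(PROGRAM(ENHANCED))"

/* 2. Define the program in the PROGRAM class so RACF can identify it.  */
/*    APPLDATA('MAIN') gives it the MAIN attribute, so a job step that  */
/*    starts with it establishes a valid ENHANCED-mode environment.     */
/*    NOPADCHK only affects program access to data sets; it is ignored  */
/*    for SERVAUTH checks. The '//' means the library is cataloged.     */
"RDEFINE PROGRAM MYPROG ADDMEM('MYLIB.LOAD'//NOPADCHK) UACC(READ)",
        "APPLDATA('MAIN')"

/* 3. The SERVAUTH class must be active and RACLISTed.                  */
"SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)"

/* 4. Protect the zone: no access for general users.                    */
"RDEFINE SERVAUTH MYZONE.SERVAUTH.PROFILE UACC(NONE)"

/* 5. Grant the network administrators READ only while running MYPROG.  */
"PERMIT MYZONE.SERVAUTH.PROFILE CLASS(SERVAUTH) ID(NETADMIN)",
        "ACCESS(READ) WHEN(PROGRAM(MYPROG))"

/* 6. Make the new and changed profiles effective.                      */
"SETROPTS WHEN(PROGRAM) REFRESH"
"SETROPTS RACLIST(SERVAUTH) REFRESH"

/* 7. Verify: the conditional access list should show NETADMIN with     */
/*    READ access and MYPROG as the program name.                       */
"RLIST SERVAUTH MYZONE.SERVAUTH.PROFILE AUTHUSER"
```

If the same users also need the zone without a program restriction for other work, that is a separate unconditional PERMIT and defeats the purpose of the conditional entry, so check the standard access list in the RLIST output as well as the conditional one.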

Copyright IBM Corporation 1990, 2014