Traceroute

The Traceroute function is used to verify the network path to a given destination and identify each intermediate system. It sends UDP datagrams to the destination with increasing hop count values, and listens for ICMP TIME EXCEEDED INTRANSIT and PORT UNREACHABLE responses. Normal Network Access Control limits a user's ability to send and receive these datagrams. On a restricted stack, all users are limited to sending datagrams to destinations in network security zones with security labels equivalent to the stack, and receiving datagrams from intermediate systems in equivalent security zones. On an unrestricted stack, users are limited to destinations equivalent to their own security label. Users with a SYSMULTI security label on an unrestricted stack are limited to those security zones with which they are authorized to communicate.

You can permit SYSMULTI users to trace the route to addresses in security zones that are not equivalent to that stack by PERMITing them with UPDATE access to the STACKACCESS profile for that stack. This PERMIT can be limited to apply only when using certain programs, such as Traceroute, by using the WHEN(PROGRAM(tracerte,otracert)) clause on the PERMIT.