Provide security product access to Netstat command

Controlling access to Netstat command can be added by using security product resources defined in the following table. You can define the following new security product resource names in the SERVAUTH class to control users' access to the TSO NETSTAT or UNIX shell netstat command options. See the sample EZARACF member for examples of the security product commands used to create the resource names. If the SERVAUTH class is not active or if security product resource name is not defined, access to the Netstat command will not be restricted.

Note: Take care with applications that might be invoking Netstat under the covers. If the Netstat security resource names are defined, the user IDs associated with applications invoking Netstat under the covers need to be permitted for READ access to the resource names.

Resource names in SERVAUTH class	Netstat options
EZB.NETSTAT.mvsname.tcpprocname.*	All Netstat options
EZB.NETSTAT.mvsname.tcpprocname.ALL	ALL / -A
EZB.NETSTAT.mvsname.tcpprocname.ALLCONN	ALLCONN / -a
EZB.NETSTAT.mvsname.tcpprocname.ARP	ARP / -R
EZB.NETSTAT.mvsname.tcpprocname.BYTEINFO	BYTEINFO / -b
EZB.NETSTAT.mvsname.tcpprocname.CACHINFO	CACHINFO / -C
EZB.NETSTAT.mvsname.tcpprocname.CLIENTS	CLIENTS / -e
EZB.NETSTAT.mvsname.tcpprocname.CONFIG	CONFIG / -f
EZB.NETSTAT.mvsname.tcpprocname.COnn	CONN / -c
EZB.NETSTAT.mvsname.tcpprocname.DEFADDRT	DEFADDRT/-l
EZB.NETSTAT.mvsname.tcpprocname.DEVLINKS	DEVLINKS / -d
EZB.NETSTAT.mvsname.tcpprocname.GATE	GATE / -g
EZB.NETSTAT.mvsname.tcpprocname.HOME	HOME / -h
EZB.NETSTAT.mvsname.tcpprocname.IDS	IDS / -k
EZB.NETSTAT.mvsname.tcpprocname.ND	ND / -n
EZB.NETSTAT.mvsname.tcpprocname.PORTLIST	PORTLIST / -o
EZB.NETSTAT.mvsname.tcpprocname.RESCACHE	RESCACHE / -q
EZB.NETSTAT.mvsname.tcpprocname.ROUTE	ROUTE / -r
EZB.NETSTAT.mvsname.tcpprocname.SLAP	SLAP / -j
EZB.NETSTAT.mvsname.tcpprocname.SOCKETS	SOCKETS / -s
EZB.NETSTAT.mvsname.tcpprocname.SRCIP	SRCIP / -J
EZB.NETSTAT.mvsname.tcpprocname.STATS	STATS / -S
EZB.NETSTAT.mvsname.tcpprocname.TELNET	TELNET / -t
EZB.NETSTAT.mvsname.tcpprocname.TTLS	TTLS / -x
EZB.NETSTAT.mvsname.tcpprocname.UP	Up / -u
EZB.NETSTAT.mvsname.tcpprocname.VCRT	VCRT / -V
EZB.NETSTAT.mvsname.tcpprocname.VDPT	VDPT / -O
EZB.NETSTAT.mvsname.tcpprocname.VIPADCFG	VIPADCFG / -F
EZB.NETSTAT.mvsname.tcpprocname.VIPADYN	VIPADYN / -v

You can use the control statements in the sample JCL job provided in SEZAINST(EZARACF) to define these authorizations.

If this is the first SERVAUTH class profile that your installation is using, activate the SERVAUTH class using the following commands:
```
   SETROPTS CLASSACT(SERVAUTH)
   SETROPTS RACLIST(SERVAUTH)   
```
Example 1: If you wanted to permit USER2 access to the Netstat CONN/-c option for TCP/IP stack TCP1 on system MVSA you could use the following definitions:
```
   RDEFINE SERVAUTH (EZB.NETSTAT.MVSA.TCP1.CONN) UACC(NONE)
   PERMIT (EZB.NETSTAT.MVSA.TCP1.CONN) ACCESS(READ) CLASS(SERVAUTH) ID(USER2)  
```

Example 2: If you wanted to permit USER4 to have access to all of Netstat options you could use the following definitions:

   SETROPTS GENERIC(SERVAUTH)
   RDEFINE SERVAUTH (EZB.NETSTAT.MVSA.TCP1.*) UACC(NONE)
   PERMIT (EZB.NETSTAT.MVSA.TCP1.*) ACCESS(READ) CLASS(SERVAUTH) ID(USER4)
   SETROPTS GENERIC(SERVAUTH) REFRESH

Refresh RACLIST
```
    SETROPTS RACLIST(SERVAUTH) REFRESH
```