IBM Support

How to Prevent Certain Users from Running DDLIST

How To


Summary

DDLIST is a powerful tool, so some organizations want to limit who has access to it. An external security manager (ESM) is the best way to prevent users from running DDLIST. However, you can also use ISPF to limit access.

Steps

To allow only authorized users access to DDLIST, you can use an external security manager, such as RACF.
The RACF program control facility is activated by your installation by using the SETROPTS WHEN(PROGRAM) command. The DDLIST command starts program ISRDDN from the SISPLOAD library, usually named ISP.SISPLOAD. Your installation might use a different high-level qualifier, such as SYS1.
Here is an example of how you might use RACF to restrict access to DDLIST. You might want to add keywords such as AUDIT or OWNER, based on your installation requirements.

RDEFINE PROGRAM ISRDDN UACC(NONE) DATA('PROGRAM PROTECTION FOR ISPF PROGRAM ISRDDN')

RALTER PROGRAM ISRDDN ADDMEM('ISP.SISPLOAD'//NOPADCHK)

PERMIT ISRDDN CLASS(PROGRAM) ID(yourid) ACCESS(READ)

SETROPTS WHEN(PROGRAM) REFRESH
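
The following REXX exec is an added example, not part of the original IBM document. It extends the commands above with the OWNER and AUDIT keywords, permits a group instead of a single user ID, and lists the resulting profile to verify it. The group DDLUSERS, the owner SECADMIN, and the library name ISP.SISPLOAD are assumptions to replace with your installation's values.

```rexx
/* REXX - added example, not IBM-supplied code.                      */
/* Assumptions: group DDLUSERS and owner SECADMIN already exist, and */
/* ISRDDN resides in ISP.SISPLOAD. Run from a user ID that has the   */
/* RACF authority to define PROGRAM profiles and issue SETROPTS.     */
group = 'DDLUSERS'      /* hypothetical group of authorized users    */
owner = 'SECADMIN'      /* hypothetical owner of the profile         */
lib   = 'ISP.SISPLOAD'  /* change if your high-level qualifier differs */

/* Define the profile with no universal access, log failed attempts, */
/* and bind the program name to the library it is loaded from.       */
cmds.1 = "RDEFINE PROGRAM ISRDDN UACC(NONE) OWNER("owner")",
         "AUDIT(FAILURES(READ)) ADDMEM('"lib"'//NOPADCHK)"

/* Grant READ to the group so access is managed by group connection. */
cmds.2 = "PERMIT ISRDDN CLASS(PROGRAM) ID("group") ACCESS(READ)"

/* Refresh the in-storage program control tables.                    */
cmds.3 = "SETROPTS WHEN(PROGRAM) REFRESH"

/* Verify: show UACC, owner, audit settings, members, access list.   */
cmds.4 = "RLIST PROGRAM ISRDDN ALL"
cmds.0 = 4

do i = 1 to cmds.0
  say '>>>' cmds.i
  address TSO cmds.i
  if rc <> 0 then do
    /* Stop at the first failure so a partial definition is noticed. */
    say 'RC='rc 'from command' i'; stopping.'
    exit rc
  end
end
exit 0
```

In the RLIST output, confirm that the universal access is NONE, that the member list shows the intended library, and that only the intended group appears in the access list.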

You can use ISPF to make it difficult, but not impossible, for someone to use ISRDDN. For example, you can create an ISPF exit (Exit 3, the Select start service exit) to limit programs or commands started with the SELECT service. However, coding an exit is not a truly secure technique, since a knowledgeable ISPF user might bypass the exit by using ISPLLIB to load a different ISPEXITS on entry to ISPF. The exit technique works only for programs started with the SELECT CMD or SELECT PGM service. It would not stop someone who uses the CALL command from starting a program from a CLIST or REXX exec.

Document Location

Worldwide


Document Information

Modified date:
12 January 2024

UID

ibm17103571