>> You would need VERIFY, not VERIFYX.

D'oh - that'll teach me to assume that an "X" suffix on the end of an IBM macro is the "AR mode" version... :-)
Apologies

Rob Scott
Developer
Rocket Software
275 Grove Street * Newton, MA 02466-2272 * USA
Tel: +1.617.614.2305
Email: [email protected]
Web: www.rocketsoftware.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Walt Farrell
Sent: 16 April 2010 15:50
To: [email protected]
Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE

On Fri, 16 Apr 2010 09:29:30 -0500, McKown, John <[email protected]> wrote:

>> -----Original Message-----
>> From: IBM Mainframe Discussion List
>> [mailto:[email protected]] On Behalf Of Rob Scott
>> Sent: Friday, April 16, 2010 8:59 AM
>> To: [email protected]
>> Subject: Re: Internal (program) start of an STC - MGCRE vs. ASCRE
>>
>> John
>>
>> Yeah RACROUTE VERIFY(X) is the fella - see the RACROUTE manual for
>> more info - not exactly a "for dummies" book though :-)
>>
>> Obviously with a multi-user address space you would need to wrap
>> something like a task-level RESMGR around each TCB that is created
>> for the user "signon". If there is no z/OS-supplied cleanup of ACEE,
>> then your RESMGR could perform the VERIFYX ENVIR=DELETE - in fact
>> this is probably a good idea anyway.
>> Another job for the RESMGR could be to cut a "sign-off" SMF record
>> (and you could cut a "sign-on" when you perform the VERIFYX
>> ENVIR=CREATE).
>
>Really getting complicated!
>

You would need VERIFY, not VERIFYX. And you can ask VERIFY to do the auditing (LOG=ALL). I doubt you'd need a RESMGR, though you would need some kind of exit (ESTAI?) to handle abnormal termination of the subtasks and delete the ACEE.

If you're going multi-user in a single address space then it really only works if you have complete control over the code that's running, of course. If the users can supply any of the code you have nothing that can prevent one user from assuming another's identity. And if they can supply any of the code you also have the problem of ATTACH not propagating ACEEs.
It really is easier for you to simply go the UNIX route. By the way, your code does not need to be in a UNIX file system. It could be in a PDS or PDSE, though you might need an external link in the file system in order for UNIX to find it.

And don't forget that the users will need UNIX identities (OMVS segments with UIDs) if you go with anything UNIX related.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

