Edward E. Jaffe wrote:
Steve Grimes wrote:
I apologize in advance for not knowing the best list to send this
question to. (Perhaps ISPF-L? But I'm not a subscriber there.) I'm
proposing to our systems folks that we allow a "user" to use TSO to
get to the Zeke Work Center function. I'm being told that there is no
way for us to limit what the user can do if we let them intoTSO.
Sounds like bullshirt to me. Any user with ATTRIBUTES=RESTRICTED will
require that _every function_ they need be explicitly authorized,
regardless of any existing UACC settings.
One of the things to keep in mind, simply restricting what menus they
see in ISPF by restricting the logon PROC, even if you do auto logoff
when they exit ISPF, doesn't really restrict what they can do in
TSO/ISPF as long as they have access to an ISPF command line from which
any TSO command or program in LINKLST can be potentially invoked; and
many ISPF panels support a command line or have menu pulldowns that may
lead to such panels.
You would want to guarantee through appropriate RACF security (like
RESTRICTED with minimal explicit RACF permits mentioned by Edward) that
they have no access to any datasets they don't need and that they can't
access any programs other than the ones they need for their intended
function. It ought to be possible, but to give them the minimal
required access will no doubt require a tedious repetitive process to
gradually add all the needed permits to DATASET and PROGRAM profiles
until they can do what is required without being blocked at some point
by RACF access failure messages. Depending on the ISPF application, you
could run into situations where granting access to some program or
dataset required by the ISPF dialog might also open up avenues for abuse
from the ISPF command line.
In order to run ISPF they will have to have UPDATE access to a user ISPF
PROFILE PDS (or PDSE) dataset. If they have any way to introduce their
own member into that dataset (batch, TSO EDIT, ISPF EDIT, etc.), they
could potentially use a REXX program to display many parts of COMMON
storage, probably not a serious breach in most installations, but a
potential unintended capability.
--
Joel C. Ewing, Fort Smith, AR [EMAIL PROTECTED]
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
