At 13:30 -0600 on 12/23/2005, Ed Gould wrote about Re: controlling
user who can mount tape.:
On Dec 23, 2005, at 3:12 AM, caleb ong wrote:
Hello,
Is there a way to restrict users from being able to submit job that
requires a tape mount in os/390 ?
The objective is to enable only our operations group to submit jobs
that requires tape mounting. Applications group will be prohibited
in submitting jobs that will require tape mounting.
We have RACF as our security sw.
I have looked at the racf and tso uads. it seems that you can
control tso mount thru the mount attribute in the uads or the racf
tso segment (tsoauth, mount attribute). But for jobs submitted by
the users , i coudn't find anyway to control this ?
Can anyone provide any suggestion to do this.
You can only do it (I am pretty sure) if you look for a MOUNT
message in the wto exit. Then you get to decide if you want to
cancel the user or not. This helps only if you have good job naming
standards . There *MIGHT* be away if you can get the info from
RACFUID
This solution is not that viable since it kicks in AS the job step
that requires the tape mount starts to execute. Thus you might have
had a number of steps run before you run into trouble. You want a
solution that will prevent the job from being initiated in the first
place (such as my suggestion to have JES2 parse the converted JCL to
spot any tape requests and trigger a JCL error at that point).
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
