On Dec 26, 2005, at 7:50 PM, Robert A. Rosenberg wrote:
At 13:30 -0600 on 12/23/2005, Ed Gould wrote about Re: controlling
user who can mount tape.:
On Dec 23, 2005, at 3:12 AM, caleb ong wrote:
Hello,
Is there a way to restrict users from being able to submit a job
that requires a tape mount in OS/390?
The objective is to enable only our operations group to submit
jobs that require tape mounting. Applications group will be
prohibited from submitting jobs that will require tape mounting.
We have RACF as our security sw.
I have looked at the RACF and TSO UADS. It seems that you can
control TSO mount thru the MOUNT attribute in the UADS or the
RACF TSO segment (TSOAUTH, MOUNT attribute). But for jobs
submitted by the users, I couldn't find any way to control this?
Can anyone provide any suggestion to do this?

You can only do it (I am pretty sure) if you look for a MOUNT
message in the WTO exit. Then you get to decide if you want to
cancel the user or not. This helps only if you have good job
naming standards. There *MIGHT* be a way if you can get the info
from RACFUID

This solution is not that viable since it kicks in AS the job step
that requires the tape mount starts to execute. Thus you might have
had a number of steps run before you run into trouble. You want a
solution that will prevent the job from being initiated in the
first place (such as my suggestion to have JES2 parse the converted
JCL to spot any tape requests and trigger a JCL error at that point).

True,
But in order to do it ahead of time (well most of the time) you have
to muck around in the converter text. I have tried it a few times and
it is not simple.
Plus this does not do anything for dynamically allocated files. You would
still have the possibility of missing tape mounts. The exit I talked
about originally (with one minor exception) will catch 99.9 percent
of tape requests. It is easy to code and (IIRC) no chasing of OCO
control blocks.
Ed