FEJOS Tamas wrote:
Hi!
Each program has its own userid (due to security and local storage
management reasons) with ftp access.
Each program has its own HFS mounted under /usr/lpp/, e.g.
/usr/lpp/fejlsws/
It works well, but due to UNIX file access rights (e.g. others: r-x)
and RACF UACC read, users can read many more files than they should.
So I want to restrict each user to accessing content under its home
directory only, e.g. /usr/lpp/fejlsws/.
Nothing more: no access to / or other directories, just what is under
/usr/lpp/fejlsws/.
As R.S. pointed out, if you can make the user IDs RESTRICTED in RACF
then UACC(READ), GLOBAL, and (if you set some additional options)
permissions for "other" will not apply to those users. They can only
access data you have specifically given them access to.
It sounds good.
I have tried it. Restriction works. :)
ICH408I USER(SSCSWS ) GROUP(SSCSUPP ) NAME(SSC SAPIENS WORKST ) 801
  FTPDNS CL(PROGRAM )
  INSUFFICIENT ACCESS AUTHORITY
  FROM * (G)
  ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
CSV025I PROGRAM CONTROLLED MODULE FTPDNS NOT ACCESSED, USER UNAUTHORIZED
Which profile should I create to eliminate this?
The simple answer is a PERMIT, not a profile:
PE * CLA(PROGRAM) ID(SSCSWS) ACC(READ)
Usually the CL(PROGRAM) * profile is UACC(READ), so there is no big issue
in giving a restricted user such a permit.
However, the * profile should be checked: while it is a good idea to put
the whole LNKLST into the * profile, there are programs on the linklist
which shouldn't be open to everyone. The exceptions I know of are ICHDSM00
and IRRDPTAB.
--
Radoslaw Skorupka
Lodz, Poland
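The ICH408I message quoted above already carries everything needed to
build the PERMIT Radoslaw suggests: the user, the class, the denied module
and, on the FROM line, the profile that made the decision (here the
generic * profile). The script below is an added example, not code from
the thread or from IBM: it parses ICH408I/CSV025I messages out of a
SYSLOG extract and proposes the PERMIT on the deciding profile, refusing
to do so for the two linklist modules named above as ones that should not
be open to everyone. The log lines are constructed, modelled on the
message in the thread; the second violation (ICHDSM00) is invented to
show the refusal path, and SENSITIVE_MODULES is an assumed list that a
site would extend.

```python
"""Parse RACF ICH408I / CSV025I denial messages and propose the PERMIT
that would clear a PROGRAM-class denial (added example, not IBM code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Linklist modules that should stay closed even if the * profile covers
# them: the two exceptions named in the thread (assumed list; extend it).
SENSITIVE_MODULES = frozenset({"ICHDSM00", "IRRDPTAB"})

# Constructed SYSLOG extract: the first message is the one quoted in the
# thread, the second (ICHDSM00 via a discrete profile) is invented.
SAMPLE_LOG = """\
ICH408I USER(SSCSWS  ) GROUP(SSCSUPP ) NAME(SSC SAPIENS WORKST  ) 801
  FTPDNS CL(PROGRAM )
  INSUFFICIENT ACCESS AUTHORITY
  FROM * (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
CSV025I PROGRAM CONTROLLED MODULE FTPDNS NOT ACCESSED, USER UNAUTHORIZED
ICH408I USER(SSCSWS  ) GROUP(SSCSUPP ) NAME(SSC SAPIENS WORKST  ) 802
  ICHDSM00 CL(PROGRAM )
  INSUFFICIENT ACCESS AUTHORITY
  FROM ICHDSM00
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

MSG_ID = re.compile(r"^[A-Z]{3}\d{3}[A-Z]\b")   # any z/OS message id starts a message
HEADER = re.compile(r"USER\((\S+)\s*\)\s+GROUP\((\S+)\s*\)")
RESOURCE = re.compile(r"^\s*(\S+)\s+CL\((\w+)\s*\)")
FROM = re.compile(r"^\s*FROM\s+(\S+)(\s+\(G\))?")
ACCESS = re.compile(r"INTENT\((\w+)\s*\)\s+ACCESS ALLOWED\((\w+)\s*\)")


@dataclass
class Violation:
    user: str
    group: str
    resource: str      # the module or resource that was denied
    racf_class: str
    profile: str       # profile that made the decision (the FROM line)
    generic: bool      # "(G)" after the profile name
    intent: str
    allowed: str


def _split_messages(log: str) -> List[List[str]]:
    """Group lines into messages: a line opening with a message id starts a
    new message, indented continuation lines belong to the current one."""
    messages: List[List[str]] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        if MSG_ID.match(line):
            messages.append([line])
        elif messages:
            messages[-1].append(line)
    return messages


def parse_violations(log: str) -> List[Violation]:
    """Extract every ICH408I message as a Violation; other ids are skipped."""
    out: List[Violation] = []
    for msg in _split_messages(log):
        if not msg[0].startswith("ICH408I"):
            continue
        head = HEADER.search(msg[0])
        fields = {}
        for line in msg[1:]:
            if (m := RESOURCE.match(line)) and "resource" not in fields:
                fields["resource"], fields["racf_class"] = m.group(1), m.group(2)
            elif m := FROM.match(line):
                fields["profile"], fields["generic"] = m.group(1), bool(m.group(2))
            elif m := ACCESS.search(line):
                fields["intent"], fields["allowed"] = m.group(1), m.group(2)
        if head and len(fields) == 6:
            out.append(Violation(user=head.group(1), group=head.group(2), **fields))
    return out


def suggest_permit(v: Violation) -> Optional[str]:
    """PERMIT on the deciding profile for the denied intent, or None when
    the denied module is one that must not be opened up."""
    if v.resource in SENSITIVE_MODULES:
        return None
    return f"PERMIT {v.profile} CLASS({v.racf_class}) ID({v.user}) ACCESS({v.intent})"


if __name__ == "__main__":
    for v in parse_violations(SAMPLE_LOG):
        cmd = suggest_permit(v)
        where = f"{'generic ' if v.generic else ''}profile {v.profile}"
        print(f"{v.user} denied {v.intent} on {v.racf_class} {v.resource} via {where}:")
        print("   ", cmd or "review by hand; sensitive module, do not permit")
```

PERMIT/CLASS/ACCESS are the full forms of the PE/CLA/ACC abbreviations in
the reply above. Note that the command is issued against the profile on
the FROM line, not against the module name: when the deciding profile is
the generic *, one permit clears every program it covers, which is exactly
why its contents deserve a look first.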
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html