On 1/20/2006 9:20 AM, FEJOS Tamas wrote:
Hi!
Each program has its own userid (due to security and local storage
management reasons) with ftp access.
Each program has its own HFS mounted under /usr/lpp/, eg.
/usr/lpp/fejlsws/
It works well, but due to unix file access rights (eg. others: r-x)
and RACF UACC read, users can read much more files than they should.
So I want to restrict each user to access contents under its home
directory only, eg. /usr/lpp/fejlsws/.
Not more, no access to / or other directories just under
/usr/lpp/fejlsws/.
As R.S. pointed out, if you can make the user IDs RESTRICTED in RACF
then UACC(READ), GLOBAL, and (if you set some additional options)
permissions for "other" will not apply to those users. They can only
access data you have specifically given them access to.
It sounds good.
I have tried it. Restriction works. :)
ICH408I USER(SSCSWS ) GROUP(SSCSUPP ) NAME(SSC SAPIENS WORKST ) 801
FTPDNS CL(PROGRAM )
INSUFFICIENT ACCESS AUTHORITY
FROM * (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
CSV025I PROGRAM CONTROLLED MODULE FTPDNS NOT ACCESSED, USER UNAUTHORIZED
Which profile should I create to eliminate this?
You do not need to create any profiles. You should PERMIT either user
SSCSWS or group SSCSUPP to PROGRAM * with READ access.
You might want to consider creating a group specifically for your
RESTRICTED users (in case you have other such users in the future) and
PERMIT that group to PROGRAM * with READ authority. Then in the future
you can simply CONNECT your other RESTRICTED users to that group.
By the way, we generally recommend using PROGRAM ** rather than PROGRAM
* as it makes use of RLIST simpler.
Walt Farrell, CISSP
z/OS Security Design, IBM
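As an added example (not part of the thread, and not Walt's or IBM's text), the RACF commands that carry out the advice above, entered at the TSO READY prompt or from a CLIST. USER(SSCSWS), GROUP(SSCSUPP), the FTPDNS module and the failing generic PROGRAM profile `*` (shown as `FROM * (G)` in the ICH408I) are taken from the thread; the group name RESTGRP, the SUPGROUP and the DATA text are hypothetical values chosen for the example. The UNIXPRIV step is the option I take the earlier reply's "additional options" to mean; it is the documented RACF profile that stops "other" permission bits from applying to RESTRICTED users, but the thread itself does not name it.

```tso
/* Added example, not from the thread. RESTGRP is a hypothetical group
   name; SSCSWS, SSCSUPP and FTPDNS come from the messages above.      */

/* 1. One group for every RESTRICTED per-program FTP user ID, so that
      future users only need a CONNECT instead of new PERMITs.          */
ADDGROUP RESTGRP SUPGROUP(SYS1) DATA('RESTRICTED PER-PROGRAM FTP USERS')

/* 2. Mark the user RESTRICTED and connect it to the group. RESTRICTED
      users ignore UACC, GLOBAL and ID(*) entries, which is what produced
      the ICH408I for the program-controlled module FTPDNS.             */
ALTUSER SSCSWS RESTRICTED
CONNECT SSCSWS GROUP(RESTGRP)

/* 3. Give the group READ on the PROGRAM profile that covers FTPDNS.
      The ICH408I names the existing generic profile '*', so that is the
      one PERMITted here. For new definitions the reply recommends '**'
      instead, because RLIST PROGRAM * means "list every profile" rather
      than the profile named '*'.                                        */
PERMIT * CLASS(PROGRAM) ID(RESTGRP) ACCESS(READ)
SETROPTS WHEN(PROGRAM) REFRESH

/* 4. Optional: make the HFS/zFS "other" permission bits (eg. r-x) not
      apply to RESTRICTED users either, so they reach only files they
      own or are explicitly permitted to (home directory under /usr/lpp).
      This is my reading of the "additional options" mentioned above.   */
RDEFINE UNIXPRIV RESTRICTED.FILESYS.ACCESS UACC(NONE)
SETROPTS RACLIST(UNIXPRIV) REFRESH

/* 5. Verify: RESTGRP should now appear in the access list of '*'.      */
RLIST PROGRAM * AUTHUSER
LISTUSER SSCSWS
```

Before running step 4, confirm the UNIXPRIV class is active and RACLISTed on the system, and check that each RESTRICTED user still owns its own home directory (or holds explicit access to it), since after this change "other" bits no longer let it in anywhere. The CSV025I in the thread shows program control is already active, so step 3 alone removes that particular failure; expect further ICH408I messages for any other resource the FTP session touches that was previously reached only through UACC or ID(*), and PERMIT those to RESTGRP as they appear.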
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html