On 1/20/2006 9:51 AM, R.S. wrote:
> Simple answer is PErmit, not profile:
> PE * CLA(PROGRAM) ID(SSCSWS) ACC(READ)
> Usually CL(PROGRAM) * is UACC(READ), so there is no big issue to give
> a restricted user such a permit.
> However, the * profile should be checked: while it is a good idea to put
> the whole LNKLST in the profile *, there are programs on the linklist
> which shouldn't be open for everyone. The exceptions I know are ICHDSM00
> and IRRDPTAB.

True, but PROGRAM * basically needs to have UACC(READ), and PERMITting
the RESTRICTED users explicitly with READ will not hurt.
If they do not have PROGRAM IRRDPI00 and PROGRAM ICHDSM00 specifically
defined, that is a different exposure, not related to the introduction of
RESTRICTED users into the access list of PROGRAM *.

Walt Farrell, CISSP
z/OS Security Design, IBM