On 2/15/2006 5:32 PM, Jerry Vernon wrote:
> We are trying to restrict the execution of certain programs by LPAR so we
> can just license them by processor.  The one in particular we are looking
> at is COBOL. By limiting COBOL compiles to one Development LPAR.  Does
> anyone know of any software that can be used to do this?

You can do this with the program control features of RACF. Define the main COBOL compiler module to RACF in the PROGRAM class, with a universal access (UACC) of NONE, and then do a conditional permission based on the system ID.

Example:

RDEFINE PROGRAM program-name ADDMEM('load-library-name'//NOPADCHK) UACC(NONE)

PERMIT program-name CLASS(PROGRAM) ID(*) ACCESS(READ) WHEN(SYSID(allowed-smf-id))

If you're concerned about programmers making their own copy of the compiler modules via IEBCOPY, then you can also protect the library containing the compiler.

ADDSD 'load-library-name' GENERIC UACC(EXECUTE)

The use of EXECUTE here will prevent users from opening the library to copy programs from it. This approach will work best if the compiler library is in the system link list, but can also be made to work if your users need to access the library via a STEPLIB in batch.

It will be harder to make it work if you allow your users to run COBOL compiles in a TSO session.

        Walt Farrell, CISSP
        z/OS Security Design, IBM
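
The commands described above, collected into one batch TSO job, as an added example that is not part of the original post. The module name IGYCRCTL, the library name IGY.SIGYCOMP, the SMF ID DEV1 and the JOB card are assumptions to be replaced with your installation's values; the SETROPTS refresh and the two list commands are added here to put the change into effect and check it.

```jcl
//PGMCTL   JOB (ACCT),'COBOL PGM CONTROL',CLASS=A,MSGCLASS=X
//*
//* Added example. Assumed values (replace with your own):
//*   IGYCRCTL      main compiler module
//*   IGY.SIGYCOMP  load library containing the compiler
//*   DEV1          SMF ID of the one LPAR allowed to compile
//*
//* Commands, in order:
//*   1. RDEFINE  - PROGRAM profile for the module, UACC(NONE)
//*   2. PERMIT   - READ for everyone, only WHEN running on DEV1
//*   3. ADDSD    - UACC(EXECUTE) so the library cannot be opened
//*                 and copied
//*   4. SETROPTS - refresh program control so 1 and 2 take effect
//*   5. RLIST / LISTDSD - list the profiles to confirm the UACC
//*                 values and the conditional access list entry
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE PROGRAM IGYCRCTL -
    ADDMEM('IGY.SIGYCOMP'//NOPADCHK) UACC(NONE)
  PERMIT IGYCRCTL CLASS(PROGRAM) ID(*) ACCESS(READ) -
    WHEN(SYSID(DEV1))
  ADDSD 'IGY.SIGYCOMP' GENERIC UACC(EXECUTE)
  SETROPTS WHEN(PROGRAM) REFRESH
  RLIST PROGRAM IGYCRCTL ALL
  LISTDSD DATASET('IGY.SIGYCOMP') GENERIC ALL
/*
```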

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
