Ed Gould wrote:
On Feb 16, 2006, at 7:40 AM, Walt Farrell wrote:
On 2/15/2006 5:32 PM, Jerry Vernon wrote:
We are trying to restrict the execution of certain programs by LPAR
so we
can just license them by processor. The one in particular we are
looking
at is COBOL. By limiting COBOL compiles to one Development LPAR. Does
anyone know of any software that can be used to do this?
You can do this with the program control features of RACF. Define the
main COBOL compiler module to RACF in the PROGRAM class, with a
universal access (UACC) of NONE, and then do a conditional permission
based on the system ID.
Example:
RDEFINE PROGRAM program-name ADDMEM('load-library-name'//NOPADCHK)
UACC(NONE)
PERMIT program-name CLASS(PROGRAM) ID(*) ACCESS(READ)
WHEN(SYSID(allowed-smf-id))
If you're concerned about programmers making their own copy of the
compiler modules via IEBCOPY, then you can also protect the library
containing the compiler.
Walt,
BTDT... didn't work.. You have to allow read/exec to the steplib. Once
you have given that out its wide open.
Ed
...
I haven't seen anyone mention only allowing RACF "EXECUTE" permission to
the COBOL compiler loadlib and disallowing READ access. That rules out
casual IEBCOPY duplication of the library and renaming the compiler. I
think that should then insure that the SYSID-specific PROGRAM access is
effective.
--
Joel C. Ewing, Fort Smith, AR [EMAIL PROTECTED]
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
