Denis Gäbler wrote:
Hi,
there is a COBOL application which is supposed to do TCP/IP calls
nowadays. When starting the application (TCPIPAPP) it requests READ
access to the following datasets:
SYS1.TCPIP.HOSTS.SITEINFO
SYS1.TCPPARMS
The application is started with the caller's Userid.
RACF people don't like to grant generic READ permission to all users.
Is there any other solution?
Could something like that be used to only allow that specific program
access to TCP/IP?
PERMIT 'SYS1.TCPPARMS' CLASS(DATASET) ID(*) ACCESS(READ)
WHEN(PROGRAM(TCPIPAPP))
Are there better solutions, ideas for that?
IMHO there are two choices:
1. Follow Rob's advice and narrow down the scope of persons able to READ
those datasets. You can still try PADS (when program), however PADS
could be difficult to set up, unless you run the program in batch.
Anyhow some users will need access to "tcpip" datasets.
2. I'm not an expert, however I suspect the application can be redesigned
so it won't require access to any tcpip dataset. Those datasets are
probably required to read the current tcpip configuration, which can be
obtained through a command or API. IMHO reading configuration from files
is error-prone - there is always a possibility of reading the wrong (i.e.
obsolete) one.
--
Radoslaw Skorupka
Lodz, Poland
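
The PADS (program access to data sets) setup discussed in this thread, written out as an added example that is not part of either message: it puts the conditional PERMIT next to the generic READ the RACF people want to avoid. The library name 'APPL.TCPIPAPP.LOADLIB' is a placeholder, and the commands assume discrete DATASET profiles already exist for both data sets.

```tso
/* The grant to avoid: every user can read the data set from any program. */
/*   PERMIT 'SYS1.TCPPARMS' CLASS(DATASET) ID(*) ACCESS(READ)            */

/* 1. Make TCPIPAPP a RACF-controlled program.                            */
/*    'APPL.TCPIPAPP.LOADLIB' is a placeholder (assumption), not a name   */
/*    from the thread. PADCHK is the default and keeps the check that no  */
/*    uncontrolled program is present in the environment.                 */
RDEFINE PROGRAM TCPIPAPP -
  ADDMEM('APPL.TCPIPAPP.LOADLIB'//PADCHK) UACC(READ)

/* 2. Activate program control and refresh the in-storage program table.  */
SETROPTS WHEN(PROGRAM)
SETROPTS WHEN(PROGRAM) REFRESH

/* 3. Conditional access: READ applies only while TCPIPAPP is executing.  */
/*    Add the GENERIC keyword if the covering profiles are generic.       */
PERMIT 'SYS1.TCPPARMS' CLASS(DATASET) ID(*) ACCESS(READ) -
  WHEN(PROGRAM(TCPIPAPP))
PERMIT 'SYS1.TCPIP.HOSTS.SITEINFO' CLASS(DATASET) ID(*) ACCESS(READ) -
  WHEN(PROGRAM(TCPIPAPP))

/* 4. Verify: the conditional access list must show the entries, and the  */
/*    standard access list must not contain a READ entry for ID(*).       */
RLIST PROGRAM TCPIPAPP ALL
LISTDSD DATASET('SYS1.TCPPARMS') AUTHUSER
LISTDSD DATASET('SYS1.TCPIP.HOSTS.SITEINFO') AUTHUSER
```

Conditional access is honoured only in a clean program-controlled environment, so every other module loaded alongside TCPIPAPP must also be covered by a PROGRAM profile.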