On Wed, 3 Jun 2009 13:22:26 -0500, Mark Baron <[email protected]> wrote:

>Does anyone know if there is a way, using CLASS(PROGRAM) in RACF (z/OS V1R8
>and higher) to define all accesses to a given program??
>
>That is:
>
>RDEF PROGRAM(PGMNAME) UACC(NONE) ADDMEM(LIBNAME/VOLUME/NOPADCHK)
>
>will deny access to LIBNAME(PGMNAME) but only if LIBNAME is on VOLUME.
>Similarly, omitting VOLUME from the ADDMEM specification will protect
>PGMNAME in any occurrence of LIBNAME. Is there any RACF construct to do
>ADDMEM for any dataset on any volume??

As it is basically meaningless to think about protecting a given program
name, without also knowing the library it's in, no, RACF doesn't let you do
that.

As others have mentioned:

(a) The same-named program in a different library may in fact be a totally
different program, doing entirely different functions, as there is no
control over who can create programs of a given name.

(b) A differently-named program in the same, or a different library, may in
fact be the same program with the same functions (again, as there is no
control over who can create programs with a given name or with a given
functional content).

I agree with the others that you really need to explore what your auditors
are intending to accomplish, and provide some education to them.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

