Perhaps RACF's program control feature could be used. Top Secret and ACF2 have similar features. The objective would be to only allow the "Endevor" programs to be able to update your target libraries. This does not prevent a user from executing a compiler (or other program); however, his compiler can't update your target libraries. Of course, this type of control is difficult to set up, administer, etc.
Don

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]]
> On Behalf Of Charles Mills
> Sent: Monday, February 11, 2013 5:33 PM
> To: [email protected]
> Subject: How do people lock down the compilers "inside" CA Endevor?
>
> This is a theoretical question. I am *not* an Endevor user. I am trying to
> solve a *similar* problem and this is the best way to explain it.
>
> Here's the question: at shops that use Endevor for all compiles, how do you
> "lock down" the compilers so that programmers can only run the compilers
> under Endevor, not with plain old JCL? What about programmers who might have
> "private copies" of the compiler load libraries?
>
> (More generically, if X is a load module, is it possible to set things up
> such that program Y can run X, but PGM=X will never work? How? I have
> thought about engineering a rename to a name that JCL will not accept (but
> LINK will) but I would just as soon not get that weird; rather do things in
> a more supported way.)
>
> Thanks,
>
> Charles
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
