Thanks for all the comments and suggestions.
I've suggested to the developers they use pthread_security_applid_np() so
they can pass userid/password or certificate and get the thread to run as
the userid.  I think this will eliminate the need to have id(0).
The applid is important so they can restrict users by ensuring the userid
had read access to the applid. (The default appl is OMVSAPPL).
I think for anything else they might need id(0) for, there is a BPX.*
profile which should be used instead.
Colin

On Wed, 12 Apr 2023 at 12:25, Robert S. Hansel (RSH) <
[email protected]> wrote:

> Hi Colin,
>
> What is the product? If you share this, perhaps someone who is familiar
> with the product and may have already addressed this issue can respond.
>
> Ask the vendor if access to FACILITY BPX or UNIXPRIV resources could be
> used in lieu of Superuser authority.
>
> Regards, Bob
>
> Robert S. Hansel
> Lead RACF Specialist
> RSH Consulting, Inc.          *** Celebrating our 30th Anniversary ***
> 617-969-8211
> www.linkedin.com/in/roberthansel
> www.rshconsulting.com
>
> -----Original Message-----
> Date:    Tue, 11 Apr 2023 20:06:02 +0100
> From:    Colin Paice <[email protected]>
> Subject: eliminate use of id(0)
>
> I've been reviewing someone's (ftp like) product documentation, and they
> say that the userid that runs their product needs id(0) to be able to run.
> This feels like giving too much authority to the userid.  Is there a better
> way of defining the userid and its access to resources to be able to
> eliminate the need for id(0)?
> Colin
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
