Paul Gilmartin wrote: >>PS: I'm not sure whether you can authenticate yourself to OMVS with say, >>certificates or something else which can identify yourself. >ssh credentials work for that. Might need administrative assistance to set >them up.
Ah yes, thanks, Paul, for refreshing my decaying and rusty memory. I now remember SSH credentials and friends. >This sounds like a variant of the question (recently less frequently asked): > How do I prevent my users' (whom I must give OMVS segments so they can use > FTP) using UNIX services? Hmmm, interesting. How do you do that? By giving in RACF, the user an invalid PROGRAM folder (as per Peter Hunkeler) in the OMVS segment? Or something else which I certainly overlooked? AFAIK - BPX.UNIQUE.USER is supposed to give you OMVS automagically if you don't have OMVS segment, thus you are getting access to UNIX services. You can use the PROGRAM trick to stop this. On the other side - many of my RESTRICTED users can FTP datasets without having access to UNIX services. >I can imagine the complementary question: How can I allow users to use OMVS >but not TSO. batch, etc. Not too difficult. Give the id OMVS segment and RESTRICTED attribute in RACF without TSO segment, throw away keys to JESINPUT/JESSPOOL, etc. Of course for all of this, you still need id/psw to use UNIX services for "out of the box" setup as per John Chase suggestion. Groete / Greetings Elardus Engelbrecht ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
