On 09/06/2016 06:19 AM, Elardus Engelbrecht wrote:
> Jorge Garcia wrote:
>
>> We have the following environment: two lpar (prod & dev)  in sysplex sharing 
>> RACF database, spool, mastercat and resident volume. We want to reject the 
>> Access to Enterprise cobol dataset (IGY.*) and the execution of compilations 
>> Jobs in prod system.  
> Use RACF. Limit access to IGY.* datasets and give access to the lucky few.
>
> Also in PROGRAM class, a profile like IGY* with UACC=NONE will help you 
> certainly.
>
> Something like this: 
>                                                                       
> permit IGY* class(PROGRAM)  id(*) access(READ) when(SYSID(<blah 1>))        
>
> Your programmers may take a while to learn to do the things on the right 
> LPARs... ;-)
>
> Groete / Greetings
> Elardus Engelbrecht
>
I believe he said the RACF database was shared.  How does this not also
disable compiler access on the development LPAR?  You want all
development people to have access on dev system but not on prod.  There
are probably better solutions, but you could put those data sets on an
isolated volume that is only on-line to the dev system.  Is the
compiler a product that has to be explicitly enabled in PARMLIB?  If so,
perhaps systems could use different members with it disabled on prod.

There may also be simpler, less technical solutions.  Have installation
standards that require canned JCL and fixed job classes for compiles
with initiators for those job classes only on the dev system and modify
ISPF panels to be system-name sensitive and disallow compile dialogs on
prod.  These obstacles can of course be circumvented but it makes
violations a deliberate act instead of an accident.  Either dismiss
those that violate the standards or send them that month's bill for the
MSU license charge for using the compiler on the prod LPAR.
     Joel C. Ewing 


-- 
Joel C. Ewing,    Bentonville, AR       [email protected] 

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
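
The conditional PERMIT quoted in the thread, written out as a full RACF command sequence. This is an added example, not commands posted by either participant. The data set name and the system ID are placeholders to be replaced with the installation's own values. SYSID takes the four-character SMF system ID (the SID value in SMFPRMxx), so a single profile in the shared RACF database grants READ only on the system whose SID matches, while every other system falls through to UACC(NONE).

```tso
RDEFINE PROGRAM IGY* UACC(NONE) ADDMEM('<compiler load library>'//NOPADCHK)   /* placeholder data set name (assumption) */
PERMIT IGY* CLASS(PROGRAM) ID(*) ACCESS(READ) WHEN(SYSID(<dev SID>))   /* placeholder: SMF SID of the dev LPAR (assumption) */
SETROPTS WHEN(PROGRAM) REFRESH   /* refresh in-storage program control tables */
RLIST PROGRAM IGY* AUTHUSER   /* check: standard list empty, conditional list shows the SYSID entry */
```

Because the RACF database is shared but the in-storage program tables are per system, the SETROPTS refresh has to take effect on both LPARs before the result is tested from each one.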
