Another possibility would be to use the MAXSPOOL value as an indicator. You could have different values for the different groups. Since this is set by the SPOOLFILE entry in the user's directory, it would be tough for an ordinary user to subvert. Class G users can query their own; Class D, any user's.
It would be easy to turn usermax into an index. If the system default were n, then the index would be n + 1 - usermax. This would allow for a fairly large number of different index numbers before anyone would feel pain because their spool limit was too low. The problem with using defined devices is that the user can log on with NOIPL, muck around with the device configuration, and then IPL. Methods that rely on values that the user cannot change (such as MAXSPOOL or directory class) prevent that. Account number is less attractive because the user may have alternate numbers and there is no form of QUERY ACCOUNT that allows a privileged user to determine another user's account number. However, it would be possible to use the default account number as a group id and use QUERY LOGMSG ACCOUNT acctnbr (yuck) to determine the privilege level of a user. Since the query only returns the default number, this would work even with those who use the SET ACCOUNT command.

Regards,
Richard Schuh

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Wheeler
Sent: Tuesday, January 23, 2007 11:43 AM
To: [email protected]
Subject: Re: A z/VM idea.

Building on the idea, ANY virtual device would do. Could be a SPECIAL device, virtual printer, reader, etc. Use "CP Q V vdev" instead of the "CP LINK * vdev".

Mark Wheeler, 3M Company

From: Rob van der Heij <[EMAIL PROTECTED]m>
Sent by: The IBM z/VM Operating System <[EMAIL PROTECTED]ARK.EDU>
To: [email protected]
Date: 01/23/2007 01:26 PM
Subject: Re: A z/VM idea.
Please respond to: The IBM z/VM Operating System <[EMAIL PROTECTED]ARK.EDU>

On 1/23/07, Phil Smith III <[EMAIL PROTECTED]> wrote:
> You could also use dummy deferred LINKs, I suspect:

However, your security administrator may not like it. When you have an ESM and audit invalid link attempts, your users may not know what they're accused of. If you're not suspicious yet, read on.. ;-)

Someone I know thought to be smart and reversed the meaning of it: the disk had UACC(READ) but the &deity user was on the access list to deny access. It turned out the program did not check return codes very well. So having a tape unit attached on a nearby address would also make the link fail (because of the non-shared control unit thing; not sure that would still work) and fool the program into thinking I was authorized.

Rob
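As an added illustration (not code from anyone in this thread), a CMS REXX exec that applies Richard's MAXSPOOL index idea and, as Rob's story warns, refuses to assign any group when the CP command does not return cleanly. The site default MAXSPOOL (SYSDEF) and the assumption that the QUERY MAXSPOOL response carries the limit as its last numeric token are placeholders to verify on your own system.

```rexx
/* GRPIDX EXEC -- added example, not from the original thread.           */
/* Derives a group index from a user's MAXSPOOL as Richard proposes:      */
/*     index = sysdef + 1 - usermax                                       */
/* A class G user can only query its own MAXSPOOL; class D may name any   */
/* user. ASSUMPTIONS: SYSDEF is this site's default spool limit, and the  */
/* limit appears as the last whole-number token of the QUERY response.    */
parse upper arg target .
if target = '' then target = userid()       /* default: the caller itself */
sysdef = 9999                               /* ASSUMED site default value */

address command
'EXECIO * CP (STRING QUERY MAXSPOOL' target /* response lines go to stack */
cprc = rc
if cprc <> 0 then do
   /* Unlike the program in Rob's story, treat any non-zero CP return    */
   /* code as "no answer": never fall through to an implied grant.       */
   say 'QUERY MAXSPOOL' target 'failed, RC =' cprc
   'DESBUF'                                 /* discard partial output     */
   exit cprc
end

usermax = ''
do while queued() > 0
   parse pull line
   w = word(line, words(line))              /* last token of the line     */
   if datatype(w, 'W') then usermax = w
end

if usermax = '' then do
   say 'Unexpected QUERY MAXSPOOL response; no group assigned'
   exit 8
end

index = sysdef + 1 - usermax                /* n + 1 - usermax            */
if index < 1 then index = 1                 /* limit above default: base  */
say target 'MAXSPOOL =' usermax ', group index =' index
exit 0
```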
