On 8/27/07, David Boyes <[EMAIL PROTECTED]> wrote:

> > Most CP commands right now only allow the ESM to audit, not to control
> > access. If the ESM gets granular access control, we need a lot of
> > new error messages to reflect that.
>
> Or just one:
>
> HCPnnnnE Command option not permitted by security profile. RC=1234
>
> Exactly what isn't permitted isn't the end user's business (to prevent
> gaming the system and determining what options are permitted by trial
> and error), but should be recorded in the ESM log.

Beg to differ. My experience is that this is not helpful. My all-time favorite is the console log full of "Command complete for user" messages. You want the requester and owner of the resource (the one who can grant access) to be able to sort this out, so it should be clear to either one of them which profile was preventing or not allowing access. Hiding the why does not make it more secure. There are more effective ways to detect systematic attacks and friends.

> > An easy API for
> > RACROUTE might be nice to avoid yet-another-list of powerful users
> > (especially since some weasels want that all disks with lists of
> > powerful users are protected against reading).
>
> Takes us back to either a universal *RPI service provider built into CP
> that we can connect to with pipes and do our own ESM, or supplying a
> default ESM that's more granular than the classic CP model, doesn't it?

You're making wind and causing confusion. *RPI is what CP uses to connect to the RACFVM's. CMS Pipelines can connect to *RPI but that's the reverse of what we want.

What I am asking for is an "application resource profile" that is not used by CP but by applications to control access to services (e.g. APPL.TCPIP.LINK.ABC could allow query or start/stop of link ABC based on access to that profile). It would also require extra support in the ESM to have granular access control for those 3rd party checks (ICHCONN is global). One could imagine a new/changed diagnose to ask CP to ask the ESM, but we have no easy way to use such a diagnose. A new system IUCV service looks cool but also lacks the tools to use it. So maybe a new CP command is the easiest way.

Rob
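Added example, not part of the message above and not z/VM, CP or RACF code: a small Python model of the "application resource profile" check the message describes, showing a denial that names the profile next to the single generic message from the quoted reply, with the full detail recorded in the ESM's audit log either way. ToyESM, the operation-to-access mapping, the fail-closed handling of undefined profiles, and the user IDs TCPIP and OPER1 are assumptions made for illustration.

```python
from enum import IntEnum

class Access(IntEnum):
    """Ordered access levels in the RACF style."""
    NONE = 0
    READ = 1
    UPDATE = 2
    CONTROL = 3
    ALTER = 4

# Assumed mapping: which access an application operation requires.
REQUIRED = {"query": Access.READ, "start": Access.UPDATE, "stop": Access.UPDATE}

class ToyESM:
    """In-memory stand-in for the ESM (hypothetical, constructed data only)."""
    def __init__(self):
        self.profiles = {}   # profile name -> {user ID: Access}
        self.audit = []      # records the ESM log would hold

    def permit(self, profile, user, access):
        self.profiles.setdefault(profile, {})[user] = access

    def check(self, caller, user, profile, wanted):
        """Third-party check: `caller` asks on behalf of `user`."""
        acl = self.profiles.get(profile)
        granted = Access.NONE if acl is None else acl.get(user, Access.NONE)
        ok = acl is not None and granted >= wanted   # undefined profile: deny
        self.audit.append((caller, user, profile, wanted.name, granted.name, ok))
        return ok

def link_request(esm, user, op, link, explain=True):
    """What the service machine does before acting on a link command."""
    if op not in REQUIRED:
        raise ValueError(f"unknown operation: {op}")
    profile = f"APPL.TCPIP.LINK.{link}"
    if esm.check("TCPIP", user, profile, REQUIRED[op]):
        return f"{op} {link}: accepted"
    if explain:   # denial names the profile, so requester and owner can sort it out
        return f"{op} {link}: denied by profile {profile} (needs {REQUIRED[op].name})"
    return "Command option not permitted by security profile"   # generic form

def demo_esm():
    """Constructed sample: OPER1 may query link ABC but not start or stop it."""
    esm = ToyESM()
    esm.permit("APPL.TCPIP.LINK.ABC", "OPER1", Access.READ)
    return esm

if __name__ == "__main__":
    esm = demo_esm()
    for op, explain in (("query", True), ("stop", True), ("stop", False)):
        print(link_request(esm, "OPER1", op, "ABC", explain))
    print(esm.audit[-1])
```

The audit record is identical for both denial styles; only what the requester sees differs.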
