On Thu, 13 May 2010 09:36:23 -0500, Patrick Lyon <ptl...@midamerican.com> wrote:
>On Wed, 14 Apr 2010 09:46:01 -0500, Walt Farrell <wfarr...@us.ibm.com> >wrote: > >>What is important is that you understand that you are at risk if you do not >>carefully control who can run those SMP/E functions, and that your users >who >>can run those functions must be very trusted users. And that's why we have >>the new APAR IO12263. >> > >I might point out for those who have not applied this enhancement, that the >examples within APAR IO12263 are not complete. Below is what they indicate >are protected in the APAR: > ><quote> >These functions, and the corresponding SAF FACILITY class >resources that SMP/E checks, are as follows: > > Function: Resource name: > RECEIVE command GIM.CMD.RECEIVE > APPLY command GIM.CMD.APPLY > ACCEPT command GIM.CMD.ACCEPT > RESTORE command GIM.CMD.RESTORE > REJECT command GIM.CMD.REJECT > LINK command GIM.CMD.LINK > CLEANUP command GIM.CMD.CLEANUP > Program GIMZIP GIM.PGM.GIMZIP > Program GIMUNZIP GIM.PGM.GIMUNZIP > Program GIMIAP GIM.PGM.GIMIAP ></quote> > >SET and REPORT also need command profiles, even though they were >indicated earlier in the APAR. I am sure there are others that I have not >found yet. From earlier in the APAR: > ><quote> >The functions being controlled are all the SMP/E commands processed by >program GIMSMP (for example, SET, RECEIVE, APPLY, ACCEPT >UCLIN, LIST, REPORT, etc.), the GIMZIP and GIMUNZIP >service routines, and the GIMIAP copy utility invocation >program. ></quote> > >Just a heads up that those planning on applying this enhancement, that more >will be needed. > Not if you define only 1 profile as GIM.*. I suspect that will suffice for at least 95% of the shops out there. We've already discussed the unlikelihood of shops desiring to do something more granular like giving a certain set of users RECEIVE only (even though it could be done). Mark -- Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS mailto:mzel...@flash.net Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html Systems Programming expert at http://expertanswercenter.techtarget.com/ ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
