> -----Original Message-----
> From: IBM Mainframe Discussion List 
> [mailto:[EMAIL PROTECTED] On Behalf Of Charles Mills
> Sent: Wednesday, January 04, 2006 4:34 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: NETRC and security -- am I missing something?
> 
> 
> > a site-wide one that is pointed to by the proc(s).  RACF program control /
> > conditional access is used for this.  Our mainframe .netrc files are only
> > accessible to programs like FTP
> 
> I'm not the biggest RACF expert. Is it possible to do this? To have a file
> that FTP running for user XYZ can read, but user XYZ cannot read him/herself
> (say with ISPF browse)? Is FTP APF-authorized? Is that how this works? Is
> there going to be an issue if FTP is loaded by a non-authorized batch
> program?
> 
> Charles

Yes, this is possible. It is called PADS (Program Access to Data Sets).
It also uses something called the "conditional access list" in RACF. You
can basically say something like: "Allow user xyz to have ... access to
dataset ... if they are running program ..." An example:

ADDSD 'HLQ.MLQ.LLQ' UACC(NONE) OWNER(HLQ) GENERIC

PERMIT 'HLQ.MLQ.LLQ' ID(group) ACCESS(READ) WHEN(PROGRAM(FTP))

However, this does require that the program in question, FTP, be
"program controlled" by having an entry for it in the PROGRAM class,
similar to:

RDEFINE PROGRAM FTP UACC(NONE) ADDMEM('dsn.containing.program'//PADCHK)

PERMIT FTP CLASS(PROGRAM) ID(group) ACCESS(READ)

Note that the above is very simplified and using PADS can become quite
complicated by things such as determining exactly which program is doing
the OPEN and which library it is coming from.

--
John McKown
Senior Systems Programmer
UICI Insurance Center
Information Technology

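The commands in the reply above, collected into one batch TSO job that also activates program control and then displays what was defined. This is an added example, not something posted in the thread, and every name in it is assumed: SYS1.FTP.NETRC as the site-wide .netrc data set, SYS1.TCPIP.LOAD as the library the FTP module is loaded from, FTPUSERS as the RACF group whose batch jobs run FTP, and SYS1 as the owning group. The job has to be submitted by a user with the SPECIAL attribute, since SETROPTS and the PROGRAM class definitions need it.

```jcl
//PADSDEF  JOB (ACCT),'PADS FOR FTP NETRC',CLASS=A,MSGCLASS=X
//* Added example, not from the original posts.  Assumed names:
//*   SYS1.FTP.NETRC  - the site-wide .netrc data set (hypothetical)
//*   SYS1.TCPIP.LOAD - the library FTP is loaded from (hypothetical)
//*   FTPUSERS        - RACF group of batch users that run FTP (hypothetical)
//* Step 1 protects the data set: no default access, every READ audited.
//* Step 2 puts module FTP under program control.  '//' means no volser
//*   (the library must be catalogued); PADCHK, the default, makes RACF
//*   require a clean environment (no uncontrolled program loaded) at OPEN.
//* Step 3 grants READ only through the conditional access list, so the
//*   same users still get a RACF failure when they browse the file in ISPF.
//* Step 4 switches program control on and refreshes in-storage profiles.
//* Step 5 shows the result: AUTHUSER lists both the standard access list
//*   and the conditional (WHEN(PROGRAM)) entries.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDSD 'SYS1.FTP.NETRC' UACC(NONE) OWNER(SYS1) AUDIT(ALL(READ))
 RDEFINE PROGRAM FTP UACC(NONE) ADDMEM('SYS1.TCPIP.LOAD'//PADCHK)
 PERMIT FTP CLASS(PROGRAM) ID(FTPUSERS) ACCESS(READ)
 PERMIT 'SYS1.FTP.NETRC' ID(FTPUSERS) ACCESS(READ) WHEN(PROGRAM(FTP))
 SETROPTS WHEN(PROGRAM)
 SETROPTS WHEN(PROGRAM) REFRESH
 LISTDSD DATASET('SYS1.FTP.NETRC') AUTHUSER
 RLIST PROGRAM FTP AUTHUSER
/*
```

The check that matters is the negative one: after the job runs, have a member of FTPUSERS read SYS1.FTP.NETRC with an ordinary utility (an IEBGENER copy, or ISPF browse). It should fail with ICH408I and ABEND S913, which proves the conditional entry is the only path to the file. The closing warning in the reply above is also what answers the question about FTP being invoked from a non-authorized batch program: with PADCHK in force, RACF refuses the conditional access if any program that is not under program control has already been loaded into the address space, so the batch program that calls FTP must itself be program-controlled or the OPEN fails.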

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
