> -----Original Message-----
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Charles Mills
> Sent: Wednesday, January 04, 2006 4:34 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: NETRC and security -- am I missing something?
>
> > a site-wide one that is pointed to by the proc(s). RACF program control /
> > conditional access is used for this. Our mainframe .netrc files are only
> > accessible to programs like FTP
>
> I'm not the biggest RACF expert. Is it possible to do this? To have a file
> that FTP running for user XYZ can read, but user XYZ cannot read him/herself
> (say with ISPF browse)? Is FTP APF-authorized? Is that how this works? Is
> there going to be an issue if FTP is loaded by a non-authorized batch
> program?
>
> Charles
Yes, this is possible. It is called PADS (Program Access to Data Sets). It uses
something called the "Conditional Access List" in RACF also. You can basically
say something like: "Allow user xyz to have ... access to dataset ... if they
are running program ..." An example:

   ADDSD 'HLQ.MLQ.LLQ' UACC(NONE) OWNER(HLQ) GENERIC
   PERMIT 'HLQ.MLQ.LLQ' ID(group) ACCESS(READ) WHEN(PROGRAM(FTP))

However, this does require that the program in question, FTP, be "program
controlled" by having an entry for it in the PROGRAM class, similar to:

   RDEFINE PROGRAM FTP UACC(NONE) ADDMEM('dsn.containing.program'//PADCHK)
   PERMIT FTP CLASS(PROGRAM) ID(group) ACCESS(READ)

Note that the above is very simplified and using PADS can become quite
complicated by things such as determining exactly which program is doing the
OPEN and which library it is coming from.

--
John McKown
Senior Systems Programmer
UICI Insurance Center
Information Technology
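As an added illustration (not code from John's post or from IBM), here is a simplified Python model of the PADS decision the reply describes: a data set profile with its conditional access list, a PROGRAM class profile naming the library the program must be fetched from, and the rule that the conditional entry counts only while the controlled program is running. The profile classes, the "dirty environment" flag (RACF's refusal of PADS access once an uncontrolled program has been loaded into the address space, the kind of complication John alludes to) and the sample user XYZ are assumptions of this model, not RACF's real algorithm.

```python
from dataclasses import dataclass, field

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # increasing order

def allows(granted, requested):
    return LEVELS.index(granted) >= LEVELS.index(requested)

@dataclass
class DatasetProfile:        # ADDSD ... UACC(...) plus PERMIT entries
    name: str
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)       # id -> access
    cond_acl: dict = field(default_factory=dict)  # (id, program) -> access

@dataclass
class ProgramProfile:        # RDEFINE PROGRAM ... ADDMEM('lib'//PADCHK)
    name: str
    library: str
    acl: dict = field(default_factory=dict)       # id -> access (READ = may run)

def check_access(ds, user, groups, requested, program=None, programs=None,
                 loaded_from=None, dirty=False):
    ids = [user] + list(groups)
    # 1. Ordinary access list and UACC apply whatever program is running.
    if any(i in ds.acl and allows(ds.acl[i], requested) for i in ids):
        return True
    if allows(ds.uacc, requested):
        return True
    # 2. Conditional access list (PADS) counts only if the current program is
    #    program-controlled, came from the library in its PROGRAM profile, the
    #    user may execute it, and no uncontrolled program was loaded ("dirty").
    if program is None or dirty:
        return False
    pp = (programs or {}).get(program)
    if pp is None or loaded_from != pp.library:
        return False
    if not any(i in pp.acl and allows(pp.acl[i], "READ") for i in ids):
        return False
    return any((i, program) in ds.cond_acl and allows(ds.cond_acl[(i, program)], requested)
               for i in ids)

# Constructed profiles mirroring the commands in the reply above.
NETRC = DatasetProfile("HLQ.MLQ.LLQ", cond_acl={("group", "FTP"): "READ"})
PROGRAMS = {"FTP": ProgramProfile("FTP", "dsn.containing.program", acl={"group": "READ"})}

def ftp_can_read():     # user XYZ (in group) running FTP from the controlled library
    return check_access(NETRC, "XYZ", ["group"], "READ", "FTP", PROGRAMS, "dsn.containing.program")

def browse_can_read():  # same user via ISPF browse: no controlled program, no PADS
    return check_access(NETRC, "XYZ", ["group"], "READ")
```

The same function also shows why FTP fetched from a different library, or run after an uncontrolled program, gets no access even though the conditional entry exists.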