But the whole point it seems to me is that with batch TSO we are talking
about what can be done by someone who already has the ability to submit
a batch job. If you have batch job capability you don't have to execute
batch TMP to be able to allocate datasets, as that can already be done
via JCL DD statements or internally in various utilities. One can
directly invoke utilities as a job step to examine dataset attributes,
list members or contents of members of PDSs, invoke APF authorized
programs, or invoke IDCAMS functions, etc., etc. You can even simulate
dynamic dataset allocation by using a program implemented in REXX or
some other language to dynamically generate and submit another job to an
Internal Reader.
I would contend that batch TMP (and batch ISPF) doesn't really give the
batch user any fundamental power to do good or ill that is not already
there in other forms in the batch environment, it just adds some
convenient, and in some cases more efficient, additional ways to do things.
Paul Gilmartin wrote:
On Sat, 17 Nov 2007 00:15:03 -0600, Joel C. Ewing wrote:
I can't conceive of any rational reason why a sysadmin or auditor would
want to restrict batch TMP usage. It buys you no power or data access
that could not be derived by other means, except perhaps for the
somewhat dubious ability to execute CLISTs - but everything a CLIST can
do can be better done by REXX.
Under TMP, but not otherwise in Rexx, you get:
o ALLOCATE (yes, BPXWDYN is a near equivalent, but lacks some keywords.)
o ISPF
o LISTDSI (other TSO functions?)
o IDCAMS commands (RENAME, ...)
o CALL APF authorized programs.
But I'm being devil's advocate. Restricting users' access to
TMP is as irrational as restricting their access to Unix System
Services. But some auditors feel such an irrational desire to
exclude access to any facility a user doesn't need to perform
his job. The Totalitarian view: "Everything is prohibited
unless it's compulsory."
-- gil
--
Joel C. Ewing, Fort Smith, AR [EMAIL PROTECTED]
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
