On Thu, 25 Oct 2007 09:35:51 -0700 GAVIN Darren * OPS EAS
<[EMAIL PROTECTED]> wrote:
:>TSO runs from an APF Library itself.
True.
:>The TSO command CALL *(PROGRAM) can run an APF service directly as TSO
:>is already an Authorized Product.
It will only be authorized if:
1. The program is define
Dissen
Sent: Thursday, October 25, 2007 9:11 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: tso racf
On Thu, 25 Oct 2007 00:38:17 -0500 Tom Schmidt
<[EMAIL PROTECTED]>
wrote:
:>On Wed, 24 Oct 2007 22:38:03 -0400, Binyamin Dissen wrote:
:>>What PCF did well was protect APF authorized CPs.
:
On Thu, 25 Oct 2007 00:38:17 -0500 Tom Schmidt <[EMAIL PROTECTED]>
wrote:
:>On Wed, 24 Oct 2007 22:38:03 -0400, Binyamin Dissen wrote:
:>>What PCF did well was protect APF authorized CPs.
:>>You could not circumvent PCF unless you had the ability to write into an APF
:>>library, which if you can
On Wed, 24 Oct 2007 22:38:03 -0400, Binyamin Dissen wrote:
>
>What PCF did well was protect APF authorized CPs.
>
>You could not circumvent PCF unless you had the ability to write into an APF
>library, which if you can - you can do whatever you want anyway.
Oh yes I could (and did)! I could ru
> On Tue, 23 Oct 2007 17:04:56 -0700, George Fogg wrote:
>
>>BTW, does the ISPF exits run authorized? I read the manual but not quite
>>sure if they do.
>
> George,
> It doesn't matter (much) whether the exits are authorized or not if all you do
> is issue a WTO to alert your automation package tha
On Tue, 23 Oct 2007 20:11:33 -0500 Tom Schmidt <[EMAIL PROTECTED]>
wrote:
:>I well understood what PCF's goal was, but my point was that it was FAR too
:>easy to circumvent the command 'control' portion. As long as you (or a friend)
:>had program access to ANY library that you could execute fr
On Tue, 23 Oct 2007 17:04:56 -0700, George Fogg wrote:
>BTW, does the ISPF exits run authorized? I read the manual but not quite
>sure if they do.
George,
It doesn't matter (much) whether the exits are authorized or not if all you do
is issue a WTO to alert your automation package that it is sa
On Wed, 2007-10-24 at 09:55 -0700, Edward Jaffe wrote:
> Perhaps the users targeted for this behavior don't know how to type
> LOGOFF at the READY prompt.
Harumph. MY users generally just click the little 'X' on the top right
corner of the emulator screen and let LOSTERM sort it out. Makes me
n
Ted MacNEIL wrote:
That way you know the user was safely tucked into ISPF.
Why do we care?
What problem are we solving by restricting access to the READY prompt?
I've already asked this question; received no response.
Perhaps the users targeted for this behavior don't know how to type
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Ted MacNEIL
Sent: Tuesday, October 23, 2007 5:26 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: tso racf
>That way you know the user was safely tucked into ISPF.
Why do we care?
What problem are
put a 'logoff' command
at the end of the logon clist.
Thank you
Bill Carroll
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of McKown, John
Sent: Wednesday, October 24, 2007 9:05 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re
> -Original Message-
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Ted MacNEIL
> Sent: Tuesday, October 23, 2007 5:26 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: tso racf
>
>
> >That way you know the user was safely tucked
George Fogg wrote:
>BTW, does the ISPF exits run authorized? I read the manual but not quite
>sure if they do.
No. AC=00 by default.
These exits must be re-usable, preferably reentrant, because they are loaded
once during logon. AMODE=31, RMODE=ANY.
HTH!
Groete / Greetings
Elardus Engelbrecht
On Oct 23, 2007, at 8:11 PM, Tom Schmidt wrote:
Ed,
I well understood what PCF's goal was, but my point was that it was
FAR too
easy to circumvent the command 'control' portion. As long as you
(or a friend)
had program access to ANY library that you could execute from
(without using
TSO
On Tue, 23 Oct 2007 17:53:05 -0500, Ed Gould wrote:
>On Oct 23, 2007, at 3:17 PM, Tom Schmidt wrote:
>>PCF was a joke as far as 'TSO security' was concerned.
>>
>> As long as you understood how TSO's command processors work and a
>> quick understanding of PCF's working storage it can be a matter o
>Ted Macneil said:
>Why do we care?
>Edward Jaffe said:
>What's wrong with giving users access to the READY prompt?
Ted and Ed.
In my case, I'm just curious if it can be done--not that I would suggest
that we do this in our shop.
BTW, does the ISPF exits run authorized? I read the manual but not
On Oct 23, 2007, at 3:17 PM, Tom Schmidt wrote:
PCF was a joke as far as 'TSO security' was concerned.
As long as you understood how TSO's command processors work and a
quick
understanding of PCF's working storage it can be a matter of
minutes before
you can build a working prototype to b
> On Tue, 23 Oct 2007 14:58:23 -0700, George Fogg wrote:
>
>>> I worked with a shop some years ago that had a similar requirement. For a
>>> certain class of user, management wanted this:
>>>
>>> 1. LOGON
>>> 2. Be placed immediately into ISPF
>>> 3. Exit ISPF
>>> 4. LOGOFF
>>>
>>> In other words,
>That way you know the user was safely tucked into ISPF.
Why do we care?
What problem are we solving by restricting access to the READY prompt?
I've already asked this question; received no response.
-
Too busy driving to stop for gas!
On Tue, 23 Oct 2007 14:58:23 -0700, George Fogg wrote:
>> I worked with a shop some years ago that had a similar requirement. For a
>> certain class of user, management wanted this:
>>
>> 1. LOGON
>> 2. Be placed immediately into ISPF
>> 3. Exit ISPF
>> 4. LOGOFF
>>
>> In other words, these users
Carroll, William wrote:
... my management wants to know if i can block the command prompt for
non-system programmer folks. so when they exit ispf, they get logged off
of tso as well.
What's wrong with giving users access to the READY prompt?
--
Edward E Jaffe
Phoenix Software International,
> I worked with a shop some years ago that had a similar requirement. For a
> certain class of user, management wanted this:
>
> 1. LOGON
> 2. Be placed immediately into ISPF
> 3. Exit ISPF
> 4. LOGOFF
>
> In other words, these users were not allowed to sit at Ready. Don't
> remember why. Doesn't m
I worked with a shop some years ago that had a similar requirement. For a
certain class of user, management wanted this:
1. LOGON
2. Be placed immediately into ISPF
3. Exit ISPF
4. LOGOFF
In other words, these users were not allowed to sit at Ready. Don't
remember why. Doesn't matter.
There turn
On Tue, 23 Oct 2007 14:40:40 -0400, Imbriale, Donald wrote:
>The parm that you are passing could be a CLIST, constructed along these
>lines:
>
>PROC 0
>do some allocates and stuff
>start ISPF
>LOGOFF
>
>As soon as the user leaves ISPF it should log them off
If you are an applications programme
On Tue, 23 Oct 2007 14:20:10 -0500, Ed Gould wrote:
>I do not know if IBM still sells it but at one time there was a
>product called PCF. It was cheap IIRC and it worked quite well. I was
>responsible for it for over 20 years and I never had an issue with
>it. Just to give you an idea there is a t
We have a CLIST that is invoked by putting the following at the
front of any CLIST/EXEC that needs protecting. It checks an ISPF table, by
userid, for authorization.
EdP
* Top of Data
**
PROC 0
/*
McKown, John wrote:
This doesn't do anything for disabling ISPF option 6, or keep the person
from doing a "TSO somecmd" on almost any screen to invoke "somecmd"
while in ISPF. So, the general answer is still NO.
I think ISPF Exit 5 (its TSO Command Exit) can restrict that, though.
--
John Ee
>TSO Ready Prompt is too
>useful of a tool for any programmer (systems or application) to put up
>with that sort of foolish and uninformed decision.
I agree with you, especially since you can do almost everything under ISPF that
you can do with the READY prompt.
TSOEXEC makes that possible.
Not
On Tue, 23 Oct 2007 12:30:34 -0700, GAVIN Darren * OPS EAS
<[EMAIL PROTECTED]> wrote:
>Being an applications programmer, I can say that doing such a thing
>would prevent me from doing certain aspects of my job.
>
>Which includes setting up or modifying personal command tables, non ISPF
>Clist's, R
Koehler
Sent: Tuesday, October 23, 2007 3:22 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: tso racf
Don,
Could I create a CLIST/REXX called LOGOFF that would bypass this process
so long as my CLIST/REXX called LOGOFF is at the top of the
concatenation of the SYSPROC or EXEC DD Statement?
Lizette
>
Being an applications programmer, I can say that doing such a thing
would prevent me from doing certain aspects of my job.
Which includes setting up or modifying personal command tables, non ISPF
Clist's, REXX utilities, mainframe FTP, receiving notices issued by send
commands, unpacking XMIT'd PD
Don,
Could I create a CLIST/REXX called LOGOFF that would bypass this process so
long as my CLIST/REXX called LOGOFF is at the top of the concatenation of the
SYSPROC or EXEC DD Statement?
Lizette
>
>The parm that you are passing could be a CLIST, constructed along these
>lines:
>
>PROC 0
>do
On Oct 23, 2007, at 1:28 PM, Carroll, William wrote:
is there any way to block or ignore or stop somebody from entering a
command
on the command prompt through RACF, or any other method. i know i
can put a
command on the 'proc' execute, passing it as a parm, during the logon
process. my man
>yes they can, that is why i need to go after it another way.
Since people can enter almost all TSO commands under ISPF, I am trying to
figure out your need.
What problem are you trying to solve?
-
Too busy driving to stop for gas!
--
Subject: Re: tso racf
> -Original Message-
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Richbourg, Claude
> Sent: Tuesday, October 23, 2007 1:42 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: tso racf
>
>
> Hi William.
>
> -Original Message-
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Richbourg, Claude
> Sent: Tuesday, October 23, 2007 1:42 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: tso racf
>
>
> Hi William.
>
> On the last questio
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Carroll, William
Sent: Tuesday, October 23, 2007 1:28 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: tso racf
is there any way to block or ignore or stop somebody from entering a
command on the command promp
Hi William.
On the last question you could easily do it this way.
Just add the command 'LOGOFF' within their TSO segment of RACF.
Works every time.
HTH
Claude Richbourg
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Carroll, William
Sent: T
The parm that you are passing could be a CLIST, constructed along these
lines:
PROC 0
do some allocates and stuff
start ISPF
LOGOFF
As soon as the user leaves ISPF it should log them off
Don Imbriale
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Beh
> -Original Message-
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Carroll, William
> Sent: Tuesday, October 23, 2007 1:28 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: tso racf
>
>
> is there any way to block or ignore or stop somebody from
> entering a comma
On Tue, 23 Oct 2007 13:20:59 -0400, Carroll, William wrote:
>is there any way to block or ignore or stop somebody from entering
>a command on the command prompt through RACF, or any other
>method.
This sounds more like a management problem than a technical problem.
While you can sometimes addres
> -Original Message-
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Carroll, William
> Sent: Tuesday, October 23, 2007 12:21 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: tso racf
>
>
> is there any way to block or ignore or stop somebody from entering
> a comma
42 matches