You can protect load libraries by disassociating the load libraries from the user’s ID. This removes the user’s implicit ownership of these libraries. To do this, you create a departmental rule set and rename the high‑level qualifier of each logonid’s load libraries to place them in it.
Alternatively, you can specify RULEVLD for each logonid, which invokes CA ACF2 rule checking even for owned data sets. You can then add access rules to each user’s existing rule set that grant the user access.
Using either technique, grant each logonid unrestricted read and execute access to its own load libraries. However, restrict write access so that it is allowed only through the linkage editor (IEWL) and IEBCOPY programs, using CA ACF2 program pathing. Use the LIB option to specify that these programs must come from a secured system library. For example, add these rules to control updates to your own program load libraries:
$KEY(logonid)
 my.lib UID(******logonid) READ(A) EXEC(A)
 my.lib UID(******logonid) WRITE(A) PGM(IEWL) LIB('SYS1.LINKLIB')
 my.lib UID(******logonid) WRITE(A) PGM(IEBCOPY) LIB('SYS1.LINKLIB')
Then, add a rule granting complete access to everything else:
$KEY(logonid)
 - UID(******logonid) READ(A) WRITE(A) ALLOC(A) EXEC(A)
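The following check is an added example, not part of the CA ACF2 documentation or product: it reads rule text in the format shown above and reports load libraries whose WRITE(A) entries are not program-pathed to IEWL or IEBCOPY from SYS1.LINKLIB. The function names, the test.lib and prod.lib data sets, and the merged sample rule set are constructed for illustration, and the check compares data set names exactly rather than evaluating ACF2 masks.

```python
import re

# Programs the page allows to update load libraries, and the secured
# library they must be fetched from (both taken from the rules above).
ALLOWED_PGMS = {"IEWL", "IEBCOPY"}
SECURED_LIB = "SYS1.LINKLIB"

# Constructed sample: the page's rule entries under one $KEY, plus one
# deliberately unsafe entry (test.lib, hypothetical) for the check to catch.
SAMPLE_RULES = """\
$KEY(logonid)
 my.lib UID(******logonid) READ(A) EXEC(A)
 my.lib UID(******logonid) WRITE(A) PGM(IEWL) LIB('SYS1.LINKLIB')
 my.lib UID(******logonid) WRITE(A) PGM(IEBCOPY) LIB('SYS1.LINKLIB')
 test.lib UID(******logonid) READ(A) WRITE(A) EXEC(A)
 - UID(******logonid) READ(A) WRITE(A) ALLOC(A) EXEC(A)
"""

def parse_rules(text):
    """Return (dsn, {KEYWORD: value}) per rule entry, skipping $ control lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("$"):
            continue
        dsn, _, rest = line.partition(" ")
        pairs = re.findall(r"(\w+)\(([^)]*)\)", rest)
        entries.append((dsn.lower(), {k.upper(): v.strip("'") for k, v in pairs}))
    return entries

def audit_load_libraries(text, load_libs):
    """List findings for load libraries whose WRITE access is not program-pathed."""
    entries = parse_rules(text)
    findings = []
    for lib in load_libs:
        own = [p for dsn, p in entries if dsn == lib.lower()]
        if not own:
            # Simplification: masks are not evaluated, only exact names.
            findings.append(f"{lib}: no entry of its own, only mask rules such as '-' can apply")
        for p in own:
            pathed = p.get("PGM") in ALLOWED_PGMS and p.get("LIB") == SECURED_LIB
            if p.get("WRITE") == "A" and not pathed:
                findings.append(f"{lib}: WRITE(A) without PGM/LIB program pathing")
    return findings

if __name__ == "__main__":
    for finding in audit_load_libraries(SAMPLE_RULES, ["my.lib", "test.lib", "prod.lib"]):
        print(finding)
```
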
Copyright © 2009 CA. All rights reserved.