|
|
|
Use the program access to data set support in RACF to protect a user’s load libraries. This is easily accomplished for group libraries because their profiles allow explicit specification of each user ID’s access privileges. However, because RACF automatically permits a user ID full access to files with names that begin with that user ID, it is very difficult to prevent involuntary user ID access to individual user‑owned libraries. However, you can use the RACHECK preprocessing exit (ICHRCX01) to screen library update requests and deny those that do not meet the proper criteria. Successful implementation of this approach depends on locally developed code to allow the exit to recognize the load libraries of individual user IDs.
Alternately, you can rename the high‑level qualifier of each user ID’s load libraries and prevent all access:
RENAME ‘userid.load.lib’ ‘newname.load.lib’
The disadvantage of this method is that it can add many new profiles to the RACF data set. Once this is done, however, you can make Global Access Checking (GAC) entries or write data set profiles to permit each user ID unrestricted read access to its libraries. Update access is then controlled through standard RACF program access support.
You can define an authorized path by naming the linkage editor and IEBCOPY in a conditional access list specified in the general resource DATASET class. Specify your user ID, the utility name, and write access authority in the access list for each of your load libraries. For example, these rules create a profile for a new library name, give read access to the user, and control update access to the new library through a specified program:
ADDSD (‘newname.load.lib’) UACC(NONE) GENERIC
PERMIT(‘newname.load.lib’) ID(userid) ACCESS(READ) GENERIC
PERMIT(‘newname.load.lib’) ID(userid) ACCESS(UPDATE) GENERIC
WHEN(PROGRAM(IEBCOPY IEWL*))
| Copyright © 2009 CA. All rights reserved. | Tell Technical Publications how we can improve this information |