You can use the read verification feature of EDIF to see whether unauthorized programs are reading data sets and to prevent unauthorized read operations from occurring. To enable read verification, specify OPTION=ACCESSCHECK on a DSORG, PREFIX, SUFFIX, PATTERN, or DATASET statement. During read verification, EDIF compares the name of the program that tries to read the data set to a list of programs authorized to read that data set. If that program is not on the list, then EDIF considers the request to be a read violation.
To identify programs authorized to read a data set, use the ACCESSLIST parameter. For example, authorize programs ISREDIT and ISRUDA to read SYS1.LINKLIB by specifying ACCESSLIST(PROGRAMS(ISREDIT,ISRUDA)) on that processing statement.
If you have listed authorized programs on a UTILITY statement, then you can specify the name of that UTILITY statement instead of listing the programs individually. For example, suppose that you assigned the name ISPF to a UTILITY statement for these programs. You could authorize these programs by specifying ACCESSLIST(UTILITY(ISPF)) on that processing statement.
To detect read violations for testing purposes, we recommend that you specify OPTION=(ACCESSCHECK,SMF,SUPPRESSMESSAGES). This lets you identify data sets that are victims of unauthorized read operations, without sending notification messages to TSO users and operators. You then can decide which programs to abend and which programs to authorize.
For example, to detect read violations for the SYS1.LINKLIB data set and record violations in an SMF record, you would specify the following statement in the EDIPARMS member:
DATASET NAME=SYS1.LINKLIB OPTION=(ACCESSCHECK,SMF,SUPPRESSMESSAGES)
To prevent unauthorized read operations, specify OPTION=(ACCESSCHECK,ABEND). When you do this, EDIF abends programs that attempt to read a data set without authorization. Use caution when specifying OPTION=(ACCESSCHECK,ABEND) on any statement that affects a large number of data sets. We recommend that you do not specify the SUPPRESSMESSAGES option to suppress notification messages when the ABEND option is in effect.
If EDIF detects an unauthorized read operation, then EDIF issues message MIM4069 to notify you about the read violation and message MIM4070 to notify you that the program has been abended.
For example, to prevent unauthorized read operations for the SYS1.LINKLIB data set and record read violations in an SMF record, specify the following statement in the EDIPARMS member:
DATASET NAME=SYS1.LINKLIB OPTION=(ACCESSCHECK,ABEND,SMF)
By default, EDIF uses abend code U913 when abending a program. To use a different abend code, specify a new code through the ABENDCODE parameter on the EDIINIT statement.
Example: Preventing Unauthorized Read Operations
Suppose that you want EDIF to perform the following tasks for data sets that have the suffix .PAYROLL:
To do this, specify the following statement in the EDIPARMS member:
SUFFIX NAME=.PAYROLL OPTION=(ACCESSCHECK,ABEND,SMF),
ACCESSLIST=(PROGRAMS=(SYS1PAY,SYS2PAY))
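The following Python script is an added example, not part of the product or its documentation: it reviews EDIPARMS text before deployment and reports which ACCESSCHECK statements only detect violations, which abend programs, and which combine ABEND with the settings this page advises caution about. It assumes only the statement forms shown on this page, that a trailing comma continues a statement on the next line, and that DSORG, PREFIX, SUFFIX and PATTERN statements are the ones that can match many data sets; the PREFIX statement in the sample is constructed.

```python
import re

# Assumption: these statement types can match a large number of data sets.
BROAD = {"DSORG", "PREFIX", "SUFFIX", "PATTERN"}

# Constructed sample EDIPARMS content, using only the statement forms shown on this page.
SAMPLE = """\
DATASET NAME=SYS1.LINKLIB OPTION=(ACCESSCHECK,SMF,SUPPRESSMESSAGES)
SUFFIX NAME=.PAYROLL OPTION=(ACCESSCHECK,ABEND,SMF),
ACCESSLIST=(PROGRAMS=(SYS1PAY,SYS2PAY))
PREFIX NAME=PROD OPTION=(ACCESSCHECK,ABEND,SUPPRESSMESSAGES)
"""

def join_continuations(text):
    """Merge a line ending in a comma with the line that follows it (assumed rule)."""
    out, buf = [], ""
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        buf = f"{buf} {line}".strip()
        if not buf.endswith(","):
            out.append(buf)
            buf = ""
    if buf:
        out.append(buf)
    return out

def review(text):
    """Return (statement type, NAME, mode, findings) for each ACCESSCHECK statement."""
    results = []
    for stmt in join_continuations(text):
        kind = stmt.split()[0].upper()
        name = re.search(r"NAME=(\S+)", stmt)
        opt = re.search(r"OPTION=\(?([A-Z,]+)\)?", stmt)
        options = set(opt.group(1).split(",")) if opt else set()
        if "ACCESSCHECK" not in options:
            continue
        mode = "prevent" if "ABEND" in options else "detect"
        findings = []
        if mode == "prevent" and "SUPPRESSMESSAGES" in options:
            findings.append("ABEND with SUPPRESSMESSAGES: programs abend while notification messages are suppressed")
        if mode == "prevent" and kind in BROAD:
            findings.append(f"ABEND on a {kind} statement: may affect many data sets")
        results.append((kind, name.group(1) if name else "?", mode, findings))
    return results

if __name__ == "__main__":
    for kind, name, mode, findings in review(SAMPLE):
        print(f"{kind} {name}: {mode}", *findings, sep="\n  ")
```

Statements reported in "prevent" mode with findings are candidates for a trial run with OPTION=(ACCESSCHECK,SMF,SUPPRESSMESSAGES) first, as described above.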
Copyright © 2014 CA.
All rights reserved.