Ok. We have been playing around with program control. If PROG1 (a COBOL
program incidentally) is to be allowed exclusively to update file MY.FILE,
then we:

1. introduced PROG1 into the list of programs in AUTHPGM in member IKJEFT00
2. Executed command RDEFINE for the file (and additionally for the LE
runtime libraries - not sure if necessary) and PERMIT 'MY.FILE'
 WHEN(PROGRAM(PROG1)).

The results were:

1. Executing PGM=PROG1 in batch -> good results

2. Executing a REXX procedure under PGM=IKJEFT01 in batch -> good results
    (when invoked either by CALL 'lib(PROG1)' or SELECT PGM(PROG1))

3. Executing a REXX procedure in TSO foreground invoking program with
CALL 'lib(PROG1)'  ->  receives the following error:

ISPS118L Service not invoked. A valid ISPF environment does not exist.


4. Executing a REXX procedure in TSO foreground invoking program with
SELECT PGM(PROG1)   ->  receives the following error:

IKJEFTSR interface error
Authorized program 'PROG1'.  Return code=20  Reason code=40.

Current dialog statement:
SELECT PGM(PROG1)

We gather that we are running into the "dirty bit" problem that has been
documented in various forums. What can we do to get around this (we need
the program control feature under TSO foreground as well)?

Thanks in advance,
Steff Gladstone

On Thu, 7 Feb 2019 at 18:06, Seymour J Metz <sme...@gmu.edu> wrote:

> Program control, but pay close attention to the restrictions.
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> ________________________________________
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf
> of Steff Gladstone <steff.gladst...@gmail.com>
> Sent: Thursday, February 7, 2019 6:37 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: RACF: Limiting update-authorization of a file to a particular
> application
>
> Greetings,
>
>
>
> We have a TSO application for end-users that allows them to update certain
> VSAM and PDS files.  In order for them to update these files we of course
> have to give their users update-authorization under RACF for those files.
>
>
>
> We want to limit their ability to update the files only via the particular
> TSO application (or via a particular I/O routine used by the application)
> and not via any other application program or IBM utility (e.g., IEBCOPY,
> ISPF on-line edit or utilities, etc.).
>
>
>
> How can we define the RACF authorizations in such a way as to limit the
> end-users' update capabilities to the application (or to a particular I/O
> routine) alone? Would the same (or similar) definitions work for a site
> using Top Secret instead of RACF?
>
>
>
> Thank you in advance,
> Steff Gladstone
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
