Do I understand correctly that TSOEXEC CALL creates a new subtask
environment which is "insulated" from the goings-on in the mother task?
Would specifying TASKLIB further ensure that only those modules
loaded/linked/attached from the TASKLIB library need be RACF-authorized?

Or is there something I am missing?

On Mon, 18 Feb 2019 at 16:48, Walt Farrell <walt.farr...@gmail.com> wrote:

> On Sun, 17 Feb 2019 18:05:59 +0200, Steff Gladstone <
> steff.gladst...@gmail.com> wrote:
>
> >Ok. We have been playing around with program control. If PROG1 (a COBOL
> >program incidentally) is to be allowed exclusively to update file MY.FILE,
> >then we:
> >
> >1. introduced PROG1 into the list of programs in AUTHPGM in member IKJEFT00
>
> Unless the program is linkedited with AC(1) and needs to run authorized
> (most COBOL programs don't) I don't see a reason to put it in AUTHPGM.
>
> You will likely run into problems in a TSO environment with the
> environment being marked dirty, as you noted.
>
> Your best hope to avoid that is to make sure you've followed the
> instructions in the RACF Security Administrators Guide about defining the
> PROGRAM ** profile and all the libraries that you should specify for its
> ADDMEM operand. Make sure you use the specified UACC value, too.
>
> If that doesn't work, then your next approach would be to try TSOEXEC CALL
> ... to invoke the program.
>
> Really, all of this is explained in the Security Administrators Guide in
> the sections on Program Control and Program Access to Data (PADS), along
> with some examples and recommendations. As getting this working under TSO
> is very difficult, my best recommendation is to read those sections and
> follow the instructions exactly.
>
> --
> Walt
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
