Limiting Access to Specific Programs

Protecting Access to Datasets Through Specific Programs

A user’s access to a dataset can be protected by a security product. However, in MVS, the security products do not control a user’s access to part of a dataset. When a user is granted access to a dataset, the access applies to the entire dataset.

When a dataset contains information that pertains to several users, it may be necessary to permit access to part of the data and deny access to the remaining data in the dataset.

When it is necessary to authorize a user limited access to part of a dataset, the security administrator may need to rely on the application program to verify that the specific authorization applies only to the data that the user requires.

To effectively use this type of protection, user access to the dataset must be restricted so that the user can access the dataset only when using the trusted application program. The security products used in MVS allow the security administrator to specify that a dataset can be accessed by a user only when using a specific program or programs.

Whenever a dataset is protected with a conditional access rule such as "User U is allowed to access dataset D only through program P," dataset D is known as a Program-Accessed dataset (PADS) that is protected using a method called Program Pathing.

Program pathing is a feature that is available in all security products. However, it is implemented differently in each environment. To use program pathing in IOA, the security administrator must be familiar with the program pathing method as it is implemented by the security product used at the site.

RACF Security

BMC recommends that you do not use RACF program pathing when working under ISPF.

A program-accessed dataset is a dataset that is protected by a dataset profile. The profile contains a conditional access list that specifies the user ID or group ID that allows access to a dataset only when a specific program is used.

A controlled program is a module that is protected by a discrete or generic profile in the PROGRAM class. The controlled program definition may include either the PADCHK or the NOPADCHK attribute.

When the PADCHK attribute is specified, the controlled program, when fetched from the LOADLIB by MVS, must appear in the conditional access list of any open program-accessed datasets.

When attribute NOPADCHK is specified, the security product does not perform the program-accessed data check for the program. Therefore, any controlled program with attribute NOPADCHK that is loaded can access any currently open program-accessed dataset.

Whenever a dataset is protected by a conditional access list and the user ID accessing the dataset is not authorized to access the dataset through the regular access list, the security product verifies the following:

The program name exists in the conditional access list of the dataset profile with at least the requested level of authority. In addition, all programs in the active RB chain exist in the conditional access list.

The user ID or group ID associated with the program name appears in the conditional access list.

The current task must not have previously loaded a non-controlled program. Any other tasks in the address space that have previously loaded a non-controlled program must not be dispatchable.

Therefore, after a non-controlled program is loaded by the task, no program-accessed dataset can be accessed by the task.
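
The checks listed above can be read as a decision procedure. The following Python model is an added example, not RACF or BMC code; it assumes that one program in the RB chain must carry the requested authority for the user or group, and that a NOPADCHK program is exempt from being listed itself. The dataset profile, user, group, and program names are hypothetical.

```python
# Added example: simplified model of the checks listed above, not RACF code.
from dataclasses import dataclass, field

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass
class Profile:
    standard: dict = field(default_factory=dict)     # id -> level
    conditional: dict = field(default_factory=dict)  # (id, program) -> level

@dataclass
class Task:
    user: str
    groups: tuple = ()
    rb_chain: tuple = ()   # programs in the active RB chain
    clean: bool = True     # False once a non-controlled program was loaded

def check_access(profile, task, want, controlled):
    """Return (allowed, reason); `controlled` maps program -> PADCHK/NOPADCHK."""
    need = LEVELS[want]
    ids = (task.user, *task.groups)
    if any(LEVELS[profile.standard.get(i, "NONE")] >= need for i in ids):
        return True, "regular access list"
    if not task.clean:
        return False, "task loaded a non-controlled program"
    granted = False
    for pgm in task.rb_chain:
        if pgm not in controlled:
            return False, f"{pgm} is not a controlled program"
        level = max(LEVELS[profile.conditional.get((i, pgm), "NONE")] for i in ids)
        if level >= need:
            granted = True          # this entry carries the requested authority
        elif level == 0 and controlled[pgm] != "NOPADCHK":
            return False, f"{pgm} (PADCHK) is not in the conditional access list"
    if granted:
        return True, "conditional access list"
    return False, "no conditional entry with sufficient authority"

# Constructed sample data: all names are hypothetical.
CONTROLLED = {"PAYRPT": "PADCHK", "SORTUTIL": "NOPADCHK", "AUDITPGM": "PADCHK"}
PAYROLL = Profile(standard={"ADMIN1": "ALTER"},
                  conditional={("CLERKS", "PAYRPT"): "READ"})

def demo():
    u = dict(user="U1", groups=("CLERKS",))
    return [check_access(PAYROLL, Task(rb_chain=c, **u), w, CONTROLLED)[0]
            for c, w in [(("PAYRPT",), "READ"), (("PAYRPT",), "UPDATE"),
                         (("PAYRPT", "SORTUTIL"), "READ"),
                         (("PAYRPT", "AUDITPGM"), "READ")]]

if __name__ == "__main__":
    print(demo())
```

The second element of each result is the reason string, which is the part an administrator would compare against the profile when diagnosing a denied request.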

Generally, LOAD libraries from IBM and third party vendors can be treated as controlled libraries.

To allow program pathing to work correctly within the IOA environment, the IOA LOAD library must be defined as a controlled library using the following command:

RDEFINE PROGRAM ** ADDMEM('ioa.loadlib'/volser/NOPADCHK)

For more information, refer to the IBM Resource Access Control Facility Security Administrator’s Guide.

Top Secret Security

A program-accessed dataset is a dataset that is protected by a dataset profile, with a conditional access list, specifying the user ID or group ID allowed to access a dataset only when using a specific program (that is, parameter PRIVPGM of the PERMIT command in Top Secret).

In Top Secret, the program associated with the Current-TCB Top-PRB appears in the PRIVPGM parameter (specifically, or using a pattern), and the access level specified in the ACCESS parameter of the PERMIT command is sufficient.

In addition, the LIBRARY parameter of the PERMIT command allows the security interface to specify a LOAD library from which the program must originate. If the LIB parameter is not specified, the program must originate from the LNKLST libraries concatenation.

It is highly recommended that the Top Secret PERMIT command be used because this command allows specification of the program prefix in parameter PRIVPGM. For example, to allow a user to access the Control-M Resources file only through INCONTROL products, use the following command:

TSS PERMIT(USERID) DATASET (IOA.V600.RES) ACC(UPDATE) 
PRIVPGM(IOA(G), CTM(G), CTW(G)) LIBRARY(IOA.V600.LOAD)

ACF2/SAF Security

A program-accessed dataset is a dataset that is protected by a dataset profile. A conditional access list specifies user IDs or group IDs that are allowed to access a dataset only when using a specific program.

The program associated with the Current-TCB Top-PRB appears in the PGM parameter (specifically or using a pattern) of the access rule, and the requested access level is allowed by the access rule.

To define a program path protected dataset under CA ACF2, the security administrator must code a conditional access rule containing the program name and the library through which the access is granted. The following sample command creates a rule to allow a user to access the IOA Conditions file using INCONTROL products:

$KEY (IOA)
V600.RES UID(user) LIBRARY(IOA.V600.LOAD) PGM(IOA-) READ(A) WRITE(A)