IBM OS/390 Time Clock User Manual


 
ICCF provides another level of security by defining ICCF libraries within DTSFILE
as either PUBLIC, PRIVATE, or COMMON. All ICCF users have read access to
data stored in the single COMMON library supported by ICCF. However, only
ICCF users with a System Administrator level profile have write access to this
library. Multiple PUBLIC ICCF libraries are supported in DTSFILE and are
normally used to store data that can be read by any ICCF user, but updated only
by the originator. ICCF PRIVATE libraries are normally used to store data that
can be accessed by users authorized for access to that library.
With RACF you can specify system options (via the SETROPTS command) which
tell RACF how to protect data sets, and in particular whether to allow access to
unprotected data sets or not. If you choose to require protection for all data sets
(SETROPTS PROTECTALL) then you will have to define DATASET profiles before
anyone can access data sets. (Obviously you would want to create such profiles
before you specify PROTECTALL.) If you don't enforce protection of all data sets,
then you can identify those data sets which do require protection and define
DATASET profiles just to protect them. The RACF Security Administrator's Guide
has information on protecting resources, both data sets and other kinds, using
the ADDSD, RDEFINE, and PERMIT commands.
In the TSO/E environment, you can use RACF to restrict or allow access to a
PDS to simulate the library access defined above. The TSO/E equivalent of the
ICCF COMMON library is a PDS with a universal access level of READ and an
access list with only a few users having UPDATE authority. Since TSO/E
command lists (CLISTs) and REXX execs, equivalent to ICCF procedures, are
stored in a PDS, you might define a single CLIST PDS for storing all common
CLISTs available to any TSO/E user. This PDS is similar in use to the ICCF
PUBLIC library. The TSO/E equivalent of an ICCF PUBLIC library is a PDS with,
again, a universal access of READ and an access list with a limited number of
users with UPDATE authority. For an ICCF PRIVATE library equivalent PDS under
TSO/E, you specify a universal access level of NONE and then permit the
necessary users with either READ or UPDATE authority, as appropriate, via the
access list of a DATASET profile.
Since protection is at the data set level in TSO/E, it is not possible to do member
level protection.
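The library mapping described above, written as a TSO/E REXX exec that issues the RACF commands. This is an added example, not part of the original workbook. The data set names, user IDs, and the helper routine name are hypothetical, and it assumes that APPL is a RACF-defined group, that generic profile checking is active for data sets, and that the issuer is authorized to define the profiles and issue SETROPTS.

```rexx
/* REXX - added example; data set names and user IDs are hypothetical  */
/* Assumes: APPL is a RACF-defined group, generic profile checking is  */
/* active for DATASET, and the issuer may define profiles and SETROPTS */

/* ICCF COMMON equivalent: universal READ, a few users with UPDATE */
call racf "ADDSD 'APPL.COMMON.CLIST' GENERIC UACC(READ)"
call racf "PERMIT 'APPL.COMMON.CLIST' GENERIC ID(SYSADM1 SYSADM2)",
          "ACCESS(UPDATE)"

/* ICCF PUBLIC equivalent: universal READ, limited UPDATE list */
call racf "ADDSD 'APPL.PAYROLL.CLIST' GENERIC UACC(READ)"
call racf "PERMIT 'APPL.PAYROLL.CLIST' GENERIC ID(USERA) ACCESS(UPDATE)"

/* ICCF PRIVATE equivalent: universal NONE, explicit READ or UPDATE */
call racf "ADDSD 'APPL.PRIVATE.DATA' GENERIC UACC(NONE)"
call racf "PERMIT 'APPL.PRIVATE.DATA' GENERIC ID(USERA) ACCESS(UPDATE)"
call racf "PERMIT 'APPL.PRIVATE.DATA' GENERIC ID(USERB USERC)",
          "ACCESS(READ)"

/* Review each access list before tightening the system-wide option */
call racf "LISTDSD DATASET('APPL.COMMON.CLIST') GENERIC AUTHUSER"
call racf "LISTDSD DATASET('APPL.PAYROLL.CLIST') GENERIC AUTHUSER"
call racf "LISTDSD DATASET('APPL.PRIVATE.DATA') GENERIC AUTHUSER"

/* Only after the profiles exist: require protection for all data    */
/* sets. WARNING logs access to unprotected data sets and allows it; */
/* PROTECTALL(FAILURES) rejects such access instead.                 */
call racf "SETROPTS PROTECTALL(WARNING)"
exit 0

/* Hypothetical helper: echo the command, run it in TSO, stop on error */
racf: procedure
  parse arg cmd
  say cmd
  address tso cmd
  if rc <> 0 then do
    say 'RC='rc 'from:' cmd
    exit 8
  end
  return
```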
7.1.5 Summary
Although you can begin using TSO/E with a minimum amount of knowledge in
the areas of User Profiles and LOGON Procedures, there are many options
available in preparing TSO/E for your interactive users. You should review
TSO/E Customization for details on these subjects. Security is a very important aspect
of your new MVS system and should be reviewed at the system level not just for
your TSO/E system. For information on the OS/390 Security Server (RACF) you
can begin with the RACF General Information manual, though administrators will
also need to study the RACF Security Administrator's Guide.
7.2 Using the System
Once a TSO/E user has access to his new interactive system, he will need to
know how he can accomplish what he used to do with ICCF. In this section we
will explain how to implement ICCF functions in a TSO/E environment.
158 VSE to OS/390 Migration Workbook