
List:       racf-l
Subject:    Re: IBM TIVOLI Directory Server - access restriction
From:       Simon Dodge <simon () SICONSULTS ! COM>
Date:       2013-01-23 16:56:53
Message-ID: 51001655.7030709 () siconsults ! com

On 1/23/2013 8:47 AM, Mautalen Juan Guillermo wrote:
> Questions:
> What is the best way to restrict the ability to bind to IBM TDS?
> Can the restriction be implemented at user level? (any APPL check?)
> Can the restriction be applied at IP origin level (SERVAUTH?)?
>
Hi Juan,
a) See below.
b) APPL class: yes, you can control access by end users to your server.
APPL name comes from Stepname in JCL, I think. IIRC
c) SERVAUTH. I have used SERVAUTH to control who can listen on that
port/SAFNAME (i.e. which STCs can act as your LDAP server), but not end
user connections.

Restricting ability:
If you want to control who can authenticate (logon) to your server, use
APPL class.
If you want to control RACF administrative capabilities, I have used
FACILITY profiles to define a non-special scope. I did this to allow a
password reset tool to only reset passwords based on certain limbs in
Group tree scope (a few IRR.PWRESET.OWNER... profiles can nicely
"contain" them; well, the number/ease depends on your tree organization).

Regards,   Simon