List: racf-l
Subject: Re: IBM TIVOLI Directory Server - access restriction
From: Simon Dodge <simon () SICONSULTS ! COM>
Date: 2013-01-23 16:56:53
Message-ID: 51001655.7030709 () siconsults ! com
On 1/23/2013 8:47 AM, Mautalen Juan Guillermo wrote:
> Questions:
> What is the best way to restrict the ability to bind to IBM TDS?
> Can the restriction be implemented at user level? (any APPL check?)
> Can the restriction be applied at IP origin level (SERVAUTH?)?
>
Hi Juan,

a) See below.
b) APPL class: yes, you can control access by end users to your server.
APPL name comes from Stepname in JCL, I think. IIRC
c) SERVAUTH. I have used SERVAUTH to control who can listen on that
port/SAFNAME (i.e. which STCs can act as your LDAP server), but not end
user connections.

Restricting ability:

If you want to control who can authenticate (logon) to your server, use
APPL class.

If you want to control RACF administrative capabilities, I have used
FACILITY profiles to define a non-special scope. I did this to allow a
password reset tool to only reset passwords based on certain limbs in
Group tree scope (a few IRR.PWRESET.OWNER... profiles can nicely
"contain" them; well, the number/ease depends on your tree organization).

Regards, Simon