
Example 1: Disabling commands

Users of user ID EXAMPLE are to be prevented from loading and starting programs. This is achieved by creating a group syntax file for the user ID EXAMPLE in which the LOAD-PROGRAM and START-PROGRAM commands, as well as the old LOAD and EXECUTE commands, are disabled. The special START commands for certain programs (e.g. START-SDF-A, START-EDT, START-LMS, ...) are then also disabled as these START commands require access to START-PROGRAM or LOAD-PROGRAM.

In BLSSERV V2.3 and higher, the functionality of START-PROGRAM and LOAD-PROGRAM is also offered with improved syntax via the new commands START-EXECUTABLE-PROGRAM and LOAD-EXECUTABLE-PROGRAM. In this case, the two new commands must also be locked.

    /set-logon-parameters tsos,... ——————————————————————————————————  (1)
     ...
    /start-sdf-a ————————————————————————————————————————————————————  (2)
    % %  BLS0517 MODULE 'SDAMAIN' LOADED
    %  SDA0001 'SDF-A' VERSION '04.1E10' STARTED
    //open-syntax-file sys.sdf.group.syntax.example,*group,*create ——  (3)
    //remove *command((load,exec,load-prog,start-prog,load-exec,start-exec))   (4)
    //end

  1. A task is initiated under the privileged user ID TSOS.

  2. SDF-A is loaded and started.

  3. The group syntax file SYS.SDF.GROUP.SYNTAX.EXAMPLE is opened as a new file to be created. By default, the activated system syntax file is assigned as a reference file. The command definitions appearing in the reference file may be modified in the open group syntax file.

  4. The commands LOAD, EXECUTE, LOAD-PROGRAM, START-PROGRAM, LOAD- and START-EXECUTABLE-PROGRAM are disabled.


    /mod-file-attr sys.sdf.group.syntax.example,access=*read,user-acc=*all (5)
    /mod-user example,profile-id=user1 ————————————————————————————————  (6)
    /mod-sdf-parameters scope=*permanent,
             syntax-file-type=*group(sys.sdf.group.syntax.example,user1) (7)
    %  CMD0681 SYNTAX FILE '$.SYS.SDF.GROUP.SYNTAX.EXAMPLE' INSERTED IN
     PARAMETER FILE '$.SYSPAR.SDF'
    %  CMD0718 GROUP SYNTAX FILE '$.SYS.SDF.GROUP.SYNTAX.EXAMPLE' HAS BEEN
     ASSOCIATED WITH 'PROFILE-ID USER1' IN MEMORY TABLES
    /exit-job

  5. File SYS.SDF.GROUP.SYNTAX.EXAMPLE is declared as shareable. Only read access is allowed.
  6. The profile ID USER1 is assigned to user ID EXAMPLE.
  7. Group syntax file SYS.SDF.GROUP.SYNTAX.EXAMPLE is assigned to profile ID USER1. This assignment is permanently stored in the SDF parameter file.


    /set-logon-parameters example ————————————————  (8)
    /show-sdf-options ————————————————————————————  (9)
    %SYNTAX FILES CURRENTLY ACTIVATED :

    %  SYSTEM    : :2OSH:$TSOS.SYSSDF.SDF.045
    %              VERSION : SESD04.5A300
    %  SUBSYSTEM : :2OSH:$TSOS.SYSSDF.ACO.022
    %              VERSION : SESD02.2A00
    %  SUBSYSTEM : :2OSH:$TSOS.SYSSDF.ACS.140
    %              VERSION : SESD14.0B100
     .
     .
    %  SUBSYSTEM : :2OSH:$TSOS.SYSSDF.SDF-A.041
    %              VERSION : SESD04.1E10
    %  SUBSYSTEM : :2OSH:$TSOS.SYSSDF.TASKDATE.140
    %              VERSION : SESD14.0A100
    %  GROUP     : 2OSH:$.SYS.SDF.GROUP.SYNTAX.EXAMPLE
    %              VERSION : UNDEFINED
    %  USER      : *NONE
    %CURRENT SDF OPTIONS :

    %  GUIDANCE           : *EXPERT
    %  LOGGING            : *INPUT-FORM
    %  CONTINUATION       : *NEW-MODE
    %  UTILITY-INTERFACE  : *NEW-MODE
    %  PROCEDURE-DIALOGUE : *NO
    %  MENU-LOGGING       : *NO
    %  MODE               : *EXECUTION
    %     CHECK-PRIVILEGES   : *YES
    %  DEFAULT-PROGRAM-NAME : *NONE
    %  FUNCTION-KEYS      : *STYLE-GUIDE-MODE
    %  INPUT-HISTORY      : *ON
    %     NUMBER-OF-INPUTS   : 20
    %     PASSWORD-PROTECTION: *YES
    /start-prog $edt —————————————————————————————————————————————— (10)
    %  CMD0086 OPERATION NAME 'START-PROG' REMOVED BY USER
    /start-edt ———————————————————————————————————————————————————— (11)
    %  CMD0086 OPERATION NAME 'START-PROGRAM' REMOVED BY USER
    /load-prog $edt
    %  CMD0086 OPERATION NAME 'LOAD-PROG' REMOVED BY USER
    /exec $edt ———————————————————————————————————————————————————— (12)
    %  SDP0222 OPERAND 'CMD' INVALID IN /EXEC-CMD, ERROR 'SDP0116'. IN SYSTEM
     MODE: /HELP-MSG SDP0116
    /load $edt
    %  CMD0187 ABBREVIATION OF OPERATION NAME 'LOAD' AMBIGUOUS WITH REGARD
     TO 'LOAD-ALIAS-CATALOG,LOAD-LOCAL-SUBSYSTEM-CATALOG'
    /exit-job
     .
     .

  8. A task is initiated under the user ID EXAMPLE.
  9. The activated syntax files are listed. SYS.SDF.GROUP.SYNTAX.EXAMPLE, the group syntax file prepared beforehand by the privileged user ID TSOS, is activated.
  10. SDF does not accept the START-PROG command.
  11. SDF likewise does not accept the START-EDT command because START-EDT calls a procedure which in turn calls the START-PROGRAM command.

  12. Since the EXEC command was removed, SDF interprets the user input as the SDF-P command EXEC-CMD and rejects it due to the invalid syntax.
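
One way to check the lockout from a captured verification session, added here as an illustration and not part of the original manual: the script reads the message codes shown above (CMD0086, SDP0222, CMD0187) and reports each probed command as removed, rejected for another reason, not blocked, or not tested. The transcript is constructed from the session above, and the function names are hypothetical.

```python
import re

# Constructed transcript: the page's verification session (steps 9-12) as it
# might be captured from SYSOUT, annotation markers and line wraps removed.
SAMPLE = """\
/show-sdf-options
%  GROUP     : 2OSH:$.SYS.SDF.GROUP.SYNTAX.EXAMPLE
/start-prog $edt
%  CMD0086 OPERATION NAME 'START-PROG' REMOVED BY USER
/start-edt
%  CMD0086 OPERATION NAME 'START-PROGRAM' REMOVED BY USER
/load-prog $edt
%  CMD0086 OPERATION NAME 'LOAD-PROG' REMOVED BY USER
/exec $edt
%  SDP0222 OPERAND 'CMD' INVALID IN /EXEC-CMD, ERROR 'SDP0116'. IN SYSTEM MODE
/load $edt
%  CMD0187 ABBREVIATION OF OPERATION NAME 'LOAD' AMBIGUOUS WITH REGARD TO 'LOAD-ALIAS-CATALOG,LOAD-LOCAL-SUBSYSTEM-CATALOG'
"""

MSG = re.compile(r"^%\s+([A-Z]{3}\d{4})\s")
GROUP = re.compile(r"^[ \t]*%\s+GROUP\s+:\s+(\S+)", re.M)
REMOVED = "CMD0086"                        # 'REMOVED BY USER' in the page's output
OTHER_REJECTIONS = {"SDP0222", "CMD0187"}  # how /exec and /load fail on the page

def parse_session(text):
    """Return [(command name, [message codes])] in input order."""
    steps = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/") and len(line) > 1:
            steps.append((line[1:].split()[0].lower(), []))
        elif steps and (m := MSG.match(line)):
            steps[-1][1].append(m.group(1))
    return steps

def audit(text, expected_group, probes):
    g = GROUP.search(text)
    report = {"group-file-active":
              bool(g) and g.group(1).upper().endswith(expected_group.upper())}
    seen = dict(parse_session(text))
    for cmd in probes:
        codes = set(seen[cmd]) if cmd in seen else None
        if codes is None:
            report[cmd] = "not tested"   # no evidence either way in this session
        elif REMOVED in codes:
            report[cmd] = "removed"
        elif codes & OTHER_REJECTIONS:
            report[cmd] = "rejected"     # blocked, but not reported as removed
        else:
            report[cmd] = "NOT BLOCKED"
    return report
```

Run against the session above, the report marks `start-exec` and `load-exec` as "not tested": the transcript never probes the two new commands, so their removal is not yet confirmed by it.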