December 1998
Newsletter

IOFTech    Maintenance   Release8G       Newsletters    Doc    FAQ    Contacts    Home    Webmaster

Using the ALLOW Dialog to Simplify Building ALLOW and LIMIT Macros

Topics

Introduction

ALLOW and LIMIT macros in the B23ALLOW Option provide a powerful, efficient and simple method of controlling IOF functions and resources. Even clients that use the installation security system (RACF, ACF2, TSS) to control IOF access can often benefit from the additional use of ALLOW and/or LIMIT macros to control commonly used resources.

LIMIT macros are used to absolutely prevent access to an IOF resource. When a LIMIT macro specifies no access, then access is denied under all conditions.

ALLOW macros permit specific access to IOF resources unless a LIMIT macro specifically prevents the access.

The ALLOW dialog is a useful tool to assist the IOF installer in building ALLOW and LIMIT macros. This newsletter is an actual "hands on" example that will be best understood if you execute this exact dialog on your system.

Starting the ALLOW Dialog

Enter "ALLOW" on the IOF Option Menu to initiate the dialog. The dialog introduction screen shown below will be displayed.

-------------------- IOF B23ALLOW Generation - Introduction ------------------
COMMAND ===>                                                                  
                                                                              
   The ALLOW and LIMIT macros in the B23ALLOW member of the IOF OPTIONS       
   library provide the basic method of controlling access to IOF resources.   
   The purpose of this dialog is to assist in building some of the            
   most common ALLOW and LIMIT macros.                                        
                                                                              
   Your current B23ALLOW option is first copied into a work file. New         
   ALLOW and LIMIT macros are then added to the end of the work file          
   based on the responses to dialog prompts.                                  
                                                                              
   When you terminate the dialog you will have the opportunity to save        
   the work file or to replace your current B23ALLOW option member.           
   Your IOF options library will not be changed unless you explicitly         
   request it.                                                                
                                                                              
   You can terminate this dialog at any time by entering the RETURN command.  
                                                                              
                                                                              
   Press ENTER to continue.                                                   

When you press ENTER to continue your existing B23ALLOW option member will be read into a temporary word data set and the dialog primary options panel shown below is displayed. This newsletter will demonstrate the use of option 2 (ALLOW) and option 3 (LIMIT). These options will create new ALLOW and LIMIT macros appended to the end of the work data set. On exit from the dialog you can choose to save or discard the work data set.

 ------------------ IOF B23ALLOW Generation - Primary Options -----------------
 OPTION ===>                                                                   
                                                                               
       Select a primary option from the list below:                            
                                                                               
  1    SESSION Permit access based on a TSO session attribute                  
               matching the same attribute of a job.                           
                                                                               
  2    ALLOW   Generate ALLOW macros to permit access to IOF resources.        
  3    LIMIT   Generate LIMIT macros to restrict access to IOF resources.      
                                                                               
                                                                               
  4    EXIT    Exit and specify the disposition of the work file.              
                                                                               
       IOF access control macros are generated into a temporary work file.     
       Control is returned to this primary option panel after each macro is    
       generated so that additional options can be selected.                   
                                                                               
                                                                               
                                                                               
                                                                               
   Select an option and press ENTER to continue.                               

ALLOW Macro Example

Requirement:
Permit production control personnel access to all manufacturing jobs. Manufacturing jobs have jobnames beginning "MF" and "CD". Production control personnel have userids beginning "SPR" and "MPR".

Select option "2" on the Primary Options menu shown above. The Select Resource Type panel shown below will be displayed. Select option "1" as shown to permit access to JOBS.

 ---------------- IOF B23ALLOW Generation - Select Resource Type --------------
 OPTION ===> 1                                                                 
                                                                               
       Select the type of IOF resource you want to control                     
                                                                               
  1    JOBS      Control access to jobs                                        
  2    GROUPS    Control access to output groups                               
  3    SYSOUTS   Additional control of sysout data sets                        
  4    DEVICES   Control JES2 devices and initiators                           
  5    COMMANDS  Control use of JES2 and MVS commands                          
                                                                               
                                                                               
                                                                               
   Select an option and press ENTER to continue.                               

The Select Job Attribute panel will be displayed. Our requirement is to permit access to jobs based on jobname, so we select option "2".

 ---------------- IOF B23ALLOW Generation - Select Job Attribute --------------
 OPTION ===> 2                                                                 
                                                                               
       How do you want to Permit access to jobs?                               
                                                                               
  1    JOBCOMBO  Based on combined attribute of owner and jobname              
                                                                               
  2    JOBNAME   Based on name of the job                                      
  3    OWNER     Based on userid of the owner (usually the submitter)          
  4    NOTIFY    Based on notify userid of the job                             
  5    CLASS     Based on input class of the job                               
                                                                               
  6    ALL       All jobs                                                      
                                                                               
                                                                               
                                                                               
   Select an option and press ENTER to continue.                               

The Attribute Name Selection panel is displayed. Enter "MF*" and "CD*" as shown below. The "*" makes the two specified jobnames generic.

Note that there is room on the panel to specify 20 job names. Also note that "+" can be used as a one character wild card.

 ------ IOF B23ALLOW ALLOW Generation, Attribute Name Selection ----------------
 COMMAND ===>                                                                   
                                                                                
    Specify the values of JOBNAME for which access will be permitted            
                                                                                
   ===> MF*         ===>             ===>             ===>                      
   ===> CD*         ===>             ===>             ===>                      
   ===>             ===>             ===>             ===>                      
   ===>             ===>             ===>             ===>                      
   ===>             ===>             ===>             ===>                      
                                                                                
   The ALLOW macro being generated will apply to all JOBS with a                
   JOBNAME specified above. Specify  "*"  to have the ALLOW macro               
   apply to all JOBNAME attributes of JOBS  You can also use the                
   "+" wild card to indicate any value in a character position.                 
                                                                                
                                                                                
   Press ENTER to continue.                                                     

Now, we specify the level of access to be permitted. For non- systems personnel the maximum access granted to jobs is usually level 2 display and level 2 update access. Note that level 2 update access does not permit holding or releasing a job, or changing input class and priority.

---------------- IOF B23ALLOW Generation - Select Access Levels --------------
COMMAND ===>                                                                  
                                                                              
   Specify the maximum level of DISPLAY and UPDATE access                     
   to Permit for JOBS based on the JOBNAME attribute.                         
                                                                              
 DISPLAY LEVEL ===> 3                                                
   0  - No display access granted                                             
   1  - Display jobs and data sets on menu                                    
   2  - Select job; browse log, jcl and messages data sets                    
   3  - Browse all data sets of job                                           
   4  - Dump job control blocks                                               
                                                                              
 UPDATE LEVEL  ===> 2                                                        
   0  - No update access, can not change anything                             
   1  - None defined                                                          
   2  - Cancel, route, release held ds, chg sysid, dest, forms, etc.          
   3  - Hold, release, chg input class and prty                               
   4  - Set independent mode, chg performance group                           
                                                                              
  Specify both a display and update level above and press ENTER.              

The Select ID or Group Type menu below is where you specify which users or IOF groups are being granted access to manufacturing jobs. In this case access will be permitted based on userid, so we select option "2".

-------------- IOF B23ALLOW Generation - Select ID or Group Type ------------- 
OPTION ===> 2                                                                  
                                                                               
      Permit access to:                                                        
                                                                               
 1    ALL         all users and groups                                         
 2    ID          specific or generic userids                                  
 3    GROUP       specific or generic IOF group names                          
 4    ACCT        specific or generic account numbers                          
 5    ACFGP       RACF logon groups                                            
 6    ACFLG       RACF connect groups                                          
                                                                               
      or Permit access to all except:                                          
                                                                               
 7    XID         specific or generic userids to be excluded                   
 8    XGROUP      specific or generic IOF groups to be excluded                
 9    XACCT       specific or gen acct numbers to be excluded                  
 10   XACFGP      RACF logon groups to be excluded                             
 11   XACFLG      RACF connect groups to be excluded                           
                                                                               
                                                                               
  Select an option and press ENTER to continue.                                

The only thing remaining to be done is to specify the generic userids permitted access by this ALLOW macro.

-------------------- IOF B23ALLOW Generation - Select Users ------------------
COMMAND ===>                                                                  
                                                                              
  Access is being permitted by ID.                                            
                                                                              
  Specify one or more generic  names in the spaces below                      
                                                                              
  ===> SPR*        ===>             ===>             ===>                     
  ===> MPR*        ===>             ===>             ===>                     
  ===>             ===>             ===>             ===>                     
  ===>             ===>             ===>             ===>                     
  ===>             ===>             ===>             ===>                     
                                                                              
  The "+" wild card character and the "*" wild card terminator can be         
  used.  For example, specifying "++SY*" means all ID names                   
  that have "SY" in positions 3 and 4.  "*" means all IDs.                    
                                                                              

The ALLOW macro has been generated. Select option "2" to return to the Primary Options menu.

------------- IOF B23ALLOW Generation - More JOBS JOBNAME Question -----------
OPTION ===> 2                                                               
                                                                              
      One ALLOW macro for JOBS with JOBNAME attributes has been generated.    
                                                                              
      Do you want to generate additional ALLOW macros for JOBS with JOBNAME   
      attributes?  You can use different JOBNAME values, or different levels  
      of access, or a different access list.                                  
                                                                              
 1    YES   Generate more ALLOW macros for JOBS JOBNAME                       
 2    NO    Return to the primary option menu for more options.               
                                                                              
                                                                              
  Select an option and press ENTER to continue.                               

LIMIT Macro Example

Requirement:
Absolutely prevent access to payroll jobs unless the user is connected to the HRSRCS RACF group. Jobs can be displayed on the Job List Menu but no other access is allowed. Payroll jobs are submitted by the HRCTLR and HRMSTR userids, and have jobnames beginning "PAY", "BONUS", "TAX", and "COMM".

Dialog panels to generate a LIMIT macro to accomplish this requirement will be shown without comment. Read the text of the panels for a full explanation.

------------------ IOF B23ALLOW Generation - Primary Options -----------------
OPTION ===> 3                                      
                                                                              
      Select a primary option from the list below:                            
                                                                              
 1    SESSION Permit access based on a TSO session attribute                  
              matching the same attribute of a job.                           
                                                                              
 2    ALLOW   Generate ALLOW macros to permit access to IOF resources.        
 3    LIMIT   Generate LIMIT macros to restrict access to IOF resources.      
                                                                              
                                                                              
 4    EXIT    Exit and specify the disposition of the work file.              
                                                                              
      IOF access control macros are generated into a temporary work file.     
      Control is returned to this primary option panel after each macro is    
      generated so that additional options can be selected.                   
                                                                              
  Select an option and press ENTER to continue.                               

 ---------------- IOF B23ALLOW Generation - Select Resource Type --------------
 OPTION ===> 1                                                              
                                                                               
       Select the type of IOF resource you want to control                     
                                                                               
  1    JOBS      Control access to jobs                                        
  2    GROUPS    Control access to output groups                               
  3    SYSOUTS   Additional control of sysout data sets                        
  4    DEVICES   Control JES2 devices and initiators                           
  5    COMMANDS  Control use of JES2 and MVS commands                          
                                                                               
                                                                               
   Select an option and press ENTER to continue.                               
                                                                               

---------------- IOF B23ALLOW Generation - Select Job Attribute ---------------
OPTION ===> 1                                                            
                                                                              
      How do you want to Restrict access to jobs?                             
                                                                              
 1    JOBCOMBO  Based on combined attribute of owner and jobname              
                                                                              
 2    JOBNAME   Based on name of the job                                      
 3    OWNER     Based on userid of the owner (usually the submitter)          
 4    NOTIFY    Based on notify userid of the job                             
 5    CLASS     Based on input class of the job                               
                                                                              
 6    ALL       All jobs                                                      
                                                                              
  Select an option and press ENTER to continue.                               
                                                                              

----------- IOF B23ALLOW Generation, Compound Attribute Selection -------------
COMMAND ===>                                                    
                                                
   Specify one or more OWNER and/or JOBNAME values.                  
                                                                  
      OWNER     JOBNAME                      OWNER       JOBNAME         
 ===> HRCTLR  > PAY*                    ===> HRMSTR   > PAY*
 ===> HRCTLR  > BONUS*                  ===> HRMSTR   > BONUS* 
 ===> HRCTLR  > TAX*                    ===> HRMSTR   > TAX*
 ===> HRCTLR  > COMM*                   ===> HRMSTR   > COMM*
 ===>          >                         ===>           >        
                                                        
  The LIMIT macro being generated will apply any JOBS that matches  
  both the OWNER and JOBNAME in one of the pairs above.  If a value is
  entered for only one of the paired attributes, then the LIMIT macro 
  will apply to all values of the other attribute.  The "+" wild card  
  character and "*" wild card terminator character can be used.  
                                                       
                                                        
  Press ENTER to continue.                          
                                                  

 ---------------- IOF B23ALLOW Generation - Select Access Levels -------------- 
 COMMAND ===>                                                                   
                                                                                
    Specify the level of DISPLAY and UPDATE access that will be the limit for   
    JOBS based on JOBCOMBO.  All higher levels will be restricted.              
                                                                                
  DISPLAY LEVEL ===> 1                                            
    0  - No display access granted                                              
    1  - Display jobs and data sets on menu                                     
    2  - Select job; browse log, jcl and messages data sets                     
    3  - Browse all data sets of job                                            
    4  - Dump job control blocks                                                
                                                                                
  UPDATE LEVEL  ===> 0                                             
    0  - No update access, can not change anything                              
    1  - None defined                                                           
    2  - Cancel, route, release held ds, chg sysid, dest, forms, etc.           
    3  - Hold, release, chg input class and prty                                
    4  - Set independent mode, chg performance group                            
                                                                                
   Specify both a display and update level above and press ENTER.               
                                           
 

 -------------- IOF B23ALLOW Generation - Select ID or Group Type -------------
 OPTION ===> 10                                                    
                                                                               
       Restrict access to:                                                     
                                                                               
  1    ALL         all users and groups                                        
  2    ID          specific or generic userids                                 
  3    GROUP       specific or generic IOF group names                         
  4    ACCT        specific or generic account numbers                         
  5    ACFGP       RACF logon groups                                           
  6    ACFLG       RACF connect groups                                         
                                                                               
       or Restrict access to all except:                                       
                                                                               
  7    XID         specific or generic userids to be excluded                  
  8    XGROUP      specific or generic IOF groups to be excluded               
  9    XACCT       specific or gen acct numbers to be excluded                 
  10   XACFGP      RACF logon groups to be excluded                            
  11   XACFLG      RACF connect groups to be excluded                          
                                                                               
                                                                               
   Select an option and press ENTER to continue.                               

-------------------- IOF B23ALLOW Generation - Select Users -------------------
COMMAND ===>                                                                   
                                                                               
  Access is being restricted by XACFGP.                                        
                                                                               
  Specify one or more generic  names in the spaces below                       
                                                                               
  ===> HRSRCS      ===>             ===>             ===> 
  ===>             ===>             ===>             ===>                      
  ===>             ===>             ===>             ===>                      
  ===>             ===>             ===>             ===>                      
  ===>             ===>             ===>             ===>                      
                                                                               
  The "+" wild card character and the "*" wild card terminator can be          
  used.  For example, specifying "++SY*" means all XACFGP names                
  that have "SY" in positions 3 and 4.  "*" means all XACFGPs.                 
                                                                               

 ------------ IOF B23ALLOW Generation - More JOBS JOBCOMBO Question -----------
 OPTION ===> 2                                                  
                                                                               
       One LIMIT macro for JOBS with JOBCOMBO attributes has been generated.   
                                                                               
       Do you want to generate additional LIMIT macros for JOBS with JOBCOMBO  
       attributes?  You can use different JOBCOMBO values, or different        
       levels of access, or a different access list.                           
                                                                               
  1    YES   Generate more LIMIT macros for JOBS JOBCOMBO                      
  2    NO    Return to the primary option menu for more options.               
                                                                               
                                                                               
                                                                               
   Select an option and press ENTER to continue.                               

Terminating the Dialog

After returning to the Primary Options menu, select option "4" to exit the dialog and dispose of the temporary options data set that has been built.

------------------ IOF B23ALLOW Generation - Primary Options -----------------
OPTION ===> 4                                                     
                                                                              
      Select a primary option from the list below:                            
                                                                              
 1    SESSION Permit access based on a TSO session attribute                  
              matching the same attribute of a job.                           
                                                                              
 2    ALLOW   Generate ALLOW macros to permit access to IOF resources.        
 3    LIMIT   Generate LIMIT macros to restrict access to IOF resources.      
                                                                              
                                                                              
 4    EXIT    Exit and specify the disposition of the work file.              
                                                                              
      IOF access control macros are generated into a temporary work file.     
      Control is returned to this primary option panel after each macro is    
      generated so that additional options can be selected.                   
                                                                              
  Select an option and press ENTER to continue.                               

One of your options is to EDIT the temporary data set. For demonstration purposes, select option "1" to enter the ISPF editor to show the macros that were generated by the dialog above.

--------- IOF B23ALLOW Generation - Specify Work Data Set Disposition --------
OPTION ===> 1                                   
                                                                              
      Specify the disposition of the work file.                               
                                                                              
 1    EDIT     Edit the work file with the ISPF editor                
 2    SAVE     Save the work file in the IOF Options data set                 
 3    DELETE   Delete the work file                                           
                                                                              
                                                                              
  Select an option and press ENTER to continue.                               

The first new generated line is displayed at the top of the screen. You can scroll up to see your existing B23ALLOW options.

The first thing added is a comment box that tells who made the change and when it was made. This is followed by comment blocks for each ALLOW and LIMIT macro that was generated, followed by the actual macro. The dialog automatically generates proper assembler statements.

-------------------------------------------------------------------------------
EDIT       SYS98343.T092717.RA000.IOFTECH.R0103368         Columns 00001 00072 
Command ===>                                                  Scroll ===> PAGE 
000474 *********************************************************************** 
000475 *              Generated by IOFTECH on 12/09/98 09:27:21              * 
000476 *********************************************************************** 
000477          SPACE 1                                                        
000478 *********************************************************************** 
000479 *   Permit access to JOBS based on the JOBNAME attribute              * 
000480 *********************************************************************** 
000481          SPACE 1                                                        
000482          ALLOW 3,2,JOBS,JOBNAME,(MF*,CD*),ID=(SPR*,MPR*)                
000483          SPACE 1                                                        
000484 *********************************************************************** 
000485 *   Restrict access to JOBS based on the JOBCOMBO attribute           * 
000486 *********************************************************************** 
000487          SPACE 1                                                        
000488          LIMIT 1,0,JOBS,JOBCOMBO,                                      +
000489                ('HRCTLR.PAY*','HRMSTR.PAY*','HRCTLR.BONUS*',           +
000490                'HRMSTR.BONUS*','HRCTLR.TAX*','HRMSTR.TAX*',            +
000491                'HRCTLR.COMM*','HRMSTR.COMM*'),XACFGP=HRSRCS             
000492          SPACE 1                                                        
****** **************************** Bottom of Data ****************************

Pressing "END" (PFK 3) returns to the Specify Work Data Set Disposition panel. If you have been running this demonstration dialog, you probably want to select the DELETE option to discard the temporary data set and exit the dialog. For this example we will demonstrate the SAVE option.

--------- IOF B23ALLOW Generation - Specify Work Data Set Disposition --------
OPTION ===> 2                                   
                                                                              
      Specify the disposition of the work file.                               
                                                                              
 1    EDIT     Edit the work file with the ISPF editor                
 2    SAVE     Save the work file in the IOF Options data set                 
 3    DELETE   Delete the work file                                           
                                                                              
                                                                              
  Select an option and press ENTER to continue.                               

As suggested on the panel below, specify "B23NEW" as the new member name to be saved. It probably is a good idea not to replace the active B23ALLOW member at this point. If you should select any member name that currently exists, you will be prompted to confirm that you actually want to overlay the existing member.

When you press ENTER on this panel, the ALLOW dialog terminates.

-------------- IOF B23ALLOW Generation - Specify Save Member Name ------------ 
                                                                               
   MEMBER     ===> B23NEW                                              
                                                                               
   Enter the OPTIONS library MEMBER name.                                      
                                                                               
   You have requested that the work file will be saved into your IOF           
   OPTIONS library:  'SYS3.IOFT7D0.OPTIONS'                                     
                                                                               
   The normal options library member name for ALLOW and LIMIT macros is        
   B23ALLOW.  You can specify B23ALLOW above to replace your current           
   member. You can also specify a new name such as B23NEW. The new name        
   must be renamed to B23ALLOW before running your IOF generation jobs.        
                                                                               
                                                                               

Generating the Updated Option

After terminating the dialog successfully, rename the newly generated B23NEW option member to B23ALLOW. Then you are ready to run the IOF abbreviated generation required to activate the new macros.

There are two choices of generation jobs which reside in the IOF Install library:

After running one of the jobs above, refresh LLA. If you choose to run M17TRYOP, then turn to page 12 of the Installation Guide for detailed information about how to run the test module that was generated. You must use the $ALTMOD(U #) parm on the IOF command to run the test version as shown in the example below.

------------------------------------------------------------------------------ 
                           ISPF Primary Option Menu                            
Option ===> I.$ALTMOD(U #)                         

0  Settings      Terminal and user parameters            
1  View          Display source data or listings         
2  Edit          Create or change source data            
3  Utilities     Perform utility functions               
4  Foreground    Interactive language processing         
5  Batch         Submit job for language processing      
6  Command       Enter TSO or Workstation commands       
7  Dialog Test   Perform dialog testing                  
8  LM Facility   Library administrator functions         
9  IBM Products  IBM program development products        
10 SCLM          SW Configuration Library Manager        
11 Workplace     ISPF Object/Action Workplace                                  
M  More          Additional IBM Products                                       
I  IOF           Interactive Output Facility                                   
                                                                               
Enter X to Terminate using log/list defaults                                   

Once in IOF, enter the "VERSION" command to show the current version. Once the version is displayed, press PFK1 (HELP) to display the timestamp of the last abbreviated IOF generation. This is your confirmation that you are running the new version.

 ------------------------------- IOF Option Menu --------------<   VER7D.0    >-
 COMMAND ===>                                                                   
 Product level: 7D.0  Date: 12/07/98  Time: 16.48 
 elect an option.  To get a detailed option menu, follow the option with "?".   
                                                                                
 blank - Your jobs         G   - Output Groups        M    - System Monitor     
   I   - Input jobs        H   - Held Groups          INIT - Initiators         
   R   - Running jobs      L   - System Log           APPC - APPC tasks/output  
   O   - Output jobs       PR  - Printers             MAS  - MAS system display 
   J   - All jobs menu     D   - Device Options       CMDS - Global Commands    
   P   - IOF Profile       NEW - What's New in IOF    QT   - Quick Trainer      
                                                                                
 JOBNAMES ===>                                                                  
                           Enter 1 to 8 generic jobnames above                  
                                                                                
 SCOPE    ===>             ALL, ME or another user's USERID                     
                           Enter HELP to see all valid SCOPE values             
                                                                                
 DEST     ===>                                                                  
                           Enter 1 to 8 destinations above                      
                                                                                
 SORT     ===> INVNULL     Enter HELP to see all valid SORT values              

After you have completed your testing, run the M18NEWOP job to install the new abbreviated generation into production.



PO Box 12752, Research Triangle Park, NC 27709
Email
IOFTech@Triangle-Systems.Com

[an error occurred while processing this directive]