December 1998
Newsletter


Using the ALLOW Dialog to Simplify Building ALLOW and LIMIT Macros


Introduction

ALLOW and LIMIT macros in the B23ALLOW Option provide a powerful, efficient and simple method of controlling IOF functions and resources. Even clients that use the installation security system (RACF, ACF2, TSS) to control IOF access can often benefit from the additional use of ALLOW and/or LIMIT macros to control commonly used resources.

LIMIT macros are used to absolutely prevent access to an IOF resource. When a LIMIT macro specifies no access, then access is denied under all conditions.

ALLOW macros permit specific access to IOF resources unless a LIMIT macro specifically prevents the access.

The ALLOW dialog is a useful tool to assist the IOF installer in building ALLOW and LIMIT macros. This newsletter is an actual "hands on" example that will be best understood if you execute this exact dialog on your system.

Starting the ALLOW Dialog

Enter "ALLOW" on the IOF Option Menu to initiate the dialog. The dialog introduction screen shown below will be displayed.

-------------------- IOF B23ALLOW Generation - Introduction ------------------
COMMAND ===>                                                                  
                                                                              
   The ALLOW and LIMIT macros in the B23ALLOW member of the IOF OPTIONS       
   library provide the basic method of controlling access to IOF resources.   
   The purpose of this dialog is to assist in building some of the            
   most common ALLOW and LIMIT macros.                                        
                                                                              
   Your current B23ALLOW option is first copied into a work file. New         
   ALLOW and LIMIT macros are then added to the end of the work file          
   based on the responses to dialog prompts.                                  
                                                                              
   When you terminate the dialog you will have the opportunity to save        
   the work file or to replace your current B23ALLOW option member.           
   Your IOF options library will not be changed unless you explicitly         
   request it.                                                                
                                                                              
   You can terminate this dialog at any time by entering the RETURN command.  
                                                                              
                                                                              
   Press ENTER to continue.                                                   

When you press ENTER to continue, your existing B23ALLOW option member is read into a temporary work data set and the dialog primary options panel shown below is displayed. This newsletter will demonstrate the use of option 2 (ALLOW) and option 3 (LIMIT). These options create new ALLOW and LIMIT macros that are appended to the end of the work data set. On exit from the dialog you can choose to save or discard the work data set.

 ------------------ IOF B23ALLOW Generation - Primary Options -----------------
 OPTION ===>                                                                   
                                                                               
       Select a primary option from the list below:                            
                                                                               
  1    SESSION Permit access based on a TSO session attribute                  
               matching the same attribute of a job.                           
                                                                               
  2    ALLOW   Generate ALLOW macros to permit access to IOF resources.        
  3    LIMIT   Generate LIMIT macros to restrict access to IOF resources.      
                                                                               
                                                                               
  4    EXIT    Exit and specify the disposition of the work file.              
                                                                               
       IOF access control macros are generated into a temporary work file.     
       Control is returned to this primary option panel after each macro is    
       generated so that additional options can be selected.                   
                                                                               
                                                                               
                                                                               
                                                                               
   Select an option and press ENTER to continue.                               

ALLOW Macro Example

Requirement:
Permit production control personnel access to all manufacturing jobs. Manufacturing jobs have jobnames beginning "MF" and "CD". Production control personnel have userids beginning "SPR" and "MPR".

Select option "2" on the Primary Options menu shown above. The Select Resource Type panel shown below will be displayed. Select option "1" as shown to permit access to JOBS.

 ---------------- IOF B23ALLOW Generation - Select Resource Type --------------
 OPTION ===> 1                                                                 
                                                                               
       Select the type of IOF resource you want to control                     
                                                                               
  1    JOBS      Control access to jobs                                        
  2    GROUPS    Control access to output groups                               
  3    SYSOUTS   Additional control of sysout data sets                        
  4    DEVICES   Control JES2 devices and initiators                           
  5    COMMANDS  Control use of JES2 and MVS commands                          
                                                                               
                                                                               
                                                                               
   Select an option and press ENTER to continue.                               

The Select Job Attribute panel will be displayed. Our requirement is to permit access to jobs based on jobname, so we select option "2".

 ---------------- IOF B23ALLOW Generation - Select Job Attribute --------------
 OPTION ===> 2                                                                 
                                                                               
       How do you want to Permit access to jobs?                               
                                                                               
  1    JOBCOMBO  Based on combined attribute of owner and jobname              
                                                                               
  2    JOBNAME   Based on name of the job                                      
  3    OWNER     Based on userid of the owner (usually the submitter)          
  4    NOTIFY    Based on notify userid of the job                             
  5    CLASS     Based on input class of the job                               
                                                                               
  6    ALL       All jobs                                                      
                                                                               
                                                                               
                                                                               
   Select an option and press ENTER to continue.                               

The Attribute Name Selection panel is displayed. Enter "MF*" and "CD*" as shown below. The "*" makes the two specified jobnames generic.

Note that there is room on the panel to specify 20 job names. Also note that "+" can be used as a one character wild card.

 ------ IOF B23ALLOW ALLOW Generation, Attribute Name Selection ----------------
 COMMAND ===>                                                                   
                                                                                
    Specify the values of JOBNAME for which access will be permitted            
                                                                                
   ===> MF*         ===>             ===>             ===>                      
   ===> CD*         ===>             ===>             ===>                      
   ===>             ===>             ===>             ===>                      
   ===>             ===>             ===>             ===>                      
   ===>             ===>             ===>             ===>                      
                                                                                
   The ALLOW macro being generated will apply to all JOBS with a                
   JOBNAME specified above. Specify  "*"  to have the ALLOW macro               
   apply to all JOBNAME attributes of JOBS  You can also use the                
   "+" wild card to indicate any value in a character position.                 
                                                                                
                                                                                
   Press ENTER to continue.                                                     

Now we specify the level of access to be permitted. For non-systems personnel the maximum access granted to jobs is usually level 2 display and level 2 update access. Note that level 2 update access does not permit holding or releasing a job, or changing input class and priority.

---------------- IOF B23ALLOW Generation - Select Access Levels --------------
COMMAND ===>                                                                  
                                                                              
   Specify the maximum level of DISPLAY and UPDATE access                     
   to Permit for JOBS based on the JOBNAME attribute.                         
                                                                              
 DISPLAY LEVEL ===> 3                                                
   0  - No display access granted                                             
   1  - Display jobs and data sets on menu                                    
   2  - Select job; browse log, jcl and messages data sets                    
   3  - Browse all data sets of job                                           
   4  - Dump job control blocks                                               
                                                                              
 UPDATE LEVEL  ===> 2                                                        
   0  - No update access, can not change anything                             
   1  - None defined                                                          
   2  - Cancel, route, release held ds, chg sysid, dest, forms, etc.          
   3  - Hold, release, chg input class and prty                               
   4  - Set independent mode, chg performance group                           
                                                                              
  Specify both a display and update level above and press ENTER.              

The Select ID or Group Type menu below is where you specify which users or IOF groups are being granted access to manufacturing jobs. In this case access will be permitted based on userid, so we select option "2".

-------------- IOF B23ALLOW Generation - Select ID or Group Type ------------- 
OPTION ===> 2                                                                  
                                                                               
      Permit access to:                                                        
                                                                               
 1    ALL         all users and groups                                         
 2    ID          specific or generic userids                                  
 3    GROUP       specific or generic IOF group names                          
 4    ACCT        specific or generic account numbers                          
 5    ACFGP       RACF logon groups                                            
 6    ACFLG       RACF connect groups                                          
                                                                               
      or Permit access to all except:                                          
                                                                               
 7    XID         specific or generic userids to be excluded                   
 8    XGROUP      specific or generic IOF groups to be excluded                
 9    XACCT       specific or gen acct numbers to be excluded                  
 10   XACFGP      RACF logon groups to be excluded                             
 11   XACFLG      RACF connect groups to be excluded                           
                                                                               
                                                                               
  Select an option and press ENTER to continue.                                

The only thing remaining to be done is to specify the generic userids permitted access by this ALLOW macro.

-------------------- IOF B23ALLOW Generation - Select Users ------------------
COMMAND ===>                                                                  
                                                                              
  Access is being permitted by ID.                                            
                                                                              
  Specify one or more generic  names in the spaces below                      
                                                                              
  ===> SPR*        ===>             ===>             ===>                     
  ===> MPR*        ===>             ===>             ===>                     
  ===>             ===>             ===>             ===>                     
  ===>             ===>             ===>             ===>                     
  ===>             ===>             ===>             ===>                     
                                                                              
  The "+" wild card character and the "*" wild card terminator can be         
  used.  For example, specifying "++SY*" means all ID names                   
  that have "SY" in positions 3 and 4.  "*" means all IDs.                    
                                                                              

The ALLOW macro has been generated. Select option "2" to return to the Primary Options menu.

------------- IOF B23ALLOW Generation - More JOBS JOBNAME Question -----------
OPTION ===> 2                                                               
                                                                              
      One ALLOW macro for JOBS with JOBNAME attributes has been generated.    
                                                                              
      Do you want to generate additional ALLOW macros for JOBS with JOBNAME   
      attributes?  You can use different JOBNAME values, or different levels  
      of access, or a different access list.                                  
                                                                              
 1    YES   Generate more ALLOW macros for JOBS JOBNAME                       
 2    NO    Return to the primary option menu for more options.               
                                                                              
                                                                              
  Select an option and press ENTER to continue.                               

LIMIT Macro Example

Requirement:
Absolutely prevent access to payroll jobs unless the user is connected to the HRSRCS RACF group. Jobs can be displayed on the Job List Menu but no other access is allowed. Payroll jobs are submitted by the HRCTLR and HRMSTR userids, and have jobnames beginning "PAY", "BONUS", "TAX", and "COMM".

Dialog panels to generate a LIMIT macro to accomplish this requirement will be shown without comment. Read the text of the panels for a full explanation.

------------------ IOF B23ALLOW Generation - Primary Options -----------------
OPTION ===> 3                                      
                                                                              
      Select a primary option from the list below:                            
                                                                              
 1    SESSION Permit access based on a TSO session attribute                  
              matching the same attribute of a job.                           
                                                                              
 2    ALLOW   Generate ALLOW macros to permit access to IOF resources.        
 3    LIMIT   Generate LIMIT macros to restrict access to IOF resources.      
                                                                              
                                                                              
 4    EXIT    Exit and specify the disposition of the work file.              
                                                                              
      IOF access control macros are generated into a temporary work file.     
      Control is returned to this primary option panel after each macro is    
      generated so that additional options can be selected.                   
                                                                              
  Select an option and press ENTER to continue.                               

 ---------------- IOF B23ALLOW Generation - Select Resource Type --------------
 OPTION ===> 1                                                              
                                                                               
       Select the type of IOF resource you want to control                     
                                                                               
  1    JOBS      Control access to jobs                                        
  2    GROUPS    Control access to output groups                               
  3    SYSOUTS   Additional control of sysout data sets                        
  4    DEVICES   Control JES2 devices and initiators                           
  5    COMMANDS  Control use of JES2 and MVS commands                          
                                                                               
                                                                               
   Select an option and press ENTER to continue.                               
                                                                               

---------------- IOF B23ALLOW Generation - Select Job Attribute ---------------
OPTION ===> 1                                                            
                                                                              
      How do you want to Restrict access to jobs?                             
                                                                              
 1    JOBCOMBO  Based on combined attribute of owner and jobname              
                                                                              
 2    JOBNAME   Based on name of the job                                      
 3    OWNER     Based on userid of the owner (usually the submitter)          
 4    NOTIFY    Based on notify userid of the job                             
 5    CLASS     Based on input class of the job                               
                                                                              
 6    ALL       All jobs                                                      
                                                                              
  Select an option and press ENTER to continue.                               
                                                                              

----------- IOF B23ALLOW Generation, Compound Attribute Selection -------------
COMMAND ===>                                                    
                                                
   Specify one or more OWNER and/or JOBNAME values.                  
                                                                  
      OWNER     JOBNAME                      OWNER       JOBNAME         
 ===> HRCTLR  > PAY*                    ===> HRMSTR   > PAY*
 ===> HRCTLR  > BONUS*                  ===> HRMSTR   > BONUS* 
 ===> HRCTLR  > TAX*                    ===> HRMSTR   > TAX*
 ===> HRCTLR  > COMM*                   ===> HRMSTR   > COMM*
 ===>          >                         ===>           >        
                                                        
  The LIMIT macro being generated will apply any JOBS that matches  
  both the OWNER and JOBNAME in one of the pairs above.  If a value is
  entered for only one of the paired attributes, then the LIMIT macro 
  will apply to all values of the other attribute.  The "+" wild card  
  character and "*" wild card terminator character can be used.  
                                                       
                                                        
  Press ENTER to continue.                          
                                                  

 ---------------- IOF B23ALLOW Generation - Select Access Levels -------------- 
 COMMAND ===>                                                                   
                                                                                
    Specify the level of DISPLAY and UPDATE access that will be the limit for   
    JOBS based on JOBCOMBO.  All higher levels will be restricted.              
                                                                                
  DISPLAY LEVEL ===> 1                                            
    0  - No display access granted                                              
    1  - Display jobs and data sets on menu                                     
    2  - Select job; browse log, jcl and messages data sets                     
    3  - Browse all data sets of job                                            
    4  - Dump job control blocks                                                
                                                                                
  UPDATE LEVEL  ===> 0                                             
    0  - No update access, can not change anything                              
    1  - None defined                                                           
    2  - Cancel, route, release held ds, chg sysid, dest, forms, etc.           
    3  - Hold, release, chg input class and prty                                
    4  - Set independent mode, chg performance group                            
                                                                                
   Specify both a display and update level above and press ENTER.               
                                           
 

 -------------- IOF B23ALLOW Generation - Select ID or Group Type -------------
 OPTION ===> 10                                                    
                                                                               
       Restrict access to:                                                     
                                                                               
  1    ALL         all users and groups                                        
  2    ID          specific or generic userids                                 
  3    GROUP       specific or generic IOF group names                         
  4    ACCT        specific or generic account numbers                         
  5    ACFGP       RACF logon groups                                           
  6    ACFLG       RACF connect groups                                         
                                                                               
       or Restrict access to all except:                                       
                                                                               
  7    XID         specific or generic userids to be excluded                  
  8    XGROUP      specific or generic IOF groups to be excluded               
  9    XACCT       specific or gen acct numbers to be excluded                 
  10   XACFGP      RACF logon groups to be excluded                            
  11   XACFLG      RACF connect groups to be excluded                          
                                                                               
                                                                               
   Select an option and press ENTER to continue.                               

-------------------- IOF B23ALLOW Generation - Select Users -------------------
COMMAND ===>                                                                   
                                                                               
  Access is being restricted by XACFGP.                                        
                                                                               
  Specify one or more generic  names in the spaces below                       
                                                                               
  ===> HRSRCS      ===>             ===>             ===> 
  ===>             ===>             ===>             ===>                      
  ===>             ===>             ===>             ===>                      
  ===>             ===>             ===>             ===>                      
  ===>             ===>             ===>             ===>                      
                                                                               
  The "+" wild card character and the "*" wild card terminator can be          
  used.  For example, specifying "++SY*" means all XACFGP names                
  that have "SY" in positions 3 and 4.  "*" means all XACFGPs.                 
                                                                               

 ------------ IOF B23ALLOW Generation - More JOBS JOBCOMBO Question -----------
 OPTION ===> 2                                                  
                                                                               
       One LIMIT macro for JOBS with JOBCOMBO attributes has been generated.   
                                                                               
       Do you want to generate additional LIMIT macros for JOBS with JOBCOMBO  
       attributes?  You can use different JOBCOMBO values, or different        
       levels of access, or a different access list.                           
                                                                               
  1    YES   Generate more LIMIT macros for JOBS JOBCOMBO                      
  2    NO    Return to the primary option menu for more options.               
                                                                               
                                                                               
                                                                               
   Select an option and press ENTER to continue.                               

Terminating the Dialog

After returning to the Primary Options menu, select option "4" to exit the dialog and dispose of the temporary options data set that has been built.

------------------ IOF B23ALLOW Generation - Primary Options -----------------
OPTION ===> 4                                                     
                                                                              
      Select a primary option from the list below:                            
                                                                              
 1    SESSION Permit access based on a TSO session attribute                  
              matching the same attribute of a job.                           
                                                                              
 2    ALLOW   Generate ALLOW macros to permit access to IOF resources.        
 3    LIMIT   Generate LIMIT macros to restrict access to IOF resources.      
                                                                              
                                                                              
 4    EXIT    Exit and specify the disposition of the work file.              
                                                                              
      IOF access control macros are generated into a temporary work file.     
      Control is returned to this primary option panel after each macro is    
      generated so that additional options can be selected.                   
                                                                              
  Select an option and press ENTER to continue.                               

One of your options is to EDIT the temporary data set. For demonstration purposes, select option "1" to enter the ISPF editor to show the macros that were generated by the dialog above.

--------- IOF B23ALLOW Generation - Specify Work Data Set Disposition --------
OPTION ===> 1                                   
                                                                              
      Specify the disposition of the work file.                               
                                                                              
 1    EDIT     Edit the work file with the ISPF editor                
 2    SAVE     Save the work file in the IOF Options data set                 
 3    DELETE   Delete the work file                                           
                                                                              
                                                                              
  Select an option and press ENTER to continue.                               

The first new generated line is displayed at the top of the screen. You can scroll up to see your existing B23ALLOW options.

The first thing added is a comment box that tells who made the change and when it was made. This is followed by comment blocks for each ALLOW and LIMIT macro that was generated, followed by the actual macro. The dialog automatically generates proper assembler statements.

-------------------------------------------------------------------------------
EDIT       SYS98343.T092717.RA000.IOFTECH.R0103368         Columns 00001 00072 
Command ===>                                                  Scroll ===> PAGE 
000474 *********************************************************************** 
000475 *              Generated by IOFTECH on 12/09/98 09:27:21              * 
000476 *********************************************************************** 
000477          SPACE 1                                                        
000478 *********************************************************************** 
000479 *   Permit access to JOBS based on the JOBNAME attribute              * 
000480 *********************************************************************** 
000481          SPACE 1                                                        
000482          ALLOW 3,2,JOBS,JOBNAME,(MF*,CD*),ID=(SPR*,MPR*)                
000483          SPACE 1                                                        
000484 *********************************************************************** 
000485 *   Restrict access to JOBS based on the JOBCOMBO attribute           * 
000486 *********************************************************************** 
000487          SPACE 1                                                        
000488          LIMIT 1,0,JOBS,JOBCOMBO,                                      +
000489                ('HRCTLR.PAY*','HRMSTR.PAY*','HRCTLR.BONUS*',           +
000490                'HRMSTR.BONUS*','HRCTLR.TAX*','HRMSTR.TAX*',            +
000491                'HRCTLR.COMM*','HRMSTR.COMM*'),XACFGP=HRSRCS             
000492          SPACE 1                                                        
****** **************************** Bottom of Data ****************************
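
The generated statements above follow assembler fixed-column rules: a non-blank character in column 72 continues a statement, and the continuation resumes in column 16. As an added example (not part of the newsletter or of IOF), the Python code below lists the ALLOW and LIMIT statements in a text copy of the work file so each operand can be reviewed before the member is saved. It assumes unlabeled statements with no remarks on continued records, as the dialog generates them; the function names and the sample records are constructed for illustration.

```python
def card(text, cont=False):
    """Build an 80-byte record; a non-blank in column 72 means 'continued'."""
    return (text.ljust(71) + ("+" if cont else " ")).ljust(80)

# Constructed sample, modelled on the generated statements shown above.
SAMPLE = [
    card("*   Permit access to JOBS based on the JOBNAME attribute"),
    card("         ALLOW 3,2,JOBS,JOBNAME,(MF*,CD*),ID=(SPR*,MPR*)"),
    card("         SPACE 1"),
    card("         LIMIT 1,0,JOBS,JOBCOMBO,", cont=True),
    card("               ('HRCTLR.PAY*','HRMSTR.PAY*'),XACFGP=HRSRCS"),
]

def logical_statements(records):
    """Join continued records; yield (first record number, statement text)."""
    buf, start = "", None
    for n, rec in enumerate(records, 1):
        rec = rec.ljust(80)
        if start is None and (rec.startswith("*") or not rec[:71].strip()):
            continue                          # comment or blank record
        if start is not None and rec[:15].strip():
            raise ValueError(f"record {n}: continuation must begin in column 16")
        piece = rec[:71] if start is None else rec[15:71]
        start = start or n
        buf += piece.rstrip()
        if rec[71] == " ":                    # column 72 blank: statement ends
            yield start, buf
            buf, start = "", None
    if start is not None:
        raise ValueError(f"record {start}: continued past end of member")

def split_operands(field):
    """Split on commas that are outside parentheses and quoted strings."""
    out, depth, quoted = [""], 0, False
    for ch in field:
        quoted ^= ch == "'"
        if not quoted:
            depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0 and not quoted:
            out.append("")
        else:
            out[-1] += ch
    return out

def inventory(records):
    """List (record number, macro, operands) for ALLOW and LIMIT statements."""
    stmts = ((n, s.split()) for n, s in logical_statements(records))
    return [(n, t[0], split_operands(t[1])) for n, t in stmts
            if len(t) > 1 and t[0] in ("ALLOW", "LIMIT")]
```

A record that breaks the column rules raises ValueError with the record number, which points at the line to correct in the editor before saving.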

Pressing "END" (PFK 3) returns to the Specify Work Data Set Disposition panel. If you have been running this demonstration dialog, you probably want to select the DELETE option to discard the temporary data set and exit the dialog. For this example we will demonstrate the SAVE option.

--------- IOF B23ALLOW Generation - Specify Work Data Set Disposition --------
OPTION ===> 2                                   
                                                                              
      Specify the disposition of the work file.                               
                                                                              
 1    EDIT     Edit the work file with the ISPF editor                
 2    SAVE     Save the work file in the IOF Options data set                 
 3    DELETE   Delete the work file                                           
                                                                              
                                                                              
  Select an option and press ENTER to continue.                               

As suggested on the panel below, specify "B23NEW" as the new member name to be saved. It is probably a good idea not to replace the active B23ALLOW member at this point. If you select a member name that already exists, you will be prompted to confirm that you actually want to overlay the existing member.

When you press ENTER on this panel, the ALLOW dialog terminates.

-------------- IOF B23ALLOW Generation - Specify Save Member Name ------------ 
                                                                               
   MEMBER     ===> B23NEW                                              
                                                                               
   Enter the OPTIONS library MEMBER name.                                      
                                                                               
   You have requested that the work file will be saved into your IOF           
   OPTIONS library:  'SYS3.IOFT7D0.OPTIONS'                                     
                                                                               
   The normal options library member name for ALLOW and LIMIT macros is        
   B23ALLOW.  You can specify B23ALLOW above to replace your current           
   member. You can also specify a new name such as B23NEW. The new name        
   must be renamed to B23ALLOW before running your IOF generation jobs.        
                                                                               
                                                                               

Generating the Updated Option

After terminating the dialog successfully, rename the newly generated B23NEW option member to B23ALLOW. Then you are ready to run the IOF abbreviated generation required to activate the new macros.

There are two choices of generation jobs which reside in the IOF Install library:

After running one of the jobs above, refresh LLA. If you choose to run M17TRYOP, then turn to page 12 of the Installation Guide for detailed information about how to run the test module that was generated. You must use the $ALTMOD(U #) parm on the IOF command to run the test version as shown in the example below.

------------------------------------------------------------------------------ 
                           ISPF Primary Option Menu                            
Option ===> I.$ALTMOD(U #)                         

0  Settings      Terminal and user parameters            
1  View          Display source data or listings         
2  Edit          Create or change source data            
3  Utilities     Perform utility functions               
4  Foreground    Interactive language processing         
5  Batch         Submit job for language processing      
6  Command       Enter TSO or Workstation commands       
7  Dialog Test   Perform dialog testing                  
8  LM Facility   Library administrator functions         
9  IBM Products  IBM program development products        
10 SCLM          SW Configuration Library Manager        
11 Workplace     ISPF Object/Action Workplace                                  
M  More          Additional IBM Products                                       
I  IOF           Interactive Output Facility                                   
                                                                               
Enter X to Terminate using log/list defaults                                   

Once in IOF, enter the "VERSION" command to show the current version. Once the version is displayed, press PFK1 (HELP) to display the timestamp of the last abbreviated IOF generation. This is your confirmation that you are running the new version.

 ------------------------------- IOF Option Menu --------------<   VER7D.0    >-
 COMMAND ===>                                                                   
 Product level: 7D.0  Date: 12/07/98  Time: 16.48 
 Select an option.  To get a detailed option menu, follow the option with "?".  
                                                                                
 blank - Your jobs         G   - Output Groups        M    - System Monitor     
   I   - Input jobs        H   - Held Groups          INIT - Initiators         
   R   - Running jobs      L   - System Log           APPC - APPC tasks/output  
   O   - Output jobs       PR  - Printers             MAS  - MAS system display 
   J   - All jobs menu     D   - Device Options       CMDS - Global Commands    
   P   - IOF Profile       NEW - What's New in IOF    QT   - Quick Trainer      
                                                                                
 JOBNAMES ===>                                                                  
                           Enter 1 to 8 generic jobnames above                  
                                                                                
 SCOPE    ===>             ALL, ME or another user's USERID                     
                           Enter HELP to see all valid SCOPE values             
                                                                                
 DEST     ===>                                                                  
                           Enter 1 to 8 destinations above                      
                                                                                
 SORT     ===> INVNULL     Enter HELP to see all valid SORT values              

After you have completed your testing, run the M18NEWOP job to install the new abbreviated generation into production.



PO Box 12752, Research Triangle Park, NC 27709
Email: IOFTech@Triangle-Systems.Com