Re: Access control and accountability

8 Apr 87 13:34 EST

The UCLA ACP and its derivatives are very concerned about access control, and
less concerned about accounting. The public domain code has a pseudo-service
called PACCESS which is invoked at choice places in the package to inquire as
to the efficacy of an end user's requests. Unless the installer does some
coding, the barn door is wide open for using TCP, UDP, TELNET, etc., and
whatever security system installed on MVS controls file access. UCLA has an
interface to ACF2 which is based upon a local interface SVC, and their version
of PACCESS can be conditionally assembled. However, the interface involves some
pretty tricky UCLA MVS mods and would require substantial systems programming
expertise and time to massage into another environment.

DDN/MVS features a modified version of PACCESS which uses a table of user-ids,
passwords, and user attributes to control user access. Customers code macros
for each user, reassemble the table, and link it into the commutator. This
controls VTAM accesses to the internet, use of some privileged TELNET services,
authorizations to receive SMTP mail on a mailbox basis, and FTP file accesses
on a high-level DSNAME qualifier basis.

For accounting, the public domain version sports logic which accumulates CPU
time used by pseudo-tasks or counts ptask dispatches (the default). However,
no provision is made for reporting this information to an accounting system.
Here again, it is expected that an experienced systems programmer is installing
the ACP into a sophisticated MVS shop. The FTP logic has a place (FTPWACR -
Write ACcounting Record) where an SMF record could be cut, but only generates
an internal WTO-type message describing the FTP request. DDN/MVS currently
provides no enhancements to the accounting support.

Dave Craig
Network Solutions, Inc.
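As an added illustration (not Dave Craig's code, nor the UCLA ACP or DDN/MVS source), the following Python model sketches a PACCESS-style user table that gates services and FTP access on a high-level DSNAME qualifier basis, with an FTPWACR-style accounting hook called on every request. The user entries, attribute names and record layout are constructed assumptions.

```python
# Hypothetical model of a PACCESS-style authorization table and FTPWACR hook.
# Not the DDN/MVS or UCLA ACP implementation; entries below are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class UserEntry:
    # Models one per-user macro entry: 'services' gates TELNET/FTP/SMTP use,
    # 'ftp_hlqs' gates FTP dataset access by high-level qualifier (HLQ).
    userid: str
    services: frozenset
    ftp_hlqs: frozenset

# Constructed sample table (assumption: the real table is assembled from macros).
ACCESS_TABLE = {
    "USER1": UserEntry("USER1", frozenset({"TELNET", "FTP", "SMTP"}),
                       frozenset({"USER1", "PROJ"})),
    "GUEST": UserEntry("GUEST", frozenset({"FTP"}), frozenset({"PUBLIC"})),
}

ACCOUNTING_LOG = []   # stands in for the SMF record FTPWACR could cut

def hlq_of(dsname: str) -> str:
    # MVS dataset names are dot-separated qualifiers; the first is the HLQ.
    # A PDS member suffix "(MEMBER)" is not part of the qualifiers.
    return dsname.upper().split("(")[0].split(".")[0]

def paccess(userid: str, service: str, dsname: Optional[str] = None) -> bool:
    # Deny by default: unknown users and unlisted services are refused,
    # the opposite of the "barn door open" default the message describes.
    entry = ACCESS_TABLE.get(userid.upper())
    if entry is None or service.upper() not in entry.services:
        return False
    if service.upper() == "FTP" and dsname is not None:
        return hlq_of(dsname) in entry.ftp_hlqs
    return True

def ftpwacr(userid: str, dsname: str, allowed: bool) -> dict:
    # Write ACcounting Record: appended to a list here instead of SMF.
    rec = {"user": userid.upper(), "dsname": dsname.upper(),
           "hlq": hlq_of(dsname), "result": "OK" if allowed else "DENIED"}
    ACCOUNTING_LOG.append(rec)
    return rec

def ftp_request(userid: str, dsname: str) -> bool:
    # Authorization check followed by the accounting hook on every request,
    # so denied attempts are recorded as well as successful ones.
    allowed = paccess(userid, "FTP", dsname)
    ftpwacr(userid, dsname, allowed)
    return allowed
```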

