Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watnot!watmath!clyde!cbatt!ucbvax!DDN3.ARPA!NS-DDN
From: NS-DDN@DDN3.ARPA.UUCP
Newsgroups: mod.protocols.tcp-ip
Subject: Re: Access control and accountability
Message-ID: <8704081757.AA03566@ucbvax.Berkeley.EDU>
Date: Wed, 8-Apr-87 13:34:00 EST
Article-I.D.: ucbvax.8704081757.AA03566
Posted: Wed Apr 8 13:34:00 1987
Date-Received: Sat, 11-Apr-87 09:26:07 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Distribution: world
Organization: The ARPA Internet
Lines: 32
Approved: tcp-ip@sri-nic.arpa

The UCLA ACP and its derivatives are very concerned about access control, and less concerned about accounting. The public domain code has a pseudo-service called PACCESS which is invoked at choice places in the package to inquire as to the efficacy of an end user's requests. Unless the installer does some coding, the barn door is wide open for using TCP, UDP, TELNET, etc., and whatever security system installed on MVS controls file access.

UCLA has an interface to ACF2 which is based upon a local interface SVC, and their version of PACCESS can be conditionally assembled. However, the interface involves some pretty trick UCLA MVS mods and would require substantial systems programming expertise and time to massage into another environment.

DDN/MVS features a modified version of PACCESS which uses a table of user-ids, passwords, and user attributes to control user access. Customers code macros for each user, reassemble the table, and link it into the commutator. This controls VTAM accesses to the internet, use of some privileged TELNET services, authorizations to receive SMTP mail on a mailbox basis, and FTP file accesses on a high-level DSNAME qualifier basis.

For accounting, the public domain version sports logic which accumulates CPU time used by pseudo-tasks or counts ptask dispatches (the default). However, no provision is made for reporting this information to an accounting system. Here again, it is expected that an experienced systems programmer is installing the ACP into a sophisticated MVS shop. The FTP logic has a place (FTPWACR - Write ACcounting Record) where an SMF record could be cut, but only generates an internal WTO-type message describing the FTP request. DDN/MVS currently provides no enhancements to the accounting support.

Dave Craig
Network Solutions, Inc.
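
An added example, not part of the original post and not UCLA ACP or DDN/MVS code: a Python model contrasting an access hook left unmodified, which allows every request, with a default-deny table check of the kind described for DDN/MVS, including FTP authorization by high-level DSNAME qualifier and a record written at the FTP accounting point. The table layout, service labels, function names and sample users are all assumptions.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # sample value; a real table would use a random per-user salt

def digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)

# Constructed sample table (hypothetical layout): user-id -> password digest and attributes.
TABLE = {
    "OPER1": {"pw": digest("s3cret-one"), "services": {"VTAM", "TELNET-PRIV", "FTP"},
              "mailboxes": {"OPER1"}, "hlqs": {"SYS1", "OPER1"}},
    "CLERK": {"pw": digest("s3cret-two"), "services": {"FTP", "SMTP"},
              "mailboxes": {"CLERK", "BILLING"}, "hlqs": {"CLERK"}},
}

ACCOUNTING = []  # stands in for the accounting system a record would be written to

def stub_paccess(user, password, service, resource=None):
    """Hook with no installer coding: every request is allowed."""
    return True

def table_paccess(user, password, service, resource=None, table=TABLE):
    """Default-deny check against the table; every FTP decision is recorded."""
    entry = table.get(user.upper())
    # Unknown users are compared against a dummy digest so timing does not reveal them.
    expected = entry["pw"] if entry else digest("")
    match = hmac.compare_digest(expected, digest(password))
    ok = entry is not None and match
    if ok:
        ok = service in entry["services"]
    if ok and service == "FTP":
        # Authorize on the first (high-level) qualifier of the data set name.
        hlq = (resource or "").strip("'").split(".")[0].upper()
        ok = hlq in entry["hlqs"]
    elif ok and service == "SMTP":
        ok = (resource or "").upper() in entry["mailboxes"]
    if service == "FTP":
        ACCOUNTING.append({"user": user.upper(), "dsname": resource, "allowed": ok})
    return ok
```

Denied FTP requests are recorded alongside allowed ones, so the accounting trail also shows attempts against data sets outside a user's qualifiers.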