z/OS UNIX System Services Planning


Steps for creating a sanction list

GA32-0884-00

Before you begin: You need to know which directories and which programs are to be placed in this file. You can construct the file partially and add path names and program names as you go along. A partially complete file can be activated, and when additional entries are known, the file can be updated. A background task automatically checks this file for updates every 15 minutes and incorporates them.

You also need to be aware that only one sanction list check is done for each program invocation. Although links in directories are supported, sanction list processing only performs one check. This check uses the path name or program name that was specified by the user.

Tip: The installation can construct the sanction lists with link path names or actual path names, or both. The decision depends on how the site would like the users to invoke the programs. For example, if the actual directory is in the sanction list instead of the directory that contains the link, and the associated program is invoked via the link, the program would not be executed. The program is only executed if the directory where the link was defined or resides is specified in the sanction list and the associated program is invoked via the link. Alternatively, both the actual directory and directory where the link resides could be placed in the sanction list. This method gives users the option of invoking the program either way. Likewise, if only the actual directory was placed in the sanction list, the user would be forced to use actual path names and not links.

Perform the following steps to create a sanction list.

  1. Create a sanction list, following the rules listed in Formatting rules for sanction lists. You can cut and paste the following sample.
    /*****************************************************************/
    /*                                                               */   
    /*   Name: Sample authorized program list                        */   
    /*                                                               */   
    /*   Description:  Contains lists of approved directories and    */   
    /*                 program names from which privileged programs  */   
    /*                 may be invoked                                */   
    /*                                                               */   
    /*****************************************************************/   
    /*****************************************************************/   
    /* Authorized program directories                                */   
    /*****************************************************************/   
    :authprogram_path                                                     
    /bin/test                                                             
    /bin/test/beta                                                        
    
    /*****************************************************************/  
    /* Program control directories                                   */   
    /*****************************************************************/   
    :programcontrol_path
    /in/test/specials
                     
    /*****************************************************************/ 
    /* APF authorized programs                                       */  
    /*****************************************************************/  
    :apfprogram_name
    PAYOUT

    _______________________________________________________________

  2. Give the sanction list a name.

    Guideline: The path name of the sanction file should be /etc/authfile, in keeping with IBM's strategy to place all customized data in the /etc directory.

    _______________________________________________________________

When you are done, you have created a sanction list and named it. To activate it, see Steps for activating the sanction list.

Only users with superuser authority should be given update access to sanction lists.
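
The single check described in the Tip, modelled as an added example (not IBM's code and not how z/OS implements the check): it parses a list laid out like the step 1 sample and tests each invocation on the path name as typed, without resolving links. The link path `/usr/local/bin/payout`, the function names, and the literal directory match are assumptions made for illustration; the formatting rules topic, not this model, defines how entries are matched.

```python
import posixpath
import re

# Constructed input: the step 1 sample with its comment banners shortened.
SAMPLE = """\
/* Authorized program directories,
   one per line */
:authprogram_path
/bin/test
/bin/test/beta
/* Program control directories */
:programcontrol_path
/in/test/specials
/* APF authorized programs */
:apfprogram_name
PAYOUT
"""
TAGS = (":authprogram_path", ":programcontrol_path", ":apfprogram_name")
# Constructed link table (link path -> actual path); not taken from the page.
LINKS = {"/usr/local/bin/payout": "/bin/test/payout"}

def parse_sanction_list(text):
    """Return {stanza tag: [entries]} after dropping /* ... */ comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    stanzas, current = {tag: [] for tag in TAGS}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(":"):
            if line not in stanzas:
                raise ValueError(f"unknown stanza tag: {line}")
            current = line
        elif current is None:
            raise ValueError(f"entry before any stanza tag: {line}")
        else:
            stanzas[current].append(line)
    return stanzas

def path_is_sanctioned(stanzas, tag, invoked_as):
    """One check on the path name as typed; links are never resolved.
    Assumption: a directory counts only if it is listed literally."""
    return posixpath.dirname(invoked_as) in stanzas[tag]

def audit_links(stanzas, tag, links):
    """For each link, return (allowed via link, allowed via actual path)."""
    return {link: (path_is_sanctioned(stanzas, tag, link),
                   path_is_sanctioned(stanzas, tag, actual))
            for link, actual in links.items()}

if __name__ == "__main__":
    listed = parse_sanction_list(SAMPLE)
    print(audit_links(listed, ":authprogram_path", LINKS))
```

Adding the link's directory to the same stanza makes both invocation forms pass, which is the "both directories" option the Tip describes.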





Copyright IBM Corporation 1990, 2014