Restriction: You cannot use symbolic links (for example,
$SYSNAME) in sanction lists. They will not work.
You have to follow certain formatting rules when creating sanction
lists.
- Only use absolute path names.
- Path names cannot start with /*.
- Each list element must be on a line by itself, with no comments.
Lines are terminated with the newline character, as is consistent
with the stepliblist and useridaliastable files. Leading blanks can
be on the list element line and are ignored. Use the newline character
to delimit a path name. Trailing blanks are ignored. Other white space
is considered part of the path name.
- Follow standard z/OS UNIX path naming
conventions.
- You must follow standard MVS™ program
naming conventions.
- Encode the sanction list file in the IBM-1047 code page.
- You can include comment lines in the list. Each comment line must
start with /* and end with */. They cannot be on the
same line with any other type of line.
- Do not enclose the path names or program names in quotation marks.
The tags
:authprogram_path,
:programcontrol_path,
and
:apfprogram_name must be used to delineate between the
different types of sanction lists.
- If there are no tags in the file, then all data in the file is
ignored and you will get a parsing error. If a tag is missing, then
the subsequent processing of hfsload/dlload, exec or spawn will not
change, based on the tag that was missing. The effect of different
sanction lists is not cumulative. Once a sanction list is parsed
and accepted, the contents provide the only active lists of path names
and program names for hfsloads, execs, and spawns.
- List elements (path names or program names) before a tag are ignored.
- Lines after the last valid entry line (such as a path name or
a program name) are ignored.
- If an :authprogram_path tag is present, then all lines
following it and up to the next tag are considered to be approved
path names from which authorized programs can be invoked.
- If a :programcontrol_path tag is present, then all lines
following it and up to the next tag are considered to be approved
path names from which program controlled programs can be invoked.
- If an :apfprogram_name tag is present, then all lines following
it and up to the next tag are considered to be approved program names
that can get control APF-authorized.
- If specified, the tag must start in column 1.
- The tag names are not case-sensitive.
- The list element names (for example, the path names and program
names) are case-sensitive.
If the file does not follow these formatting rules, the sanction
lists might not be recognized properly and various functions relating
to the attempted use of the lists might fail.