You can create a SAF resource profile to control access to a TCP/IP stack. There are no new TCP definitions required. The resource profile controls whether users or groups of users have access to the TCP/IP stack by controlling their ability to open an AF_INET or AF_INET6 socket and to obtain the host ID or host name. Create the EZB.STACKACCESS.sysname.tcpname resource profile in the SERVAUTH class for the TCP/IP stack to be protected. After you define this resource profile, permit users to the profile and grant them READ access to the resource. If a user does not have READ access to the resource for a stack, the user cannot access the stack. If you do not define a resource profile for a stack, all users have access to that stack.
Guideline: Some security products do
not distinguish between a resource profile that is not defined and
a user that is not permitted to that resource profile. If your product
does not make this distinction, you must define the stack access resource
profile and permit users to it whenever the SERVAUTH class is active.
Figure 1 provides
an overview of stack access control. sysname refers
to the MVS™ system variable sysname. tcpname refers
to the TCP/IP job name. User Tom has permission to access both Stack1
and Stack2, Joe does not have permission to access any stack, and
Bob has permission to access Stack2 but not Stack1.
Figure 1. Stack access control overview