Skip to Main Content
IBM Z Hardware and Operating Systems Ideas Portal


This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Not under consideration
Workspace z/OS
Created by Guest
Created on Aug 7, 2015

Enable RACF-DELEGATED (Nested ACEE) Support for SERVAUTH EZB.PORTACCESS SAF calls

Need SERVAUTH PORT access checks to support RACF-DELEGATED feature so that access to TCP port 20 (FTP's active data port) can be limited to only the FTP daemon's user ID using the SAF keyword on the PORT statement in the TCPIP profile. This support would also allow any other port to leverage RACF-DELEGATED support as long as the application that owns the port is using nested ACEEs and RACROUTE REQUEST=FASTAUTH.

Idea priority Urgent
  • Guest
    Reply
    |
    Jul 9, 2024
    This Idea is unlikely to be given high enough priority to be placed into product plan. However, there is an alternative solution:

    Access to bind to the FTP active data port (TCP port 20) can be controlled using SAF program control on the SAF profile that protects port 20. Specifically, the program names ?FTPD? and ?FTPDNS? must be listed on the WHEN PROGRAM clause for the SERVAUTH class EZB.PORTACCESS.<sysname>.<stackname>.<port_safame> profile that protects TCP port 20. This will limit access to the z/OS FTP server program.

    To protect access to z/OS FTP server passive data ports, use the AUTHPORT parameter of the PORTRANGE statement for the FTP server?s PASSIVEDATAPORTS range to ensure that only the z/OS FTP program can access those ports.
  • Guest
    Reply
    |
    Nov 19, 2015

    Due to processing by IBM, this request was reassigned to have the following updated attributes:
    Brand - Servers and Systems Software
    Product family - z Systems Software
    Product - z/OS Communications Server

    For recording keeping, the previous attributes were:
    Brand - WebSphere
    Product family - Enterprise Networking
    Product - z/OS Communications Server