IBM Z Hardware and Operating Systems Ideas Portal
This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
Shape the future of IBM!
We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:
Search existing ideas
Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,
Post your ideas
Post an idea.
Get feedback from the IBM team and other customers to refine your idea.
Follow the idea through the IBM Ideas process.
Specific links you will want to bookmark for future use
Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.
IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.
ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.
Hi... just a quick reminder to clarify the specific policy agent-based technology you are referring to here. Also interested in your thoughts regarding the points I mentioned in my June 25 update. Thanks!
Thanks for submitting this requirement. When you mention pagent, we are assuming that you are talking about IP packet filtering (part of the IPSecurity policy) - is this correct? If not, please clarify which technology you mean.
If so, it isn't possible to do what you are asking based purely on IP packet filtering technology. The problem is that the filtering is based on the network and transport layer attributes of each IP packet (IP addresses, IP protocol, TCP ports, etc.). Numerous IP packets will flow before and during a TCP connection before any z/OS user credentials (including the user ID) would ever flow. Because of this, several packets in your scenaroi will have already been denied based on their IP addresses before RACF would ever get a chance to recognize a z/OS user ID.
Note that some applications and middleware support the concept of ports of entry based on the IP address -- in this case, the origin address is considered as part of the overall user authorization process that is driven through RACF. Would this be a possible solution in your case? Since it would require pre-knowledge of the origin addresses, I suspect you would still be facing the same issue. Is there any way to predict the address range or subnet from which a given user might come from when logging in over a VPN? If so, you could pre-populate filter rules based on those ranges or subnets as long as that is acceptable within your company's security policy.