>But, of course, from a security perspective restricting >IPCS ACTIVE does nothing helpful.
That's of course true, as long as IPCS does what it documents that it does. So if the concern is that the system does not do what it documents that it does, I was grasping at a straw. Of course if restricting is provided, then the next concern in the chain would be that the system does not restrict IPCS ACTIVE even when you've done what you're supposed to do to restrict it. That seems like a never-ending spiral that can only be addressed by some level of trust (since no amount of testing can prove that there is no hole; it proves only that you cannot find a hole). Peter Relson z/OS Core Technology Design
