On Sat, 23 Dec 2017, at 18:40, Jon Perryman wrote: > I only wanted to know why dynalloc is no longer considered an exposure. > When these people did the risk analysis for dynalloc on MVS, what made > them decide why it's not an exposure and does not need to be a > controlled resource?
Maybe it's because, in general, allocation of a dataset isn't an issue? Anyone could try to create (ie allocate) a dataset of any name in JCL, but security software would prevent it from actually being created except by those users allowed to do so. Anyone could reference any existing dataset in JCL, but security software will prevent unauthorised users from reading or writing its contents. Maybe your experience is of a site without proper security controls set up? -- Jeremy Nicoll - my opinions are my own.
