If there are installations that have this problem, I can't help but feel
this must be due to some inappropriate data set naming conventions. We
got started on MVS late enough (1985) that we were able to create data
set naming conventions with RACF in mind and enforce data set naming
conventions with RACF. Naming conventions clearly distinguish which
datasets are system datasets (IBM, 3rd-party vendor, or installation
customization datasets), application data sets, and user datasets.
The only data sets that non-Technical Services people have UPDATE access
to are application-related and user data sets, not system data sets -
period. Only system data sets are allowed to be APF authorized, in link
list, or in the LPA - period. Because of naming conventions, a trivial
eyeball inspection of appropriate PARMLIB members can easily verify no
violation of that policy. I established the procedures and guidelines
used for routine RACF security changes, and periodically (say every six
months), double check that the security administrators haven't done
anything stupid. Because of naming conventions, they recognize data sets
that aren't owned by application areas or users, and know enough to ask
questions of Technical Services before changing permissions on such data
sets, so it would be unusual to find RACF "strangeness" with system data
sets. Daily logs of RACF changes are also reviewed by our Director of
Technical Services and by one other manager for earlier detection of
potential problems or "unusual" changes.
I have upon occasion found RACF permissions that were inappropriate, but
I cannot remember any case in the last 20 years where one of those
involved inappropriate UPDATE access to an APF library.
Gil Peleg wrote:
> No shop would really admit it... but is it really that rare to find users
> with access to APF authorized libraries when they should not have this
> access (at all, or any more...) ?
> I find it hard to believe that large shops with 20-25 years of legacy and
> with thousands of users don't have at least one of the problems I mentioned.
> And new shops who only started 5 years ago are usually so stressed to make
> the project deadlines that they tend to ignore some "minor" security issues
--
Joel C. Ewing, Fort Smith, AR [EMAIL PROTECTED]
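The two checks Joel describes above (eyeballing PARMLIB for non-system data sets in the APF list or LNKLST, and spotting UPDATE-or-higher access on system data sets held by anyone outside Technical Services) can be scripted once a naming convention exists. The following is an added illustration, not code from the post or from IBM: it parses a constructed, simplified PROGxx-style member (no continuation lines or comments) and a constructed RACF-style access list. The high-level qualifiers in SYSTEM_HLQS, the group name TECHSVCS and all data set names are hypothetical placeholders for an installation's own convention.

```python
import re

# Constructed sample of PROGxx-style PARMLIB statements (simplified: no line
# continuations, no comments); not taken from the original post.
SAMPLE_PROGXX = """\
APF FORMAT(DYNAMIC)
APF ADD DSNAME(SYS1.LINKLIB) VOLUME(SYSRES)
APF ADD DSNAME(SYS1.VENDOR.LOADLIB) SMS
APF ADD DSNAME(PAYROLL.PROD.LOADLIB) SMS
APF ADD DSNAME(USER27.TEST.LOAD) VOLUME(WORK01)
LNKLST DEFINE NAME(LNKLST00)
LNKLST ADD NAME(LNKLST00) DSNAME(SYS1.LINKLIB)
LNKLST ADD NAME(LNKLST00) DSNAME(APPL1.COMMON.LOADLIB)
"""

# Hypothetical installation convention: only these high-level qualifiers
# denote system data sets (IBM, vendor, or installation customization).
SYSTEM_HLQS = {"SYS1", "SYS2", "SYSV"}

# Hypothetical: the only RACF group allowed UPDATE or higher on system
# data sets (Technical Services).
TRUSTED_GROUPS = {"TECHSVCS"}

# Constructed RACF-style access lists: profile -> list of (group, access).
SAMPLE_ACCESS = {
    "SYS1.LINKLIB": [("TECHSVCS", "ALTER"), ("PAYDEV", "READ")],
    "SYS1.VENDOR.LOADLIB": [("TECHSVCS", "ALTER"), ("PAYDEV", "UPDATE")],
    "PAYROLL.PROD.LOADLIB": [("PAYDEV", "UPDATE")],
}

# Data set name characters: letters, digits, national characters, '-' and '.'
DSN = r"[A-Z0-9@#$.\-]+"
APF_RE = re.compile(rf"^\s*APF\s+ADD\s+DSNAME\((?P<dsn>{DSN})\)", re.I)
LNK_RE = re.compile(rf"^\s*LNKLST\s+ADD\s+.*?DSNAME\((?P<dsn>{DSN})\)", re.I)

# Access levels that permit modifying a load library.
WRITE_ACCESS = {"UPDATE", "CONTROL", "ALTER"}


def hlq(dsn):
    """High-level qualifier of a data set name."""
    return dsn.upper().split(".")[0]


def is_system_dataset(dsn, system_hlqs=SYSTEM_HLQS):
    """True when the naming convention marks this as a system data set."""
    return hlq(dsn) in system_hlqs


def parse_progxx(text):
    """Return (list_name, dsname) for every APF ADD / LNKLST ADD statement."""
    entries = []
    for line in text.splitlines():
        m = APF_RE.match(line)
        if m:
            entries.append(("APF", m.group("dsn").upper()))
            continue
        m = LNK_RE.match(line)
        if m:
            entries.append(("LNKLST", m.group("dsn").upper()))
    return entries


def naming_violations(text, system_hlqs=SYSTEM_HLQS):
    """APF/LNKLST entries whose HLQ is not a system HLQ: policy violations."""
    return [(lst, dsn) for lst, dsn in parse_progxx(text)
            if not is_system_dataset(dsn, system_hlqs)]


def risky_update_access(access_lists, system_hlqs=SYSTEM_HLQS,
                        trusted=TRUSTED_GROUPS):
    """(profile, group, access) where a non-trusted group can write a system data set."""
    findings = []
    for profile, acl in access_lists.items():
        if not is_system_dataset(profile, system_hlqs):
            continue  # application/user data sets are outside this policy
        for group, access in acl:
            if access.upper() in WRITE_ACCESS and group.upper() not in trusted:
                findings.append((profile, group, access.upper()))
    return findings


if __name__ == "__main__":
    for lst, dsn in naming_violations(SAMPLE_PROGXX):
        print(f"non-system data set in {lst}: {dsn}")
    for profile, group, access in risky_update_access(SAMPLE_ACCESS):
        print(f"{group} holds {access} on system data set {profile}")
```

Both checks depend entirely on the convention being enforced: if an application library were allowed to carry a SYS-prefixed name, the HLQ test would wave it through, which is why the post stresses that the convention itself is enforced with RACF.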
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html