That was my example. And it is valid. Production job schedulers are the biggest security whole in a shop. The admins can usually make a job run under any ID they want.
Regardless, that was just an example. The same could apply to real people whose job it could be to receive maintenance, but not apply it. As R.S. wrote, if you don't like it, there is a simple answer, define a single generic resource with UACC(READ). Keep an open mind and use your imagination a little, your point of view isn't the only correct one. Mark -- Mark Zelden - Zelden Consulting Services - z/OS, OS/390 and MVS mailto:[email protected] Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html Systems Programming expert at http://expertanswercenter.techtarget.com/ On Fri, 2 Apr 2010 19:29:10 +0000, Ted MacNEIL <[email protected]> wrote: >>Suppose you want a job run via your automated scheduler. This job is only to do a RECEIVE of maintenance. >>You want to run this job with an ID which has only enough authority to do the RECEIVE. > >It's a production job, so it's controlled. >How many controls do we need for the same function? > >>So the job runs under that id. >>That id is only allowed to do the RECEIVE command in SMP/E, and nothing else. The id must have UPDATE access to the SMP/E datasets, but only WHEN using SMP/E. > >I'm too OCD to be AR! > >- >Too busy driving to stop for gas! > >---------------------------------------------------------------------- >For IBM-MAIN subscribe / signoff / archive access instructions, >send email to [email protected] with the message: GET IBM-MAIN INFO >Search the archives at http://bama.ua.edu/archives/ibm-main.html ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
