On Mon, 5 Apr 2010 13:51:27 -0500, Pommier, Rex R. wrote:
>
>How's this for a near-real-time scenario.
>
> ...
>They are authorized to put stuff into the SMPPTS but they cannot run
>REJECT commands (because they might grab something that is in the
>process of being installed). So they need access to the RECEIVE command
>but nothing else. Just protecting the datasets won't give us that
>granularity.
>
OTOH, consider a relatively small shop where one systems programmer (or a few) do all the maintenance: RECEIVE, REJECT, APPLY, RESTORE, UCLIN. Only they have write access to the SMP/E CSI and associated data sets. Everyone has read access in order to do LIST commands and browse.

The security administrator is satisfied with this protection of the data sets. Is it then satisfactory to permit UACC(READ) on all the SMP/E facilities? If not, why not? What else must the security administrator consider?

I'd still like to see an answer from an IBM representative.
I'm still extremely puzzled that this facility, which appears to be an enhancement, is issued as a HIPER integrity APAR. It seems that there's something IBM isn't telling us. But, then, Jim and Walt have already told us that they're not telling us.

Repeating, the operant question is, what, besides the protection of the data sets, must the security administrator consider?

-- gil

