On Thu, 14 Jul 2011 11:55:07 -0700 Tom Sims <[email protected]> wrote:

:>Yesterday we entertained a group of vendor representatives who presented
:>their assessment of our implementation of ACF2. Among their key
:>findings and recommendations was a high-criticality suggestion to remove
:>the ACF2 "alter SVC," which was characterized as a dangerous back door
:>around access control, the removal of which would substantially reduce
:>our exposure to its malicious use.
:>I have been through the Installation, Auditor, Administrator, Systems
:>Programmer _and_ Best Practices manuals for our current release, as well
:>as the next, and I can find no indication that defining this SVC to the
:>product is in any way optional. Nor is there any documentation in the
:>online vendor bookshelves that either supports this assessment or
:>details alternatives.
:>Any ACF2 gurus out there with ideas? They are appreciated in advance!

It is NOT at all optional.

The alter-svc is used to alter the acf2 database, i.e., insert, delete and change user ids, resources, etc.

acf2 IS your access control.

Who were these vendor representatives? What are their motivations? What are they trying to sell you?

--
Binyamin Dissen <[email protected]>
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel

Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.

