--------------------------------------<snip>----------------------------------------

Yesterday we entertained a group of vendor representatives who presented
their assessment of our implementation of ACF2.  Among their key findings
and recommendations was a high-criticality suggestion to remove the ACF2
"alter SVC," which was characterized as a dangerous back door around access
control, the removal of which would substantially reduce our exposure to its
malicious use.

Oh my... Did they also suggest restricting use of AMASPZAP because
it's a dangerous and powerful utility that allows (shock, horror)
updating datasets?
------------------------------------<unsnip>-------------------------------------------
My management was so upset about this particular issue that I had to run a class, for management, to explain how RACF dataset controls worked. Never mind the chance of updating a VTOC via AMASPZAP.

Why is it that management is so gullible for outsiders and so skeptical of their own staff?

Why are so many managers promoted BEYOND their level of incompetence?

----------------------------------<snip>-------------------------------------------

I have been through the Installation, Auditor, Administrator, Systems
Programmer _and_ Best Practices manuals for our current release, as well as
the next, and I can find no indication that defining this SVC to the product
is in any way optional.  Nor is there any documentation in the online vendor
bookshelves that either supports this assessment or details alternatives.

If the ACF2 SVC allowed just anyone to run a program to update the ACF2
database, there would be a problem. But pretty obviously it has access
controls, just as the RACF SVC and callable services have access
controls.

If these advisors believe there is a problem, ask them to spell it out
in detail, giving at least one scenario showing malicious use.

Oh by the way, a number of vendor products would stop working if you
managed to remove the SVC. To say nothing of the ACF command.
---------------------------------------<unsnip>----------------------------------------
I suspect that many of these so-called "advisors" have little to no training or practical experience. They read a magazine article somewhere and decided to set themselves up as "experts" with no real qualifications at all, other than 1/2 hours' reading and an exorbitant fee schedule. GRRRRRRRR.

When will a set of standards be devised, and enforced, for "consultants"??

Rick

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html