Chris,

When IBM suggests UACC(NONE) for a system dataset, this is usually an indicator 
the dataset contains security control information that should be kept secret. 
In this particular case, it may have to do with options such as the ability to 
specify clear text passwords with PRTCT= on VTAM APPL definitions. Whereas the 
RACF team at IBM may not always provide detailed information about why they 
made a particular suggestion, I have always found them to be very thoughtful 
and never arbitrary.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

---------------------------------------------------------------------
2012 RACF Training
- Audit for Results   - Boston - APR 24-26
- Intro & Basic Admin - Boston - MAY 8-10
---------------------------------------------------------------------

-----Original Message-----
Date:    Fri, 9 Mar 2012 12:03:03 -0600
From:    Chris Mason <[email protected]>
Subject: Re: VTAMLST - Who needs to read it

Juan

> IBM suggests UACC(NONE) for them (RACF Security Administrator Guide, appendix 
> D, Security for system datasets).

Why should the RACF developers be the arbiters of what is the correct access 
policy for VTAMLST? I would say that they were as likely to get such a proposal 
correct as any other development shop commenting on the products of another 
development shop. In other words, they are very, very likely to get it quite 
wrong - a phenomenon I have observed time and again!

Indeed, I have sometimes been very pleasantly surprised when a manual written 
by one development shop happened to come up with a clear explanation of how to 
use products from another development shop. Actually the only case I can 
remember over many years is GDDM talking about the 3270 data stream.

> (RACF Security Administrator Guide, appendix D, Security for system datasets)

Please - and this applies to all posters - provide a URL when referring to 
something stated in a manual.
 
I suggest you post this query on the RACF-L list and challenge the gurus, who I 
notice are not backward in coming forward, and see if any of them can provide a 
reasoned argument why the following recommendation - which I dug out! - is 
present:

<quote>

D.0 Appendix D. Security for system data sets

Table 48. UACC values for system data sets

Data set/UACC/Comments

...

SYS1.VTAMLST/NONE/

...

</quote>

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichza7c0/D.0

Note that the people responsible for this table couldn't even imagine any 
justifying comment to add. I suspect they had wet fingers in the air!

If the RACF-L gurus cannot provide a reasoned argument, I suggest you treat 
this recommendation with the pinch of salt which in my opinion it deserves.

Remember "There is no substitute for understanding what you are doing.", a 
maxim that isn't necessarily ingrained on the conscience of IBM developers!

-

Anyhow the "users" who need to access VTAMLST are obviously the user of the 
VTAM/NET address space and any system programmer's TSO address space where the 
system programmer is responsible for maintaining the VTAMLST partitioned data 
set. I cannot see any reason why a user of the VTAM API would require access to 
VTAMLST for the reason that he/she was using the VTAM API.

-

Incidentally, while you are challenging the RACF-L gurus over access to 
VTAMLST, you might care equally to challenge them over the recommendation to 
specify universal access of READ for the VTAMLIB partitioned data set where, 
again, the comment field is completely absent in the now famous table. Again, I 
suspect a wet finger!

-

Moreover, take a look at the comments where the authors bothered to add 
comments and note whether there appears to have been any guidance other than 
common sense and - it must be said - note the considerable equivocation!

-

Chris Mason

On Fri, 9 Mar 2012 09:00:34 -0800, Juan Mautalen <[email protected]> 
wrote:

>Hi:
>
>We currently have our VTAMLST libraries protected with UACC(READ). IBM 
>suggests UACC(NONE) for them (RACF Security Administrator Guide, appendix D, 
>Security for system datasets). I want to make the change, but of course I 
>know I must be extremely careful with this change. I need to detect all users 
>needing read access to VTAMLST. Human users are not my problem, my worry is 
>about non-human ones (users of system tasks, started tasks, etc.).
>
>Which users need read access to VTAMLST?
>Does any userid associated with a VTAM application need to read VTAMLST?
>
>Thanks in advance for your help,
>
>Juan Mautalen
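One way to carry out the change Juan asks about without breaking a started task that nobody remembered, written here as an added example and not taken from any poster or from IBM documentation: a batch TSO job that tightens SYS1.VTAMLST in stages, using RACF auditing and WARNING mode to surface the real readers before access is enforced. The JOB card values, the userid NETSTC (the VTAM started-task userid) and the group SYSPROG are placeholders for site-specific names.

```jcl
//VTAMLST1 JOB (ACCT),'VTAMLST UACC',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*-------------------------------------------------------------------
//* Staged tightening of SYS1.VTAMLST from UACC(READ) to UACC(NONE).
//* Run one step at a time, days or weeks apart; delete the others
//* before submitting. NETSTC and SYSPROG are placeholders for the
//* site's VTAM started-task userid and system programmer group.
//*-------------------------------------------------------------------
//* Stage 1: leave UACC(READ) in place but log every READ, successful
//* or not, so SMF type 80 records show who really reads the library.
//* Unload them with IRRADU00 and collect the userids seen across a
//* full cycle of IPLs, VTAM restarts and maintenance activity.
//STAGE1   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTDSD 'SYS1.VTAMLST' AUDIT(ALL(READ))
  LISTDSD DATASET('SYS1.VTAMLST') ALL
/*
//* Stage 2: permit the userids the audit trail actually showed, then
//* drop UACC to NONE in WARNING mode. WARNING still allows any other
//* access but writes a type 80 record and an ICH408I message for it,
//* so a missed started task keeps running while the list is completed.
//STAGE2   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  PERMIT 'SYS1.VTAMLST' ID(NETSTC)  ACCESS(READ)
  PERMIT 'SYS1.VTAMLST' ID(SYSPROG) ACCESS(UPDATE)
  ALTDSD 'SYS1.VTAMLST' UACC(NONE) WARNING
  LISTDSD DATASET('SYS1.VTAMLST') ALL
/*
//* Stage 3: once no further WARNING records appear, enforce. Keep the
//* AUDIT setting so any unexpected reader stays visible afterwards.
//STAGE3   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTDSD 'SYS1.VTAMLST' NOWARNING
  LISTDSD DATASET('SYS1.VTAMLST') ALL
/*
//* If SYS1.VTAMLST is covered by a generic rather than a discrete
//* profile, add GENERIC to each ALTDSD/PERMIT/LISTDSD above and follow
//* the changes with:  SETROPTS GENERIC(DATASET) REFRESH
```

Each LISTDSD prints the profile's UACC, WARNING state, audit options and access list, which is the check to keep from each stage's output.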

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
