On 3/9/2006 12:42 AM, Bruce Hewson wrote:
To Shane, Walt and Chris,
Because it is the combination of
AUDITOR + RACF + ACCESS(ALTER) = many questions
We are asking BMC for more explanation.
My reading of the manual supplied to me did not give any indication that
ACCESS levels other than ALTER were being used.
We are required to document any ACCESS requirement other than READ.
Documenting it should be easy: Required by vendor in order for function
to work. See BMC manual number (insert manual number here).
Again, beyond that, the auditors should not have a problem with what you
have done, and in your position I would tell them that (and, again,
that is a personal thought, not an official one from IBM).
Your auditors (or whomever created that documentation policy need to
realize (among other things) that no rule like that (must document ...)
can work in all cases. Neither can rules like "you must not use
UACC(READ) under any circumstances." Each circumstance must be
understood individually and analyzed on its own.
In this particular case, your analysis would be "this is a vendor
product, doing its own checking, and they document that ALTER is needed.
Therefore we granted it." Done, end of work.
Walt
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
