On 3/23/2006 3:12 PM, Gil, Victor x28091 wrote:
> We'd like to be able to prevent certain "confidential" fields in production
> files from being revealed to "unauthorized" users while still allowing
> access to the rest of the record. From the user's perspective these files are
> read-only and are accessed through TSO, batch or CICS for testing or
> comparison purposes.

Do your users access these files through specific applications? If so,
you could establish security rules that would allow the users to access
the data only when running those specific programs, and not when running
other programs of their own choosing.
With RACF, for example, we call that processing Program Access to Data
Sets, and you set it up with a PERMIT command of the form

    PERMIT 'data set profile name' ID(user or group) WHEN(PROGRAM(program name)) ACCESS(READ)

You'll have some additional work to do in setting up the program
controls, but this is the usual approach to problems like you describe,
other than using a DBMS-based solution.
Walt Farrell, CISSP
z/OS Security Design, IBM
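
An added example, not part of the original message: a sketch of the program-control setup the reply refers to, written as RACF TSO commands with CLIST-style comments. The data set name PROD.PAYROLL.MASTER, load library PROD.LOADLIB, program PAYRPT and group TESTGRP are hypothetical, and the data set profile is assumed to exist already.

```tso
/* 1. Turn on program control if it is not already active.          */
SETROPTS WHEN(PROGRAM)

/* 2. Define the trusted program and the library it is loaded from. */
/*    UACC(READ) lets users execute it; the volume serial is left   */
/*    empty between the two slashes.                                */
RDEFINE PROGRAM PAYRPT ADDMEM('PROD.LOADLIB'//NOPADCHK) UACC(READ)

/* 3. Refresh the in-storage PROGRAM profiles so step 2 takes effect. */
SETROPTS WHEN(PROGRAM) REFRESH

/* 4. Remove any unconditional access. A READ entry on the standard  */
/*    access list, or UACC(READ), would let the group open the file  */
/*    with any program and make the conditional entry meaningless.   */
ALTDSD 'PROD.PAYROLL.MASTER' UACC(NONE)
PERMIT 'PROD.PAYROLL.MASTER' ID(TESTGRP) DELETE

/* 5. Grant READ only while PAYRPT is the program in control.        */
PERMIT 'PROD.PAYROLL.MASTER' ID(TESTGRP) ACCESS(READ) WHEN(PROGRAM(PAYRPT))

/* 6. Verify: AUTHUSER lists both the standard and the conditional   */
/*    access lists for the profile.                                  */
LISTDSD DATASET('PROD.PAYROLL.MASTER') AUTHUSER
```

RACF only decides whether the data set can be opened under PAYRPT; hiding the confidential fields from the user is the job of that program.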