On 9/13/2006 5:38 PM, Charles Mills wrote:
Walt, no one's beating you up! RACF and MVS are wonderful products.
I would support Gil's contention that TSO does "it" - "it" being notifying
the user of the state of his account. Yes, yes, it gets the information from
RACF (or some other SAF-compliant sub-system, no?). But whatever - the
TSO-RACF partnership does it, okay?
No, TSO does not "get the info from RACF". RACF has the info, RACF
knows it's a TSO logon, and RACF issues the TPUT that gets it to the
user's terminal. All RACF, all the way.
(gil) mentioned automated applications that can't respond to an expired
password properly. It is not obvious that they would be able to respond
to a password warning, either.
True, but the user might. The user might at least have a prayer of seeing a
message that said "your password will expire in nn days" and doing something
about it before jobs started failing - perhaps critical (to the user, at
least) jobs failing after the user had gone home for the day.
True, if the user is watching the messages, and assuming the application
lets them display, the user could take some action.
Again, no one is beating RACF up. MVS evolved the way it did. I understand
that every decision made sense at the time it was made.
Thanks.
Walt Farrell, CISSP
z/OS Security Design, IBM
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
