Rick Fochtman wrote:
--------------------------<snip>--------------------

RACF people don't like to grant generic READ permission to all users.
Why not? What's the harm?
-------------------------<unsnip>------------------------------
I agree. Some datasets should be granted generic READ access, or even GLOBAL READ access. The various ISPF datasets, like panels and skeletons, come to mind as excellent examples. Sometimes efficient operation is more important than having a tight lock on security, especially if it's affecting a large community of users.

And you'll find that judicious use of the GLOBAL DATASET profile can considerably reduce the I/O activity on the RACF database and also reduce some of the huge volume of SMF data that's created in a medium-to-large shop.

I don't want to vote on what's good for this case (tcpip configuration files); however, I see a big difference between ISPF stuff, help, books and any configuration files. The first provides virtually no information about your system, while the second provides some information.

The matter of discussion is whether such a piece of configuration should remain secret or not. Sometimes yes, sometimes not. It depends. YMMV. Recently we had a question about VTAMLST access (it was locked), some time ago a question about PARMLIB was asked, etc. etc. On the one hand, people say security by obscurity is no security. On the other hand, it is easier to find some hole when you know details about the system.

Regards
--
Radoslaw Skorupka
Lodz, Poland

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html