On 12/6/2006 11:03 AM, Randy Harris wrote:
I agree completely with your method of control. I see many cases on a
daily basis which should handled in that manner. But then, I have no control.
Anyway, restricting IEBUPDTE was just a thought and may not be feaseable
or effective as Sam mentioned. I will continue to restrict access the
proper way. Thank you all for your comments.
If you want to stop people from using IEBUPDTE (or any other program
except those in LPA) then PROGRAM profiles in RACF should do it.
Without seeing exactly how you set it up I can not comment on why that
did not work for you.
However, as others have noted, restricting the program is often the
wrong answer.
In this case, what problem are you trying to solve that makes
restricting IEBUPDTE the answer? IEBUPDTE can only update data sets to
which the user has update access, and if the user has update access
there are many programs he could use to perform an update. So what
makes IEBUPDTE special and worthy of control in this case? (That is,
what makes use of IEBUPDTE problematic when use of other programs is OK?)
Walt Farrell, CISSP
z/OS Security Design, IBM
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
