On 4/4/2007 3:33 PM, Steven Conway wrote:
> CA Top Secret supports member level security in a PDS or PDSE, allowing a
> variance of access authority to users of the dataset versus an individual
> member. We have that plugged in. A few months ago, there was a problem
> that led me to open an issue with Top Secret to verify what they do, and
> with another vendor to determine why their program hung on failed access
> at the member level.
>
> The other vendor runs RACF, and today told me his RACF Admin says RACF
> does not support member level protection. Not being a RACF guy, I went to
> the books. Neither the Admin Guide nor User's Guide yielded anything to
> searches on 'member protection' or 'member level protection'.
>
> I would have sworn all three major security packages supported this
> function, but I can't find anything to verify that.
>
> Will someone who knows the true scoop hook me up with either "No, RACF
> doesn't do that" or "Hey, dope. Look at <reference here>".

It is more appropriate to say that z/OS does not support member level
protection. As the resource manager for data sets, it would be up to
DFP or DFSMS to call the security product to make security checks for
members, and DFP/DFSMS does not do so.

Any security product that provides such protection has therefore had to
modify z/OS in some way in order to do so. RACF does not make such
modifications to other components of z/OS.

If you would like member level protection supported natively in z/OS,
please submit a requirement via SHARE or directly via someone on your
IBM account team, and ask DFSMS for that support.

Walt Farrell, CISSP
z/OS Security Design, IBM