On Thu, 5 Apr 2007 10:50:12 -0300, Shmuel Metz (Seymour J.)
<[EMAIL PROTECTED]> wrote:
>In <[EMAIL PROTECTED]>, on 04/04/2007
> at 10:03 PM, "R.S." <[EMAIL PROTECTED]> said:
>
>>RACF does not support member-level protection. It was widely
>>discussed several times on RACF-L. IBM claims such protection can be
>>circumvented (which I agree), however it's not easy
>
>Nonsense! It would be trivial to circumvent it, at least for PDS.

I can envision implementations that would make circumvention non-trivial,
Shmuel.

However, they would involve changes in EXCP processing for all channel
programs addressed to any member-protected PDS. The change would examine
all CCWs to make sure the channel program was going to process a member the
user was allowed to use.

I can also see that approach as having some (large?) performance impact.
But I don't see a simple way to circumvent it.

Walt Farrell, CISSP
z/OS Security Design