On Tue, 5 Jun 2007 18:55:46 -0500, Joel C. Ewing wrote:
>
>The default RACF behavior allows only a RACF SPECIAL user to issue the
>ALU command to update a user profile.  It is possible for an
>installation to explicitly grant users the authority to update specific
>fields in their own user profile, but since the TSO logon panel
>already provides (under normal circumstances) a route for the ordinary
>user to update his logon proc, account number, and logon command in the
>RACF USER TSO segment, it would be unlikely for an installation to
>enable update of these fields via the ALU command.
>
The case in point, and need to recover, demonstrates why such
authority for all users should be the default.

Alternatively, the system's error recovery procedure for terminal
output errors on the login screen should be to retry with an empty
login screen, such as the one displayed when the user enters an
invalid ID and let the user fill in anew.

Hmmm.  I entered LOGON FUBAR at the READY prompt and got such a
blank screen with "IKJ56420I Userid FUBAR not authorized to use
TSO."  So far, so bad.  I overtyped the Userid; entered my password,
and entered TIME as the command.  It allowed me to logon, but
executed the previously stored (possibly invalid) COMMAND, not the
"TIME" I had just entered.  Ouch.  Pretty much an error, IMO.  Or
is there some security concern I'm overlooking?

Of course, if the user is so rash as to enter "LOGOFF" as the
COMMAND, he can recover on the next logon attempt.  (I'm so
rash.  It works.)

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html