On 5 Jan 2008 14:44:21 -0800, in bit.listserv.ibm-main
(Message-ID:<[EMAIL PROTECTED]>)
[EMAIL PROTECTED] (Aman Naqvi) wrote:
> We have two security operations teams who are defined in
> RACF with the group-Special attribute and hold CLAUTH on a
> class to define profiles.
> The issue is that we need to cut down their access.
> The task is to only provide these teams access through
> Panels/REXX and to cut off their group-Special attribute
> and Class authority. My problem is that if the REXX
> executes online it is executing under the authority of the
> user (whose access I'm trying to cut down).
> Any ideas how I can achieve this without going to batch?

Whatever the solution is, batch isn't going to make
things any better. Either the batch job executes with the
userid of the submitter (same problem as online), or it
executes with a userid which it's harder to audit because
it's more difficult to determine on whose behalf the RACF
updates were done. Plus, if they'll be able (via batch) to
issue the same commands, what difference does it make if
they keep their current attributes?

I think the crux is "we need to cut down their
access." That sounds like an auditor's requirement. If
so, ask the auditor how to get the company's work done
while adhering to their cookie-cutter requirements.

My general feeling is to give people all of the
access they need, but to audit everything done. And make
sure they know in advance that everything will be audited.
--
I cannot receive mail at the address this was sent from.
To reply directly, send to ar23hur "at" intergate "dot" com