On Tue, 12 Feb 2008 22:20:09 -0800, George Fogg <[EMAIL PROTECTED]> wrote:
>Here's how MCS/SMCS console command authority works for the "V
>CN(SMCS6001),LOGON=OPTIONAL)" command we're talking about.
>
>1.) I can issue this VARY from any MCS or SMCS console that I *didn't* logon
>to (LOGON=OPTIONAL) if AUTH=MASTER is defined in the CONSOLxx parmlib member
>for the console(s) because the OPERCMDS class check is bypassed, even if
>the OPERCMDS class is active.
>RULE: If I'm not logged on to a MCS/SMCS console then basically, no OPERCMDS
>class checking.

If you're worried about that exposure, though, why would you have any
consoles defined with LOGON(OPTIONAL)? I would expect you to use
LOGON(AUTOMATIC), and make sure that the auto-logged on ID (the console
name) does not have authority to issue that VARY command.

Thanks for providing the explanations, by the way.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design
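An added example, not part of either poster's message: a small audit that flags consoles in a CONSOLxx-style member whose effective LOGON is OPTIONAL while AUTH includes MASTER, the combination discussed above. The member text is constructed, the parsing is simplified, and the inheritance rules (a CONSOLE statement without LOGON takes the DEFAULT statement's value, which is OPTIONAL when not coded) are assumptions to check against your system's documentation.

```python
import re

# Constructed sample CONSOLxx-style member (not taken from the thread).
SAMPLE = """\
DEFAULT LOGON(OPTIONAL)
CONSOLE DEVNUM(SMCS) NAME(SMCS6001)
        AUTH(MASTER)            /* inherits LOGON from DEFAULT */
CONSOLE DEVNUM(SMCS) NAME(SMCS6002)
        AUTH(MASTER) LOGON(AUTO)
CONSOLE DEVNUM(SMCS) NAME(SMCS6003)
        AUTH(INFO) LOGON(OPTIONAL)
"""

STMT = re.compile(r"^\s*(INIT|DEFAULT|HARDCOPY|CONSOLE)\b", re.I)
KEYWORD = re.compile(r"([A-Z]+)\(([^()]*)\)", re.I)

def parse_statements(text):
    """Split the member into (statement_type, {keyword: value}) pairs."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # drop comments
    statements = []
    for line in text.splitlines():
        m = STMT.match(line)
        if m:  # a statement type starts a new statement
            statements.append((m.group(1).upper(), {}))
            line = line[m.end():]
        if statements:  # other lines continue the current statement
            for key, value in KEYWORD.findall(line):
                statements[-1][1][key.upper()] = value.strip().upper()
    return statements

def exposed_consoles(text):
    """Names of MASTER-authority consoles whose effective LOGON is OPTIONAL."""
    statements = parse_statements(text)
    default_logon = "OPTIONAL"  # assumption: value used when DEFAULT omits LOGON
    for kind, keys in statements:
        if kind == "DEFAULT":
            default_logon = keys.get("LOGON", default_logon)
    flagged = []
    for kind, keys in statements:
        if kind != "CONSOLE":
            continue
        logon = keys.get("LOGON", "DEFAULT")
        if logon == "DEFAULT":  # assumption: inherit from the DEFAULT statement
            logon = default_logon
        auth = {a.strip() for a in keys.get("AUTH", "").split(",")}
        if logon == "OPTIONAL" and "MASTER" in auth:
            flagged.append(keys.get("NAME", "<unnamed>"))
    return flagged
```

Calling `exposed_consoles(SAMPLE)` reports only SMCS6001, the console that picks up LOGON(OPTIONAL) from the DEFAULT statement without coding it explicitly.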

