On Sat, 23 Feb 2008 10:07:24 -0600, Walt Farrell wrote:
>
>One could argue that letting you determine your access to resources without
>actually trying to use them (and thus without causing audit records) is a
>form of hacking. You're looking around trying to figure out what you can
>do, rather than simply doing your job.
>
>I'm not sure why RACF allowed STATUS=ACCESS without APF authorization, but
>in hindsight I consider it to have been a mistake. However, changing it at
>this point would break an unpredictable number of applications.
>
That may be the price of increased security awareness. Perhaps YA PARMLIB option to control it or enable logging negative responses?

Should similar concerns apply to LISTDSD, mentioned elsewhere in this thread? Do sites similarly log, audit, and investigate storage protection exceptions?

OTOH, I can readily imagine a utility that attempts an access but on failure proceeds with restricted function. As an example for Shmuel, see message GIM69158I, or perhaps IEB1099I.

--gil

