[email protected] wrote:
On Sat, 23 Feb 2008 10:07:24 -0600, Walt Farrell wrote:
One could argue that letting you determine your access to resources without
actually trying to use them (and thus without causing audit records) is a
form of hacking.  You're looking around trying to figure out what you can
do, rather than simply doing your job.

I'm not sure why RACF allowed STATUS=ACCESS without APF authorization, but
in hindsight I consider it to have been a mistake.  However, changing it at
this point would break an unpredictable number of applications.

That may be the price of increased security awareness.  Perhaps YA
PARMLIB option to control it or enable logging negative responses?

Should similar concerns apply to LISTDSD, mentioned elsewhere in
this thread?

Do sites similarly log, audit, and investigate storage protection
exceptions?

OTOH, I can readily imagine a utility that attempts an access but
on failure proceeds with restricted function.  As an example for
Shmuel, see message GIM69158I, or perhaps IEB1099I.

--gil

And YA email address, eh, Paul? Is this another
manifestation of the merger finally taking place?


Kind regards,

-Steve Comstock
The Trainer's Friend, Inc.

303-393-8716
http://www.trainersfriend.com

  z/OS Application development made easier
    * Our classes include
       + How things work
       + Programming examples with realistic applications
       + Starter / skeleton code
       + Complete working programs
       + Useful utilities and subroutines
       + Tips and techniques

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
