There are also "newer" JCL checkers on the market that allow remote
checking of JCL on production from the users on the test side. Similar
to the description outlined by Walt Farrell.
Brian
Walt Farrell wrote:
On Mon, 25 Feb 2008 13:08:53 -0600, Dave Kopischke
<[EMAIL PROTECTED]> wrote:
On Sat, 23 Feb 2008 10:07:24 -0600, Walt Farrell wrote:
One could argue that letting you determine your access to resources without
actually trying to use them (and thus without causing audit records) is a
form of hacking. You're looking around trying to figure out what you can
do, rather than simply doing your job.
We have a JCL checker application that verifies dataset access for a JOB.
Through routine use of this product, we end up with thousands of access
warnings on our daily RACF reports. This is not a hacking attempt. If there
were hacking attempts occuring, it would be tough to see them through the
noise though.
I'm going to try to see if I can have this product changed to use a non-logged
access check.
That makes sense. Perhaps what you need, though, is a method allowing your
application developers to run the JCL checking procedure against the proper
user ID. You could let them put the JCL into a library with a known name,
for example, and then have them run a program that either:
(a) issued a command to run an STC to do the check, with the STC running
under a more appropriate user ID; or
(b) switched identity to the proper production ID and then submitted the JCL
Check job.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
