On Tue, 26 Feb 2008 19:53:42 -0600, David Eisenberg <[EMAIL PROTECTED]> wrote:
>Not in this case, IMO.
>
>The violations are occurring as a result of a text string scan across all
>members of a production source code library in CA's Panvalet format. The
>library contains hundreds of members, but a handful of them have
>UACC=NONE. Here's how: Panvalet supports *member-level* security. We
>create RACF "pseudo-profiles" that contain the member name as the last
>qualifier, and if we wish to read-protect a member, we set that profile to have
>UACC=NONE. A Panvalet security exit constructs the pseudo-profile name, and
>invokes RACROUTE to see if read access to the member is permitted or not.

I would agree that's a reasonable case for using LOG=NONE. It will, however, require you to run APF-authorized, and I think it's appropriate to require APF in this case.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

