It sounded like there was very little shared DASD from what Skip said, so I 
don't think the security risk would be that high.  Yes, if all DASD was shared, 
I can see that that would be a problem.

This leads me to the last contract job that I had.  The datacenter was 
contracted out to another company.  In talking to one of their systems 
programmers, they ran everything in one huge sysplex.  I think they had 30 to 
40 different z/OS machines in their datacenter.  I'm sure each system had its 
own RACF database.  I know I could see all the machines in the sysplex with 
some of the tools I found, but I couldn't do anything with them.  

Eric

---- Walt Farrell <[EMAIL PROTECTED]> wrote: 
> On Mon, 24 Nov 2008 21:38:45 -0800, Skip Robinson > 
> I won't deny that it can be done, Skip.  But it's risky, because it can
> leave you with security exposures you don't realize you have when the
> security databases are different but the DASD is shared.  
> 
> And it can leave you with problems if you misconfigure a sysplex-aware
> application to share work across multiple instances of itself and they
> someday end up running with different security databases.  Nothing in the
> system can save you from such misconfiguration, and so it means you have a
> lot more work to do making sure that doesn't happen.
> 
> -- 
>   Walt Farrell, CISSP
>   IBM STSM, z/OS Security Design
--
Eric Bielefeld
Systems Programmer
Washington University
St Louis, Missouri
314-935-3418

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
