On Wed, 25 Mar 2009 22:16:22 -0500, Len Rugen <[email protected]> wrote:
>Not arguing with those that will probably propose something like
>FACILITY profiles, my answer is "it depends".
>
>To me, RACF is OK for fairly static information but maybe not so things
>that would change from minute to minute.
>
>Basically, if you need a database, you need a database, forcing RACF,
>HFS or in the old days VSAM to do something it shouldn't can bite you later.

RACF can also be OK for things that change frequently, but you make some good points, Len.

For another consideration I don't think anyone has mentioned: if some application is going to be storing information and retrieving it, what kind of application is it? Using RACF in that case typically requires authorization (APF, supervisor state, or system key) but merely accessing a file or a database does not have those requirements.

Something else no one has mentioned: if you do need a database, z/OS provides the IBM Tivoli Directory Server which implements LDAP, giving you a low cost (no added charge) database solution that comes free with the system if you can use its LDBM configuration. And one that provides access control if he needs that, too. Many applications can access an LDAP directory, and they can even run on machines elsewhere in your network.

-- 
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

