Re: ADRDSSU protection [was:RE: Using FTP to send loadlib]

Wed, 06 May 2009 09:19:50 -0700 

Radoslaw,

I meant "you" in the general sense.  Your points are well taken, but I would
still have a hard time distributing DSS.  Just some nagging feeling in the
back of my head tells me that, eventually, something "not good" would come
of that.  Can't come up with any examples and I could be very wrong (sure
wouldn't be the first time!).  But, I can't shake that feeling.  I guess
we'll just have to agree to disagree.

All the best,
Scott T. Harder

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]]on Behalf
Of R.S.
Sent: Wednesday, May 06, 2009 10:07 AM
To: [email protected]
Subject: Re: ADRDSSU protection [was:RE: Using FTP to send loadlib]

Scott T. Harder pisze:
> I can see where IF you have ALL the appropriate security profiles set up
> properly, then I suppose I see your point.

Yes, I do have all the appropriate profiles set up. It's really easy.
More: it's enough not to create any of them. As I said previously, all
"powerful" functions are disabled by defualt (require explicit
authorization).

IMHO it is very (yes VERY) bad approach - to disable the tool because
someone does not know how to protect it or "just by default".


> For me, though, I would rather
> cut off access completely.  I would ask "Why do they need it?"  If your
SMS
> constructs and ACS routines, and your backups, are all set up properly,
why
> do they need to be moving data around or backing it up with DSS???

It's enough for me to know they *could* want it. However the tool allows
i.e. to copy HLQ1.DEV.** to HLQ2.TEST.** with many other options. Of
course the programmer has ALTER to both dataset profiles. In your shop
he has to do it one-by-one dataset, in my shop he codes single JCL step.

BTW: there is a list of IBM-supplied programs which should be restricted
by default. This is very short list: IEHINITT, IRRDPI00, ICHDSM00 (it's
information-only tool, it doesn't change anything).

Hammer for everyone! We should protect fingers, not hammers. <vbg>

Regards
--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

Sd Rejonowy dla m. st. Warszawy
XII Wydzia Gospodarczy Krajowego Rejestru Sdowego,
nr rejestru przedsibiorców KRS 0000025237
NIP: 526-021-50-88
Wedug stanu na dzie 01.01.2009 r. kapita zakadowy BRE Banku SA (w
caoci wpacony) wynosi 118.763.528 zotych. W zwizku z realizacj
warunkowego podwyszenia kapitau zakadowego, na podstawie uchway XXI WZ z
dnia 16 marca 2008r., oraz uchway XVI NWZ z dnia 27 padziernika 2008r.,
moe ulec podwyszeniu do kwoty 123.763.528 z. Akcje w podwyszonym
kapitale zakadowym BRE Banku SA bd w caoci opacone.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

____________________________________________________________
Get the best Criminal Lawyer. Click Here
http://thirdpartyoffers.netzero.net/TGL2241/fc/BLSrjpYbd6xqMCWsduaF7zR56Al7s7VQGTKKpfJpsppgT26rHn45VL1Xcru/

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Reply via email to