Ted MacNEIL pisze:
At the risk of flogging a dead horse, I truly believe in the minimum access to
do the job, and separation of duties.
If you have a storage administrator, they should be the only ones with access
to the storage administration tools.
Not a sysprog, and definitely not application types.
Does your storage admin have access to COBOL compiler and binder?
Is IDCAMS protected as ADRDSSU? IEBCOPY?
Programs are TOOLS. The holy rule of security says: Protect RESOURCES,
not the tools.
Programmer can or cannot use ADRDSSU. I can or cannot use COBOL
(whatever) compiler. Is it dangerous to have the access to the compiler?
ADRDSSU (with ADMIN disabled, which is default)) is no more powerful
than IEBGENER or binder. It doesn't circumvent any security rule.
It can be useful for the person who know how to use it and useless to
others. However this is not the reason to deny access to that.
We discuss DSS, however the same problem is with many other utilities,
for example ftp, OMVS segment at all to mention a few.
IMHO the only problem it could generate is caused by lack of skills in
administration staff. If you cannot configure ftp then denying it is
safe. as well as powering off the machine.
--
Radoslaw Skorupka
Lodz, Poland
--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl
Sąd Rejonowy dla m. st. Warszawy
XII Wydział Gospodarczy Krajowego Rejestru Sądowego,
nr rejestru przedsiębiorców KRS 0000025237
NIP: 526-021-50-88
Według stanu na dzień 01.01.2009 r. kapitał zakładowy BRE Banku SA (w całości
wpłacony) wynosi 118.763.528 złotych. W związku z realizacją warunkowego
podwyższenia kapitału zakładowego, na podstawie uchwały XXI WZ z dnia 16 marca
2008r., oraz uchwały XVI NWZ z dnia 27 października 2008r., może ulec
podwyższeniu do kwoty 123.763.528 zł. Akcje w podwyższonym kapitale zakładowym
BRE Banku SA będą w całości opłacone.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
