-------------------------------------------<snip>--------------------------------
Does your storage admin have access to COBOL compiler and binder?
Is IDCAMS protected as ADRDSSU? IEBCOPY?
Programs are TOOLS. The holy rule of security says: Protect RESOURCES,
not the tools. Programmer can or cannot use ADRDSSU. I can or cannot use
COBOL (whatever) compiler. Is it dangerous to have the access to the
compiler? ADRDSSU (with ADMIN disabled, which is default) is no more
powerful than IEBGENER or binder. It doesn't circumvent any security rule.
It can be useful for the person who knows how to use it and useless to
others. However this is not the reason to deny access to that.
We discuss DSS, however the same problem is with many other utilities,
for example ftp, OMVS segment at all to mention a few.
IMHO the only problem it could generate is caused by lack of skills in
administration staff. If you cannot configure ftp then denying it is
safe, as well as powering off the machine.
--------------------------------------<unsnip>--------------------------------------
Roland, I PARTLY agree with you. But ANY tool that has the capability of
compromising security or integrity MUST be strictly controlled. While
some tools are "security aware" and will check via SAF before doing
something stupid, far too many tools need to be controlled at the
PROGRAM level. A "happy medium" might be to develop in-house tools that
allow certain "dangerous" tools to be used in a strictly controlled manner.
And one must satisfy auditors, who can be a serious pain in the
posterior if they aren't well informed and competent in IT technologies.
Can we think "career limiting"?
(I can't tell you how many times I've had to demonstrate to an auditor
that AMASPZAP couldn't change a dataset if the user didn't have UPDATE
access to it. And our automation had a rule such that attempts to change
a VTOC were automatically denied.)
--
Rick
--
Remember that if you’re not the lead dog, the view never changes.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html