On Fri, 8 May 2009 16:26:02 +0200, R.S. <r.skoru...@bremultibank.com.pl> wrote:
>Eric Bielefeld pisze: >> I had a problem once with an APF library not being RACF protected. I >> set up a library for something, I can't even remember what, and put it >> in the APF list. Unfortuneatly, it was the only APF library that had >> RACF protection allowing update by anyone. We had an audit about 2 >> years or so before the datacenter closed for good, and the audit tool >> that was used pointed out that problem. Of course, it was fixed within >> minutes of finding it. I can't remember the name of the tool, but I >> know it was very good, and expensive, although we finally bought it only >> after my boss negotiated a really good deal. > >DSMON. >*Free* (part of z/OS with RACF). >Shows several reports including protection of "important" datasets. > > Hopefully DSMON (ICHDSM00) is program protected since it does show security related information. I'm not even allowed to run it in some of our environments. > >BTW: DSMON and possibly other tools only shows partial security >information about datasets. >In case of DSMON you will know whether dataset is RACF protected (*) and >what is UACC of the profile. >THAT'S NOT ENOUGH! >I remember I found an APF library with UACC(NONE), but on the access >list there was a group "everyone" with ACCESS(ALTER). >In other words you have to assess whether the protection is right - what >teams (groups) have access to it. IMHO no tool can do it. > Health Checker RACF_SENSITIVE_RESOURCES check helps. Mark -- Mark Zelden Sr. Software and Systems Architect - z/OS Team Lead Zurich North America / Farmers Insurance Group - ZFUS G-ITO mailto:mark.zel...@zurichna.com z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/ Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html