On Sat, 9 May 2009 18:54:21 -0700, Ed Gould <[email protected]> wrote:
> Also if they do have access to amaspzap they can get around almost anything, so I would still
> restrict that access (along with its aliases).

That's not true, Ed. Access to AMASPZAP only allows you to read or write data that you already have access to by other means, *except* for the one case of zapping a VTOC. And for that, DASDVOL protection and/or operator prompts supply the security.

But for the other cases, if you have UPDATE to a data set then you can zap it, but of course if you have UPDATE to the data set you can write to it with anything else, too.

That's why we're saying you need to protect the resources, not the utilities that operate on them. Someone can always find another utility, or write their own (and it doesn't take much programming experience to write a REXX exec, shell script, PERL script, PYTHON script, etc. to do it).

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

