On Tue, 19 Jun 2012 08:51:18 -0500, Darth Keller wrote:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>When last I read the manual, I was dismayed to discover that
>reloading an ADRDSSU archive with the RENAME option requires
>that the programmer have at least READ authority to the
>original data set name(s). Stupid restriction. It should suffice
>that the programmer have READ authority to the unloaded
>archive and WRITE authority to the renamed reloaded data
>set(s).
>
>>>>>>>>>>>>>>>>>>>>
>
>I disagree. If you don't have the authority to at least read the
>production dataset that was source for the ADRDSSU archive,
>I don't believe you should be able to dump it to a dataset that you do
>have authority to read.

Fully agreed. But with that restriction in place, your next two sentences are non sequitur.

>This would give you access to
>data that the company has already decided you shouldn't have access to.
>And that's exactly what would happen in your scenario.
>

Would any responsible administrator unload a data set to an archive and grant read access to that archive to any user not having read access to the original data set? That's as stupid as misusing IEBGENER or IEBCOPY to create an unrestricted copy of a restricted data set. Perhaps ADRDSSU should check for this and prohibit the operation or at least warn of it and require confirmation.

If I have READ access to an ADRDSSU-unloaded archive of a restricted data set, and I know the data format (is it documented, or is it security-by-obscurity?) or can infer it, can I not filter it to a copy, changing the original data set names to my TSO prefix, reload it, and gain unauthorized access to data?

>Now if you're sending the archive to another shop, I can understand your
>frustration. But you need to consider what ability/authority
>you're giving everyone if you were to apply your rule.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
