Maybe I need a make-up class at Saturday morning vocab class. Then again maybe it's a distinction without a difference. Here's why you do *not* want to over-grant update access to the master catalog.
-- For the average user, there should be some user catalog pointed to by an alias in mcat. There is no need for access to mcat. All ucats need to be managed and subjected to regular housekeeping. -- For someone who genuinely needs update or greater access to the master catalog, failure to create a ucat alias causes *all* data sets created by the user to go into mcat. This insidious result can go unnoticed for a long period. Getting the mcat cleaned up can be arduous, time consuming, and disruptive. As for whether gratuitous update access to mcat is a 'security' or an 'integrity' problem, extensive damage is possible. Simply deleting ucat aliases from mcat can bring a system to its knees. This is without touching a single customer data set. Don't let it happen. . . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-543-6132 Office ⇐=== NEW [email protected] -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Lennie Bradshaw Sent: Thursday, September 17, 2020 4:05 PM To: [email protected] Subject: (External):Re: EXTERNAL EMAIL: How get a user to use his own catalog rather than master? CAUTION EXTERNAL EMAIL I did not intend to start a storm of messages here. I was simply using the IBM definition of system integrity which they document here, https://www.ibm.com/it-infrastructure/z/capabilities/system-integrity Yes, maybe it is semantics. But many working in IBM mainframe security community would distinguish security and integrity issues from one another. Lennie Dymoke-Bradshaw -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Allan Staller Sent: 17 September 2020 17:16 To: [email protected] Subject: Re: EXTERNAL EMAIL: How get a user to use his own catalog rather than master? Classification: HCL Internal Would you allow random updates of the ROOT directory on a *NIX system?. This is definitely both a integrity and an operational exposure -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Steve Smith Sent: Thursday, September 17, 2020 11:14 AM To: [email protected] Subject: Re: EXTERNAL EMAIL: How get a user to use his own catalog rather than master? [CAUTION: This Email is from outside the Organization. Unless you trust the sender, Don’t click links or open attachments as it may be a Phishing email, which can steal your Information and compromise your Computer.] There's not much benefit to debating the semantics of "integrity". Nobody who doesn't thoroughly understand catalog management should be able to update the master catalog, because you can easily destroy the system by removing critical dataset entries. Much more typically, it just fills up with junk. sas On Thu, Sep 17, 2020 at 11:58 AM Gibney, David Allen <[email protected]> wrote: > I could damage the catalog, perhaps as easily as adding datasets until > I overflow it. Perhaps not integrity as in ability to upgrade my > authority, but certainly a potential DOS and a threat to system stability. > > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
