I may have mentioned it before, but Volvo Data (the organization that handles data operations for the various Volvo companies worldwide) has, or used to have when I worked there, a requirement that any department with more than <n> employees have someone within the area authorized to reset passwords. This is not less secure, it's more secure. Instead of a strange voice calling me on the phone asking for a password reset and "proving" they are who they say they are by giving me some datum such as a social-security number, the same person can just walk up to Anna in his department and say "I botched my logon this morning; can you reset me please?". Anna doesn't have to ask who he is; she sees him every day. My job is then to provide expertise to Anna when she needs it, to back her up when she's not at her desk, and to watch the logs to be sure she's doing her job right. Less work for me, better security for the department.

Although I know most security admins worry about this sort of thing, I'm actually more a fan of decentralization than otherwise. When it was my baby, I also went to Anna's boss and said "how would you like to have dataset access changes made when you want them, rather than when I can find time to do them?". It's an easy sell. Then I scope Anna to do dataset-access permissions over the datasets owned by her boss (no one else's datasets, of course). Again, my job is to show her how, to advise when necessary, and to watch the logs to be sure it's all going well.

Generally I find that evil-doers take liberties with other people's resources, not with their own. So I can mostly trust the general-ledger owner to be responsible in permitting access to general-ledger resources, and so on.

---
Bob Bridges, [email protected], cell 336 382-7313

/* You can go wrong by being too skeptical as readily as by being too trusting. -from the Notebooks of Lazarus Long */

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Wayne Bickerdike
Sent: Wednesday, January 12, 2022 19:31

I was RACF admin at ADF and due to the huge workload in managing the Defence forces, we assigned GROUP SPECIAL to different divisional admins. It reduced the workload for us, particularly password resets. It reduced our workload down to creating Dataset aliases to enable TSO access.
