Good point.

Just to clarify:
1. I have no problem with giving XCFAS the TRUSTED attribute. I have several STARTED class profiles with the attribute; however, every time I checked IBM doco before that. Just to be auditor-proof. ;-) So, I asked just to be sure that I can answer "yes, it is documented - it is IBM recommendation".

2. (omitted)

3. In my case it was no problem to re-IPL the system. However, it is possible that someone has to wait for a service window. In that case a bunch of PERMITs could save the situation. Of course I still support that XCFAS should be TRUSTED. This is a matter of a temporary solution only.


Thank you all gentlemen for the answers!

--
Radoslaw Skorupka
Lodz, Poland





On 21.08.2023 at 15:22, Robert S. Hansel (RSH) wrote:
To add to this discussion, it is my understanding that when IBM tests new 
versions of z/OS, they do so with the tasks named in the documentation with 
TRUSTED authority. Since they have TRUSTED, IBM does not determine or document 
what access authorization the tasks require. If you choose to run z/OS with any 
of these tasks without TRUSTED, you are doing so in a state IBM has not tested 
nor provided access authorization guidance; hence, you do so at your own risk 
and may encounter access authorization issues that could be detrimental to the 
system. I used to advocate for not using PRIVILEGED or TRUSTED for any tasks 
but relented once I learned of this for the sake of system availability. I now 
warn clients whenever I discover any of these tasks running without TRUSTED.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date:    Mon, 21 Aug 2023 09:40:20 +1000
From:    Andrew Rowley <[email protected]>
Subject: Re: XCFAS and TRUSTED

On 21/08/2023 9:28 am, Lennie Dymoke-Bradshaw wrote:

Secondly, when IBM states that a task should be given the attribute of Trusted, 
then I take it to mean that IBM is saying that the task can be trusted that 
this attribute cannot be the source of an exposure for that task.

I think when IBM says a task should be given trusted, it's a stronger
statement than that.

I take it to mean that the task should never be denied access by the
security system, and any denial of access risks the stability or
operation of the system.


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN