Greetings all,

I posted this on RACF-L a week ago. There were no replies, so I thought I would try this list. I am implementing RACF control for DSCMON for the first time and wondering how others have implemented it. Below is some background information, my thoughts, and some questions.

DSCMON is a Started Task that can dynamically and, in some cases, automatically refresh the in-memory copies of Linklist library directories maintained by LLA (Library Lookaside Facility). To perform this function, DSCMON needs READ access to all the Linklist libraries. It also needs access in OPERCMDS to modify LLA.

Ensuring DSCMON is permitted READ access to all Linklist libraries will be an ongoing administrative burden. It will require constant review of the list of Linklist libraries to confirm DSCMON has READ access and, if necessary, permitting DSCMON READ access to any new libraries that are added to the Linklist. Failure to provide READ access to a Linklist library will prevent DSCMON from updating the LLA directory for that library. Most likely, the process of maintaining these permissions could be partially automated, and maybe an alert could be set for any Linklist library changes, but it will still require ongoing RACF changes. Note that a computer operator could still perform a refresh using an operator command, but less conveniently and not automatically as when done by DSCMON.

The technician installing DSCMON proposed giving it TRUSTED authority and claims most organizations implement it this way. TRUSTED would certainly eliminate the need to maintain its access permissions. I suspect its access activity is likely to be low, so I would be inclined to give its ID UAUDIT to track its access activity if it were made TRUSTED. Nonetheless, I have mixed feelings about giving it TRUSTED. This is not a product on IBM's sanctioned TRUSTED list, and I am loath to give any task TRUSTED that is not sanctioned.

To any of you who currently have DSCMON on your system or previously worked with it, how have you implemented RACF controls? Has it been given TRUSTED authority? If so, was its ID also given UAUDIT? If not TRUSTED, how have its READ permissions to all the Linklist libraries been maintained? Is there an alert for the addition of libraries to Linklist? Has a RACF exit been implemented to grant it access?

I look forward to reading your replies.

Regards, Bob

Robert S. Hansel
2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
