Hello Bob, I would not make it trusted, but that is mainly up to the security standards of the company.
It depends on the shop and how their datasets are. I have always advocated that LLA, LPA, and APF datasets should rarely change and have a standard nomenclature so that someone doesn't try to shove in SYS$KA2.NONSTAND.WEIRD.MYLOADLIB. It really depends on how LLA looks. If the names in there look random and the member(s) is(are) updated frequently, then it is painful. If there are a lot of SETPROG LNKLST commands, it's painful. If there is no change control process required for updates, nor a PARMLIB monitor process to catch any changes, I would encourage standards and advise them. I would let the customer decide about trusted, versus horribly generic dataset read access, or having to update the STCID security dataset access. I am working from horribly generic to standards.

________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of Robert S. Hansel <[email protected]>
Sent: Friday, June 21, 2024 7:50 AM
To: [email protected] <[email protected]>
Subject: Data Set Commander Monitor (DSCMON) Access Authority

Greetings all,

I posted this on RACF-L a week ago. There were no replies, so I thought I would try this list.

I am implementing RACF control for DSCMON for the first time and wondering how others have implemented it. Below is some background information, my thoughts, and some questions.

DSCMON is a Started Task that can dynamically and, in some cases, automatically refresh the in-memory copies of Linklist library directories maintained by LLA (Library Lookaside Facility). To perform this function, DSCMON needs READ access to all the Linklist libraries. It also needs access in OPERCMDS to modify LLA.

Ensuring DSCMON is permitted READ access to all Linklist libraries will be an ongoing administrative burden. It will require constant review of the list of Linklist libraries to confirm DSCMON has READ access and, if necessary, permitting DSCMON READ access to any new libraries that are added to the Linklist.
Failure to provide READ access to a Linklist library will prevent DSCMON from updating the LLA directory for that library. Most likely, the process of maintaining these permissions could be partially automated, and maybe an alert could be set for any Linklist library changes, but it will still require ongoing RACF changes. Note that a computer operator could still perform a refresh using an operator command, but less conveniently and not automatically as when done by DSCMON.

The technician installing DSCMON proposed giving it TRUSTED authority and claims most organizations implement it this way. TRUSTED would certainly eliminate the need to maintain its access permissions. I suspect its access activity is likely to be low so I would be inclined to give its ID UAUDIT to track its access activity if it were made TRUSTED. Nonetheless, I have mixed feelings about giving it TRUSTED. This is not a product on IBM's sanctioned TRUSTED list, and I am loath to give any task TRUSTED that is not sanctioned.

To any of you who currently have DSCMON on your system or previously worked with it, how have you implemented RACF controls? Has it been given TRUSTED authority? If so, was its ID also given UAUDIT? If not TRUSTED, how have its READ permissions to all the Linklist libraries been maintained? Is there an alert for the addition of libraries to Linklist? Has a RACF exit been implemented to grant it access?

I look forward to reading your replies.

Regards, Bob

Robert S. Hansel
2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
http://www.linkedin.com/in/roberthansel
http://www.rshconsulting.com/
--------------------------------------------------------------------------
Upcoming RSH RACF Training - WebEx
- RACF Level I Administration - OCT 7-11, 2024
- RACF Level II Administration - NOV 4-8, 2024
- RACF Level III Admin, Audit, & Compliance - DEC 9-13, 2024
- RACF - Securing z/OS UNIX - SEPT 23-27, 2024
- zSecure Admin - Basic Administration - NOV 19-22, 2024
--------------------------------------------------------------------------

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
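
The thread raises the idea of an alert when libraries are added to the Linklist so that READ permissions can be reviewed. The following is an added example, not code from either poster or from the DSCMON product: it reconciles a captured Linklist display against a baseline of libraries where READ for the started task's ID was last confirmed. The display text and the baseline are constructed, and the column layout (modeled on a D PROG,LNKLST display) is an assumption.

```python
import re

# Constructed sample modeled on a D PROG,LNKLST display. The exact column
# layout is an assumption; adjust ROW to match the output on your system.
SAMPLE_DISPLAY = """\
LNKLST SET LNKLST01  LNKAUTH=LNKLST
ENTRY  APF  VOLUME  DSNAME
    1   A   ZOSRES  SYS1.LINKLIB
    2   A   ZOSRES  SYS1.MIGLIB
    3   A   ZOSRES  SYS1.CSSLIB
    4       USR001  PROD.TOOLS.LOADLIB
    5   A   USR001  VENDOR.NEWPROD.LINKLIB
"""

# Constructed baseline: libraries where READ for the monitor's ID was last
# confirmed (for example, at the previous change-control review).
CONFIRMED_READ = {
    "SYS1.LINKLIB", "SYS1.MIGLIB", "SYS1.CSSLIB",
    "SYS1.OLDLIB", "PROD.TOOLS.LOADLIB",
}

# entry number, optional APF flag "A", volume serial, data set name
ROW = re.compile(r"^\s*(\d+)\s+(?:(A)\s+)?(\S+)\s+([A-Z0-9$#@.-]+)\s*$")

def parse_lnklst(display):
    """Return {dsname: {"entry", "apf", "volume"}} for each library row."""
    libs = {}
    for line in display.splitlines():
        m = ROW.match(line)
        if m:  # header and title lines do not start with an entry number
            entry, apf, volume, dsn = m.groups()
            libs[dsn] = {"entry": int(entry), "apf": apf == "A", "volume": volume}
    return libs

def reconcile(display, confirmed):
    """Compare the active Linklist with the confirmed-READ baseline."""
    libs = parse_lnklst(display)
    current = set(libs)
    new = current - confirmed
    return {
        "needs_permit_review": sorted(new),               # added since baseline
        "stale_in_baseline": sorted(confirmed - current), # no longer in Linklist
        "new_and_apf": sorted(d for d in new if libs[d]["apf"]),
    }

if __name__ == "__main__":
    for key, names in reconcile(SAMPLE_DISPLAY, CONFIRMED_READ).items():
        print(f"{key}: {', '.join(names) or 'none'}")
```

A non-empty `needs_permit_review` list is the alert condition; `stale_in_baseline` points at permissions that may no longer be needed.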
