On Fri, Jun 5, 2015 at 11:14 AM, Jousma, David <[email protected]> wrote:
> Unless I am missing something, how is it a security issue? You had to
> logon with an id and password. It can access its own home directory, and
> was created based on a template I am assuming you or someone in your shop
> setup.

I can, sort of, see a possible security concern here. At present, to access CICS, a RACF id must have a CICS segment. To access TSO, it must have a TSO segment. A CICS user cannot log in to TSO if they don't have a TSO segment. But, with the automatic UID & GID assignment, that CICS user could, if they were knowledgeable enough, use PuTTY on their PC to connect and have a z/OS UNIX prompt. Depending on the environment, they may then have access to information to which they should not. Especially if the "security" department in the past has been lax because "they can only get to stuff via CICS, so why bother with a lot of unnecessary data set profiles?"

At the very least, the "unauthorized" user could be running stuff "for learning purposes" which would use up CPU and DASD resources (e.g. fill up /tmp) and so impact performance and perhaps even billing (MSU increase). Can _you_ say "fork bomb"?

Also, it could cause other problems with auditing. As in not having any reports for this sort of thing at present because "nobody uses it". So now the auditors and security people may need to be involved. And that may have other, political, repercussions.

--
Yoda of Borg, we are. Futile, resistance is, yes. Assimilated, you will be.

My sister opened a computer store in Hawaii. She sells C shells down by the seashore.

If someone tell you that nothing is impossible: Ask him to dribble a football.

He's about as useful as a wax frying pan.

10 to the 12th power microphones = 1 Megaphone

Maranatha! <><
John McKown

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
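
An audit check for the exposure described in the reply above, as an added example that is not part of the original message: it lists CICS users without a TSO segment and shows whether each already has an OMVS segment or would be a candidate for automatic UID assignment. It assumes the input is a RACF database unload (IRRDBU00) flat file, where record types 0200, 0220, 0230 and 0270 are the user basic, TSO, CICS and OMVS records and the user ID sits in columns 6 to 13; the sample records and user IDs are constructed.

```python
from collections import defaultdict

# IRRDBU00 record types for the user profile segments of interest.
SEGMENTS = {"0200": "BASE", "0220": "TSO", "0230": "CICS", "0270": "OMVS"}


def segments_by_user(lines):
    """Map each user ID to the set of segment names found in the unload."""
    users = defaultdict(set)
    for line in lines:
        rectype = line[0:4]              # columns 1-4: record type
        if rectype not in SEGMENTS:
            continue                     # group, data set, resource records etc.
        userid = line[5:13].strip()      # columns 6-13: user ID
        if userid:
            users[userid].add(SEGMENTS[rectype])
    return users


def cics_only_unix_exposure(lines):
    """Classify CICS users that have no TSO segment by their z/OS UNIX status."""
    findings = {}
    for userid, segs in sorted(segments_by_user(lines).items()):
        if "CICS" not in segs or "TSO" in segs:
            continue
        # OMVS segment present: the ID already has a UNIX identity.
        # Absent: it would receive one if automatic assignment is enabled.
        findings[userid] = "HAS_OMVS" if "OMVS" in segs else "AUTO_ASSIGN_CANDIDATE"
    return findings


# Constructed sample: only the record type and user ID columns are filled in,
# plus a made-up UID field on the 0270 records.
SAMPLE = [
    "0200 CICSU01 ",
    "0230 CICSU01 ",
    "0200 CICSU02 ",
    "0230 CICSU02 ",
    "0270 CICSU02  0000990001",
    "0200 TSOU01  ",
    "0220 TSOU01  ",
    "0230 TSOU01  ",
    "0270 TSOU01   0000001234",
    "0100 SYS1    ",
]

if __name__ == "__main__":
    for userid, status in cics_only_unix_exposure(SAMPLE).items():
        print(userid, status)
```

A report like this gives the auditors a starting list of IDs to review before anyone relies on "they can only get to stuff via CICS".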
