I've got a horse in this race (http://s23.a2zinc.net/clients/SHARE/Winter2016/Public/SessionDetails.aspx?F romPage=Sessions.aspx&SessionID=312&SessionDateID=8) but you might consider real-time auditing of ALTER access to the datasets as a way of mitigating the risk (for the auditors).
We also have an installation that runs this http://marc.info/?l=racf-l&m=137035593915579&w=2 program. Combining that approach with real-time auditing would seem to provide a great combination of "whatever the sysprog needs" with excellent accountability for the auditors. Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Arthur Sent: Thursday, April 28, 2016 9:32 PM To: [email protected] Subject: Re: Alter access to datasets On 28 Apr 2016 18:43:27 -0700, in bit.listserv.ibm-main (Message-ID:<[email protected]>) [email protected] (gsg) wrote: >As part of a systems programmer duties, they have ALTER access to many >datasets. They need/require this access to install, upgrade, maintain >and resolve problems. Audit has been pushing more and more to remove >the ALTER access. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
