An interesting take on ADDSD. We produce a periodic report here on userids with 'elevated access', which includes SPECIAL, OPERATIONS, and AUDITOR (the benign type). OPERATIONS cannot grant privileges but could do a lot of damage. I consider AUDITOR vital for sysprogs in order to diagnose--not necessarily fix--security problems at odd hours. It's been pointed out to me that AUDITOR allows someone to change RACF audit rules. A far-fetched but not inconceivable exposure.
I think that managers here are required now and again to 'confirm' the need for elevated access, but no major battles have ensued within my earshot. ;-)

.
.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of John McKown
Sent: Tuesday, May 17, 2016 8:57 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?

On Tue, May 17, 2016 at 9:41 AM, Mike Schwab <mike.a.sch...@gmail.com> wrote:

> Any ID that can grant privileges to another ID.
>

By the above definition, _every_ id in RACF which has TSO capability is an administrator. How? Suppose that I am BUBBA. I log into TSO. I issue the commands:

ADDSD MY.DATASET UACC(NONE)
PERMIT MY.DATASET ID(FRED) ACCESS(UPDATE)

I have granted privileges to another ID, therefore I am an Admin user.

I would really hope that what the auditor might be satisfied with would be people who are RACF SPECIAL or GROUP-SPECIAL. Of course, many of the z/OS sysprogs on this list know how to make a joke of any security, short of encrypted data to which they don't have the key.

--
The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Maranatha! <><
John McKown