To Dave's point, there is an exposure that can be exploited to cause denial of service with what appears to be relatively "safe" access levels for production.
Rob Schramm On Tue, Sep 13, 2016, 11:50 AM Steve <[email protected]> wrote: > The challenge you will have is that the user in question had authority to > build > the AIX and the PATH but did not do the BUILD. And he could read the > PRIMARY > KSDS. > > This is an apples and oranges discussion or a Catch-22. > > -----Original Message----- > From: "Roach, Dennis" <[email protected]> > Sent: Tuesday, September 13, 2016 11:45am > To: [email protected] > Subject: Re: IDCAMs DEF AIX authorization > > Since it can, and did, cause a production outage, I voted for it. > > I would think that a production outage would rate higher than a medium > priority. > > Dennis Roach, CISSP, PMP > AIG > IAM Access Administration – Consumer | Identity & Access Management > > 2929 Allen Parkway, America Building, 3rd Floor | Houston, TX 77019 > Phone: 713-831-8799 > > [email protected] | www.aig.com > > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:[email protected]] On > Behalf Of Jousma, David > Sent: Tuesday, September 13, 2016 9:09 AM > To: [email protected] > Subject: Re: IDCAMs DEF AIX authorization > > I did open an RFE for this, if anyone wishes to vote on it, here is the > info. > > > -------------------------------------------------------------------------------------------------------------------------- > Notification generated at: 13 Sep 2016, 10:06 AM Eastern Time (ET) > > ID: 94515 > Headline: Add SAF check on DEF AIX for > RELATE Cluster > Submitted on: 13 Sep 2016, 10:06 AM Eastern > Time (ET) > Brand: Servers and Systems > Software > Product: z/OS > > Link: > http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=94515 > > _________________________________________________________________ > Dave Jousma > Manager Mainframe Engineering, Assistant Vice President > [email protected] > 1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H p 616.653.8429 f > 616.653.2717 > > > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:[email protected]] On > Behalf Of Jousma, David > Sent: Tuesday, September 13, 2016 9:49 AM > To: [email protected] > Subject: Re: IDCAMs DEF AIX authorization > > Steve, > > That’s what I am seeing, and IBM just confirmed it. I guess all we can > do is give the contractor a slap on the hands, and move on. > > > IBM comments: > > Basically, authorization checking is done against the AIX being defined > (ALTER access to the AIX cluster name as shown in the table above) not the > VSAM dataset the AIX relates to. Checking against the related VSAM cluster > will be done when accessed by BLDINDEX. > > So, this is working as intended and documented. If you wish, you could > open an 'enhancement request' to have this behavior changed. > > > > _________________________________________________________________ > Dave Jousma > Manager Mainframe Engineering, Assistant Vice President > [email protected] > 1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H p 616.653.8429 f > 616.653.2717 > > > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:[email protected]] On > Behalf Of Steve > Sent: Tuesday, September 13, 2016 9:33 AM > To: [email protected] > Subject: Re: IDCAMs DEF AIX authorization > > AS I remember, DEF AIX and PATH only operate in the CAT. The BLX would to > the extract to the AIX > > -----Original Message----- > From: "Jousma, David" <[email protected]> > Sent: Tuesday, September 13, 2016 9:19am > To: [email protected] > Subject: IDCAMs DEF AIX authorization > > All, > > I've got a PMR open with IBM asking the question, but thought I'd also > pass this by the brain trust on this list. We recently had an off-shore > contractor do a DEFINE AIX for a TEST dataset name, but RELATEd it to a > PROD dataset name. The process was allowed surprisingly. Contractor > only had read access to prod dataset. The subsequent BLDINDEX did fail > with security violation as expected. Nightly processing of that prod file > failed however due to the empty AIX. Seems like DEF AIX should have been > disallowed if the user didn't have the appropriate access for what it was > related too? > > Dave > > _________________________________________________________________ > Dave Jousma > Manager Mainframe Engineering, Assistant Vice President > [email protected] > 1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H p 616.653.8429 f > 616.653.2717 > > This e-mail transmission contains information that is confidential and may > be privileged. > It is intended only for the addressee(s) named above. If you receive this > e-mail in error, please do not read, copy or disseminate it in any manner. > If you are not the intended recipient, any disclosure, copying, > distribution or use of the contents of this information is prohibited. > Please reply to the message immediately by informing the sender that the > message was misdirected. After replying, please erase it from your computer > system. Your assistance in correcting this error is appreciated. > > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send email > to [email protected] with the message: INFO IBM-MAIN > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send email > to [email protected] with the message: INFO IBM-MAIN > > > This e-mail transmission contains information that is confidential and may > be privileged. It is intended only for the addressee(s) named above. If > you receive this e-mail in error, please do not read, copy or disseminate > it in any manner. If you are not the intended recipient, any disclosure, > copying, distribution or use of the contents of this information is > prohibited. Please reply to the message immediately by informing the sender > that the message was misdirected. After replying, please erase it from your > computer system. Your assistance in correcting this error is appreciated. > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send email > to [email protected] with the message: INFO IBM-MAIN > > This e-mail transmission contains information that is confidential and may > be privileged. It is intended only for the addressee(s) named above. If > you receive this e-mail in error, please do not read, copy or disseminate > it in any manner. If you are not the intended recipient, any disclosure, > copying, distribution or use of the contents of this information is > prohibited. Please reply to the message immediately by informing the sender > that the message was misdirected. After replying, please erase it from your > computer system. Your assistance in correcting this error is appreciated. > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send email > to [email protected] with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > -- Rob Schramm ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
