On Tue, 22 Nov 2016, at 18:44, Tony Thigpen wrote:
> As usual, some pc based person only thinks of the way their world works.
> 
> I have been through multiple audits at multiple companies where they 
> accepted that:
> 1) System programmers had two logons. One "normal" and one "higher". The 
> "normal" userid still had some privileged access, but nothing like the 
> "higher" userid which had basically unlimited access.
> 2) Additional audit trails were created for the "higher" userid. Both 
> that fact that they logged on and what they did.
> 3) The systems programmers split their libraries and work processes so 
> that they only used the "higher" userid when really necessary.

The place I worked in, in the 1990s, did this.  We were an ACF2 site.  Each
of us still only used our own userid, which contained flags saying which
sysprog team we were in, so eg write access to SYS1.PARMLIB was only ever
given to MVS team people, who would never have access to IMS or CICS stuff.
The userids also all had an on-call flag which could only be set outwith
normal hours of work, and the dataset/resource rules were all revised so that
anyone with that flag set had higher levels of access and auditing.

It took a while for the non-MVS sysprogs to get used to never having access
to the MVS-team-owned SYS1.PARMLIB etc, but it basically boiled down to them
having to tell us what scheduled changes they wanted made there, and of
course it gave them an incentive to revise PROCs etc so that their products
read parms from PDSs they controlled (which we had no access to).

In an on-call situation you logged in as your normal userid, then executed a
TSO command processor which altered the flag in your ACF2 logonid record and
forced a reload of it in your address space.  So far as I remember, the times
of day at which the command would do this were themselves enforced through
some sort of ACF2 resource rule, which the command processor tested before
either making the change or rejecting it.  I can't remember, but I expect
that when executing this we were re-prompted for our normal password.

I think there was an ACF2 production batch job which revoked the privilege
on all eligible userids, so if you were called in at 0730 and granted
yourself extra access, you'd lose it at 8am, when the normal working-hours
procedures for getting extra access applied instead.

-- 
Jeremy Nicoll - my opinions are my own.
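
The scheme Jeremy describes (per-team ownership of datasets, an on-call flag
that can only be set outside working hours, a start-of-business job that clears
it, and extra auditing while it is set) modelled in Python. This is an added
illustration, not ACF2 syntax, not the site's real rules, and not code from
the original post; the working hours, team names, dataset names, access levels
and the audit format are all assumptions, and the dates used in the demo are
constructed.

```python
"""Model of the on-call access scheme from the post above (added example).

Not ACF2: a plain Python model of the policy.  A logonid record carries a
team and an on-call flag; the "command processor" sets the flag only outside
working hours; a "batch job" clears every flag at start of business; dataset
rules grant a higher level only while the flag is set; every flag change,
every on-call access and every denial is written to an audit trail.
Working hours, team names, datasets and access levels are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, time

WORK_START = time(8, 0)    # assumed normal working hours, Mon-Fri
WORK_END = time(17, 0)

# Assumed dataset rules: (owning team, level for members normally,
# level for members while on call).  Non-members get nothing either way,
# which is the SYS1.PARMLIB point made in the post.
LEVELS = {"NONE": 0, "READ": 1, "WRITE": 2}
RULES = {
    "SYS1.PARMLIB": ("MVS",  "READ", "WRITE"),
    "CICS.SYSIN":   ("CICS", "READ", "WRITE"),
    "IMS.PROCLIB":  ("IMS",  "READ", "WRITE"),
}


@dataclass
class Logonid:
    user: str
    team: str
    on_call: bool = False


@dataclass
class Site:
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def log(self, when, user, event):
        self.audit.append(f"{when:%Y-%m-%d %H:%M} {user} {event}")


def in_working_hours(when):
    return when.weekday() < 5 and WORK_START <= when.time() < WORK_END


def set_on_call(site, user, when):
    """The TSO command processor: sets the flag only outside working hours."""
    if in_working_hours(when):
        site.log(when, user, "ONCALL denied (working hours)")
        return False
    site.users[user].on_call = True
    site.log(when, user, "ONCALL set")
    return True


def revoke_on_call(site, when):
    """The production batch job run at start of business."""
    for rec in site.users.values():
        if rec.on_call:
            rec.on_call = False
            site.log(when, rec.user, "ONCALL revoked by batch job")


def check_access(site, user, dataset, wanted, when):
    """Resource rule: allowed only if the team rule grants >= wanted."""
    rec = site.users[user]
    team, normal, oncall = RULES[dataset]
    if rec.team != team:
        granted = "NONE"
    else:
        granted = oncall if rec.on_call else normal
    ok = LEVELS[granted] >= LEVELS[wanted]
    if rec.on_call or not ok:        # on-call use and every denial are audited
        site.log(when, user, f"{wanted} {dataset} {'OK' if ok else 'DENIED'}")
    return ok


def demo():
    """Walk through a 0730 call-out (constructed dates, a Tuesday)."""
    site = Site()
    site.users = {"MVS01": Logonid("MVS01", "MVS"),
                  "CICS01": Logonid("CICS01", "CICS")}
    t = lambda h, m: datetime(2016, 11, 22, h, m)
    results = [
        check_access(site, "MVS01", "SYS1.PARMLIB", "WRITE", t(7, 20)),  # not on call
        set_on_call(site, "MVS01", t(7, 30)),                            # outside hours
        check_access(site, "MVS01", "SYS1.PARMLIB", "WRITE", t(7, 35)),  # now allowed
        check_access(site, "CICS01", "SYS1.PARMLIB", "READ", t(7, 40)),  # wrong team
    ]
    revoke_on_call(site, t(8, 0))                                        # batch job
    results += [
        check_access(site, "MVS01", "SYS1.PARMLIB", "WRITE", t(8, 5)),   # revoked
        set_on_call(site, "MVS01", t(10, 0)),                            # working hours
    ]
    return results, site.audit


if __name__ == "__main__":
    res, audit = demo()
    print(res)
    print("\n".join(audit))
```

The two properties worth noting are that team membership is checked before
the on-call flag (so the flag raises a team member's level but never crosses
team boundaries), and that the revocation is time-driven rather than relying
on the sysprog to give the privilege back.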

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN