For a while, about 15 years ago, we had "firecall" IDs.  When you logged in, it 
prompted you for information that, in turn, updated RACF with Name, expiration, 
etc.  These IDs were kept in paper form, in the Data Center Manager's office.

Of course, you had to jump thru the flaming hoops of Change Management first!

BobL

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Tuesday, November 22, 2016 2:25 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe systems programmer ID 'vaulting' [ EXTERNAL ]

Isn't this a violation of PCI DSS? "10.1 Implement audit trails to link all 
access to system components to each individual user."

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Bigendian Smalls
Sent: Tuesday, November 22, 2016 7:37 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe systems programmer ID 'vaulting'

This is something I hadn’t heard much about, but a couple questions come to 
mind - for anyone who has thought about or implemented this:

1) If you have a pool of IDs, then are you losing granularity with which you 
might want to assign privileges?  Meaning you now have to have IDs that have 
exactly the same permissions - if they are user-agnostic (among some class of 
users obviously, like DEVs or SYSPROGs or whatever) - Seems like that is back 
to the old, “Create a new id.  What perms to give him? Dunno, just build it 
like Chad’s, they have the same job.”  Which has kind of gone out of style for 
obvious reasons (though still prevalent in practice).

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
