Tony Thigpen wrote:

>> 1) System programmers had two logons. One "normal" and one "higher". The 
>> "normal" userid still had some privileged access, but nothing like the 
>> "higher" userid which had basically unlimited access.
>> 2) Additional audit trails were created for the "higher" userid. Both the 
>> fact that they logged on and what they did.
>> 3) The systems programmers split their libraries and work processes so that 
>> they only used the "higher" userid when really necessary.

Good precautions to prevent unintended changes, but it is a PITA! Some of us 
have TWO ids. One as a backup in case your session is busy with something else 
and you're in a hurry or you want to test out changes.


Jeremy Nicoll wrote:

>in, so eg write access to SYS1.PARMLIB was only ever given to MVS team people 
>who would never have access to IMS or CICS stuff.  

Separation of duties. It is a good thing. If you're finished with a task and 
you hand it over, it is over. For example, it was my work to play with 
SYS1.VTAMLST and friends. I handed that over and my accesses were taken away. 
Part of the job. Same with DB2 and CICS, I know how to start/stop and basic 
debugging, but I don't touch the internals. As a RACF person I can give myself 
access, but then I will get in serious trouble...


>I think there was an ACF2 production batch job which revoked the privilege on 
>all eligible userids, so if you were called in at 0730 and granted yourself 
>extra access, you'd lose it at 8am, when the normal working-hours procedures 
>for getting extra access applied instead.

Weird and messy! It is my not so humble opinion of course. Of course some of 
these accesses are temporary by nature, for example during a once-off problem 
solving.

We don't time [1] access based on date/time/type of work, simply for practical 
reasons. What if you need access just when that timed RACF / ACF job is 
running?

It is much easier to lock an application to allow logons during x-y hours 
during a-b days. We do that seldom, however.

Groete / Greetings
Elardus Engelbrecht

[1] - RACF tools can assist you with that. Give PErmits at 03:00. Remove Group 
connection at 08:00 and so on... Modify logon date/time for groups based on 
weekend and holidays.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
