If you have not done so, you may also wish to post this question on the RACF list. The generic question
SHOULD CIC/IMS be able to do this, could be a valid question for them To join, if you have not done so use this URL RACF http://www.listserv.uga.edu/archives/racf-l.html Lizette > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Leonardo Vaz > Sent: Wednesday, April 05, 2017 8:39 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Do you use CA-ACF2 and CICS or IMS? Be aware your CICS/IMS developers > have security admin priviledges and can do whatever they want to the ACF2 > database. > > "And that's working as designed" is the reply I got from CA... and they don't > see it as a security exposure... > > Well, I do see it as a HUGE security exposure, and I would like to know what > my fellow IBM-MAIN'ers think. > > ACF2 has an SVC call facility called "Supercall Facility", which any program > executing under a CICS region or IMS region can use. If they do, they have > unrestricted read/write access to the ACF2 database. > > I just can't get my head around CA thinking that's ok just because it has > "always been that way (TM)". Am I being overdramatic? Do you think it's OK for > CICS/IMS developers to have security admin privileges? > > Thanks for any feedback, > Leo > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN