In all the mainframe shops I've worked in, HLQ alias creation is a step in the userid creation process, meaning almost certainly the 'security folks'. Of course they use tools provided by the system folks, but in a larger shop, they're different people in different departments and maybe in different corporate divisions.
I've always considered outrageous the common middleware practice of having 'sysadmins' do everything from OS installation to userid management. If I were an auditor...

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Paul Gilmartin
Sent: Tuesday, June 26, 2018 10:40 AM
To: [email protected]
Subject: (External):Re: ALIAS

On Tue, 26 Jun 2018 06:30:19 -0500, Elardus Engelbrecht wrote:

> ...
>So, in this scenario, all TSO ids can create their own ALIAS in a
>catalog upon logon? (unless that routine CREATEALS has its own assigned
>user id authorized to create an ALIAS on the logging-on TSO id.)
>
Isn't that what AC=1 is for? Then CREATEALS must be examined and reviewed so it creates no integrity exposure.

>AFAIK, I believe only specially assigned persons (usually Storage Admins) may
>create ALIAS in a catalog. This is to protect the catalog system and to ensure
>only approved HLQ can be used at all.
>
"a catalog"? Of course the master catalog must be suitably protected. Otherwise, users should be as free to create ALIAS entries as data set entries. I've done so routinely. This is reminiscent of Windows requiring admin authority to use the mklink command. Wisely, the UNIX "ln" command requires no special privilege.

>Of course, if you can do it, good for you simply it makes the administration of
>the TSO ids and Catalogs much easier.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
