There's no way that adding a RACF segment would reduce the exposure. They need to close the loophole. I'm cheering for the auditor, assuming that he's not brain dead.
-- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 ________________________________________ From: IBM Mainframe Discussion List <[email protected]> on behalf of Paul Gilmartin <[email protected]> Sent: Thursday, September 5, 2019 1:34 PM To: [email protected] Subject: Re: Submitting batch if you don't have TSO On Thu, 5 Sep 2019 12:05:30 +0000, Lennie Dymoke-Bradshaw wrote: > >"The problem, of course, is that if I'm authorized to submit jobs with >USER=<region> on the JOB card then I can submit ~any~ such job, to do anything >I want that the region can do." > >The CICS transaction runs under the security context of the region userid. > Looking at the condition in the Subject:, "if you don't have TSO" I wonder, would the exposure somehow be less if the user were given a RACF TSO segment? I wouldn't expect so. -- gil ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
