Compared to what was, access is now limited to the members of a restricted club, accessing a restricted part of CSA. The club administration can select trusted members for the club. I think this is quite acceptable.
Kees. > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:[email protected]] On > Behalf Of Martin Packer > Sent: 10 September, 2019 9:55 > To: [email protected] > Subject: Re: APAR OA56180 / RUCSA > > Up to a point: > > If you are enabled to use User-Key CSA via RUCSA I believe you "have a > ticket to THE party", the ONE AND ONLY party. Meaning you can access other > users' allocations of User Key CSA. > > Someone correct me if I've got this wrong. > > If I'm right auditors might not be quite so happy. > > Thanks, Martin > > Martin Packer > > zChampion, Systems Investigator & Performance Troubleshooter, IBM > > +44-7802-245-584 > > email: [email protected] > > Twitter / Facebook IDs: MartinPacker > > Blog: > https://www.ibm.com/developerworks/mydeveloperworks/blogs/MartinPacker > > Podcast Series (With Marna Walle): https://developer.ibm.com/tv/mpt/ or > > https://itunes.apple.com/gb/podcast/mainframe-performance- > topics/id1127943573?mt=2 > > > Youtube channel: https://www.youtube.com/channel/UCu_65HaYgksbF6Q8SQ4oOvA > > > > From: "Vernooij, Kees (ITOP NM) - KLM" <[email protected]> > To: [email protected] > Date: 10/09/2019 08:37 > Subject: Re: APAR OA56180 / RUCSA > Sent by: IBM Mainframe Discussion List <[email protected]> > > > > I think security auditors should be happy, provided they have done their > homework. > CSA was wide open to everybody since the beginning, the option to close > the gate (userkeycsa(no)) is available for a decade already and now the > gate can be controlled in detail. > > Kees. > > > > -----Original Message----- > > From: IBM Mainframe Discussion List [mailto:[email protected]] On > > Behalf Of Paul Gilmartin > > Sent: 09 September, 2019 21:21 > > To: [email protected] > > Subject: Re: APAR OA56180 / RUCSA > > > > On Mon, 9 Sep 2019 13:19:40 -0400, Tom Conley wrote: > > > > >On 9/9/2019 1:04 PM, Mark Zelden wrote: > > >> On Mon, 9 Sep 2019 07:55:29 -0500, Peter Fatzinger wrote: > > >> > > >>> The 1M increment for RUCSA storage was not chosen haphazardly. We > > understand the scarcity of below-the-line memory, but in order to > provide > > the isolation needed to adequately protect the area we couldn't use any > > increment smaller than 1M. > > >> > > >> I pretty much assumed that, but thanks for the confirmation. > > >> > > >>> Also, in case anyone is unaware, beginning in z/OS V2R4 RUCSA is a > > separately ordered paid feature. > > > > > >Youse wants to break da rules, youse gotta pay. > > > > > How might security auditors look at RUCSA which: > > > > > https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2 > > r3.ieae100/ieae1-rucsa.htm > > Accessible only from address spaces that are running under user IDs > > that have > > SAF READ authority to the IARRSM.RUCSA profile in the FACILITY > class, > > or > > on z/OS(r) V2R3 or earlier systems that have the VSM > > ALLOWUSERKEYCSA(YES) > > parameter specified > > > > I suppose it depends on the breadth of the exposure. > > > > This is vaguely similar to the changes introduced by IO11698: IBM found > > it > > impractical to make the facility secure so they wrapped it with SAF so > the > > onus can be placed on the customer. > > > > -- gil > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to [email protected] with the message: INFO IBM-MAIN > ******************************************************** > For information, services and offers, please visit our web site: > https://urldefense.proofpoint.com/v2/url?u=http- > 3A__www.klm.com&d=DwIGaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=BsPGKdq7-Vl8MW2- > WOWZjlZ0NwmcFSpQCLphNznBSDQ&m=6Vh6B4IO9HnM8cMs55Vw5QY7Q0pcsq9sd3OqA2UDMu8& > s=tDEyoxIOWwL4a9MCwt9GvM-X80I5rNFskT6bOxgCiLk&e= > . This e-mail and any attachment may contain confidential and privileged > material intended for the addressee only. If you are not the addressee, > you are notified that no part of the e-mail or any attachment may be > disclosed, copied or distributed, and that any other action related to > this e-mail or attachment is strictly prohibited, and may be unlawful. If > you have received this e-mail by error, please notify the sender > immediately by return e-mail, and delete this message. > > Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its > employees shall not be liable for the incorrect or incomplete transmission > of this e-mail or any attachments, nor responsible for any delay in > receipt. > Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch > Airlines) is registered in Amstelveen, The Netherlands, with registered > number 33014286 > ******************************************************** > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > > > > > Unless stated otherwise above: > IBM United Kingdom Limited - Registered in England and Wales with number > 741598. > Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN ******************************************************** For information, services and offers, please visit our web site: http://www.klm.com. This e-mail and any attachment may contain confidential and privileged material intended for the addressee only. If you are not the addressee, you are notified that no part of the e-mail or any attachment may be disclosed, copied or distributed, and that any other action related to this e-mail or attachment is strictly prohibited, and may be unlawful. If you have received this e-mail by error, please notify the sender immediately by return e-mail, and delete this message. Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its employees shall not be liable for the incorrect or incomplete transmission of this e-mail or any attachments, nor responsible for any delay in receipt. Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch Airlines) is registered in Amstelveen, The Netherlands, with registered number 33014286 ******************************************************** ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
