Ian MacLure([EMAIL PROTECTED])@Sun, Nov 27, 2005 at 06:31:28PM -0800:
> ------------------------------
> Message: 7
> Date: Sat, 26 Nov 2005 15:05:48 -0800
> From: Wade Curry <[EMAIL PROTECTED]>
>
> <SNIPPET>
> MVS is stretching me again as I learn a new security system (RACF).
> I have to humbly admit that I am doing better with this than others
> who know the *system* better because I understand the *importance*
> of it, while some still are only annoyed &/or intimidated by it.
> (It's very much based on ACL's, by the way)
> <SNIPPET>
>
> RACF?
>
> Is that still around?
> It was state of the art in the heavy iron world 20+ years ago.
> Wasn't very secure IMHO. Apparently wasn't too difficult to
> compromise according to some colleagues at the time.
>
> IBM

Yep, it's still around. Security is very modular, or so I'm told. RACF is the IBM product, though, so I think it is actually fairly ubiquitous. I can't compare it to older versions. I don't know of vulnerabilities other than the user-introduced variety.

At this point I have to dance around the edges of my knowledge. MVS training these days is mostly on-the-job, learning from people with strong experience and ability, but who have forgotten a lot of what they knew. I'm not working with the SYSPROGs, so that is part of it. My knowledge has some good sized holes in it as a result.

RACF has only presented one issue that really bothered me. The issue is that I wanted to give a job access to only the one dataset that it needed. I defined that dataset's profile as HLQ.WHATEVER.JCLLIB and gave the job read-only access. Well, other jobs and users needed access to that dataset, too. However, they were given their access using HLQ.** as the dataset profile. The effect is that only the most fully qualified profile will be used to determine who gets access. So my defining that profile actually removed access that was granted in the more general one.

I understand the purpose. It does make it difficult to create a profile that doesn't wreck existing permissions. It has encouraged people to use the most general profiles they can, and subverts the goal of having security in place.

Wade Curry
syntaxman

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
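
Added example (not part of the original message, and not RACF's own code): a simplified Python model of the "most fully qualified profile wins" behaviour described above, used as a pre-change check that lists who would lose access if HLQ.WHATEVER.JCLLIB were defined beside HLQ.**. The user and job names, the access lists and the two-form profile matching are assumptions made for illustration.

```python
# Simplified model (assumption): a profile is either a fully qualified dataset
# name or a generic ending in ".**"; UACC, groups and other generic forms are ignored.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

def matches(profile, dataset):
    if profile.endswith(".**"):
        return dataset.startswith(profile[:-2])   # "HLQ.**" covers "HLQ.<anything>"
    return profile == dataset

def governing_profile(profiles, dataset):
    """Return the single most specific matching profile, or None."""
    hits = [p for p in profiles if matches(p, dataset)]
    # Fully qualified beats generic; among generics the longer prefix wins.
    return max(hits, key=lambda p: (not p.endswith(".**"), len(p)), default=None)

def access(profiles, dataset, user):
    # Only the governing profile's access list is consulted; nothing is inherited.
    acl = profiles.get(governing_profile(profiles, dataset), {})
    return acl.get(user, "NONE")

def lost_access(profiles, new_profile, new_acl, datasets):
    """List (dataset, user, before, after) where adding new_profile lowers access."""
    after = {**profiles, new_profile: new_acl}
    users = sorted({u for acl in after.values() for u in acl})
    return [(ds, u, access(profiles, ds, u), access(after, ds, u))
            for ds in datasets for u in users
            if LEVELS.index(access(after, ds, u)) < LEVELS.index(access(profiles, ds, u))]

def carried_acl(profiles, dataset, new_acl):
    """Start the new profile from the currently governing access list, then add new_acl."""
    return {**profiles.get(governing_profile(profiles, dataset), {}), **new_acl}

# Constructed sample data; user and job names are hypothetical.
PROFILES = {"HLQ.**": {"ALICE": "READ", "BATCH2": "UPDATE"}}
DATASETS = ["HLQ.WHATEVER.JCLLIB", "HLQ.OTHER.DATA"]
NEW = "HLQ.WHATEVER.JCLLIB"

if __name__ == "__main__":
    for row in lost_access(PROFILES, NEW, {"NIGHTJOB": "READ"}, DATASETS):
        print("would lose access:", row)
    safe = carried_acl(PROFILES, NEW, {"NIGHTJOB": "READ"})
    print("after carrying ACL forward:", lost_access(PROFILES, NEW, safe, DATASETS))
```

Carrying the governing access list into the narrower profile before adding the job's own permit keeps the least-privilege grant without silently revoking anyone else.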
