In ncbblknfeephcaamofkleebmlhaa.r.han...@rshconsulting.com, on
05/02/2010
at 07:04 AM, Robert S. Hansel (RSH) r.han...@rshconsulting.com
said:
For datasets, the ICH408I message and associated SMF type 80 record
will show the Generic profile that was guarding the resource at the
time of the
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Shmuel Metz (Seymour
J.)
In ncbblknfeephcaamofkleebmlhaa.r.han...@rshconsulting.com, on
05/02/2010
at 07:04 AM, Robert S. Hansel (RSH) r.han...@rshconsulting.com
said:
For datasets, the ICH408I message and
Nope. We have other means to make that determination. The unnamed company
in Nevada provides a nice report.
-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf
Of Paul Gilmartin
Sent: Saturday, May 01, 2010 7:05 PM
To:
Gil,
For datasets, the ICH408I message and associated SMF type 80 record will
show the Generic profile that was guarding the resource at the time of the
violation or warning. If they do not specify a profile, it is usually the
case that a Discrete profile (one exactly matching the name of the
Ted,
In those banking environments, did you protect or monitor the use of the
LISTDSD, RLIST, or SEARCH commands and their aliases? As discussed in the
October 2009 issue of our RSH RACF Tips newsletter, these commands offer a
wealth of information to a would-be hacker, and their use is not
In those banking environments, did you protect or monitor the use of the
LISTDSD, RLIST, or SEARCH commands and their aliases?
I wasn't the security admin.
I was just aware of the policy and the potential 'exposure'.
Considering how obsessive most security personel are, I can assume what was
On 04/30/2010 07:43 PM, Edward Jaffe wrote:
Stocker, Herman wrote:
To answer the why needed question:
On occasion security has stated that access has been given only later
to find out that the incorrect access was granted or not granted at
all. Causing jobs to fail and time to be lost,
wants away to check security.
Coming from a Banking background, I believe a user should not have the ability
to check beforehand.
That's a security exposure, because the user may find something that they
normally wouldn't.
Also, don't blame it on out-sourcing.
I've seen incompetent in-house
Who cares if there is decent logging in place.
I also have a banking background (amongst others), and there were situations
where I preferred not
to have code fail unnecessarily. Particularly exits that were checking using
some elses ACEE.
ISTR ACF2 made this more do-able than RACF. No news
On Sat, 1 May 2010 13:01:24 +, Ted MacNEIL wrote:
wants away to check security.
Coming from a Banking background, I believe a user should not have the ability
to check beforehand.
That's a security exposure, because the user may find something that they
normally wouldn't.
I was hoping
Way back when we converted to RACF from Top Secret we received a number of
requests, often from dis-belief that access was still there. What we did to
quickly check that USER1 had access to the HLQ1.NODE2.WHATEVER.** (the user
was connected to multiple groups that made checking timeconsuming)
Some shops allow the use of an API to the security system in order to
allow applications to determine if a user has access to a resource or
not. This can be used to control application behaviour by limiting
the data displayed or the actions available.
To cite a trivial example, an application
Some shops allow the use of an API to the security system in order to allow
applications to determine if a user has access to a resource or not.
This can be used to control application behaviour by limiting the data
displayed or the actions available.
That is a different situation.
That is
On Sat, 1 May 2010 17:02:39 -0400 Don Leahy don.le...@leacom.ca wrote:
:Some shops allow the use of an API to the security system in order to
:allow applications to determine if a user has access to a resource or
:not. This can be used to control application behaviour by limiting
:the data
On Sat, 1 May 2010 11:12:00 -0500, Tony wrote:
1. rdef a surrogat profile USER1.submit and permit ourselves to it.
2. run a batch job as user=USER1 that would attempt to allocate
HLQ1.NODE2.WHATEVER.TESTRACF.FILE.
3. run another job to load a record into said file.
4. run another job to delete
G'day,
I have been asked if there is away for the user to find out what access they
have to a data set before they attempt to update or read it.
Is their any RACF command that a general user could use to find out the type
access they have to a data set?
Thank you.
Regards,
Herman Stocker
Stocker, Herman wrote:
I have been asked if there is away for the user to find out what access they
have to a data set before they attempt to update or read it.
Is their any RACF command that a general user could use to find out the
type access they have to a data set?
Yes, let the general
Remember that this will *not* take into account any logic in the RACF exits (if
any) that can upgrade/downgrade the user's access - plus there might be
volser-specific rules in effect as well.
Rob Scott
Developer
Rocket Software
275 Grove Street * Newton, MA 02466-2272 * USA
Tel:
On Fri, 30 Apr 2010 06:42:08 -0600 Stocker, Herman
herman.stoc...@avisbudget.com wrote:
:I have been asked if there is away for the user to find out what access they
have to a data set before they attempt to update or read it.
Well, they could ask the security guy.
The real issue is why do
Rob Scott wrote:
Remember that this will *not* take into account any logic in the RACF exits
(if any) that can upgrade/downgrade the user's access - plus there might be
volser-specific rules in effect as well.
I know. The OP asked for a command. My example also assumes there is a
GENERIC
Thank you for you fast response.
To answer the why needed question:
On occasion security has stated that access has been given only later to find
out that the incorrect access was granted or not granted at all. Causing jobs
to fail and time to be lost, therefore the user wants away to check
IIRC, it is also a way to verify which profile is covering a file, so if the
SecAdmin said they changed it and it isn't working, you can confirm that the
correct profile was changed.
* Don *
On Fri, Apr 30, 2010 at 10:26 AM, Stocker, Herman
herman.stoc...@avisbudget.com wrote:
Thank you for
Stocker, Herman wrote:
To answer the why needed question:
On occasion security has stated that access has been given only later to find
out that the incorrect access was granted or not granted at all. Causing jobs
to fail and time to be lost, therefore the user wants away to check security.
23 matches
Mail list logo
