Mark Zelden wrote:

>> Use RACF LOGOPTIONS ALWAYS for OPERCMDS class.

>(playing devil's advocate a bit here)

You may do that, but cool off please... ;-D

>Why? Do you insist on logging all access to everything from your system programmers (not just commands - data sets, other resources).

Yes, most of the resources. First, I trusted my colleagues fully, because of TRUST - until some drama happened. Of course I need to balance ability to audit with the quantity of SMF records. The mere fact that everything is logged, certainly made them more careful to READ before entering <ENTER>. ;-D

>Don't you think they can destroy or sabotage a system with much less visibility than a person with SDSF command authority (both are presumed to be "trusted" employees)? SDSF can show the userid who entered the commands and you can set your consoles to require logons as well and then those commands will also be logged in the syslog/operlog.

Problem is NOT within SDSF alone. You can enter commands from other systems and batch jobs too. Still I realize the most damage can come from insiders and trusted persons.

Ed Gould wrote:

>One of the issues (using RACF as an example) is that I can't trust the RACF person all the time.

RACF persons are unpopular. Look in RACF-L. RACF and RACF persons are guilty until proven innocent according to a lot of members there. ;-D

>I have seen them bend to political pressure rather than arguing.

It is not about politics. I just ignore politics and state my business case WHY I do something.

>He tried an end run on that and I caught him. He got kicked out on his keister.

Good! No one will mess with you again, here or in a galaxy far far away! ;-)

>Rick Fochtman wrote:

>Political pressure can be resisted; it just depends on the courage of the resistor. A good explanation of the risks and advantages involved can make a BIG difference.

Agreed.

>To disallow any Assembler programming seems a bit paranoid to me. A decent review process can prevent any misuse or abuse and there are a few types of things that can't be done (or couldn't until recently be done) except in Assembler, such as system exits and processing of certain SMF records. Seems to me that a consultant should have access to the tools he needs to do his job, subject to a thorough review by appropriate KNOWLEDGEABLE staff members. Especially in the case of programs that need to be AUTHORIZED.

Agreed. My sources are open for anyone inside my work for review.

Groete / Greetings
Elardus Engelbrecht

