At most installations, I think, they start out with the sysprogs doing 
security, and in the first months or even a year or two that makes sense, while 
things are getting set up and the kinks worked out.  But at every installation 
I've worked at, the security function has evolved sooner or later into a 
separate area.  Usually much later than it should, but what the heck, they 
always get it done eventually.

But at those same shops, when I come aboard as a sec analyst I'm very often 
given the keys not just to the security kingdom but to the system kingdom as 
well.  They know that security jocks aren't sysprogs, but by tradition they 
nevertheless give me the sysprog access, logon procs, ISPF menus and 
everything.  And as a security jock that makes me uncomfortable; I'm afraid 
I'll accidentally trash something important while I'm just trying to explore.

And believe me, security jocks like to explore :).

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* I don't have to attend every argument I'm invited to. */

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Jack Zukt
Sent: Saturday, August 5, 2023 06:08

Role based security is the only kind that is manageable. Any other kind and you 
are playing at security, you are not managing it.

Sysprogs and Secadmins really should be different persons. It is a very 
different role. It is a different mindset. I have worked both roles, sometimes 
both at the same time. From a security perspective, auditors, secadmins and 
sysprogs all should be different persons.

But life can be much easier when you are a sysprog with the special attribute 
and you know the RACF structure well. And the opposite is also true. You 
have a much easier life as a secadmin when you have a solid sysprog background.
