Create a profile or group named ADMIN, add some users to it, and list
that out for the auditors whenever they ask.
Best case, they will fall for it and you're done. Worst case, you have
a spot (like a paper list but in RACF where it looks more legitimate)
where you at least have a chance of keeping track of users with some
kind (any kind) of elevated access that auditors might be concerned about.
It's a silly idea, but I've had sillier that were put into production.
Tony Harminc wrote:
On 16 May 2016 at 15:47, Jerry Whitteridge
<[email protected]> wrote:
I'd reply to the Auditor "Please define Admin access as there is no one privilege
that grants all access"
But there are several -- perhaps many -- privileges that grant access
to grant all access. For instance, anyone with READ access to
BPX.FILEATTR.APF in the FACILITY class can own your entire system.
Tony H.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
