Jesse Robinson wrote: >And once you have all protections in place, remember that someone has to have >the key to master catalog. Whoever that is--including you--may occasionally >get caught by a missing alias. At every shop I've worked in, userids are >defined and managed by a non-sysprog department. If they set up a new user, >especially a new sysprog, a missing alias may be caught only after many data >sets have gone to master catalog. So it pays to check now and again even with >all recommended protections set up.
Good catch! I agree 1000000% with you. I would check every day, not now and again, that everything is in order. Just do daily audit on MCAT with event=access and intent = update or higher and outcome = success and failure. retired mainframer wrote: >In addition to protecting the master catalog, you should prohibit HLQs for >which there is not a group or user profile. Then make it part of your >procedures whenever a new user or group is created to simultaneously create >the catalog alias. Indeed. That will save you gray hairs. We have formal procedures for that. Say for new TSO ids, a request must go to 3 teams: RACF, storage and billing. Groete / Greetings Elardus Engelbrecht ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
