Thirty + years ago (pre-RACF) we put update password on the mastercats. Worked like a charm for us.
Ed > On Dec 14, 2016, at 1:16 AM, Elardus Engelbrecht > <[email protected]> wrote: > > Jesse Robinson wrote: > >> And once you have all protections in place, remember that someone has to >> have the key to master catalog. Whoever that is--including you--may >> occasionally get caught by a missing alias. At every shop I've worked in, >> userids are defined and managed by a non-sysprog department. If they set up >> a new user, especially a new sysprog, a missing alias may be caught only >> after many data sets have gone to master catalog. So it pays to check now >> and again even with all recommended protections set up. > > Good catch! I agree 1000000% with you. > > I would check every day, not now and again, that everything is in order. > > Just do daily audit on MCAT with event=access and intent = update or higher > and outcome = success and failure. > > > retired mainframer wrote: > >> In addition to protecting the master catalog, you should prohibit HLQs for >> which there is not a group or user profile. Then make it part of your >> procedures whenever a new user or group is created to simultaneously create >> the catalog alias. > > Indeed. That will save you gray hairs. > > We have formal procedures for that. Say for new TSO ids, a request must go to > 3 teams: RACF, storage and billing. > > Groete / Greetings > Elardus Engelbrecht > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
