Jon,It seems to me that what you’re saying is that if one works in a badly run z/OS shop with unprotected UserIDs and unscrupulous employees who share their user credentials then that might result in a security exposure. In that regard z/OS is like any other system out there. Ultimately Your arguments fail to convince me of the existence of any actual vulnerabilities in z/OS itself. Keven
Get Outlook for iOS On Sat, Dec 23, 2017 at 1:11 PM -0600, "Jeremy Nicoll" <jn.ls.mfrm...@letterboxes.org> wrote: On Sat, 23 Dec 2017, at 18:40, Jon Perryman wrote: > I only wanted to know why dynalloc is no longer considered an exposure. > When these people did the risk analysis for dynalloc on MVS, what made > them decide why it's not an exposure and does not need to be a > controlled resource? Maybe it's because, in general, allocation of a dataset isn't an issue? Anyone could try to create (ie allocate) a dataset of any name in JCL, but security software would prevent it from actually being created except by those users allowed to do so. Anyone could reference any existing dataset in JCL, but security software will prevent unauthorised users from reading or writing its contents. Maybe your experience is of a site without proper security controls set up? -- Jeremy Nicoll - my opinions are my own.