I definitely agree with your points. The security admin staff should be sharp, smart people. However, I have worked for more than one company whose security admin staff were nothing more than "dumb command issuers". They might have run DSMON once or twice in an audit cycle (which could be several years). Those companies did not allocate resources to hire smart security people or to educate the people they had. I've also worked with incredibly smart RACF people. They don't need or want my suggestion. Like you, they would not want to pay for such a feature in money, CPU, or I/O. My suggestion was for the below-average security dept, which I have encountered all too often. However, I still believe that someone, someday will design a security feature to automatically provide better protection for all the system libraries, APF, Linklist, etc. for the below average.
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of R.S.
Sent: Wednesday, April 07, 2010 10:10 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition required for any SMP/E use

No, a single DATASET profile is not a problem; the problem is to automatically update the list of APF libraries in RACF. In fact, you propose an additional check for updating APF libraries just because they are APFed. Some kind of wizard (no irony) checking the APF attribute dynamically. The same job can be done manually by a simple DSMON report which lists all the APF libraries. I would not pay for such a change. It could also be costly in terms of CPU and I/O. Last, but not least, it does not exhaust the possible holes - there are LNKLST (usually run authorized), LPA, exits, etc. Those object lists are easily available by a command and can be compared to RACF protection.

BTW: a RACF admin shouldn't be a dumb command issuer. His responsibility is to define/change the profiles as well as document the changes, as well as understand the changes (to know what ABC.DEF.APFLOAD is, etc.). In many cases the RACF admin creates the security policy (maybe he shouldn't, but he does), and decides who should have access to APF, LPA, etc.

--
Radoslaw Skorupka
Lodz, Poland

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html