Hi Victor,

This is probably the answer you have considered and rejected.

If you require field level security for this production data you need to get that data moved out of sequential or VSAM files and into a DBMS like DB2. DB2 provides the granular security and encryption you require. The time to develop and support the subsystem you are proposing, even if it is technically possible, is going to be cost prohibitive to any commercial concern. Migration of the data to a DBMS will have benefits well beyond providing the multilevel security access you require.

One useful reference: Multilevel Security and DB2 Row-Level Security Revealed
http://www.redbooks.ibm.com/abstracts/sg246480.html

Best Regards,
Sam Knutson, GEICO
Performance and Availability Management
mailto:[EMAIL PROTECTED]
(office) 301.986.3574

"Think big, act bold, start simple, grow fast..."

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Gil, Victor x28091
Sent: Thursday, March 23, 2006 3:14 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: How to "marry" subsystem and dynamic allocation

Good afternoon, IBM-MAIN

We'd like to be able to prevent certain "confidential" fields in production files from being revealed to "unauthorized" users while still allowing access to the rest of the record. From the users' perspective these files are read-only and are accessed through TSO, batch or CICS for testing or comparison purposes.

The total volume of such files is huge and changes daily, so cloning them and altering the sensitive fields is not an option. The only other option we can think of is to develop an in-house method of intercepting and altering records while they are being read, transparently to the application.

Here's what we've researched so far:

- In CICS this should be easily achievable through the file control exit. The exit would look up the dataset in a table and if found, apply a corresponding "rule".
- In batch we would implement a subsystem that would intercept each [sequential] I/O and alter the record using the very same rules.

What do we do in TSO? Generally, how do we intercept records of a dynamically allocated file? There is a system-wide dynalloc input validation exit, IEFDB401, and it might be able to add "SUBSYS=..." to the DYNALLOC requests, but this would severely overtax all other dynamic allocations in the shop.

Appreciate all and any ideas, as crazy as they might sound

-Victor-
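
The dataset lookup and per-field "rule" described in the original message can be sketched as follows. This is an added example, not code from the thread or from any CICS exit or subsystem; it is written in Python for illustration only, and the dataset names, field offsets and sample record are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Constructed rule table: dataset-name pattern -> (offset, length) of each
# confidential field in the fixed-layout record. All names are hypothetical.
RULES = {
    "PROD.PAYROLL.MASTER": [(10, 9), (30, 8)],  # e.g. an ID number and a salary
    "PROD.CLAIMS.*": [(0, 12)],
}
FILL = "*".encode("cp037")  # EBCDIC asterisk used to overwrite masked bytes

# Constructed 40-byte EBCDIC record: id(10) + number(9) + name(11) + salary(8) + state(2)
SAMPLE = "EMP0000042123456789J SMITH    00075000NY".encode("cp037")


def find_rule(dsname):
    """Return the field list for the first matching pattern, or None."""
    for pattern, fields in RULES.items():
        if fnmatchcase(dsname, pattern):
            return fields
    return None


def mask_record(dsname, record, authorized):
    """Return the record as the reader should see it; length is preserved."""
    fields = find_rule(dsname)
    if authorized or fields is None:
        # Authorized reader, or dataset not in the table: pass through unchanged.
        return record
    out = bytearray(record)
    for offset, length in fields:
        # Clamp to the record end so short or variable-length records are
        # masked as far as they go instead of being extended.
        end = min(offset + length, len(out))
        if offset < end:
            out[offset:end] = FILL * (end - offset)
    return bytes(out)


if __name__ == "__main__":
    print(mask_record("PROD.PAYROLL.MASTER", SAMPLE, False).decode("cp037"))
```

Because the same table drives every access path, the masking result is identical whichever interception point calls it; a dataset missing from the table is returned unmasked, so the table's completeness is the control that needs auditing.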