On Tue, 26 Feb 2008 16:08:17 -0800, George Fogg <[EMAIL PROTECTED]> wrote:

>I wrote a REXX interface to our JCL scan product so it can check a
>production userid's access to a dataset resource. I told the folks that use it
>that they must understand the fact that they cannot rely on the results of
>the access when the "real" task opens the dataset in its environment during
>OPEN time if:
>1.) the task at OPEN is running Privileged or Trusted,
>2.) the task at OPEN happened to have a trusted token,
>3.) the task flipped one or more of those "bypass authority checking" bits
>before OPEN,
>4.) the task's REQUEST=AUTH at OPEN was a CSA or PRIVATE request,
>therefore bypassing GAC authority,
>5.) that the Rexx interface call does not check for conditional access
>entries.
>The REXX interface function does a RACROUTE REQUEST=AUTH and uses:
>USERID=user_id (for third party checking)
>STATUS=ACCESS (send back the access code (NONE, READ, UPDATE, CONTROL,
>ALTER))
>LOG=NONE (do not cut SMF audit records)
>And a few other necessary parameters. USERID and LOG require APF.
>I also check if the caller has the authority to use this function with a
>profile in the FACILITY class.

Good description, George.  Thanks.

I'll note that your results should also be inaccurate if they try to use
PADS (Program Access to Data Sets) to grant access only when running a
specific program.  Since your program is a different one, it might indicate
a failure when the actual job would work properly.

That's a case that none of the JCL checking products can handle, as far as I
know, because the results cannot be checked except during actual execution.
Any outside attempt to check them may give either a false "success" or a
false "failure" indication.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design

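For readers who have not written one, here is an added example (not George's
interface and not anything posted in this thread) of the two RACROUTE
REQUEST=AUTH calls he describes, written in HLASM because RACROUTE is an
assembler macro: first a FACILITY class check on the caller, then the
third-party check with USERID=, STATUS=ACCESS and LOG=NONE. The FACILITY
profile name, data set name, volser, userid and the "not permitted" return
code are assumed placeholders; SAFPRRET/SAFPRREA come from the ICHSAFP
mapping. The routine only returns the raw SAF and RACF codes; decoding the
STATUS=ACCESS result into NONE/READ/UPDATE/CONTROL/ALTER is left to the
caller against the RACROUTE Macro Reference for the installed release, and
nothing here changes the OPEN-time caveats (privileged/trusted, bypass bits,
CSA/PRIVATE, conditional access, PADS) raised above.

```hlasm
*---------------------------------------------------------------------*
* JCLCHK: added example, not the code from the thread.                *
* Two RACROUTE REQUEST=AUTH calls: (1) may the CALLER use this        *
* function at all (FACILITY class)?  (2) what access does the target  *
* userid have to the data set (third-party check, STATUS=ACCESS)?     *
* Must run APF-authorized: USERID= and LOG=NONE require it.           *
* Names marked (assumed) are placeholders, not real profiles.         *
* The REXX glue (EFPL argument parsing, setting the result variable)  *
* is omitted; SAFRC/RACFRC/RACFRSN hold the answer on return.         *
* Static storage, so not reentrant; fine for a single-user EXEC.      *
*---------------------------------------------------------------------*
JCLCHK   CSECT
JCLCHK   AMODE 31
JCLCHK   RMODE ANY
         STM   14,12,12(13)        save caller's registers
         LR    12,15
         USING JCLCHK,12
         LA    15,SAVEAREA         own save area, SAF will use it
         ST    13,4(,15)           chain back to caller's
         ST    15,8(,13)
         LR    13,15
*
* (1) Gate the function: caller (current ACEE, no USERID=) needs READ
*     to the FACILITY profile.  Anything but SAF RC 0, including RC 4
*     "no decision" (class inactive, profile missing), fails closed.
*
         RACROUTE REQUEST=AUTH,ENTITYX=FACENT,CLASS='FACILITY',        X
               ATTR=READ,WORKA=SAFWORK,RELEASE=2.6,MF=(E,AUTHLIST)
         LTR   15,15
         BNZ   NOTAUTH
*
* (2) Third-party check: TGTUSER's highest access to DSNENT.
*     STATUS=ACCESS asks RACF for the access level rather than a
*     yes/no against ATTR=; LOG=NONE keeps the probe out of SMF.
*     This is "what RACF says for an ordinary task", which is exactly
*     why it can differ from what happens at OPEN time.
*
         RACROUTE REQUEST=AUTH,ENTITYX=DSNENT,CLASS='DATASET',         X
               VOLSER=DSNVOL,ATTR=READ,USERID=TGTUSER,                 X
               STATUS=ACCESS,LOG=NONE,                                 X
               WORKA=SAFWORK,RELEASE=2.6,MF=(E,AUTHLIST)
         ST    15,SAFRC            SAF return code
         LA    1,AUTHLIST          parameter list begins with the SAFP
         USING SAFP,1
         MVC   RACFRC,SAFPRRET     RACF return code
         MVC   RACFRSN,SAFPRREA    RACF reason code (carries the
*                                  STATUS=ACCESS result; decode it per
*                                  the RACROUTE Macro Reference)
         DROP  1
         L     15,SAFRC            hand SAF RC back in R15 as well
         B     RETURN
NOTAUTH  LA    15,16               (assumed) "caller not permitted"
RETURN   L     13,4(,13)           unchain save areas
         L     14,12(,13)
         LM    0,12,20(13)
         BR    14
*
SAVEAREA DS    18F
AUTHLIST RACROUTE REQUEST=AUTH,RELEASE=2.6,MF=L   list form, reused
SAFWORK  DS    CL512               RACROUTE work area
SAFRC    DS    F
RACFRC   DS    F
RACFRSN  DS    F
* ENTITYX layout: buffer length, actual length, then the name
FACENT   DC    AL2(FACNAML),AL2(FACNAML)
FACNAME  DC    C'JCLSCAN.ACCESS.CHECK'   (assumed) FACILITY profile
FACNAML  EQU   *-FACNAME
DSNENT   DC    AL2(DSNNAML),AL2(DSNNAML)
DSNNAME  DC    C'PROD.PAYROLL.MASTER'    (assumed) data set name
DSNNAML  EQU   *-DSNNAME
DSNVOL   DC    CL6'PROD01'               (assumed) volser
* USERID= points to a 1-byte length followed by the userid
TGTUSER  DC    AL1(7),CL8'PRODBAT'       (assumed) production userid
         ICHSAFP                         SAFP mapping (SAFPRRET/SAFPRREA)
         END   JCLCHK
```

The first call deliberately treats SAF RC 4 the same as RC 8: a missing or
inactive FACILITY profile must not silently let every TSO user run
third-party access probes with LOG=NONE. The second call is the one that
can be "right" for RACF and still wrong for the production job, for the
reasons in the thread; its output is a RACF answer, not a prediction of OPEN.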
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html