I understand your security group's point of view. I understand yours as well.
When considering this there are a couple of extra points.

Firstly, when a task is given the Trusted attribute then it effectively has 
UID(0) as well as gaining access via each RACF check.

Secondly, when IBM states that a task should be given the attribute of Trusted, 
then I take it to mean that IBM is saying that the task can be trusted that 
this attribute cannot be the source of an exposure for that task. Some tasks 
should not be given the Trusted attribute as it could lead to exposures; or in 
other words, they cannot be trusted. So I take it that XCFAS can be trusted.

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’
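The two definitions being argued over in this thread can be expressed as RACF STARTED-class profiles. The batch TSO job below is an added example, not something posted by either author: it lists which started tasks currently carry TRUSTED, then defines XCFAS the way IBM documents it (TRUSTED, so every RACF authorization check passes) while switching on UAUDIT so the accesses the task actually makes still land in SMF for review. That audit trail is the point for a defender: TRUSTED, unlike PRIVILEGED, still allows its accesses to be logged. The user ID XCFAS, group STCGROUP and the profile name are assumptions, and the submitter is assumed to hold the RACF authority to issue the commands.

```jcl
//RACFSTC  JOB (ACCT),'STARTED CLASS REVIEW',CLASS=A,MSGCLASS=X
//* Added example, not from the mailing-list thread.
//* Assumes: STARTED class is active and RACLISTed; XCFAS runs under
//* user ID XCFAS in group STCGROUP (placeholders); submitter has the
//* authority to issue RDEFINE, ALTUSER and SETROPTS.
//*
//* Step 1  RLIST STARTED * STDATA  -> inventory of every started-task
//*         profile; TRUSTED= YES entries are the ones under discussion.
//* Step 2  RDEFINE ... TRUSTED(YES) -> the IBM-documented definition;
//*         RACF checks for this task always pass. TRUSTED(NO) would
//*         instead subject it to normal profile/permission checks.
//* Step 3  ALTUSER XCFAS UAUDIT    -> log the accesses the trusted task
//*         makes (SMF type 80), so they can be reviewed rather than
//*         silently bypassed; PRIVILEGED would suppress this logging.
//* Step 4  SETROPTS RACLIST REFRESH -> activate the new profile.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RLIST STARTED * STDATA NORACF
  RDEFINE STARTED XCFAS.* STDATA(USER(XCFAS) GROUP(STCGROUP) +
          TRUSTED(YES) PRIVILEGED(NO))
  ALTUSER XCFAS UAUDIT
  SETROPTS RACLIST(STARTED) REFRESH
  RLIST STARTED XCFAS.* STDATA NORACF
/*
```

The first RLIST gives the same starting point the site in Mike Cairns's post would have needed: a list of what is trusted today. Reviewing the SMF records produced under UAUDIT over several IPLs is the non-disruptive way to learn which resources a task touches before anyone considers changing TRUSTED(YES) to TRUSTED(NO) plus explicit PERMITs.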

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Andrew Rowley
Sent: 21 August 2023 00:20
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: XCFAS and TRUSTED

On 20/08/2023 8:53 pm, Mike Cairns wrote:
> I worked at one site many years ago where the local specialist had actually 
> tested across multiple IPLs the necessity for each and every one of these 
> tasks to actually have the TRUSTED attribute and the conclusion was that many 
> of these did not actually need to be TRUSTED and could manage perfectly fine 
> using normal RACF access to resources granted via permissions to profiles.

I worked at a site which did a similar exercise. The risk is:

1) If the doc says it should be trusted, IBM are free to add functions that 
require access to other resources without documenting them. It's possible 
that IBM don't even consider what access would normally be required for an 
address space they specify as TRUSTED, or test it without TRUSTED.

2) There may be functions that are invoked only in unusual circumstances, so 
you only find out that access is missing when you are already dealing with a 
problem.

Not worth the risk, in my view (our security group disagreed!)

--
Andrew Rowley
Black Hill Software

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
