> Not worth the risk, in my view (our security group disagreed!)

In the Army they taught me that unauthorized denial of service is also a security breach.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Andrew Rowley [and...@blackhillsoftware.com]
Sent: Sunday, August 20, 2023 7:20 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: XCFAS and TRUSTED

On 20/08/2023 8:53 pm, Mike Cairns wrote:
> I worked at one site many years ago where the local specialist had actually
> tested across multiple IPLs the necessity for each and every one of these
> tasks to actually have the TRUSTED attribute and the conclusion was that many
> of these did not actually need to be TRUSTED and could manage perfectly fine
> using normal RACF access to resources granted via permissions to profiles.

I worked at a site which did a similar exercise. The risk is:

1) If the doc says it should be trusted, IBM are free to add functions that require access to other resources without documenting them. It's possible that IBM don't even consider what access would normally be required for an address space they specify as TRUSTED, or test it without TRUSTED.

2) There may be functions that are invoked only in unusual circumstances, so you only find out that access is missing when you are already dealing with a problem.

Not worth the risk, in my view (our security group disagreed!)

--
Andrew Rowley
Black Hill Software

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN