gsg wrote:

>As part of a systems programmer's duties, they have ALTER access to many
>datasets. They need/require this access to install, upgrade, maintain and
>resolve problems. Audit has been pushing more and more to remove the ALTER
>access.

>Has anyone else been experiencing this?

Nearly everyone, yes of course. Check RACF-L for similar discussions.
Also nearly everyone re-trains those auditors during each audit session. [1]

Like Tom asked, please give us examples of those datasets. 


What you can do is, ensure all installation/upgrade/maintenance are done on a 
separate LPAR, usually a sandbox. Then create a group for SMP/E and add your 
programmers there where needed. Give ALTER on resources as needed.

On production, give minimum access where needed as approved by the owners. Get 
rid of UACC=ALTER unless you have a good reason.

On all systems, give AUDIT(ALL(READ)) for all dataset profiles. There are 
exceptions. I leave it to the student to find it out the hard way...

Ensure you collect each and every SMF record needed for audit. Review your 
global settings. LOGOPTIONS is one example.

I agree with Arthur, you can crack open a z/OS system if you have the tools and the 
know-how without leaving trails. But sooner or later you will be caught out and 
then it is pavement promotion time!

Have your auditors understand that System programmers are to be trusted and 
need accesses to do their work.

Good luck. With those lame auditors you're having, you can try to explain ICH408* 
for failed accesses to OMVS files+folders...

Groete / Greetings
Elardus Engelbrecht

[1] - I have a hard time explaining those GIM.** and 
IRR.PWRESET.OWNER.<blahblah> profiles in FACILITY class.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
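
The setup recommended in the post above, written out as RACF commands. This is an added example, not part of the original post: the group SMPEGRP, the user ID SYSPRG1, the profiles 'SMPE.**' and 'PROD.APPL.**', and the LOGOPTIONS level shown are hypothetical choices, and SYS1 is assumed to be the superior group.

```racf
/* Sandbox LPAR: one group for SMP/E work (hypothetical names)   */
ADDGROUP SMPEGRP SUPGROUP(SYS1) OWNER(SYS1)
CONNECT  SYSPRG1 GROUP(SMPEGRP)

/* Sandbox LPAR: ALTER comes from the group, never from UACC     */
ADDSD    'SMPE.**' UACC(NONE) AUDIT(ALL(READ))
PERMIT   'SMPE.**' ID(SMPEGRP) ACCESS(ALTER)

/* Production LPAR: remove UACC access, then grant only the      */
/* level the dataset owner approved (READ here is an assumption) */
ALTDSD   'PROD.APPL.**' UACC(NONE) AUDIT(ALL(READ))
PERMIT   'PROD.APPL.**' ID(SMPEGRP) ACCESS(READ)

/* Show the resulting access list and audit settings             */
LISTDSD  DATASET('PROD.APPL.**') GENERIC ALL

/* Global settings: list them, then set logging for the DATASET  */
/* class (FAILURES is an example level, not a recommendation)    */
SETROPTS LIST
SETROPTS LOGOPTIONS(FAILURES(DATASET))

/* Pick up the changed generic dataset profiles                  */
SETROPTS GENERIC(DATASET) REFRESH
```

AUDIT(ALL(READ)) on a profile logs both successful and failed accesses at READ or higher, which is what lets the SMF records answer the auditors' questions about who touched a dataset.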