On Wednesday, September 25, 2019, 07:34:05 AM PDT, Allan Staller 
<allan.stal...@hcl.com> wrote:

> That is not considered a good practice in RACF circles. The best practice 
> would be:
>
> MCAT  - UACC(NONE) READ(*)      ALTER(sysprogs) (note: No update access 
> except via sysprogs)

Any system where the master catalog is not tightly controlled is at great risk 
and could become unusable. Any user can delete any alias in this environment. 
Potentially DB2, CICS, IMS or any number of important aliases could be lost. 

It's been many years since I've done anything with security. I believe at that 
time, IDCAMS DELETE NOSCRATCH for non-SMS datasets was not controlled because 
it was only catalog services and no actual I/O was occurring. Has this problem 
been fixed? If not, then anyone can uncatalog sys1.linklib or sys1.lpalib, thus 
causing the IPL to fail. 

Why aren't aliases created at the same time as the User? Additionally, data is 
out of control on your system. The RACF admin has not reviewed the security 
implications for aliases. 

Jon.  

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
