z/VM

________________________________

From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Howard Rifkind
Sent: Tuesday, September 23, 2008 9:33 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: LOGONBY


Is LOGONBY a RACF thing or z/VM???
 
T.y.

>>> Graves Nora E <[EMAIL PROTECTED]> 9/23/2008 8:59 AM >>>
And it makes it easy to revoke privileges from a user: just remove the
LOGONBY authority.  This is handy in an environment where roles change
frequently.  And if the person leaves or retires, deleting the User ID
takes care of all access, without scrambling to remember which
seldom-used accounts that the person may have used occasionally.


Nora Graves

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of David Boyes
Sent: Tuesday, September 23, 2008 8:35 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: LOGONBY

> So the only thing you are buying here is that you keep TCPMAINT password
> secret; is that the whole idea behind LOGONBY? So then you only add
> certain user ids to do LOGONBY for this user id, correct?

Think of it more as a role: you are assuming the role of TCPMAINT, using
your own login credentials to validate your claim to the role. 

The idea is minimum privilege; shared ids should not be directly logged
into, because you lose the audit trail of who did what. You give
individual ids minimum privilege (essentially with the combination of
LOGONBY and PROP, there's rarely a real reason for any individual id to
have more than class G), and they authenticate to the shared ID when
they need to do something more powerful, or an extended string of things
that require privileges or access to files w/o having to jump through a
lot of maintenance-intensive hoops. 




