On Thursday, 02/12/2009 at 04:16 EST, Colin Allinson <cgallin...@amadeus.com> wrote:

> Alan Altmark <alan_altm...@us.ibm.com> wrote:
> >
> > I would say "No." You have LOGON BY access, but that doesn't confer
> > "modify the directory" permission. If MAINT is LBYONLY (in the RACF
> > sense) then you need to make such changes from another user who is
> > authorized to act FOR MAINT.
>
> From my point of view I would have thought that this is not what you would
> want. In our installation, for security reasons, privileged functions are not
> carried out on personal userids and all privileged userids (including MAINT)
> are LOGONBY. This means there is an audit trail of who did what.
>
> MAINT has been set to 'DIRM NEEDPASS NO' for as long as I can remember so I
> can't remember how we did that in the first place but it is certainly what we
> would want. The alternative is for function to be distributed and then you
> have little chance of following or controlling/auditing what is going on.
I'm not denying the requirement (need/desire) for the capability. The question was asked whether the way it works is correct or not. It is working as we (IBM) intend. Over time I hope to provide better controls for this sort of thing. It was not until recently that LOGON BY considerations began to appear in implicit authorizations.

This leads me to ask: Is NEEDPASS YES still needed? I view it as an anachronism from an older time when we didn't have autolock screensavers and generally more stringent workstation security policies. No more "always on" terminals.

Alan Altmark
z/VM Development
IBM Endicott