We have VM:Secure, but the same question came up the other day. We have application userids that have a number of developers authorized to use LOGONBY, but the application owners don't want those developers to be able to change the Rules files for those userids. They want that authority restricted to just a couple of people. VM:Secure normally prompts for the directory password when a user enters a command to modify the directory or Rules file. If the password is LBYONLY, then the user enters LBYONLY in response to the prompt. There's also an authorization similar to DIRM NEEDPASS NO to remove the prompt. The solution for this application was to withhold the authorization for the userids to manage their own Rules files, and grant it to an administrator userid that only the Rules administrators could LOGONBY to.
As far as security and audit trails go, there's no functional difference between an audit trail that says userid DENNIS did LOGONBY to MAINT and then MAINT did VMSECURE EDIT RSCS, vs. an audit trail that says userid DENNIS did VMSECURE EDIT RSCS, except that the first version takes more steps to follow. To the question of whether DIRM NEEDPASS YES is still needed, our security standards require re-authentication, i.e., entering your password, at the time a password is changed. Even though we're not a DIRMAINT customer, I'm sure there are DIRMAINT shops with the same requirement. I've used DIRMAINT before, and I agree that the setup and configuration is arcane. My suggestion for changing it is to make it look just like VM:Secure.

Dennis O'Brien 39,585

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Alan Altmark
Sent: Thursday, February 12, 2009 06:22
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] Setting DIRM NEEDPASS NO in a LOGONBY user

On Thursday, 02/12/2009 at 04:16 EST, Colin Allinson <cgallin...@amadeus.com> wrote:
> Alan Altmark <alan_altm...@us.ibm.com> wrote:
> >
> > I would say "No." You have LOGON BY access, but that doesn't confer
> > "modify the directory" permission. If MAINT is LBYONLY (in the RACF
> > sense) then you need to make such changes from another user who is
> > authorized to act FOR MAINT.
>
> From my point of view I would have thought that this is not what you would
> want. In our installation, for security reasons, privileged functions are not
> carried out on personal userids and all privileged userids (including MAINT)
> are LOGONBY. This means there is an audit trail of who did what.
>
> MAINT has been set to 'DIRM NEEDPASS NO' for as long as I can remember so I
> can't remember how we did that in the first place but it is certainly what we
> would want. The alternative is for function to be distributed and then you
> have little chance of following or controlling/auditing what is going on.

I'm not denying the requirement (need/desire) for the capability. The question was asked whether the way it works is correct or not. It is working as we (IBM) intend. Over time I hope to provide better controls for this sort of thing. It was not until recently that LOGON BY considerations began to appear in implicit authorizations.

This leads me to ask: Is NEEDPASS YES still needed? I view it as an anachronism from an older time when we didn't have autolock screensavers and generally more stringent workstation security policies. No more "always on" terminals.

Alan Altmark
z/VM Development
IBM Endicott
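The audit-trail point made above (a LOGONBY trail carries the same information as a direct trail, it just takes more steps to follow) is easy to automate. The following Python is an added example and is not part of the list thread or of any IBM, VM:Secure or DIRMAINT product; the record layout it parses is constructed for illustration and is not the real VM:Secure or RACF audit format. It walks a short audit trail, tracks which person currently holds a LOGONBY session on each shared userid, and rewrites every command run under that userid as the collapsed "DENNIS did VMSECURE EDIT RSCS" form. Commands issued after a direct LOGON with the shared password (the case Colin's policy is designed to prevent) cannot be attributed to an individual and are reported separately.

```python
"""Collapse a LOGONBY audit trail into per-person accountability.

Added example; the record format below is constructed for this
illustration and is NOT the real VM:Secure or RACF audit format.
Each record is: <timestamp> <event> <userid> [<rest>]
  LOGONBY <person> <shared-userid>   person logged on BY to shared userid
  LOGON   <userid>                   direct logon with the userid's password
  LOGOFF  <userid>
  CMD     <userid> <command text>    command issued from that userid
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample trail: two LOGONBY sessions and one direct logon.
SAMPLE_AUDIT = """\
2009-02-12T09:00:01 LOGONBY DENNIS MAINT
2009-02-12T09:03:10 CMD MAINT VMSECURE EDIT RSCS
2009-02-12T09:10:00 LOGOFF MAINT
2009-02-12T10:00:00 LOGON MAINT
2009-02-12T10:02:30 CMD MAINT VMSECURE EDIT APPL01
2009-02-12T10:05:00 LOGOFF MAINT
2009-02-12T11:00:00 LOGONBY COLIN MAINT
2009-02-12T11:01:00 CMD MAINT VMSECURE EDIT RSCS
"""


@dataclass
class Action:
    when: str
    shared_user: str
    person: Optional[str]  # None: no individual can be held accountable
    command: str


def attribute_actions(audit_text: str) -> List[Action]:
    """Return one Action per CMD record, attributed to whoever held the
    LOGONBY session on that userid at the time. A CMD issued under a
    direct LOGON (or with no recorded session at all) gets person=None."""
    sessions = {}  # shared userid -> person logged on BY, or None for direct logon
    actions = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=3)
        ts, event = parts[0], parts[1]
        if event == "LOGONBY":
            person, target = parts[2], parts[3]
            sessions[target] = person
        elif event == "LOGON":
            sessions[parts[2]] = None
        elif event == "LOGOFF":
            sessions.pop(parts[2], None)
        elif event == "CMD":
            user, command = parts[2], parts[3]
            actions.append(Action(ts, user, sessions.get(user), command))
        else:
            raise ValueError(f"unknown audit event in record: {line!r}")
    return actions


def unattributed(actions: List[Action]) -> List[Action]:
    """Actions nobody can be personally held to: the audit gap a
    LOGONBY-only policy is meant to close."""
    return [a for a in actions if a.person is None]


def flatten(action: Action) -> str:
    """Render the collapsed, one-step form of the trail."""
    who = action.person if action.person else f"<direct logon to {action.shared_user}>"
    return f"{action.when} {who} (as {action.shared_user}) {action.command}"


if __name__ == "__main__":
    acts = attribute_actions(SAMPLE_AUDIT)
    for a in acts:
        print(flatten(a))
    print("unattributable:", [a.command for a in unattributed(acts)])
```

Run as a script it prints the three commands with the responsible person substituted for MAINT, and lists the one command that followed a direct logon; in a real shop the same pass over the daily audit extract is what turns "who did LOGONBY to MAINT, then what did MAINT do" into a single line per person.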