We have VM:Secure, but the same question came up the other day.  We have
application userids that have a number of developers authorized to use
LOGONBY, but the application owners don't want those developers to be
able to change the Rules files for those userids.  They want that
authority restricted to just a couple of people.  VM:Secure normally
prompts for the directory password when a user enters a command to
modify the directory or Rules file.  If the password is LBYONLY, then
the user enters LBYONLY in response to the prompt.  There's also an
authorization similar to DIRM NEEDPASS NO to remove the prompt.  The
solution for this application was to withhold the authorization for the
userids to manage their own Rules files, and grant it to an
administrator userid that only the Rules administrators could LOGONBY
to.

As far as security and audit trails go, there's no functional difference
between an audit trail that says userid DENNIS did LOGONBY to MAINT and
then MAINT did VMSECURE EDIT RSCS, vs an audit trail that says userid
DENNIS did VMSECURE EDIT RSCS, except that the first version takes more
steps to follow.

To the question of whether DIRM NEEDPASS YES is still needed, our
security standards require re-authentication, i.e. enter your password,
at the time a password is changed.  Even though we're not a DIRMAINT
customer, I'm sure there are DIRMAINT shops with the same requirement.

I've used DIRMAINT before, and I agree that the setup and configuration
is arcane.  My suggestion for changing it is to make it look just like
VM:Secure.

                                                       Dennis O'Brien
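As an added illustration of the two-step audit trail described above (this is not code from any poster, nor from z/VM, VM:Secure or DIRMAINT), here is a small Python model that walks a constructed trail and resolves "DENNIS did LOGONBY to MAINT, then MAINT did VMSECURE EDIT RSCS" back to the person behind the command. The record layout (sequence number, userid, event, detail) and the sample records are assumptions made for the example; real audit formats differ.

```python
"""Resolve LOGONBY audit records to the person behind each command.

Added example only: the record layout and the sample trail below are constructed
for illustration and are not the z/VM, VM:Secure or DIRMAINT audit formats.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    seq: int       # position in the trail (records are walked in this order)
    userid: str    # userid the event was recorded against
    event: str     # "LOGONBY", "LOGOFF" or "COMMAND"
    detail: str    # LOGONBY: target userid; COMMAND: command text; LOGOFF: ""


@dataclass(frozen=True)
class Attribution:
    command: str
    surrogate: str     # userid that actually issued the command (e.g. MAINT)
    person: str        # userid resolved through the LOGONBY chain
    via_logonby: bool  # False when no LOGONBY session covered the command


def attribute_commands(trail):
    """Walk the trail in order, tracking who is behind each LOGONBY session.

    A COMMAND issued by a userid with no active LOGONBY session is attributed
    to that userid itself (via_logonby=False): either a personal userid acting
    directly, or a shared userid logged on with its own password, which is the
    case an auditor wants to notice because the person cannot be resolved.
    """
    active = {}   # surrogate userid -> person who did LOGONBY to it
    out = []
    for rec in sorted(trail, key=lambda r: r.seq):
        if rec.event == "LOGONBY":
            active[rec.detail] = rec.userid
        elif rec.event == "LOGOFF":
            active.pop(rec.userid, None)
        elif rec.event == "COMMAND":
            person = active.get(rec.userid)
            out.append(Attribution(
                command=rec.detail,
                surrogate=rec.userid,
                person=person if person is not None else rec.userid,
                via_logonby=person is not None,
            ))
    return out


def unresolved_shared_use(attributions, shared_userids):
    """Return commands on shared userids that no LOGONBY session explains."""
    return [a for a in attributions
            if a.surrogate in shared_userids and not a.via_logonby]


# Constructed sample trail (not real audit data).
SAMPLE_TRAIL = [
    AuditRecord(1, "DENNIS", "LOGONBY", "MAINT"),
    AuditRecord(2, "MAINT", "COMMAND", "VMSECURE EDIT RSCS"),
    AuditRecord(3, "MAINT", "LOGOFF", ""),
    # Shared userid used again with no LOGONBY record: person cannot be resolved.
    AuditRecord(4, "MAINT", "COMMAND", "VMSECURE EDIT RSCS"),
    # The one-step form: the person issues the command from their own userid.
    AuditRecord(5, "DENNIS", "COMMAND", "VMSECURE EDIT RSCS"),
]


if __name__ == "__main__":
    for a in attribute_commands(SAMPLE_TRAIL):
        print(a)
    print("unresolved:", unresolved_shared_use(attribute_commands(SAMPLE_TRAIL), {"MAINT"}))
```

The first record pair resolves to DENNIS acting as MAINT; the fourth record shows the gap that Colin's "all privileged userids are LOGONBY" policy is meant to close, since a direct password logon to a shared userid leaves no person to attribute the command to.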

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Alan Altmark
Sent: Thursday, February 12, 2009 06:22
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] Setting DIRM NEEDPASS NO in a LOGONBY user

On Thursday, 02/12/2009 at 04:16 EST, Colin Allinson
<cgallin...@amadeus.com> wrote:
> Alan Altmark <alan_altm...@us.ibm.com> wrote:
> >
> > I would say "No."  You have LOGON BY access, but that doesn't confer
> > "modify the directory" permission.  If MAINT is LBYONLY (in the RACF
> > sense) then you need to make such changes from another user who is
> > authorized to act FOR MAINT.
>
> From my point of view I would have thought that this is not what you
> would want. In our installation, for security reasons, privileged
> functions are not carried out on personal userids and all privileged
> userids (including MAINT) are LOGONBY. This means there is an audit
> trail of who did what.
>
> MAINT has been set to 'DIRM NEEDPASS NO' for as long as I can remember
> so I can't remember how we did that in the first place but it is
> certainly what we would want.  The alternative is for function to be
> distributed and then you have little chance of following or
> controlling/auditing what is going on.

I'm not denying the requirement (need/desire) for the capability.  The
question was asked whether the way it works is correct or not.  It is
working as we (IBM) intend.  Over time I hope to provide better controls
for this sort of thing.  It was not until recently that LOGON BY
considerations began to appear in implicit authorizations.

This leads me to ask:  Is NEEDPASS YES still needed?  I view it as an
anachronism from an older time when we didn't have autolock screensavers
and generally more stringent workstation security policies.  No more
"always on" terminals.

Alan Altmark
z/VM Development
IBM Endicott
