On Wednesday, 12/16/2009 at 02:13 EST, David Boyes <dbo...@sinenomine.net> wrote:
> The CA products are significantly more expensive, but are substantially more
> polished and functional. If you go CA, seriously consider VM:Secure as well
> -- it's dramatically better than RACF/VM if you don't need to share a
> database with z/OS any more.

So. You had to push the Do Not Push button? ;-)

You are painting with a too-wide brush. "Better" is in the eye of the beholder. When choosing an ESM, you need to assess, aside from cost:

- Your skill set. If you have z/OS RACF, then z/VM RACF is a no-brainer. If you have ACF2 or Top Secret on z/OS, then the z/VM equivalents are more palatable. But watch out for functional differences between z/OS and z/VM versions. This applies to both IBM and CA.
- Functionality. If you need mandatory access controls, then RACF is, to the best of my knowledge, the only choice.
- Security policy. Creation of virtual machines vs. authorization to use them may need to be managed separately. VM:Secure's combination of security and directory management is convenient, but may violate local security policy.
- Certifications. z/VM with RACF has received Common Criteria certification to EAL 4+ under both CAPP and LSPP.
- Command syntax. Not. :-) I give high marks to VM:Secure for CMS bigots. RACF is definitely MVS-centric in that respect, though mechanisms are available to let you alter the syntax of the commands. If you add an admin front-end like Tivoli zSecure, you significantly reduce your contact with raw RACF commands and utilities. But command syntax should be the last thing you worry about. (EXECs can hide a lot of sins.)

The IBM and CA offerings are robust, commercial-grade products with their fan clubs and detractors. There are, contrary to what any salesman might say, plusses and minuses with each. As it turns out (wait for it...), people like best what they know best. (An awesome surprise, right?)

Technical comparisons can be difficult without bringing in CA since they do not provide product documentation to the general public. (Product documentation from ca.com is only available after you log in, and that requires a CA customer number.) :-(

While I specifically responded to your point about ESM, similar analysis needs to be performed for any system management products you buy.

Here's a good Best Practice: Buy the one that best fits your needs! :-)

Alan Altmark
z/VM Development
IBM Endicott