Oh - and to make sure MAINT can't be logged on except by a LOGONBY user:

RAC PERMIT LOGONBY.MAINT CL(SURROGAT) ID(MAINT) ACC(NONE)

Now MAINT can't be logged into directly using its own password.

Scott Rohling

On Wed, Mar 9, 2011 at 9:33 AM, Scott Rohling <scott.rohl...@gmail.com> wrote:

> My suggestion would be to use RACF SURROGAT .. For example:
>
> RAC RDEF SURROGAT LOGONBY.MAINT
> RAC PERMIT LOGONBY.MAINT CL(SURROGAT) ID(YOURID) ACC(READ)
>
> Now, when you login to maint -- they will know who did it. You would
> login to MAINT using:
>
> LOGON MAINT BY YOURID
>
> And enter YOURID password..
>
> This should give them the audit trail they need - and keeps passwords
> private, etc.
>
> Scott Rohling
>
> On Wed, Mar 9, 2011 at 9:28 AM, Vogtmann, Wallace B
> <wvogt...@tcfbank.com> wrote:
>
>> We're new to zVM. Have the system operational with standard IBM supplied
>> User/Guest definitions. For example, we've implemented RACF, DIRMAINT,
>> & PERF TK (soon Omegamon XE).
>>
>> Our security folks don't really like us logging in as MAINT, TCPMAINT,
>> RACMAINT, etc. to do our changes - can't really tell who is doing what.
>> Plus it's hard to have good/secure passwords when we need to have multiple
>> real users login to multiple guests, etc.
>>
>> Are there any examples of what would be good definitions for (1) standard
>> system programmer guest accounts and (2) standard service machines? What
>> RIGHTS and ACCESS definitions should be standard? We only plan on running
>> Linux guests and standard IBM/3rd party tools, so just need a few
>> Users/Guests that have the appropriate access for SysProg support, etc.
>>
>> Basically, we have the system in and operational, but NOW how should we
>> REALLY have it set up to run/manage it securely and effectively? Any
>> RedBooks? I've looked, but don't see any that fit the bill.
>>
>> Thx
>> - Wally Vogtmann
>> - Technical Services
>> - wvogt...@tcfbank.com