If that's the case - you don't grant access. I am objecting to the
automatic assumption that there's a security problem because someone wants
to use a driver to read a z/OS volume. Just as if I have a confidential
file on my 191 disk... I don't grant access even if the rest of the files
are completely benign.

Note that none of us has really contributed to answering Tore's question.

Scott Rohling

On Fri, Jun 10, 2011 at 8:01 AM, Alan Altmark <alan_altm...@us.ibm.com> wrote:

> On Thursday, 06/09/2011 at 04:15 EDT, Scott Rohling
> <scott.rohl...@gmail.com> wrote:
> > Implementing the driver isn't an auditable offense... gaining access to the
> > volume through a DEDICATE or LINK, etc. is another story - but that shouldn't
> > discourage use of the driver. I see little difference between this and the
> > cmsfs driver... access to a z/OS or CMS disk is auditable (or should be) -
> > the ability to read a z/OS volume or CMS disk is not.
>
> In the z/OS case, I must, in general, disagree.  The problem is that MVS
> volumes can contain multiple datasets and MVS access controls are at the
> dataset level, not volume.  (Subject to DASDVOL authority.)
>
> I did make the exception for an MVS volume very specifically constructed
> for this purpose.  But that also means additional controls on who can
> allocate datasets on the volume.  They better be only the Users Who
> Understand The Implications.
>
> LINK to a fullpack minidisk would provide RACF control & audit on VM.
> ATTACH/DEDICATE does not yet do so.  For CMSFS, you can make the
> reasonable argument that the volumes are owned by the VM system and the
> audit records are properly contained there as CMS files on minidisk are
> authorized at the virtual volume level.
>
> Alan Altmark
>
> z/VM and Linux on System z Consultant
> IBM System Lab Services and Training
> ibm.com/systems/services/labservices
> office: 607.429.3323
> mobile: 607.321.7556
> alan_altm...@us.ibm.com
> IBM Endicott
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or
> visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
> ----------------------------------------------------------------------
> For more information on Linux on System z, visit
> http://wiki.linuxvm.org/
>
