Re: PDS Lock

2008-11-10 Thread Walt Farrell
On Tue, 7 Oct 2008 12:30:06 -0700, George Fogg <[EMAIL PROTECTED]> wrote:

>> On Tue, 7 Oct 2008 13:50:21 -0500, Mark Zelden <[EMAIL PROTECTED]>
>> wrote:
>>
>>>On Tue, 7 Oct 2008 14:36:29 -0400, Scott Rowe <[EMAIL PROTECTED]> wrote:
>>>
>>>>I make it a point NOT to have a PASSWORD dataset on my sysres.  I consulted
>>>>at a shop a few years ago that had one, and it was a PITA, since they were
>>>>securing some datasets with password, and others using RACF, believe it or
>>>>not.
>>>
>Walt said:
>>>If they had RACF then nothing was being secured with PROTECT.
>>
>> Password protection should still work on systems using RACF, except for:
>> (a) SMS-managed or VSAM data sets; and
>> (b) data sets protected by (really, known to) RACF.
>>
>> Actually both (a) and (b) apply regardless of security product, as far as I
>> know.
>>
>From the book DFSMSdfp Advanced Services, Chapter 6.
>If SAF is active, password protection is bypassed for all data sets. The
>system performs password validation only if SAF is inactive and the data set
>being accessed is not SMS-managed. The system provides SMS-managed data set
>and catalog protection through the system authorization facility (SAF)
>interface.

Thanks for pointing that out, George.  Via RCF, the book will be updated to say:

If a SAF (system authorization facility)-compliant security product is
active and provides protection for the data set, then the system bypasses
password protection for that data set.  Additionally, the system always
bypasses password protection for VSAM and for SMS-managed data sets.  The
system provides SMS-managed data set and catalog protection through the SAF
interface. For more SAF information, see "System Authorization Facility" in
z/OS MVS Programming: Assembler Services Guide and z/OS MVS Programming:
Assembler Services Reference ABE-HSP. 


-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



Re: PDS Lock

2008-10-14 Thread Steven Liston
I've just returned from holiday and haven't read through all the postings 
for this, so apologies if somebody else has already told you this.

It should be very simple to provide the level of protection you require 
using your Security product (RACF, ACF2 or Top Secret).  If you have some 
form of protection for Production datasets, you certainly have a security 
product of some description.  I'd be surprised if you had a training or 
test LPAR with no security product and astonished if this was part of your 
Production JES MAS or production sysplex.

I am only familiar with RACF, but I believe the other products work in a 
similar way.  The RACF way to do it is:

1) Create a fully qualified dataset profile with no wildcards, e.g. 
aa.bbb.ccc.

2) The new profile should have UACC (Universal Access) of NONE or READ, 
whichever best fits with your requirements.  If you want to prevent 
anybody other than you accessing your dataset, the UACC should be NONE. If 
however you are happy for people to submit your JCL but not change it, 
then UACC should be READ.

3) Your user id should be added to the access list with ALTER access. 

SPECIAL (administrator) attributes are required to carry out the above 
actions.  I presume you will have a System or Security Administration team 
who have this level of access and likely you will have a documented 
process for requesting it (for audit purposes). 

It's worth mentioning that this doesn't offer absolute protection as 
individuals with SPECIAL or OPERATOR attributes on their user profiles 
will override the RACF protection, but this level of access should be 
restricted and audited.

Hope this is of some help.






Ram Balaji <[EMAIL PROTECTED]>
Sent by: IBM Mainframe Discussion List
07/10/2008 18:24
Please respond to: IBM Mainframe Discussion List
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PDS Lock

Hi David,

I am not aware of security packages... Is it possible to do it with JCLs... I 
mean while creating the PDS itself can we lock it...?

Regards,
Ram Balaji.S






-Original Message-
From: Cebell, David <[EMAIL PROTECTED]>
To: IBM-MAIN@BAMA.UA.EDU
Sent: Tue, 7 Oct 2008 10:19 am
Subject: Re: PDS Lock



With your Security package you should be able to secure (lock) this PDS
so only you have access to it.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Ram Balaji
Sent: Tuesday, October 07, 2008 12:07 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: PDS LOCk

HI all,

Can anyone say how to lock a PDS? All the members of my PDS are
sensitive; can I lock them with a password?
Please help me.

Regards,
Ram Balaji.S

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
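
The three RACF steps Steven Liston lists above, written as a batch TSO job since the original question asked about JCL. This is an added example, not part of any post in the thread; the job card values and the user ID USER01 are placeholders, and AA.BBB.CCC is the sample data set name from the post.

```jcl
//RACFPROT JOB (ACCT),'PROTECT PDS',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example. Placeholders: job card, USER01, AA.BBB.CCC.
//* Assumes the PDS already exists and is cataloged, so ADDSD can
//* locate it without UNIT and VOLUME operands, and that the job
//* runs under a user ID authorized to define the profile.
//*
//* Command 1 (steps 1 and 2 of the post): define a discrete profile
//*   for the fully qualified name, no wildcards. UACC(NONE) keeps
//*   everyone else out; use UACC(READ) instead if others may read
//*   or submit the members but must not change them.
//*   AUDIT(FAILURES(READ)) logs every denied access attempt.
//* Command 2 (step 3): put the owning user on the access list
//*   with ALTER.
//* Command 3: list the profile so the resulting UACC and access
//*   list can be checked in the job output.
//*
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD 'AA.BBB.CCC' UACC(NONE) AUDIT(FAILURES(READ))
  PERMIT 'AA.BBB.CCC' ID(USER01) ACCESS(ALTER)
  LISTDSD DATASET('AA.BBB.CCC') AUTHUSER
/*
```

The profile covers the whole PDS; members that need different access have to live in a separate library with its own profile.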



Re: PDS Lock

2008-10-12 Thread Mike Liberatore

There are also ways of bypassing security

Mike Liberatore wrote:

you could zap the FMT-1 dscb for this data set  to turn the password 
bit off of course if you want to


Scott Rowe wrote:

I'm not sure that is completely true, I remember there being an 
issue, but I don't remember the details.  Not all datasets were 
protected by RACF (there were no GROUPs or profiles for most HLQs), 
so that might have had something to do with it.


Do you have a reference for PASSWORD protection being ignored?  I 
would be interested in trying to recall what the problem was, I think 
it had something to do with switching sysres, and the PASSWORD 
dataset not having an entry for a protected dataset.


 


Mark Zelden <[EMAIL PROTECTED]> 10/7/2008 2:50 PM >>>

On Tue, 7 Oct 2008 14:36:29 -0400, Scott Rowe <[EMAIL PROTECTED]> wrote:

I make it a point NOT to have a PASSWORD dataset on my sysres.  I consulted
at a shop a few years ago that had one, and it was a PITA, since they were
securing some datasets with password, and others using RACF, believe it or not.

If they had RACF then nothing was being secured with PROTECT.

--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED] z/OS Systems Programming expert at 
http://expertanswercenter.techtarget.com/ Mark's MVS Utilities: 
http://home.flash.net/~mzelden/mvsutil.html




Re: PDS Lock

2008-10-12 Thread Binyamin Dissen
On Sat, 11 Oct 2008 22:00:20 -0500 Wayne Driscoll <[EMAIL PROTECTED]>
wrote:

:>Of course superzap does have checking that allows installations to restrict
:>the zapping of VTOC's, so this may (should??) not be available to the OP.

More than one way to skin a cat. One can write a program to rewrite the VTOC
(but that also requires some authorization - to open the VTOC for update).

:>-Original Message-
:>From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
:>Of Mike Liberatore
:>Sent: Saturday, October 11, 2008 4:37 PM
:>To: IBM-MAIN@BAMA.UA.EDU
:>Subject: Re: PDS Lock
:>
:>you could zap the FMT-1 dscb for this data set  to turn the password bit
:>off of course if you want to
:>
:>Scott Rowe wrote:
:>
:>>I'm not sure that is completely true, I remember there being an issue, but
:>>I don't remember the details.  Not all datasets were protected by RACF
:>>(there were no GROUPs or profiles for most HLQs), so that might have had
:>>something to do with it.
:>>
:>>Do you have a reference for PASSWORD protection being ignored?  I would be
:>>interested in trying to recall what the problem was, I think it had
:>>something to do with switching sysres, and the PASSWORD dataset not having
:>>an entry for a protected dataset.
:>>
:>>  
:>>
:>>>>>Mark Zelden <[EMAIL PROTECTED]> 10/7/2008 2:50 PM >>>
:>>>>>
:>>>>>
:>>On Tue, 7 Oct 2008 14:36:29 -0400, Scott Rowe <[EMAIL PROTECTED]> wrote:
:>>
:>>  
:>>
:>>>I make it a point NOT to have a PASSWORD dataset on my sysres.  I consulted
:>>>at a shop a few years ago that had one, and it was a PITA, since they were
:>>>securing some datasets with password, and others using RACF, believe it or
:>>>not.
:>>  
:>>
:>>
:>>If they had RACF then nothing was being secured with PROTECT.
:>>
:>>--
:>>Mark Zelden
:>>Sr. Software and Systems Architect - z/OS Team Lead
:>>Zurich North America / Farmers Insurance Group - ZFUS G-ITO
:>>mailto:[EMAIL PROTECTED] 
:>>z/OS Systems Programming expert at
:>http://expertanswercenter.techtarget.com/ 
:>>Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html 
:>>

--
Binyamin Dissen <[EMAIL PROTECTED]>
http://www.dissensoftware.com

Director, Dissen Software, Bar & Grill - Israel


Should you use the mailblocks package and expect a response from me,
you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems,
especially those from irresponsible companies.




Re: PDS Lock

2008-10-11 Thread Wayne Driscoll
Of course superzap does have checking that allows installations to restrict
the zapping of VTOC's, so this may (should??) not be available to the OP.

Wayne Driscoll
Product Developer
NOTE:  All opinions are strictly my own.




-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of Mike Liberatore
Sent: Saturday, October 11, 2008 4:37 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PDS Lock

you could zap the FMT-1 dscb for this data set  to turn the password bit
off of course if you want to

Scott Rowe wrote:

>I'm not sure that is completely true, I remember there being an issue, but
>I don't remember the details.  Not all datasets were protected by RACF
>(there were no GROUPs or profiles for most HLQs), so that might have had
>something to do with it.
>
>Do you have a reference for PASSWORD protection being ignored?  I would be
>interested in trying to recall what the problem was, I think it had
>something to do with switching sysres, and the PASSWORD dataset not having
>an entry for a protected dataset.
>
>  
>
>>>>Mark Zelden <[EMAIL PROTECTED]> 10/7/2008 2:50 PM >>>
>>>>
>>>>
>On Tue, 7 Oct 2008 14:36:29 -0400, Scott Rowe <[EMAIL PROTECTED]> wrote:
>
>  
>
>>I make it a point NOT to have a PASSWORD dataset on my sysres.  I consulted
>>at a shop a few years ago that had one, and it was a PITA, since they were
>>securing some datasets with password, and others using RACF, believe it or
>>not.
>  
>
>
>If they had RACF then nothing was being secured with PROTECT.
>
>--
>Mark Zelden
>Sr. Software and Systems Architect - z/OS Team Lead
>Zurich North America / Farmers Insurance Group - ZFUS G-ITO
>mailto:[EMAIL PROTECTED] 
>z/OS Systems Programming expert at
http://expertanswercenter.techtarget.com/ 
>Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html 
>



Re: PDS Lock

2008-10-11 Thread Mike Liberatore
you could zap the FMT-1 dscb for this data set  to turn the password bit 
off of course if you want to


Scott Rowe wrote:


I'm not sure that is completely true, I remember there being an issue, but I 
don't remember the details.  Not all datasets were protected by RACF (there 
were no GROUPs or profiles for most HLQs), so that might have had something to 
do with it.

Do you have a reference for PASSWORD protection being ignored?  I would be 
interested in trying to recall what the problem was, I think it had something 
to do with switching sysres, and the PASSWORD dataset not having an entry for a 
protected dataset.

 


Mark Zelden <[EMAIL PROTECTED]> 10/7/2008 2:50 PM >>>

On Tue, 7 Oct 2008 14:36:29 -0400, Scott Rowe <[EMAIL PROTECTED]> wrote:

I make it a point NOT to have a PASSWORD dataset on my sysres.  I consulted
at a shop a few years ago that had one, and it was a PITA, since they were
securing some datasets with password, and others using RACF, believe it or not.

If they had RACF then nothing was being secured with PROTECT.

--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED] 
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/ 
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html 





Re: PDS LOCk

2008-10-09 Thread Joel C. Ewing
Be sure you understand the installation's security rules.  I can't 
believe that there wouldn't be naming conventions in place that would 
allow datasets to be named so as to get appropriate access protection 
even for test/training/non-production datasets.  If you are somehow 
dealing with a special test or development environment where everyone 
has access to everything, that sounds like a disaster waiting to happen.


RACF by default gives a user ALTER access (CREATE/UPDATE/READ/DELETE) to 
any dataset with a high-level-qualifier (HLQ) of his own userid.  These 
datasets should be private to that user by default, unless the 
installation has deliberately granted access to many others by explicit 
PERMITS or by giving an exceptional number of users OPERATIONS authority 
to access all datasets not explicitly denied.  Either of those actions 
seems highly unreasonable, but that doesn't mean some installations 
might not have done it.  Normally data that should be considered 
"private" to one user would have his userid as HLQ.


Datasets that are to be shared by multiple users would normally be given 
a HLQ that is not a userid, and explicit access would be granted to 
specific RACF groups or users as required.  There is no reason why 
additional groups cannot be established (by a Security Admin) if new 
access patterns arise.


RACF protects at the dataset level, not at the PDS member level.  If you 
have members with different security requirements, they will have to be 
kept in distinct PDS libraries with different access permissions.


If your real goal is to prevent unauthorized updates to a specific 
database, the UPDATE authority to that database should be restricted, 
whether other users can get to your JCL or not.  In z/OS, protection by 
ignorance (of constructing functional JCL) is not an acceptable practice.

  J C Ewing



Ram Balaji wrote:

Hi Anton/john,

John your assumptions are correct,

1) I am just a programmer.
2) Sensitive data (I should have clearly explained this point).

My sensitive data are training datasets which I have created dealing with 
training database. Many times I see people trying to explore my dataset and run 
them. I don't mind ppl using my dataset but these program point Training DB, I am 
bit worried about this.

I can't ask SAF to Protect since it's my training dataset.

Moreover keeping it in a notepad file is good option. But can't we make it bit 
easier (within Mainframes).

3) Database should be visible to me alone.

4) I am using Z/OS.

Hey JOHN

Thanks a lot for all your valuable suggestion.

I tried using TSO PROTECT, this is no more a working command.
Any other solution?

Hope I made it clear. Sorry for delayed response.


Regards,
Ram Balaji.S.
(Dying Hard to explore MainFrames)


-Original Message-
From: John McKown <[EMAIL PROTECTED]>
To: IBM-MAIN@BAMA.UA.EDU
Sent: Tue, 7 Oct 2008 6:08 pm
Subject: Re: PDS LOCk



On Tue, 7 Oct 2008, Anton Britz wrote:

> Hi Ram,
>
> Do not get confused with all these technical discussions that you received but
> let's start at the very beginning :
>
> a) Are you a User , a Systems programmer or just a programmer

For some reason, I just ASSuMEd that he was likely a programmer.

> b) If you say "sensitive" data .. what do you mean by that

Good point. If it is personal data, then I'd strongly suggest that it does 
not belong on a company machine.

> c) Who should be able to see this data ? ex. Only you, Your Department

Again, on a company machine, "only you" should not be an option, IMO. 
Reminds me of some foolish print operators at a place that I used to work. 
The printer was a Xerox 8700 laser. The operators placed "sensitive 
personal" information in a file on it, thinking that nobody else would 
ever see it. Management was not amused when the machine was audited by a 
Xerox person. They were quickly shown the error of their ways, and the 
door. Any wonder that I'm paranoid? .

> d) What operating system are you using

Do PDS'es exist on anything other than z/OS? I know that z/VSE has 
something similar, but the name is different. At least according to my 
fading memory.

> Anton






--
Joel C. Ewing, Fort Smith, AR    [EMAIL PROTECTED]




Re: PDS LOCk

2008-10-09 Thread Anton Britz
Ram,

I was also in the Outsourcing business for 10 years so here comes my opinion :

a) You have to speak/find the Software support staff for the Computer that 
you are working on
b) Tell them what you want to do and then ask them, what do they think you 
should do.

They would help you, if only they know what and where you..

Note: There has to be a Software programmer that set the Machine/Operating 
system up. You just have to find him/her and it would be a better way to 
approach this problem.

Anton

On Wed, 8 Oct 2008 14:37:16 -0400, Ram Balaji <[EMAIL PROTECTED]> wrote:

>Hi Anton/john,
>
>John your assumptions are correct,
>
>1) I am just a programmer.
>2) Sensitive data (I should have clearly explained this point).
>
>My sensitive data are training datasets which I have created dealing with
>training database. Many times I see people trying to explore my dataset and
>run them. I don't mind ppl using my dataset but these program point Training
>DB, I am bit worried about this.
>
>I can't ask SAF to Protect since it's my training dataset.
>
>Moreover keeping it in a notepad file is good option. But can't we make it bit
>easier (within Mainframes).
>
>3) Database should be visible to me alone.
>
>4) I am using Z/OS.
>




Re: PDS LOCk

2008-10-08 Thread Ram Balaji
Hi Linda,

> 1.  Are you a student?
I am working in a software consultancy and new to Mainframes.

> 2.  What kind of data is it?  PDS? a database(if so what kind)? flat file? VSAM?
Dataset contains JCLs, Proc and cobol programs.
Say it has some important JOBs.

> 3.  How much data, how many datasets, are you needing to protect?
If I can find a way to protect 1 dataset it will be fine.

> 4.  Sensitive data can mean different things to different people.  Please
> explain why this data is sensitive.
It is sensitive because it updates the Training Database (say it adds a segment, 
deletes a segment in DB).

> 5.  Are any of the datasets on your system restricted?  Can anybody read,
> execute, update, or alter any dataset they want to or are some/most datasets
> protected by some means?
Ya this can be done in Production region and not in Test Region.
I am working in Test Region.

> 6.  If some or many of the datasets on your system are protected, can someone there
> tell you how or help protect your dataset?
I haven't seen any protected datasets in test region.

> 7)  Where are you located?  Have you heard about zNextGen?
I am from India. No I haven't heard of zNextGen. Now I am trying to google it.



Regards,
Ram Balaji.S.
(Dying Hard to explore MainFrames)


-Original Message-
From: Linda Mooney <[EMAIL PROTECTED]>
To: IBM-MAIN@BAMA.UA.EDU
Sent: Wed, 8 Oct 2008 2:58 pm
Subject: Re: PDS LOCk



Hi Ram,

I have been reading your posts and the replies.  Could you answer a few questions 
for me?

1.  Are you a student?  If so, high school, college, some other training 
program?
2.  What kind of data is it?  PDS? a database(if so what kind)? flat file? VSAM?
3.  How much data, how many datasets, are you needing to protect?
4.  Sensitive data can mean different things to different people.  Please 
explain why this data is sensitive.
5.  Are any of the datasets on your system restricted?  Can anybody read, 
execute, update, or alter any dataset they want to or are some/most datasets 
protected by some means?
6.  If some or many of the datasets on your system are protected, can someone there 
tell you how or help protect your dataset?

On this forum, sometimes the 'old dogs' can be a bit gruff.  Most times they 
are very helpful and kind, once you get to know them.  I know too that all of 
us are cautious about people we don't know.  None of us would want to offer 
help to anyone who might not use it for good things.  Occasionally too, someone 
will ask many questions for what seems to be their own entertainment.   Most of 
us don't have enough time to guess about what someone needs.  Please try to 
give the full picture when you can.

Where are you located?  Have you heard about zNextGen?

Thanks,

Linda Mooney
-- Original message -- 
From: Ram Balaji <[EMAIL PROTECTED]> 

> Hi Anton/john,
>
> John your assumptions are correct,
>
> 1) I am just a programmer.
> 2) Sensitive data (I should have clearly explained this point).
>
> My sensitive data are training datasets which I have created dealing with
> training database. Many times I see people trying to explore my dataset and
> run them. I don't mind ppl using my dataset but these program point Training DB,
> I am bit worried about this.
>
> I can't ask SAF to Protect since it's my training dataset.
>
> Moreover keeping it in a notepad file is good option. But can't we make it bit
> easier (within Mainframes).
>
> 3) Database should be visible to me alone.
>
> 4) I am using Z/OS.
>
>
>
> Hey JOHN
>
> Thanks a lot for all your valuable suggestion.
>
> I tried using TSO PROTECT, this is no more a working command.
> Any other solution? 
> 
> Hope I made it clear. Sorry for delayed response. 
> 
> 
> Regards, 
> Ram Balaji.S. 
> (Dying Hard to explore MainFrames) 
> 
> 
> -Original Message- 
> From: John McKown 
> To: IBM-MAIN@BAMA.UA.EDU 
> Sent: Tue, 7 Oct 2008 6:08 pm 
> Subject: Re: PDS LOCk 
> 
> 
> 
> On Tue, 7 Oct 2008, Anton Britz wrote: 
> 
> > Hi Ram, 
> > 
> > Do not get confused with all these technical discussions that you received but
> > let's start at the very beginning :
> > 
> > a) Are you a User , a Systems programmer or just a programmer 
> 
> For some reason, I just ASSuMEd that he was likely a programmer. 
> 
> > b) If you say "sensitive" data .. what do you mean by that 
> 
> Good point. If it is personal data, then I'd strongly suggest that it does 
> not belong on a company machine. 
> 
> > c) Who should be able to see this data ? ex. Only you, Your Department 
> 
> Again, on a company machine, "only you" should not be an option, IMO. 
> Reminds me of some foolish print operators at a place that I used to work. 
> Th

Re: PDS LOCk

2008-10-08 Thread Linda Mooney
Hi Ram,

I have been reading your posts and the replies.  Could you answer a few questions 
for me?

1.  Are you a student?  If so, high school, college, some other training 
program?
2.  What kind of data is it?  PDS? a database(if so what kind)? flat file? VSAM?
3.  How much data, how many datasets, are you needing to protect?
4.  Sensitive data can mean different things to different people.  Please 
explain why this data is sensitive.
5.  Are any of the datasets on your system restricted?  Can anybody read, 
execute, update, or alter any dataset they want to or are some/most datasets 
protected by some means?
6.  If some or many of the datasets on your system are protected, can someone there 
tell you how or help protect your dataset?

On this forum, sometimes the 'old dogs' can be a bit gruff.  Most times they 
are very helpful and kind, once you get to know them.  I know too that all of 
us are cautious about people we don't know.  None of us would want to offer 
help to anyone who might not use it for good things.  Occasionally too, someone 
will ask many questions for what seems to be their own entertainment.   Most of 
us don't have enough time to guess about what someone needs.  Please try to 
give the full picture when you can.

Where are you located?  Have you heard about zNextGen?

Thanks,

Linda Mooney
-- Original message -- 
From: Ram Balaji <[EMAIL PROTECTED]> 

> Hi Anton/john, 
> 
> John your assumptions are correct, 
> 
> 1) I am just a programmer. 
> 2) Sensitive data (I should have clearly explained this point). 
> 
> My sensitive datas are training datasets which I have created dealing with 
> training database. Many times I see people trying to explore my dataset and 
> run them. I don't mind ppl using my dataset but these program point Training DB, 
> I am bit worried about this. 
> 
> I can't ask SAF to Protect since it's my training dataset. 
> 
> Moreover keeping it in a notepad file is good option. But can't we make it bit 
> easier(within Mainframes). 
> 
> 3) Database should be visible to me alone. 
> 
> 4) I am using Z/OS. 
> 
> 
> 
> Hey JOHN 
> 
> Thanks a lot for all your valuable suggestion. 
> 
> I tried using TSO PROTECT , this is no more a working command. 
> Any other solution? 
> 
> Hope I made it clear. Sorry for delayed response. 
> 
> 
> Regards, 
> Ram Balaji.S. 
> (Dying Hard to explore MainFrames) 
> 
> 
> -Original Message- 
> From: John McKown 
> To: IBM-MAIN@BAMA.UA.EDU 
> Sent: Tue, 7 Oct 2008 6:08 pm 
> Subject: Re: PDS LOCk 
> 
> 
> 
> On Tue, 7 Oct 2008, Anton Britz wrote: 
> 
> > Hi Ram, 
> > 
> > Do not get confused with all these technical discussions that you received 
> > but lets start at the very beginning : 
> > 
> > a) Are you a User , a Systems programmer or just a programmer 
> 
> For some reason, I just ASSuMEd that he was likely a programmer. 
> 
> > b) If you say "sensitive" data .. what do you mean by that 
> 
> Good point. If it is personal data, then I'd strongly suggest that it does 
> not belong on a company machine. 
> 
> > c) Who should be able to see this data ? ex. Only you, Your Department 
> 
> Again, on a company machine, "only you" should not be an option, IMO. 
> Reminds me of some foolish print operators at a place that I used to work. 
> The printer was a Xerox 8700 laser. The operators placed "sensitive 
> personal" information in a file on it, thinking that nobody else would 
> ever see it. Management was not amused when the machine was audited by a 
> Xerox person. They were quickly shown the error of their ways, and the 
> door. Any wonder that I'm paranoid? . 
> 
> > d) What operating system are you using 
> 
> Do PDS'es exist on anything other than z/OS? I know that z/VSE has 
> something similar, but the name is different. At least according to my 
> fading memory. 
> 
> > 
> > Anton 
> > 
> 
> -- 
> Q: What do theoretical physicists drink beer from? 
> A: Ein Stein. 
> 
> Maranatha! 
> John McKown 
> 




Re: PDS Lock

2008-10-08 Thread Don Leahy
Oops..Sorry.  This reply was to the OP.  I snipped too much

On Wed, Oct 8, 2008 at 5:17 PM, Don Leahy <[EMAIL PROTECTED]> wrote:
> The short answer, for an application programmer, is No.
>
> In the mainframe world, security is taken very seriously and is not
> left in the hands of the programmer creating the data set.  (I am
> assuming that you *are* a newcomer, else you would be familiar with at
> least one of RACF, ACF2 and Top Secret the three security packages
> that dominate the mainframe world.  If that assumption is incorrect, I
> apologize).
>
> If your PDS contains sensitive data, you have to make it known to your
> security admin who will set up the rules needed to protect it.  Be
> prepared to justify your request.
>




Re: PDS Lock

2008-10-08 Thread Don Leahy
The short answer, for an application programmer, is No.

In the mainframe world, security is taken very seriously and is not
left in the hands of the programmer creating the data set.  (I am
assuming that you *are* a newcomer, else you would be familiar with at
least one of RACF, ACF2 and Top Secret the three security packages
that dominate the mainframe world.  If that assumption is incorrect, I
apologize).

If your PDS contains sensitive data, you have to make it known to your
security admin who will set up the rules needed to protect it.  Be
prepared to justify your request.




Re: PDS Lock

2008-10-08 Thread John McKown

>Or could the original poster be trying to restrict access to data
>that is, by law or by corporate dictate, not to be limited?  (I'm not
>sure such a thing exists.)
>
>Pat O'Keefe

HIPAA data is restricted by US law. PCI data is restricted by something
(industry requirement? Law?).

--
John




Re: PDS Lock

2008-10-08 Thread Patrick O'Keefe
On Wed, 8 Oct 2008 06:49:09 -0400, Jack Kelly 
<[EMAIL PROTECTED]> wrote:

>..."If a SAF solution isn't available to the originator" means that the
>user can not get a SAF profile for his DSN
>...

Something doesn't make sense to me here.  If "a SAF solution isn't
available" means a SAF product isn't installed, then protecting that
one dataset doesn't make much sense to me.  The whole system is
a house of cards just ready to collapse around that secure PDS.
(Ok.  I've got blinders on.  Maybe there is a realistic environment
like that, but I'd like to be convinced.)

If, on the other hand it means "can not get a SAF profile for his 
DSN" then I'd suggest a greater effort be made or an alternative
be found.  I know that many security groups have obscure rules
to be followed, but it's usually easier to get them to restrict
access than to grant access.

Or could the original poster be trying to restrict access to data 
that is, by law or by corporate dictate, not to be limited?  (I'm not
sure such a thing exists.)

Pat O'Keefe
  




Re: PDS LOCk

2008-10-08 Thread John McKown
On Wed, 8 Oct 2008 18:53:48 +, Ted MacNEIL <[EMAIL PROTECTED]> wrote:

>>I cant ask because people who are using are also working for same client,
>>But different team(say level)?
>
>If (hopefully) they are using different ID's, connect them to a group that
>has access to the PDS.
>And, remove their access when no longer needed.
>

Sounds like the security people aren't really interested in protecting this
data. But having it available is causing Ram problems due to 
coworkers. Perhaps it is time for some "social engineering" to convince the
coworkers to keep their hands off Ram's datasets. Like the 2x4 that I
mentioned before.

--
John




Re: PDS LOCk

2008-10-08 Thread Ted MacNEIL
>I cant ask because people who are using are also working for same client, But 
>different team(say level)?

If (hopefully) they are using different ID's, connect them to a group that has 
access to the PDS.
And, remove their access when no longer needed.


>and moreover these are training datasets... Our concern does not provide 
>protection for training datasets

That's a process problem, not a technical one.
Move them to a non-personal HLQ and modify access, as needed.

-
Too busy driving to stop for gas!




Re: PDS LOCk

2008-10-08 Thread John McKown
Did you try the ADDSD command? That will only work if: (1) your system 
uses RACF and (2) the dataset(s) in question start with your RACF id. This 
should work unless your system is secured in a truly extreme way.

ADDSD 'myracfid.*.**' UACC(NONE)

Replace 'myracfid' with your RACF (TSO) id and this will make it so that
almost nobody can read any of your datasets.

If either of the above is not true, then you are out of luck unless you 
can get your security administrator to do the securing for you.

Have you considered a 2x4 on people who mess around with your stuff 
without permission? 

I do understand the problem! I used to have people copy my JCL and
programs. And then come to me screaming when it didn't do what they
wanted. So, being the main sysprog __and__ security admin, I made it
impossible for them to read my datasets at all. I also made it impossible
for them to look at my job output in SDSF. My motto is: "Don't irritate
the sysprog. You won't like the results." 

-- 
Q: What do theoretical physicists drink beer from?
A: Ein Stein.

Maranatha!
John McKown
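
The ADDSD suggestion in the post above, together with the advice elsewhere in the thread to give a group access and remove it when no longer needed, written out as a REXX exec. This is an added example, not code from any poster; it assumes RACF is the security product, that the data sets start with your own TSO userid, and that `TRNGRP` (a hypothetical name) is an existing RACF group. The exec name `PDSLOCK` and the data set `userid.TRAIN.PDS` are also hypothetical.

```rexx
/* REXX - added example, not from the thread.                          */
/* Assumes: RACF is the active security product, the data sets start   */
/* with your own TSO userid, and TRNGRP is a hypothetical RACF group   */
/* that already exists and holds the co-workers who need READ access.  */
parse upper arg action .
if action = '' then action = 'PROTECT'

uid   = sysvar('SYSUID')            /* TSO userid, used as the HLQ      */
prof  = "'"uid".*.**'"              /* same profile shape as the post   */
dsn   = "'"uid".TRAIN.PDS'"         /* hypothetical data set to check   */
group = 'TRNGRP'                    /* hypothetical group name          */

select
  when action = 'PROTECT' then do
    /* Generic profile: nobody gets access unless explicitly permitted */
    call racf "ADDSD" prof "UACC(NONE)"
    /* One group gets READ; everyone else stays at UACC(NONE)          */
    call racf "PERMIT" prof "ID("group") ACCESS(READ)"
  end
  when action = 'REVOKE' then
    /* Remove the group's entry when the access is no longer needed    */
    call racf "PERMIT" prof "ID("group") DELETE"
  when action = 'CHECK' then nop
  otherwise do
    say 'Usage: PDSLOCK PROTECT | REVOKE | CHECK'
    exit 8
  end
end

/* Verify: list the generic profile that covers the data set, with    */
/* its access list, so the result can be read rather than assumed.    */
call outtrap 'line.'
address TSO "LISTDSD DATASET("dsn") GENERIC AUTHUSER"
lrc = rc
call outtrap 'OFF'
if lrc <> 0 then say 'LISTDSD ended with RC='lrc
do i = 1 to line.0
  say line.i
end
exit lrc

/* Run one RACF command under TSO and stop at the first failure       */
racf: procedure
  parse arg cmd
  address TSO cmd
  if rc <> 0 then do
    say 'RC='rc 'from:' cmd
    exit rc
  end
  return
```

If ADDSD is rejected, the two conditions given in the post (RACF in use, data set names starting with your RACF id) are the first things to check before going to the security administrator.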




Re: PDS LOCk

2008-10-08 Thread Ram Balaji
I can't ask because people who are using are also working for same client, But 
different team(say level)?
and moreover these are training datasets... Our concern does not provide 
protection for training datasets


Regards,
Ram Balaji.S.
(Dying Hard to explore MainFrames)


-Original Message-
From: Ted MacNEIL <[EMAIL PROTECTED]>
To: IBM-MAIN@BAMA.UA.EDU
Sent: Wed, 8 Oct 2008 11:40 am
Subject: Re: PDS LOCk



>I cant ask SAF to Protect since its my training dataset.

Why can't you?
You can protect it from everybody, very easily.

-
Too busy driving to stop for gas!




Re: PDS LOCk

2008-10-08 Thread Ted MacNEIL
>I cant ask SAF to Protect since its my training dataset.

Why can't you?
You can protect it from everybody, very easily.

-
Too busy driving to stop for gas!




Re: PDS LOCk

2008-10-08 Thread Ram Balaji
Hi Anton/john,

John your assumptions are correct,

1) I am just a programmer.
2) Sensitive data (I should have clearly explained this point). 

My sensitive datas are training datasets which I have created dealing with 
training database. Many times I see people trying to explore my dataset and run 
them. I don't mind ppl using my dataset but these program point Training DB, I am 
bit worried about this.

I can't ask SAF to Protect since it's my training dataset.

Moreover keeping it in a notepad file is good option. But can't we make it bit 
easier(within Mainframes).

3) Database should be visible to me alone.

4) I am using Z/OS.



Hey JOHN

Thanks a lot for all your valuable suggestion.

I tried using TSO PROTECT , this is no more a working command.
Any other solution?

Hope I made it clear. Sorry for delayed response.


Regards,
Ram Balaji.S.
(Dying Hard to explore MainFrames)


-Original Message-
From: John McKown <[EMAIL PROTECTED]>
To: IBM-MAIN@BAMA.UA.EDU
Sent: Tue, 7 Oct 2008 6:08 pm
Subject: Re: PDS LOCk



On Tue, 7 Oct 2008, Anton Britz wrote:

> Hi Ram,
> 
> Do not get confused with all these technical discussions that you received 
> but lets start at the very beginning :
> 
> a) Are you a User , a Systems programmer or just a programmer

For some reason, I just ASSuMEd that he was likely a programmer. 

> b) If you say "sensitive" data .. what do you mean by that 

Good point. If it is personal data, then I'd strongly suggest that it does 
not belong on a company machine.

> c) Who should be able to see this data ? ex. Only you, Your Department 

Again, on a company machine, "only you" should not be an option, IMO. 
Reminds me of some foolish print operators at a place that I used to work. 
The printer was a Xerox 8700 laser. The operators placed "sensitive 
personal" information in a file on it, thinking that nobody else would 
ever see it. Management was not amused when the machine was audited by a 
Xerox person. They were quickly shown the error of their ways, and the 
door. Any wonder that I'm paranoid? .

> d) What operating system are you using

Do PDS'es exist on anything other than z/OS? I know that z/VSE has 
something similar, but the name is different. At least according to my 
fading memory.

> 
> Anton
> 

-- 
Q: What do theoretical physicists drink beer from?
A: Ein Stein.

Maranatha!
John McKown




Re: PDS Lock

2008-10-08 Thread Jack Kelly

>And if your image has an OMVS segment, does that not
>Imply that a Security package is present.

Or "If a SAF solution isn't available to the originator" means that the 
user can not get a SAF profile for his DSN

Jack Kelly
202-502-2390 (Office)




Re: PDS LOCk

2008-10-07 Thread John McKown
On Tue, 7 Oct 2008, Anton Britz wrote:

> Hi Ram,
> 
> Do not get confused with all these technical discussions that you received 
> but 
> lets start at the very beginning :
> 
> a) Are you a User , a Systems programmer or just a programmer

For some reason, I just ASSuMEd that he was likely a programmer. 

> b) If you say "sensitive" data .. what do you mean by that 

Good point. If it is personal data, then I'd strongly suggest that it does 
not belong on a company machine.

> c) Who should be able to see this data ? ex. Only you, Your Department 

Again, on a company machine, "only you" should not be an option, IMO. 
Reminds me of some foolish print operators at a place that I used to work. 
The printer was a Xerox 8700 laser. The operators placed "sensitive 
personal" information in a file on it, thinking that nobody else would 
ever see it. Management was not amused when the machine was audited by a 
Xerox person. They were quickly shown the error of their ways, and the 
door. Any wonder that I'm paranoid? .

> d) What operating system are you using

Do PDS'es exist on anything other than z/OS? I know that z/VSE has 
something similar, but the name is different. At least according to my 
fading memory.

> 
> Anton
> 

-- 
Q: What do theoretical physicists drink beer from?
A: Ein Stein.

Maranatha!
John McKown




Re: PDS LOCk

2008-10-07 Thread Anton Britz
Hi Ram,

Do not get confused with all these technical discussions that you received but 
lets start at the very beginning :

a) Are you a User , a Systems programmer or just a programmer
b) If you say "sensitive" data .. what do you mean by that 
c) Who should be able to see this data ? ex. Only you, Your Department 
d) What operating system are you using

Anton

On Tue, 7 Oct 2008 13:06:40 -0400, Ram Balaji <[EMAIL PROTECTED]> wrote:

>HI all,
>
>Can anyone say how to lock a PDS. All the members of my PDS are sensitive 
>can I lock them with password
>Please help me.
>
>Regards,
>Ram Balaji.S
>



Re: PDS Lock

2008-10-07 Thread Mark Zelden
On Tue, 7 Oct 2008 16:25:23 -0400, Scott Rowe <[EMAIL PROTECTED]> wrote:


>Do you have a reference for PASSWORD protection being ignored?  

Already posted by George Fogg. 
http://bama.ua.edu/cgi-bin/wa?A2=ind0810&L=ibm-main&D=1&O=D&F=&S=&P=39162

But that conflicts with what Walt wrote (sort of).  SAF is active on an
ACF2 system and passwords do work.  If I could test what Walt wrote,
I would, but I can't without help from a RACF admin.

When Walt wrote:

> Password protection should still work on systems using RACF, except for:
> (a) SMS-managed or VSAM data sets; and
> (b) data sets protected by (really, known to) RACF.

"known to" could be via single level name prefix (HLQ protection) and 
probably PROTECT-ALL also.   Perhaps Walt can comment further on what
he wrote and what is written in the DFSMSdfp Advanced Services
manual (which is what I remembered and based my statement on).

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED]
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html




Re: PDS Lock

2008-10-07 Thread Cebell, David
And if your image has an OMVS segment, does that not
Imply that a Security package is present.


-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of John McKown
Sent: Tuesday, October 07, 2008 3:07 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PDS Lock

On Tue, 7 Oct 2008 15:32:16 -0400, Jack Kelly
<[EMAIL PROTECTED]>
wrote:

>
>... how to protect my PDS ...
>
>
>If a SAF solution isn't available to the originator, I would suggest that
>the originator look into a SCLM methodology since (s)he seems to be more
>applications orientated. And if at 1.9, s(he) could use OMVS as the
>repository and use ACL and UNIX permissions as easy as PDF edit.
>
>Jack Kelly
>202-502-2390 (Office)

An interesting thought. But it assumes that the OP has an OMVS segment and,
hopefully, thereby a unique UID. Oh, and a home directory in the UNIX
filesystem. Our programmers don't have an OMVS segment at all. They don't
know from UNIX.

But it is a very interesting idea. Given how few, at present, programmers
know much about UNIX, this data would effectively be "invisible".

--
John




Re: PDS Lock

2008-10-07 Thread Scott Rowe
That makes sense, and matches the configuration I remember. 

>>> Walt Farrell <[EMAIL PROTECTED]> 10/7/2008 3:16 PM >>>
On Tue, 7 Oct 2008 13:50:21 -0500, Mark Zelden <[EMAIL PROTECTED]> wrote:

>On Tue, 7 Oct 2008 14:36:29 -0400, Scott Rowe <[EMAIL PROTECTED]> wrote:
>
>>I make it a point NOT to have a PASSWORD dataset on my sysres.  I consulted
>>at a shop a few years ago that had one, and it was a PITA, since they were
>>securing some datasets with password, and others using RACF, believe it or not.
>>
>
>If they had RACF then nothing was being secured with PROTECT.

Password protection should still work on systems using RACF, except for:
(a) SMS-managed or VSAM data sets; and
(b) data sets protected by (really, known to) RACF.

Actually both (a) and (b) apply regardless of security product, as far as I
know.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design
-




Note that my email domain has changed from jo-annstores.com to joann.com.  
Please update your address book and other records to reflect this change.

CONFIDENTIALITY/EMAIL NOTICE: The material in this transmission contains 
confidential and privileged information intended only for the addressee.  If 
you are not the intended recipient, please be advised that you have received 
this material in error and that any forwarding, copying, printing, 
distribution, use or disclosure of the material is strictly prohibited.  If you 
have received this material in error, please (i) do not read it, (ii) reply to 
the sender that you received the message in error, and (iii) erase or destroy 
the material. Emails are not secure and can be intercepted, amended, lost or 
destroyed, or contain viruses. You are deemed to have accepted these risks if 
you communicate with us by email. Thank you.




Re: PDS Lock

2008-10-07 Thread Scott Rowe
I'm not sure that is completely true, I remember there being an issue, but I 
don't remember the details.  Not all datasets were protected by RACF (there 
were no GROUPs or profiles for most HLQs), so that might have had something to 
do with it.
 
Do you have a reference for PASSWORD protection being ignored?  I would be 
interested in trying to recall what the problem was, I think it had something 
to do with switching sysres, and the PASSWORD dataset not having an entry for a 
protected dataset.

>>> Mark Zelden <[EMAIL PROTECTED]> 10/7/2008 2:50 PM >>>
On Tue, 7 Oct 2008 14:36:29 -0400, Scott Rowe <[EMAIL PROTECTED]> wrote:

>I make it a point NOT to have a PASSWORD dataset on my sysres.  I consulted
>at a shop a few years ago that had one, and it was a PITA, since they were
>securing some datasets with password, and others using RACF, believe it or not.
>

If they had RACF then nothing was being secured with PROTECT.

--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED] 
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/ 
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html 







Re: PDS Lock

2008-10-07 Thread John McKown
On Tue, 7 Oct 2008 15:32:16 -0400, Jack Kelly <[EMAIL PROTECTED]>
wrote:

>
>... how to protect my PDS ...
>
>
>If a SAF solution isn't available to the originator, I would suggest that
>the originator look into a SCLM methodology since (s)he seems to be more
>applications orientated. And if at 1.9, s(he) could use OMVS as the
>repository and use ACL and UNIX permissions as easy as PDF edit.
>
>Jack Kelly
>202-502-2390 (Office)

An interesting thought. But it assumes that the OP has an OMVS segment and,
hopefully, thereby a unique UID. Oh, and a home directory in the UNIX
filesystem. Our programmers don't have an OMVS segment at all. They don't
know from UNIX.

But it is a very interesting idea. Given how few, at present, programmers
know much about UNIX, this data would effectively be "invisible".

--
John




Re: PDS Lock

2008-10-07 Thread Jack Kelly

... how to protect my PDS ...


If a SAF solution isn't available to the originator, I would suggest that 
the originator look into a SCLM methodology since (s)he seems to be more 
applications orientated. And if at 1.9, s(he) could use OMVS as the 
repository and use ACL and UNIX permissions as easy as PDF edit.

Jack Kelly
202-502-2390 (Office)




Re: PDS Lock

2008-10-07 Thread George Fogg
> On Tue, 7 Oct 2008 13:50:21 -0500, Mark Zelden <[EMAIL PROTECTED]>
> wrote:
>
>>On Tue, 7 Oct 2008 14:36:29 -0400, Scott Rowe <[EMAIL PROTECTED]> wrote:
>>
>>>I make it a point NOT to have a PASSWORD dataset on my sysres.  I consulted
>>>at a shop a few years ago that had one, and it was a PITA, since they were
>>>securing some datasets with password, and others using RACF, believe it or
>>>not.
>>>
>>
Walt said:
>>If they had RACF then nothing was being secured with PROTECT.
>
> Password protection should still work on systems using RACF, except for:
> (a) SMS-managed or VSAM data sets; and
> (b) data sets protected by (really, known to) RACF.
>
> Actually both (a) and (b) apply regardless of security product, as far as I
> know.
>
From the book DFSMSdfp Advanced Services, Chapter 6.
If SAF is active, password protection is bypassed for all data sets. The
system performs password validation only if SAF is inactive and the data set
being accessed is not SMS-managed. The system provides SMS-managed data set
and catalog protection through the system authorization facility (SAF)
interface.
George Fogg




Re: PDS Lock

2008-10-07 Thread Don Leahy
Another possibility is to write a program to encrypt the PDS so that
no one else can make sense out of it.

Of course, anyone who looks at the PDS may think it is corrupted, and
delete it out from under you.  :-)




Re: PDS Lock

2008-10-07 Thread Walt Farrell
On Tue, 7 Oct 2008 13:50:21 -0500, Mark Zelden <[EMAIL PROTECTED]> wrote:

>On Tue, 7 Oct 2008 14:36:29 -0400, Scott Rowe <[EMAIL PROTECTED]> wrote:
>
>>I make it a point NOT to have a PASSWORD dataset on my sysres.  I consulted
>>at a shop a few years ago that had one, and it was a PITA, since they were
>>securing some datasets with password, and others using RACF, believe it or not.
>>
>
>If they had RACF then nothing was being secured with PROTECT.

Password protection should still work on systems using RACF, except for:
(a) SMS-managed or VSAM data sets; and
(b) data sets protected by (really, known to) RACF.

Actually both (a) and (b) apply regardless of security product, as far as I
know.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design
-




Re: PDS Lock

2008-10-07 Thread Mark Zelden
On Tue, 7 Oct 2008 13:47:44 -0400, John Eells <[EMAIL PROTECTED]> wrote:



>(There's more...but nobody rational uses password protection any more.)
>

I know of 2 ACF2 shops that use them.   I don't know about rational, but
when I asked why the sysprog told me he liked the extra prompt before
updating SYS1.PARMLIB and SYS1.PROCLIB to make him think about 
what he was doing.   

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED]
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html




Re: PDS Lock

2008-10-07 Thread Mark Zelden
On Tue, 7 Oct 2008 14:36:29 -0400, Scott Rowe <[EMAIL PROTECTED]> wrote:

>I make it a point NOT to have a PASSWORD dataset on my sysres.  I consulted
>at a shop a few years ago that had one, and it was a PITA, since they were
>securing some datasets with password, and others using RACF, believe it or not.
>

If they had RACF then nothing was being secured with PROTECT.

--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED]
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html




Re: PDS Lock

2008-10-07 Thread Mark Zelden
On Tue, 7 Oct 2008 19:25:10 +0200, Lindy Mayfield
<[EMAIL PROTECTED]> wrote:

>What utility is used to password protect a dataset?  That's one thing
>I've never seen in over 20 years.
>

The TSO PROTECT command (TSO HELP PROTECT).  It is ignored on
RACF systems (and Top Secret) but still works on ACF2 systems.

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[EMAIL PROTECTED]
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html




Re: PDS Lock

2008-10-07 Thread Scott Rowe
I make it a point NOT to have a PASSWORD dataset on my sysres.  I consulted at
a shop a few years ago that had one, and it was a PITA, since they were
securing some datasets with password, and others using RACF, believe it or not.

>>> Lindy Mayfield <[EMAIL PROTECTED]> 10/7/2008 1:58 PM >>>
I would have never guessed passwords could still be used, but then I
went over to an ISPF edit screen and the password field is still there.
I've ignored it for so long I don't see it anymore.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of John Eells
Sent: 7. lokakuuta 2008 20:48
To: IBM-MAIN@BAMA.UA.EDU 
Subject: Re: PDS Lock

Lindy Mayfield wrote:
> What utility is used to password protect a dataset?  That's one thing
> I've never seen in over 20 years.


I thought at one point that password protection was completely withdrawn
(not only for SMS and VSAM) but I find that it's still in the books.
From the JCL Reference:

  12.38.2.3 Password Protection

snip




Re: PDS Lock

2008-10-07 Thread Mark Jacobs
Lindy Mayfield wrote:
> I would have never guessed passwords could still be used, but then I
> went over to an ISPF edit screen and the password field is still there.
> I've ignored it for so long I don't see it anymore.
>
>   

I seem to remember that passwords aren't even checked anymore for sms
managed datasets.

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
> Behalf Of John Eells
> Sent: 7. lokakuuta 2008 20:48
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: PDS Lock
>
> Lindy Mayfield wrote:
>   
>> What utility is used to password protect a dataset?  That's one thing
>> I've never seen in over 20 years.
>> 
> 
>
> I thought at one point that password protection was completely withdrawn
> (not only for SMS and VSAM) but I find that it's still in the books.
> From the JCL Reference:
>
>   12.38.2.3 Password Protection
>
> snip
>


-- 
Mark Jacobs
Time Customer Service
Tampa, FL


Today, we celebrate the first glorious anniversary of the 
Information Purification Directives. We have created, for 
the first time in all history, a garden of pure ideology. 
Where each worker may bloom secure from the pests of 
contradictory and confusing truths. Our Unification of 
Thoughts is more powerful a weapon than any fleet or army 
on earth. We are one people, with one will, one resolve, 
one cause. Our enemies shall talk themselves to death and 
we will bury them with their own confusion. We shall prevail!

Apple's television commercial - Super Bowl - 1984




Re: PDS Lock

2008-10-07 Thread Lindy Mayfield
I would have never guessed passwords could still be used, but then I
went over to an ISPF edit screen and the password field is still there.
I've ignored it for so long I don't see it anymore.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of John Eells
Sent: 7. lokakuuta 2008 20:48
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PDS Lock

Lindy Mayfield wrote:
> What utility is used to password protect a dataset?  That's one thing
> I've never seen in over 20 years.


I thought at one point that password protection was completely withdrawn
(not only for SMS and VSAM) but I find that it's still in the books.
From the JCL Reference:

  12.38.2.3 Password Protection

snip




Re: PDS Lock

2008-10-07 Thread John Eells

Lindy Mayfield wrote:
> What utility is used to password protect a dataset?  That's one thing
> I've never seen in over 20 years.



I thought at one point that password protection was completely withdrawn 
(not only for SMS and VSAM) but I find that it's still in the books. 
From the JCL Reference:


 12.38.2.3 Password Protection

For an SMS-managed data set (one with an assigned storage class), SMS 
sets the password indicators in the VTOC and catalog but ignores the 
indicators and does not use password protection for the data set. See 
the DD SECMODEL parameter described on page 12.57.


Password protecting data sets requires the following:

* Data set names no longer than 17 characters. MVS retains in the 
tape label only the rightmost 17 characters of the data set name. 
Consequently, longer names could be identical in password checks.


* Volumes with IBM standard labels or ISO/ANSI/FIPS Version 3 labels.

* A password assigned in the PASSWORD data set. If a password is 
not assigned, the system will abnormally terminate a job step when it 
attempts to open the data set for output, if NOPWREAD is coded, or for 
input or output, if PASSWORD is coded.


To create a password-protected data set following an existing 
password-protected data set, code the password of the existing data set. 
The password must be the same in both the existing and the new data set.


To password-protect a data set on a tape volume containing other data 
sets, you must password-protect all the data sets on the volume and the 
passwords must be the same for all data sets.


To password-protect an existing data set using PASSWORD or NOPWREAD, 
open the data set for output the first time it is used during the job step.


PASSWORD
Indicates that a data set cannot be read, changed, deleted, or 
written to unless the system operator or TSO/E user supplies the correct 
password.


NOPWREAD
Indicates that a data set cannot be changed, deleted, or written to 
unless the system operator or TSO/E user supplies the correct password. 
No password is necessary for reading the data set.


From DFSMSdfp Utilities:

 IEHPROGM can be used to maintain non-VSAM password entries in the 
PASSWORD  data set and to alter the protection status of DASD data sets 
in the data set control block (DSCB). This topic also explains why data 
set passwords provide poor security and why IBM recommends z/OS Security 
Server (RACF).


A data set can have one of three types of password protection, as 
indicated in the DSCB for DASD data sets and in the tape label for tape 
data sets.


The possible types of data set password protection are:

* No protection, which means that no passwords are required to read 
or write the data set.


* Read/write protection, which means that a password is required to 
read or write the data set.


* Read-without-password protection, which means that a password is 
required only to write the data set; the data set can be read without a 
password.


If a system data set is password protected and a problem occurs on the 
data set, maintenance personnel must be provided with the password in 
order to access the data set and resolve the problem.


A data set can have one or more passwords assigned to it; each password 
has an entry in the PASSWORD data set. A password assigned to a data set 
can allow read and write access, or only read access to the data set.


Figure 97 shows the relationship between the protection status of data 
set ABC and the type of access allowed by the passwords assigned to the 
data set. Passwords ABLE and BAKER are assigned to data set ABC. If no 
password protection is set in the DSCB or tape label, data set ABC can 
be read or written without a password. If read/write protection is set 
in the DSCB or tape label, data set ABC can be read with either password 
ABLE or BAKER and can be written with password ABLE. If 
read-without-password protection is set in the DSCB or tape label, data 
set ABC can be read without a password and can be written with password 
ABLE; password BAKER is never needed.


 Before IEHPROGM is used to maintain data set passwords, the PASSWORD 
data set must reside on the system residence volume. IEHPROGM can then 
be used to:


* Add an entry to the PASSWORD data set.
* Replace an entry in the PASSWORD data set.
* Delete an entry from the PASSWORD data set.
* Provide a list of information from an entry in the PASSWORD data 
set.


(There's more...but nobody rational uses password protection any more.)

--
John Eells
z/OS Technical Marketing
IBM Poughkeepsie
[EMAIL PROTECTED]
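
Added example, not part of John Eells's post or of the IBM manuals he quotes: a small Python model of the password decision the excerpts above describe (the Figure 97 matrix for data set ABC, the SMS/VSAM/SAF bypass discussed in this thread, and the 17-character tape-label truncation). The class, function and field names, the "not-checked" result and the use of the truncated name as the lookup key are modelling assumptions, and the sample entries are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Protection(Enum):
    NONE = "none"                # no password indicators set
    PASSWORD = "read/write"      # password needed to read or write
    NOPWREAD = "write-only"      # password needed only to write


@dataclass(frozen=True)
class DataSet:
    name: str
    protection: Protection
    sms_managed: bool = False    # has an assigned storage class
    vsam: bool = False
    saf_protected: bool = False  # known to RACF or another SAF product
    on_tape: bool = False


def password_key(ds):
    """Name used for the password lookup (modelling assumption).

    For tape only the rightmost 17 characters survive in the label, so
    longer names that share that suffix become indistinguishable.
    """
    return ds.name[-17:] if ds.on_tape else ds.name


def check_open(ds, mode, password, entries):
    """Return 'not-checked', 'allowed' or 'denied' for an OPEN.

    mode is 'read' or 'write'; entries maps (key, password) to 'RW' or 'R'.
    """
    # Bypass rules from the thread: the indicators may be set in the
    # VTOC/catalog, but the password is never consulted.
    if ds.sms_managed or ds.vsam or ds.saf_protected:
        return "not-checked"
    if ds.protection is Protection.NONE:
        return "allowed"
    if mode == "read" and ds.protection is Protection.NOPWREAD:
        return "allowed"
    granted = entries.get((password_key(ds), password))
    if granted is None:
        return "denied"          # no matching entry: the open fails
    if mode == "write" and granted != "RW":
        return "denied"
    return "allowed"


# Constructed sample mirroring the Figure 97 description: data set ABC,
# password ABLE allows read and write, BAKER allows read only.
ENTRIES = {("ABC", "ABLE"): "RW", ("ABC", "BAKER"): "R"}


def figure_97_matrix():
    """Decision for every protection status, mode and password."""
    rows = {}
    for prot in Protection:
        ds = DataSet("ABC", prot)
        for mode in ("read", "write"):
            for pw in (None, "ABLE", "BAKER"):
                rows[(prot.name, mode, pw)] = check_open(ds, mode, pw, ENTRIES)
    return rows


if __name__ == "__main__":
    for key, result in figure_97_matrix().items():
        print(key, result)
```

A "not-checked" result means the password mechanism made no decision at all, so whatever SAF profile exists (or does not exist) is the only control on that data set.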




Re: PDS Lock

2008-10-07 Thread John McKown
On Tue, 7 Oct 2008 19:25:10 +0200, Lindy Mayfield
<[EMAIL PROTECTED]> wrote:

>What utility is used to password protect a dataset?  That's one thing
>I've never seen in over 20 years.

The TSO PROTECT command updates the PASSWORD dataset. It is so old that I
doubt that any system actually uses it any more. It is all documented in the
DFP Advanced Services manual.

--
John




Re: PDS Lock

2008-10-07 Thread John McKown
Forgot to mention that my "solution" with the ADDSD only works on a RACF
protected system. I don't know Top Secret or ACF2.

--
John




Re: PDS Lock

2008-10-07 Thread John McKown
On Tue, 7 Oct 2008 12:31:08 -0500, Cebell, David <[EMAIL PROTECTED]> wrote:

>It is difficult to imagine a shop without some type of security package.
>That said,
>
>You may want to look at the LABEL Parameter of the DD Statement.
>

Probably won't work anymore. It requires that a special dataset, named
PASSWORD, exist on the IPL volume. I don't bother creating that dataset any
more.

--
John




Re: PDS Lock

2008-10-07 Thread John McKown
On Tue, 7 Oct 2008 13:24:24 -0400, Ram Balaji <[EMAIL PROTECTED]> wrote:

>Hi David,
>
>I am not aware of security packages... Is it possible to do it with JCLs... I
>mean while creating the PDS itself can we lock it...?
>
>Regards,
>Ram Balaji.S

Basically, no. If you have a security package, then that is the only way
that I know to set an access list to determine who can use / update / create
/ delete your files (PDS or other).

If you want, and are willing to take the chance of getting in trouble, then
you could try the following command on ISPF option 6:

ADDSD 'myuser.PROTECT.PDS' UACC(NONE)

Replace "myuser" in the above command with your actual TSO userid.

I don't know what this "sensitive" information is. If it is company
sensitive, then talk to your security admin to get it secured. If it is
personally sensitive, then don't keep it on your company's system. In our
company, I can look at literally anything that I want to. Nobody can stop
me, I am "root" (as the UNIX people say).

Now, if this is execution JCL, I have another possible option. Keep your JCL
on your PC. Use something like notepad to maintain it as a normal "text"
file. When you want to submit it as a job, just do an ftp session like:

ftp mainframe.ip.address
myuserid
mypass
quote site filetype=jes
put mysecure.job.jcl
quit


You might even be able to keep this on a USB thumb drive so that it is
physically secure.

--
John




Re: PDS Lock

2008-10-07 Thread Cebell, David
It is difficult to imagine a shop without some type of security package.
That said,

You may want to look at the LABEL Parameter of the DD Statement.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Ram Balaji
Sent: Tuesday, October 07, 2008 12:27 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PDS Lock

Lindy Mayfield 

This is a curious question...



-Original Message-
From: Lindy Mayfield <[EMAIL PROTECTED]>
To: IBM-MAIN@BAMA.UA.EDU
Sent: Tue, 7 Oct 2008 10:25 am
Subject: Re: PDS Lock



What utility is used to password protect a dataset?  That's one thing
I've never seen in over 20 years.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Cebell, David
Sent: 7. lokakuuta 2008 20:20
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PDS Lock

With your security package you should be able to secure (lock) this PDS
so only you have access to it.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Ram Balaji
Sent: Tuesday, October 07, 2008 12:07 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: PDS LOCk

Hi all,

Can anyone say how to lock a PDS? All the members of my PDS are
sensitive. Can I lock them with a password?
Please help me.

Regards,
Ram Balaji.S




Re: PDS Lock

2008-10-07 Thread Ram Balaji
Lindy Mayfield 

This is a curious question...



-Original Message-
From: Lindy Mayfield <[EMAIL PROTECTED]>
To: IBM-MAIN@BAMA.UA.EDU
Sent: Tue, 7 Oct 2008 10:25 am
Subject: Re: PDS Lock



What utility is used to password protect a dataset?  That's one thing
I've never seen in over 20 years.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Cebell, David
Sent: 7. lokakuuta 2008 20:20
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PDS Lock

With your security package you should be able to secure (lock) this PDS
so only you have access to it.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Ram Balaji
Sent: Tuesday, October 07, 2008 12:07 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: PDS LOCk

Hi all,

Can anyone say how to lock a PDS? All the members of my PDS are
sensitive. Can I lock them with a password?
Please help me.

Regards,
Ram Balaji.S




Re: PDS Lock

2008-10-07 Thread Lindy Mayfield
What utility is used to password protect a dataset?  That's one thing
I've never seen in over 20 years.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Cebell, David
Sent: 7. lokakuuta 2008 20:20
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PDS Lock

With your security package you should be able to secure (lock) this PDS
so only you have access to it.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Ram Balaji
Sent: Tuesday, October 07, 2008 12:07 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: PDS LOCk

Hi all,

Can anyone say how to lock a PDS? All the members of my PDS are
sensitive. Can I lock them with a password?
Please help me.

Regards,
Ram Balaji.S




Re: PDS Lock

2008-10-07 Thread Ram Balaji
Hi David,

I am not aware of security packages... Is it possible to do it with JCLs... I mean
while creating the PDS itself can we lock it...?

Regards,
Ram Balaji.S






-Original Message-
From: Cebell, David <[EMAIL PROTECTED]>
To: IBM-MAIN@BAMA.UA.EDU
Sent: Tue, 7 Oct 2008 10:19 am
Subject: Re: PDS Lock



With your security package you should be able to secure (lock) this PDS
so only you have access to it.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Ram Balaji
Sent: Tuesday, October 07, 2008 12:07 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: PDS LOCk

Hi all,

Can anyone say how to lock a PDS? All the members of my PDS are
sensitive. Can I lock them with a password?
Please help me.

Regards,
Ram Balaji.S




Re: PDS Lock

2008-10-07 Thread Cebell, David
With your security package you should be able to secure (lock) this PDS
so only you have access to it.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Ram Balaji
Sent: Tuesday, October 07, 2008 12:07 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: PDS LOCk

Hi all,

Can anyone say how to lock a PDS? All the members of my PDS are
sensitive. Can I lock them with a password?
Please help me.

Regards,
Ram Balaji.S
