restricting use of iebupdte
Good Day, Does anyone know how IEBUPDTE can be locked down with the use of RACF? I have certain users that I do not want to allow to use IEBUPDTE. I have added IEBUPDTE to the general resource profiles in class PROGRAM. I then gave access to the users that I want to have access. It doesn't seem to make any difference. Thanks, Randy Harris System Programmer/DBA, I.S. Dept. Lane Furniture Industries, Inc. Tupelo, MS 38802 Phone: 662-566-3447 [EMAIL PROTECTED] ___ This message is intended only for the use of the individual or entity to which it is addressed and may contain privileged, proprietary or otherwise private information. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the sender of this E-Mail or by telephone and delete this communication from your system. Warning: Although this e-mail and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: restricting use of iebupdte
-Original Message- From: IBM Mainframe Discussion List On Behalf Of Randy Harris Good Day, Does anyone know how IEBUPDTE can be locked down with the use of RACF? I have certain users that I do not want to allow to use IEBUPDTE. I have added IEBUPDTE to the general resource profiles in class PROGRAM. I then gave access to the users that I want to have access. It doesn't seem to make any difference. Past replies to questions like this have suggested securing the target resources rather than a means of updating those resources. Is that not practical in your situation? -jc- -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: restricting use of iebupdte
Oops, I ass.u.med this was RACF-L. The past replies to which I refer below appeared in the RACF-L ([EMAIL PROTECTED]). -Original Message- From: Chase, John -Original Message- From: IBM Mainframe Discussion List On Behalf Of Randy Harris Good Day, Does anyone know how IEBUPDTE can be locked down with the use of RACF? I have certain users that I do not want to allow to use IEBUPDTE. I have added IEBUPDTE to the general resource profiles in class PROGRAM. I then gave access to the users that I want to have access. It doesn't seem to make any difference. Past replies to questions like this have suggested securing the target resources rather than a means of updating those resources. Is that not practical in your situation? -jc- -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: restricting use of iebupdte
Yes, you are correct. In most cases we do that. Recently we had some situations occur that lead us to at least look at the possibility of restricting IEBUPDTE. Randy Harris System Programmer/DBA, I.S. Dept. Lane Furniture Industries, Inc. Tupelo, MS 38802 Phone: 662-566-3447 [EMAIL PROTECTED] -Original Message- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Chase, John Sent: Wednesday, December 06, 2006 9:18 AM To: IBM-MAIN@BAMA.UA.EDU Subject: Re: restricting use of iebupdte -Original Message- From: IBM Mainframe Discussion List On Behalf Of Randy Harris Good Day, Does anyone know how IEBUPDTE can be locked down with the use of RACF? I have certain users that I do not want to allow to use IEBUPDTE. I have added IEBUPDTE to the general resource profiles in class PROGRAM. I then gave access to the users that I want to have access. It doesn't seem to make any difference. Past replies to questions like this have suggested securing the target resources rather than a means of updating those resources. Is that not practical in your situation? -jc- -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html ___ This message is intended only for the use of the individual or entity to which it is addressed and may contain privileged, proprietary or otherwise private information. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the sender of this E-Mail or by telephone and delete this communication from your system. Warning: Although this e-mail and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: restricting use of iebupdte
I didn't know there was a RACF-L. Can someone tell me how to subscribe? Randy Harris System Programmer/DBA, I.S. Dept. Lane Furniture Industries, Inc. Tupelo, MS 38802 Phone: 662-566-3447 [EMAIL PROTECTED] -Original Message- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Chase, John Sent: Wednesday, December 06, 2006 9:21 AM To: IBM-MAIN@BAMA.UA.EDU Subject: Re: restricting use of iebupdte Oops, I ass.u.med this was RACF-L. The past replies to which I refer below appeared in the RACF-L ([EMAIL PROTECTED]). -Original Message- From: Chase, John -Original Message- From: IBM Mainframe Discussion List On Behalf Of Randy Harris Good Day, Does anyone know how IEBUPDTE can be locked down with the use of RACF? I have certain users that I do not want to allow to use IEBUPDTE. I have added IEBUPDTE to the general resource profiles in class PROGRAM. I then gave access to the users that I want to have access. It doesn't seem to make any difference. Past replies to questions like this have suggested securing the target resources rather than a means of updating those resources. Is that not practical in your situation? -jc- -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html ___ This message is intended only for the use of the individual or entity to which it is addressed and may contain privileged, proprietary or otherwise private information. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the sender of this E-Mail or by telephone and delete this communication from your system. Warning: Although this e-mail and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: restricting use of iebupdte
On Wed, 6 Dec 2006 09:02:44 -0600, Randy Harris wrote: Does anyone know how IEBUPDTE can be locked down with the use of RACF? What are you trying to accomplish? Have you considered the possibility that a user could bring in their own copy of IEBUPDTE and use that? It's not difficult to obtain a copy from MVS 3.8, freely available on the web. -- Tom Marchant -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: restricting use of iebupdte
Randy just be aware that this is an ineffective control. Programs which provide IEBUPDTE equivalent processing are easy enough to build and require no special authority. Ready to use IEBUPDTE type tools generally with additional features are easily found on the CBT tape and other places. Thanks, Sam -Original Message- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Randy Harris Sent: Wednesday, December 06, 2006 10:32 AM To: IBM-MAIN@BAMA.UA.EDU Subject: Re: restricting use of iebupdte Yes, you are correct. In most cases we do that. Recently we had some situations occur that lead us to at least look at the possibility of restricting IEBUPDTE. Randy Harris System Programmer/DBA, I.S. Dept. Lane Furniture Industries, Inc. Tupelo, MS 38802 Phone: 662-566-3447 [EMAIL PROTECTED] This email/fax message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution of this email/fax is prohibited. If you are not the intended recipient, please destroy all paper and electronic copies of the original message. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: restricting use of iebupdte
On Wed, 2006-12-06 at 09:02 -0600, Randy Harris wrote: Does anyone know how IEBUPDTE can be locked down with the use of RACF? I have certain users that I do not want to allow to use IEBUPDTE. I cannot imagine why you would want to do this, or what you intend to accomplish... but your business and all that. Knock yourself out. But I will suggest that you simply tell those users not to use IEBUPDTE -- then fire the first one who does. (After Lot's wife was turned to a pillar of salt, nobody else looked back, right?) This is a management issue. You are going through significant effort to misuse the security system to plug an imaginary hole that can be easily circumvented. Just tell your employees where the line is, then audit them. -- David Andrews A. Duda and Sons, Inc. [EMAIL PROTECTED] -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: restricting use of iebupdte
David, I agree completely with your method of control. I see many cases on a daily basis which should handled in that manner. But then, I have no control. Anyway, restricting IEBUPDTE was just a thought and may not be feaseable or effective as Sam mentioned. I will continue to restrict access the proper way. Thank you all for your comments. Randy Harris System Programmer/DBA, I.S. Dept. Lane Furniture Industries, Inc. Tupelo, MS 38802 Phone: 662-566-3447 [EMAIL PROTECTED] -Original Message- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of David Andrews Sent: Wednesday, December 06, 2006 9:54 AM To: IBM-MAIN@BAMA.UA.EDU Subject: Re: restricting use of iebupdte On Wed, 2006-12-06 at 09:02 -0600, Randy Harris wrote: Does anyone know how IEBUPDTE can be locked down with the use of RACF? I have certain users that I do not want to allow to use IEBUPDTE. I cannot imagine why you would want to do this, or what you intend to accomplish... but your business and all that. Knock yourself out. But I will suggest that you simply tell those users not to use IEBUPDTE -- then fire the first one who does. (After Lot's wife was turned to a pillar of salt, nobody else looked back, right?) This is a management issue. You are going through significant effort to misuse the security system to plug an imaginary hole that can be easily circumvented. Just tell your employees where the line is, then audit them. -- David Andrews A. Duda and Sons, Inc. [EMAIL PROTECTED] -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html ___ This message is intended only for the use of the individual or entity to which it is addressed and may contain privileged, proprietary or otherwise private information. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the sender of this E-Mail or by telephone and delete this communication from your system. Warning: Although this e-mail and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: restricting use of iebupdte
-Original Message- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Randy Harris Sent: Wednesday, December 06, 2006 9:03 AM To: IBM-MAIN@BAMA.UA.EDU Subject: restricting use of iebupdte Good Day, Does anyone know how IEBUPDTE can be locked down with the use of RACF? I have certain users that I do not want to allow to use IEBUPDTE. I have added IEBUPDTE to the general resource profiles in class PROGRAM. I then gave access to the users that I want to have access. It doesn't seem to make any difference. Thanks, The only real way, and it is not very effective, is to REMOVE the program from SYS1.LINKLIB and put it into another library. This second library must have UACC of NONE and only READ access to restricted users. This assumes that you can trust those users to not copy it into yet another library. IEBUPDTE is not APF authorized. In my not-so-humble opinion, this is silly. Secure the datasets, not the programs. The only programs which may need securing would be ones which are APF authorized. APF authorized program __may__ bypass RACF. -- John McKown Senior Systems Programmer HealthMarkets Keeping the Promise of Affordable Coverage Administrative Services Group Information Technology This message (including any attachments) contains confidential information intended for a specific individual and purpose, and its content is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this transmission, or taking any action based on it, is strictly prohibited. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: restricting use of iebupdte
I have certain users that I do not want to allow to use IEBUPDTE. Why would you want to do this? When in doubt. PANIC!! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: restricting use of iebupdte
I don't know the specifics off hand, and, since no one has answered yet, you can look it up yourself by sending email to: [EMAIL PROTECTED] In the body (leave the subject line blank) type list global /RACF And send it off. You should get an answer in a few minutes telling you where the list lives and how to sign up. You can sign up using the above address as well - In fact, I use it to control most of my listserve subscriptions. Same address, type in the body: subscribe RACF-L your name That server will then route your request to the correct destination For full instructions, send the command: info refcard to the same address. - Original Message From: Randy Harris [EMAIL PROTECTED] To: IBM-MAIN@BAMA.UA.EDU Sent: Wednesday, December 6, 2006 10:34:39 AM Subject: Re: restricting use of iebupdte I didn't know there was a RACF-L. Can someone tell me how to subscribe? Randy Harris System Programmer/DBA, I.S. Dept. Lane Furniture Industries, Inc. Tupelo, MS 38802 Phone: 662-566-3447 [EMAIL PROTECTED] -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: restricting use of iebupdte
Thanks, I found it. Randy Harris System Programmer/DBA, I.S. Dept. Lane Furniture Industries, Inc. Tupelo, MS 38802 Phone: 662-566-3447 [EMAIL PROTECTED] -Original Message- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Jim Sent: Wednesday, December 06, 2006 12:31 PM To: IBM-MAIN@BAMA.UA.EDU Subject: Re: restricting use of iebupdte I don't know the specifics off hand, and, since no one has answered yet, you can look it up yourself by sending email to: [EMAIL PROTECTED] In the body (leave the subject line blank) type list global /RACF And send it off. You should get an answer in a few minutes telling you where the list lives and how to sign up. You can sign up using the above address as well - In fact, I use it to control most of my listserve subscriptions. Same address, type in the body: subscribe RACF-L your name That server will then route your request to the correct destination For full instructions, send the command: info refcard to the same address. - Original Message From: Randy Harris [EMAIL PROTECTED] To: IBM-MAIN@BAMA.UA.EDU Sent: Wednesday, December 6, 2006 10:34:39 AM Subject: Re: restricting use of iebupdte I didn't know there was a RACF-L. Can someone tell me how to subscribe? Randy Harris System Programmer/DBA, I.S. Dept. Lane Furniture Industries, Inc. Tupelo, MS 38802 Phone: 662-566-3447 [EMAIL PROTECTED] -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html ___ This message is intended only for the use of the individual or entity to which it is addressed and may contain privileged, proprietary or otherwise private information. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the sender of this E-Mail or by telephone and delete this communication from your system. Warning: Although this e-mail and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: restricting use of iebupdte
Since it seems like the general consensus is that this is a bad idea, I will not do it. Thanks for all replys. Randy Harris System Programmer/DBA, I.S. Dept. Lane Furniture Industries, Inc. Tupelo, MS 38802 Phone: 662-566-3447 [EMAIL PROTECTED] -Original Message- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Ted MacNEIL Sent: Wednesday, December 06, 2006 12:26 PM To: IBM-MAIN@BAMA.UA.EDU Subject: Re: restricting use of iebupdte I have certain users that I do not want to allow to use IEBUPDTE. Why would you want to do this? When in doubt. PANIC!! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html ___ This message is intended only for the use of the individual or entity to which it is addressed and may contain privileged, proprietary or otherwise private information. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the sender of this E-Mail or by telephone and delete this communication from your system. Warning: Although this e-mail and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: restricting use of iebupdte
David Andrews wrote: On Wed, 2006-12-06 at 09:02 -0600, Randy Harris wrote: Does anyone know how IEBUPDTE can be locked down with the use of RACF? I have certain users that I do not want to allow to use IEBUPDTE. I cannot imagine why you would want to do this, or what you intend to accomplish... but your business and all that. Knock yourself out. But I will suggest that you simply tell those users not to use IEBUPDTE -- then fire the first one who does. (After Lot's wife was turned to a pillar of salt, nobody else looked back, right?) This is a management issue. You are going through significant effort to misuse the security system to plug an imaginary hole that can be easily circumvented. Just tell your employees where the line is, then audit them. Better still - tell the auditors. Let them do the dirty work. Encourage their paranoia and get them to tell the culprits that using restricted programs is a career limiting option. Colin, the grumpy old Sysprog. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: restricting use of iebupdte
On 12/6/2006 11:03 AM, Randy Harris wrote: I agree completely with your method of control. I see many cases on a daily basis which should handled in that manner. But then, I have no control. Anyway, restricting IEBUPDTE was just a thought and may not be feaseable or effective as Sam mentioned. I will continue to restrict access the proper way. Thank you all for your comments. If you want to stop people from using IEBUPDTE (or any other program except those in LPA) then PROGRAM profiles in RACF should do it. Without seeing exactly how you set it up I can not comment on why that did not work for you. However, as others have noted, restricting the program is often the wrong answer. In this case, what problem are you trying to solve that makes restricting IEBUPDTE the answer? IEBUPDTE can only update data sets to which the user has update access, and if the user has update access there are many programs he could use to perform an update. So what makes IEBUPDTE special and worthy of control in this case? (That is, what makes use of IEBUPDTE problematic when use of other programs is OK?) Walt Farrell, CISSP z/OS Security Design, IBM -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
