Re: Alter access to datasets
In an ideal world:

1. Subject matter experts set the guidelines (with mgt approval).
2. Auditors have no authority, they merely report.
3. Compliance officers enforce the rules.

-teD

-----Original Message-----
From: Arthur
Sent: Friday, April 29, 2016 00:31
To: IBM-MAIN@LISTSERV.UA.EDU
Reply To: IBM Mainframe Discussion List
Subject: Re: Alter access to datasets

On 28 Apr 2016 18:43:27 -0700, in bit.listserv.ibm-main (Message-ID:<9982011699705061.wa.gsg808yahoo@listserv.ua.edu>) 0053fe88ed35-dmarc-requ...@listserv.ua.edu (gsg) wrote:

> As part of a systems programmer's duties, they have ALTER
> access to many datasets. They need/require this access to
> install, upgrade, maintain and resolve problems. Audit
> has been pushing more and more to remove the ALTER access.
>
> Has anyone else been experiencing this?

The following is opinion based on my experience:

Auditors feel they have to make recommendations in order to justify their existence. Thus, if you have a secure system, they start to make stuff up. Removing required sysprog authorities is one of the easier demands to think of, regardless of its impracticality.

Too many companies then make those ridiculous "recommended" changes because they think the auditors know what they're doing, or because it's easier to defend stupid things ordered by auditors than smart things contrary to the auditors' advice.

I do know one person who managed to short-circuit this particular suggestion. He said, "If I have enough tools to do my job, I can access any dataset regardless of the security system. If I have to bypass the security system, I'll do so in a way that leaves no traces. But, it would take time and effort I'd rather put into doing my actual job. So, leave my access and just make sure to thoroughly check my audit trail."

It worked.
--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Alter access to datasets
Perhaps the link folding. Try this: http://tinyurl.com/hnx4k4p

Can you audit down to the level of saying "Joe Sysprog changed record 247 of this dataset"? No. Down to the member level of PDS(E)'s and down to the table of DB2 -- that's the limits of the granularity.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of gsg
Sent: Friday, April 29, 2016 12:02 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Alter access to datasets

Unable to access the first link to the Share doc.

Does this auditing go down to the record level?
Re: Alter access to datasets
Did you see the wrap?

http://s23.a2zinc.net/clients/SHARE/Winter2016/Public/SessionDetails.aspx?FromPage=Sessions.aspx&SessionID=312&SessionDateID=8

Lizette

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of gsg
> Sent: Friday, April 29, 2016 12:02 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Alter access to datasets
>
> Unable to access the first link to the Share doc.
>
> Does this auditing go down to the record level?
Re: Alter access to datasets
Unable to access the first link to the Share doc.

Does this auditing go down to the record level?
Re: Alter access to datasets
I've got a horse in this race (http://s23.a2zinc.net/clients/SHARE/Winter2016/Public/SessionDetails.aspx?FromPage=Sessions.aspx&SessionID=312&SessionDateID=8) but you might consider real-time auditing of ALTER access to the datasets as a way of mitigating the risk (for the auditors).

We also have an installation that runs this http://marc.info/?l=racf-l&m=137035593915579&w=2 program. Combining that approach with real-time auditing would seem to provide a great combination of "whatever the sysprog needs" with excellent accountability for the auditors.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Arthur
Sent: Thursday, April 28, 2016 9:32 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Alter access to datasets

On 28 Apr 2016 18:43:27 -0700, in bit.listserv.ibm-main (Message-ID:<9982011699705061.wa.gsg808yahoo@listserv.ua.edu>) 0053fe88ed35-dmarc-requ...@listserv.ua.edu (gsg) wrote:

> As part of a systems programmer's duties, they have ALTER access to many
> datasets. They need/require this access to install, upgrade, maintain
> and resolve problems. Audit has been pushing more and more to remove
> the ALTER access.
Re: Alter access to datasets
Does anyone know if the STGADMIN Facility Class will allow the Storage Guys to ALTER a dataset that they do not have direct access to?

The RACF Administrator thought we could remove the ALTER access from our SYSPROGs and that the Storage guys could ALTER in the event of problems, ex. running out of space, directory blocks, etc... Then they would only grant access to SYSPROGs for upgrades.
Re: Alter access to datasets
ex. CAI.OPS.OPSLOG or COMPWARE.LMS.CHKPTA

The concern is someone will do something and try to delete a log entry to cover their tracks. These are mostly ISV products that I'd think would be tracked in SMF records.

My thought would be to accept the risk, since these are not critical datasets. Auditors have a different opinion.

The next thought is to remove the ALTER access and then give us temporary access when we need to upgrade the products or "fix" a problem.
Re: Alter access to datasets
gsg wrote:

> As part of a systems programmer's duties, they have ALTER access to many
> datasets. They need/require this access to install, upgrade, maintain and
> resolve problems. Audit has been pushing more and more to remove the ALTER
> access.
>
> Has anyone else been experiencing this?

Nearly everyone, yes of course. Check RACF-L for similar discussions. Also nearly everyone re-trains those auditors during each audit session. [1]

Like Tom asked, please give us examples of those datasets.

What you can do is, ensure all installation/upgrade/maintenance is done on a separate LPAR, usually a sandbox. Then create a group for SMP/E and add your programmers there where needed. Give ALTER on resources as needed.

On production, give minimum access where needed as approved by the owners. Get rid of UACC=ALTER unless you have a good reason.

On all systems, give audit(all(READ)) for all dataset profiles. There are exceptions. I leave it to the student to find them out the hard way...

Ensure you collect all and every SMF record needed for audit.

Review your global settings. LOGOPTIONS is one example.

I agree with Arthur, you can crack open a z/OS if you have the tools and the know-how without leaving trails. But sooner or later you will be caught out and then it is pavement promotion time!

Have your auditors understand that system programmers are to be trusted and need access to do their work.

Good luck, with those lame auditors you're having, you can try to explain ICH408* for failed accesses to OMVS files+folders...

Groete / Greetings
Elardus Engelbrecht

[1] - I have a hard time explaining those GIM.** and IRR.PWRESET.OWNER. profiles in FACILITY class.
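The steps Elardus lists above (a group for SMP/E, ALTER on the maintenance libraries only, minimum owner-approved access on production, no UACC(ALTER), audit(all(READ)) on the profiles, and a look at the global settings), written out as a REXX exec of RACF commands. This is an added example, not code from this thread or from IBM. The group SMPEGRP, the user IDs SYSPROG1 and SYSPROG2, and the profile names SYS1.SMPE.** and SYS1.PROD.** are placeholders; it assumes generic profile checking is active for the DATASET class and that a SYS1.PROD.** profile already exists.

```rexx
/* REXX: added example, not from the thread or from IBM.                 */
/* Placeholders: group SMPEGRP, users SYSPROG1 SYSPROG2, profiles        */
/* SYS1.SMPE.** (maintenance libraries) and SYS1.PROD.** (production).   */
/* Assumes SETROPTS GENERIC(DATASET) is active and SYS1.PROD.** exists.  */
ADDRESS TSO

/* 1. One group for SMP/E work; connect only the programmers who need it. */
"ADDGROUP SMPEGRP SUPGROUP(SYS1) OWNER(SYS1) DATA('SMP/E maintenance')"
"CONNECT (SYSPROG1 SYSPROG2) GROUP(SMPEGRP)"

/* 2. Maintenance libraries: ALTER for the group, no default access,      */
/*    and log every successful or failed access at READ or higher.        */
"ADDSD 'SYS1.SMPE.**' UACC(NONE) OWNER(SYS1) AUDIT(ALL(READ))"
"PERMIT 'SYS1.SMPE.**' ID(SMPEGRP) ACCESS(ALTER)"

/* 3. Production libraries: drop UACC(ALTER), keep the same logging,      */
/*    and grant only what the data owner approved (READ in this example). */
"ALTDSD 'SYS1.PROD.**' UACC(NONE) AUDIT(ALL(READ))"
"PERMIT 'SYS1.PROD.**' ID(SMPEGRP) ACCESS(READ)"

/* 4. Global setting: log the RACF commands that change DATASET profiles, */
/*    so an edit to an access list is itself part of the SMF trail.       */
"SETROPTS AUDIT(DATASET)"

/* 5. Make the generic profile changes take effect.                       */
"SETROPTS REFRESH GENERIC(DATASET)"

/* Verify: LISTDSD shows UACC, the AUDIT setting and the access list.     */
"LISTDSD DATASET('SYS1.PROD.**') ALL"
```

AUDIT(ALL(READ)) writes an SMF type 80 record for every access at READ or above, successful or not, so SMF volume on busy libraries goes up; that is the kind of exception the message hints at, and it is why the logging is set per profile rather than with a blanket LOGOPTIONS(ALWAYS(DATASET)). SETROPTS AUDIT(DATASET) is what makes a later PERMIT or ALTDSD against these profiles show up in the same trail, which is the accountability the auditors are asking for.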
Re: Alter access to datasets
On 28 Apr 2016 18:43:27 -0700, in bit.listserv.ibm-main (Message-ID:<9982011699705061.wa.gsg808yahoo@listserv.ua.edu>) 0053fe88ed35-dmarc-requ...@listserv.ua.edu (gsg) wrote:

> As part of a systems programmer's duties, they have ALTER access to many datasets. They need/require this access to install, upgrade, maintain and resolve problems. Audit has been pushing more and more to remove the ALTER access.
>
> Has anyone else been experiencing this?

The following is opinion based on my experience:

Auditors feel they have to make recommendations in order to justify their existence. Thus, if you have a secure system, they start to make stuff up. Removing required sysprog authorities is one of the easier demands to think of, regardless of its impracticality.

Too many companies then make those ridiculous "recommended" changes because they think the auditors know what they're doing, or because it's easier to defend stupid things ordered by auditors than smart things contrary to the auditors' advice.

I do know one person who managed to short-circuit this particular suggestion. He said, "If I have enough tools to do my job, I can access any dataset regardless of the security system. If I have to bypass the security system, I'll do so in a way that leaves no traces. But, it would take time and effort I'd rather put into doing my actual job. So, leave my access and just make sure to thoroughly check my audit trail."

It worked.
Re: Alter access to datasets
On Thu, 28 Apr 2016 20:43:35 -0500, gsg wrote:

> As part of a systems programmer's duties, they have ALTER access to many
> datasets. They need/require this access to install, upgrade, maintain and
> resolve problems. Audit has been pushing more and more to remove the
> ALTER access.

What data sets?

> Has anyone else been experiencing this?

Hard to say without some specific examples of the data sets you mean.

--
Tom Marchant
Alter access to datasets
As part of a systems programmer's duties, they have ALTER access to many datasets. They need/require this access to install, upgrade, maintain and resolve problems. Audit has been pushing more and more to remove the ALTER access.

Has anyone else been experiencing this?