Go to the knowledge center if you want details. It may be that the
ability to put someone under this new function usage is something that
only QSECOFR or *SECOFR class can do.

Come on James, you know that IBM is smarter than you are giving them
credit for. So instead of spreading FUD, go read the documentation, then
come back with issues if there are any you see.

As to logging, now I'm assuming that the assignment of function usage is
auditable - auditing is something YOU as the customer have to turn on
and set up.

As to rogue admins, hey, you end up having to trust your people at some
level. Trust and audit, right? In the corporate world, it isn't Trust
and Obey, I hope.

On 5/13/2014 11:10 AM, James H. H. Lampert wrote:
> On 5/12/14 8:49 PM, Vernon Hamberg wrote:
>> It is definitely proactive.
>
> Not if there is nothing to PREVENT a rogue administrator from giving
> himself or herself, or some "strawman" user, the authority in
> question. Not "log it for the auditors if it happens," not even "alert
> the auditors immediately if it happens"; PREVENT.
>
> Without active prevention, it still sounds to me like "security
> theatre." The same kind of "security theatre" that, in airline
> passenger screening, made the World Trade Center Atrocities possible.