MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » May 2014

RE: Morbid curiosity about a V7R2 feature.



fixed

Which is exactly why everyone should do a routine audit of the system audit journals to look for people doing things they should not be doing. And not an audit done by someone with QSECOFR authority

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Tuesday, May 13, 2014 2:25 PM
To: Midrange Systems Technical Discussion
Subject: Re: Morbid curiosity about a V7R2 feature.

I think James is right.

MESECOFR creates user HRCLERK.
In 7.2 MESECOFR can grant HRCLERK ability to maintain data in the schema HRDATA even though MESECOFR cannot get to that same data. MESECOFR has *ALLOBJ and everything else. But still can't access that data.
So, MESECOFR can create a user called DELETEME. And grant DELETEME the permission to get into that data. MESECOFR can signoff and sign back on as DELETEME.

Here's a close analogy.
QSECOFR can do
WRKSYSVAL QLMTSECOFR
and set them up so that they can only sign on to terminals they have access to. Even if they have *ALLOBJ, etc.
QSECOFR tries to sign on to DSP01005 but cannot. So QSECOFR runs GRTOBJAUT OBJ(DSP01005) OBJTYPE(*DEVD) USER(QSECOFR) AUT(*ALL) and now they can sign on to DSP01005.
Or QSECOFR can run
CHGSYSVAL QLMTSECOFR ...
and turn it off and back on at will.

So don't give IBM more credit than they deserve. Or, on a more positive spin, don't 'assume' it works like you want it to - verify.


Rob Berendt





Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact