IBM Security Z Security

We have a product that uses pseudo dataset names in the DATASET class for access checking within the product.   The access checks build the menu screens for the product and the functionality the user has within the product.

I have a concern that some administrators performing cleanup may not see real datasets cataloged with this HLQ, and think the profiles are obsolete and start to delete the profiles.   Naturally this would be devastating to that product.

I see where I can control access to the DELDSD command itself, and where I can control access to the profile.   But I don't think I see where I can control the two together.    The administrators still need access to DELDSD command for other cleanup functions, and I still need the administrators to perform ADDSD, ALTDSD, and Permit commands on those profiles.     I was hoping there was a Command Verifier profile something like C4R.DELDSD.ID.DNDVR.MENU.OPTION1.INQ

I attempted a few deletes and looked at my access monitor data on my Command Verifier Profiles, I did not seem to see anything that would let control the environment this way.

Any ideas?


------------------------------
Linnea Sullivan
------------------------------

The only option currently available is to control management of the affected profiles via the ID policy.  I assume all your pseudo datasets share some common HLQ, so you could disable add/delete of the entire collection using one policy profile.
I agree that the documentation of the ID policy profiles only talks about them in the context of CREATE, but they also apply to DELETE (as shown in the first column of the first table in section "Policy profiles for enforcing resource naming conventions").
And I assume that the set of pseudo datasets is rather static. If it isn't then the only options I see are
- subset the range of administrators that create/delete these profiles, and educating them about the effects of a delete.
- RFE for CV to differentiate between ADD and  DELETE actions. I'm not really in favor of such a policy that disallows admins to recover from their own typos (oops added the wrong profile, now I need to ask a true magician to fix this).

------------------------------
Guus Bonnes
------------------------------

Original Message:
Sent: Thu June 17, 2021 11:01 AM
From: Linnea Sullivan
Subject: Using Command Verifier to prevent DELETE DATASET profile command on certain profiles

We have a product that uses pseudo dataset names in the DATASET class for access checking within the product.   The access checks build the menu screens for the product and the functionality the user has within the product.

I have a concern that some administrators performing cleanup may not see real datasets cataloged with this HLQ, and think the profiles are obsolete and start to delete the profiles.   Naturally this would be devastating to that product.

I see where I can control access to the DELDSD command itself, and where I can control access to the profile.   But I don't think I see where I can control the two together.    The administrators still need access to DELDSD command for other cleanup functions, and I still need the administrators to perform ADDSD, ALTDSD, and Permit commands on those profiles.     I was hoping there was a Command Verifier profile something like C4R.DELDSD.ID.DNDVR.MENU.OPTION1.INQ

I attempted a few deletes and looked at my access monitor data on my Command Verifier Profiles, I did not seem to see anything that would let control the environment this way.

Any ideas?


------------------------------
Linnea Sullivan
------------------------------

Hi Linnea,

What product is this? Most products that default to using the DATASET class to control application functions offer options for using a resource class instead, either the FACILITY class or a user-defined class. Examples are Endevor and Connect:Direct (a.k.a., NDM). Changing the class would, in my opinion, be the preferred method of addressing with this situation.

Regards, Bob

------------------------------
Robert Hansel
President and Lead RACF Specialist
RSH Consulting, Inc.
Cambridge MA
6179698211
------------------------------

Original Message:
Sent: Thu June 17, 2021 11:01 AM
From: Linnea Sullivan
Subject: Using Command Verifier to prevent DELETE DATASET profile command on certain profiles

We have a product that uses pseudo dataset names in the DATASET class for access checking within the product.   The access checks build the menu screens for the product and the functionality the user has within the product.

I have a concern that some administrators performing cleanup may not see real datasets cataloged with this HLQ, and think the profiles are obsolete and start to delete the profiles.   Naturally this would be devastating to that product.

I see where I can control access to the DELDSD command itself, and where I can control access to the profile.   But I don't think I see where I can control the two together.    The administrators still need access to DELDSD command for other cleanup functions, and I still need the administrators to perform ADDSD, ALTDSD, and Permit commands on those profiles.     I was hoping there was a Command Verifier profile something like C4R.DELDSD.ID.DNDVR.MENU.OPTION1.INQ

I attempted a few deletes and looked at my access monitor data on my Command Verifier Profiles, I did not seem to see anything that would let control the environment this way.

Any ideas?


------------------------------
Linnea Sullivan
------------------------------