Now you know that you can't use AM , I'd suggest a different approach. First be sure to spell out your concerns about identity propagation. IE where it is acceptable, -vs- desirable, -vs- not acceptable. I usually -want- propagation from batch job and TSO users, in fact usually any single user address space. It is the multi user address spaces where you usually don't want the identity of the "server" propagated to work initiated by individual users, Think CICS, IMS etc. A recent enhancement was made to CICS in this regard (your CICS sysprog, Tim, will have details). A Job scheduler is another instance where you usually/hopefully don't what the ID of the scheduler itself propagated to all scheduled jobs, but need more granularity/accountability for the business applications (batch ids). I used to insist on a procedural checkpoint for all STC's to determine whether they needed PROPCNTL. You may even go as far as having a formal policy(s) established regarding HOW jobs are to be submitted from various environments and how identities are to be propagated/established. I seem to recall a financial institution that had such a policy where all STC's , by default, had PROPCNTL established for their STUSER. I think they had a comprehensive report showing all their STC's, the STUSER and whether PROPCNTL existed for that userid. Any exceptions needed to go through a periodic review process to verify suitable controls were in place to prevent "hijacking" of the STC's authority. I think they had a comprehensive report showing all their STC's, the STUSER and whether PROPCNTL existed for that userid. Some online systems perform archiving of log data and spawn/submit jobs to do that, where they rely on id propagation. They can possibly be enhanced to use an alternate method for invoking their archive process, eliminating the need for ID propogation.
------------------------------
Simon Dodge
------------------------------
Original Message:
Sent: Wed October 26, 2022 09:06 AM
From: Linnea Sullivan
Subject: PROPCNTL and Access Monitor
We are wanting to enhance our implementation of PROPCNTL. Does Access Monitor record any activity concerning PROPCNTL? I am looking to see if it can show me potential instances I should create PROPCNTL profiles.
From what I can tell it seems the data may not be present.
------------------------------
Linnea Sullivan
------------------------------