Reason:
When you set your CA 1 security option FUNC=N, then you are suppressing the security checks made when EXPDT=98000 is used. That means, any user can code EXPDT=98000 along with DSN=dummyhlq.original.dsname. Since EXPDT=98000 bypasses CA 1's full data set name checking, z/OS will access the name the user has coded as the actual data set name only validating the last seventeen characters. For example, assume tape volume PAY001 is the current payroll master file (PAYROLL.MASTER.FILE). If user JOHNDOE codes:
//SYSUT1 DD DSN=JOHNDOE.PAYROLL.MASTER.FILE,DISP=OLD,
// EXPDT=98000,VOL=SER=PAY001
The system will check to see if JOHNDOE can access JOHNDOE.PAYROLL. MASTER.FILE. Since the last seventeen characters,"PAYROLL.MASTER.FILE", match and the data set name begins with JOHNDOE, the system would allow user JOHNDOE to read the payroll master file.
Action:
This message is issued by the CA 1 Health Check component, which provides extensive detail on the problem encountered and the suggested response. The following actions and responses are documented for this check:
The system will continue processing. Your tape data is not secure from unauthorized access.
Notify the systems programmer of this exposure.
The TMS security option FUNC is currently set to "NO". This needs to be set to "YES". You can also set the option to "EXT", which causes CA 1 to call the external security system with more information including the tape volume serial number and unit.
Setting the TMS security option to "YES" also requires certain security resources to be defined to your security system and certain access rules must be created to control who may use EXPDT=98000.
You can use the CA 1 ISPF panels to display the current values of all your CA 1 options along with other information about the CA 1 Tape Management system.
CA 1 Tape Management System.
Programming Guide.
|
Copyright © 2013 CA Technologies.
All rights reserved.
|
|