The UADS data set is a partitioned data set that contains members for each authorized user of TSO. Each UADS logical member consists of one or more physical PDS members and contains four types of information:
This information is organized in an inverted tree structure, with the user ID at the top of the tree. Each user ID can have multiple passwords. Each password can access multiple accounts. Each account can have multiple procedures, called logon procs.
The TSO user uses the ACCNT keyword during logon to specify which account to use. Users use the PROC keyword during logon to specify which procedure to use. Different accounts are used mainly for billing purposes. A logon proc defines the set of libraries that a TSO user can access during an online session. Some data centers use their logon procs to control which commands and files a TSO user can access.
Fortunately, few data centers use the full UADS tree structure, usually because it is difficult to administer. It is common, however, to have a single password for a user, along with a single account, but to permit more than one logon proc. This gives users some flexibility without being too complicated. From a control standpoint, auditors must verify that passwords, accounts, and procs are given out on a need-to-have basis. Most audit and security authorities recommend that passwords be changed periodically.
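The inverted tree and the logon walk through it (user ID, then password, then ACCNT, then PROC) are easier to reason about with a small model. The following is an added example written for this page; it is not CA's or IBM's code and reads nothing from a real UADS. The user IDs, password labels, account numbers and proc names are constructed sample values, and the rule that an omitted ACCNT or PROC keyword selects the first entry at that level is an assumption of the model. The audit function applies the need-to-have review described above: it flags users with more than one password or account and lists every proc each user can reach.

```python
"""Model of the UADS inverted tree (user ID -> passwords -> accounts -> logon procs)
with a logon resolver and a need-to-have audit pass.

Added example, not CA's or IBM's code. All IDs, labels and proc names below are
constructed; real UADS contents are maintained with the TSO ACCOUNT command.
"""
from dataclasses import dataclass


@dataclass
class Account:
    number: str
    procs: list  # logon procs reachable under this account, in UADS order


@dataclass
class Password:
    label: str   # opaque label for the model; no real password material
    accounts: list


@dataclass
class UadsUser:
    userid: str
    passwords: list


# Constructed sample tree (assumption: not taken from any real installation).
SAMPLE_UADS = {
    "AUDIT01": UadsUser("AUDIT01", [Password("PW-A", [Account("ACCT1", ["IKJACCNT"])])]),
    "DEV02": UadsUser("DEV02", [Password("PW-B", [Account("ACCT1", ["IKJACCNT", "DEVPROC"])])]),
    "OPS03": UadsUser("OPS03", [
        Password("PW-C", [Account("ACCT1", ["IKJACCNT"]), Account("ACCT9", ["OPSPROC"])]),
        Password("PW-D", [Account("ACCT1", ["IKJACCNT"])]),
    ]),
}


def resolve_logon(tree, userid, password, accnt=None, proc=None):
    """Walk the tree the way logon does: user ID -> password -> ACCNT -> PROC.

    Returns (account, proc) on success, or None when any level fails to match.
    Model assumption: an omitted ACCNT or PROC keyword selects the first entry
    under the level above it, standing in for the installation default.
    """
    user = tree.get(userid)
    if user is None:
        return None
    pw = next((p for p in user.passwords if p.label == password), None)
    if pw is None or not pw.accounts:
        return None
    if accnt is None:
        account = pw.accounts[0]
    else:
        account = next((a for a in pw.accounts if a.number == accnt), None)
        if account is None:
            return None
    if not account.procs:
        return None
    if proc is None:
        return (account.number, account.procs[0])
    if proc not in account.procs:
        return None
    return (account.number, proc)


def audit_findings(tree):
    """Need-to-have review of the whole tree.

    More than one password or account per user is flagged because it is rarely
    justified; the proc list is reported for every user so each proc can be
    checked against the user's job function.
    """
    findings = []
    for user in tree.values():
        if len(user.passwords) > 1:
            findings.append((user.userid, "multiple-passwords", len(user.passwords)))
        accounts = {a.number for p in user.passwords for a in p.accounts}
        if len(accounts) > 1:
            findings.append((user.userid, "multiple-accounts", sorted(accounts)))
        procs = sorted({pr for p in user.passwords for a in p.accounts for pr in a.procs})
        findings.append((user.userid, "logon-procs", procs))
    return findings


if __name__ == "__main__":
    print(resolve_logon(SAMPLE_UADS, "OPS03", "PW-C", accnt="ACCT9", proc="OPSPROC"))
    for finding in audit_findings(SAMPLE_UADS):
        print(finding)
```

Running the module prints the resolved (account, proc) pair for the OPS03 sample and then one finding per check; in the sample, OPS03 is the user an auditor would question, since it carries two passwords and two accounts.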
TSO user IDs who have “account” authority normally do online UADS maintenance. These IDs also need access to the SYS1.UADS file to update information. It is also possible to apply maintenance to UADS in batch by executing the TSO terminal monitor program (TMP), IKJEFT01. Batch executions automatically gain account authority, regardless of the user ID that initiated them. From a control standpoint though, the key issue is blocking access to the SYS1.UADS data set because changes can be made with any number of utility programs.
Copyright © 2009 CA. All rights reserved.