We recommend that you use the PDSPROT control option only on data sets whose members need increased security. If you use PDS member level protection, we recommend that you review the list of protected data sets periodically to address the following points:
Business Value:
By using the CA Top Secret PDS member level protection facility, a critical CA Top Secret extension to z/OS security, you can extend security to individual PDS/PDSE data set members. You configure PDS member level protection using the PDSPROT control option, which lets you define a list of data sets to be protected and, optionally, the volume on which they reside.
PDS member level protection is a useful feature, but we recommend that you limit its use to only those data sets needing this tighter degree of security control. Applying PDS member level security controls to data sets that do not warrant them can increase overhead and resource consumption.
Additional Considerations:
Standard z/OS data set security occurs at the data set level only, which means that a user with access to a PDS/PDSE data set also has access to all members within that data set. For most PDS/PDSE data sets, this processing is acceptable because authority can generally be determined at the data set level. However, for critical system configuration data sets such as SYS1.PARMLIB, the security requirements may be more stringent, with different security requirements for different members.
Consider the example of update access to the CA Top Secret, JES2, and other critical system procedures. You may want to employ additional security to ensure that only properly authorized individuals are permitted to update any of these critical members, which is consistent with the change control and update procedures that may be in place.
Copyright © 2013 CA Technologies.
All rights reserved.