Shared ID Risk

 
namdrino

New User


Joined: 12 Feb 2013
Posts: 11
Location: USA

Posted: Thu Mar 21, 2013 12:52 am    Post subject: Shared ID Risk

I'm reviewing shared IDs in our environment. I am aware of the risks of shared IDs with TSO access but I am trying to determine the risk that exists with IDs that only have the BATCH facility and cannot log on interactively via TSO. Most of these IDs are system/service type of IDs and I'm trying to determine if I should include them in my review. We are using TopSecret. Thoughts?

enrico-sorichetti

Global Moderator


Joined: 14 Mar 2007
Posts: 10203
Location: italy

Posted: Thu Mar 21, 2013 1:19 am    Post subject: Reply to: Shared ID Risk

You should know better that the <product> used to enforce the security checks is irrelevant to the problem.

also the question, as is, is a moot point,
a shared user/ID is in the general zOS terminology a user/ID shared among many persons to identify themselves to the system

the userids assigned by the system to started tasks, and similar, do not fall into the category of shared IDs

if the system is properly setup sharing user/ID does not raise any integrity issues
only AUDIT concerns ...

in many countries ( mostly for union issues ) the use of shared user/ID is quite common outside the IT boundaries

at the end You are the
Quote:
Occupation: IT Auditor

and it is You who must decide what to put in Your report

what to put in an IT security review report is a religious war ...
so again everything is up to You

also You must verify if Your organization falls under specific legal obligations
namdrino

New User


Joined: 12 Feb 2013
Posts: 11
Location: USA

Posted: Thu Mar 21, 2013 1:45 am    Post subject: Clarification

Most of that response isn't relevant to the question. Let me clarify.

Does an ID (shared or otherwise) secured by TopSecret that only has the 'BATCH' facility present any type of security risk? For example, say the ID has ALL access to sensitive datasets... could a job be submitted under this ID that had the ability to modify/delete the sensitive datasets?
Akatsukami

Global Moderator


Joined: 03 Oct 2009
Posts: 1738
Location: Bloomington, IL

Posted: Thu Mar 21, 2013 1:52 am    Post subject: Re: Clarification

namdrino wrote:
Most of that response isn't relevant to the question. Let me clarify.

Does an ID (shared or otherwise) secured by TopSecret that only has the 'BATCH' facility present any type of security risk? For example, say the ID has ALL access to sensitive datasets... could a job be submitted under this ID that had the ability to modify/delete the sensitive datasets?

Probably. Whilst I don't know Top Secret (this is a RACF shop), a job can be written allowing a user to submit more jobs having the same access. As I prefer not to share details on an open forum, PM me if you want to know more.
enrico-sorichetti

Global Moderator


Joined: 14 Mar 2007
Posts: 10203
Location: italy

Posted: Thu Mar 21, 2013 2:16 am    Post subject: Reply to: Shared ID Risk

Quote:
Most of that response isn't relevant to the question.

just because You did not care to try to understand it

Quote:
... could a job be submitted under this ID...

the answer is in the Top Secret manuals
most probably yes using the surrogate userid facility
( possibility for a userid to submit jobs on behalf of a different one )

but that depends on the system setup
Gary McDowell

Active User


Joined: 15 Oct 2012
Posts: 139
Location: USA

Posted: Thu Mar 21, 2013 4:08 am

Since SAS 70 our company cannot use any shared IDs of any kind. Not passing a SAS 70 audit would mean losing a lot of business for us. Does your company follow SAS 70 regulations? If so, your choice is easy!
enrico-sorichetti

Global Moderator


Joined: 14 Mar 2007
Posts: 10203
Location: italy

Posted: Thu Mar 21, 2013 4:23 am    Post subject: Reply to: Shared ID Risk

Gary,

seems that there is a language barrier with the TS about the concept of SHARED

( just trying to clarify things for the lurkers )
in RACF terminology a <BATCH> userid could be defined as an ID without a TSO segment

and it is used when assigning a userid for the started tasks or started jobs
or as the target of a surrogate ...
or for CICS users
( for the USS side the situation is a bit murky)

I would define it a bit extreme to define as SHARED a <batch> ID which is surrogate ( or the other way around ) of many <TSO> IDs

( many users capable of submitting jobs on behalf of the above )
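
An added example, not part of the thread and not any security product's own tooling: one way a reviewer could sort IDs into review scope by combining the two properties the posts discuss, whether an ID can log on via TSO and how many other IDs may submit jobs on its behalf. The CSV layouts, the ID names and the category labels are assumptions constructed for this example, not a Top Secret or RACF report format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (hypothetical layout and ID names).
IDS_CSV = """id,facilities
PAYBATCH,BATCH
SCHEDJOB,BATCH
DBSTC,STC
OPSUSR1,TSO;BATCH
NITEJOB,BATCH
"""
SURROGATE_CSV = """execution_id,submitter
PAYBATCH,OPSUSR1
PAYBATCH,OPSUSR2
PAYBATCH,OPSUSR3
SCHEDJOB,SCHEDJOB
NITEJOB,OPSUSR1
GHOSTID,OPSUSR2
"""

def classify_ids(ids_csv, surrogate_csv):
    """Return ({id: (category, sorted submitters)}, grants naming unknown IDs)."""
    facilities = {r["id"]: set(r["facilities"].split(";"))
                  for r in csv.DictReader(io.StringIO(ids_csv))}
    submitters = defaultdict(set)
    orphans = []  # grants whose execution ID is missing from the inventory
    for r in csv.DictReader(io.StringIO(surrogate_csv)):
        if r["execution_id"] not in facilities:
            orphans.append((r["execution_id"], r["submitter"]))
        elif r["submitter"] != r["execution_id"]:  # self-submission is not delegation
            submitters[r["execution_id"]].add(r["submitter"])
    result = {}
    for acid, facs in facilities.items():
        who = sorted(submitters[acid])
        if "TSO" in facs:
            category = "interactive"
        elif len(who) > 1:
            category = "non-interactive, multiple submitters"
        elif len(who) == 1:
            category = "non-interactive, single submitter"
        else:
            category = "non-interactive, no delegated submitters"
        result[acid] = (category, who)
    return result, orphans

if __name__ == "__main__":
    report, unknown = classify_ids(IDS_CSV, SURROGATE_CSV)
    for acid, (category, who) in sorted(report.items()):
        print(f"{acid:10} {category:42} {','.join(who)}")
    print("grants naming IDs not in the inventory:", unknown)
```

Grants that name an ID missing from the inventory are returned separately so they can be followed up rather than silently dropped.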
All times are GMT + 6 Hours