Shared ID Risk


IBM Mainframe Forums -> All Other Mainframe Topics
namdrino

New User


Joined: 12 Feb 2013
Posts: 11
Location: USA

PostPosted: Thu Mar 21, 2013 12:52 am
I'm reviewing shared IDs in our environment. I am aware of the risks of shared IDs with TSO access but I am trying to determine the risk that exists with IDs that only have the BATCH facility and cannot logon interactively via TSO. Most of these IDs are system/service type of IDs and I'm trying to determine if I should include them in my review. We are using TopSecret. Thoughts?
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10873
Location: italy

PostPosted: Thu Mar 21, 2013 1:19 am
You should know better: the <product> used to enforce the security checks is irrelevant to the problem.

also the question, as is, is a moot point,
a shared user/ID is, in general z/OS terminology, a user/ID shared among many persons to identify themselves to the system

the userids assigned by the system to started tasks, and similar, do not fall into the category of shared IDs

if the system is properly set up, sharing a user/ID does not raise any integrity issues
only AUDIT concerns ...

in many countries ( mostly for union issues ) the use of shared user/IDs is quite common outside the IT boundaries

at the end You are the
Quote:
Occupation: IT Auditor

and it is You who must decide what to put in Your report

what to put in an IT security review report is a religious war ...
so again everything is up to You

also You must verify if Your organization falls under specific legal obligations
namdrino

New User


Joined: 12 Feb 2013
Posts: 11
Location: USA

PostPosted: Thu Mar 21, 2013 1:45 am
Most of that response isn't relevant to the question. Let me clarify.

Does an ID (shared or otherwise) secured by TopSecret that only has the 'BATCH' facility present any type of security risk? For example, say the ID has ALL access to sensitive datasets... could a job be submitted under this ID that had the ability to modify/delete the sensitive datasets?
Akatsukami

Global Moderator


Joined: 03 Oct 2009
Posts: 1788
Location: Bloomington, IL

PostPosted: Thu Mar 21, 2013 1:52 am
namdrino wrote:
Most of that response isn't relevant to the question. Let me clarify.

Does an ID (shared or otherwise) secured by TopSecret that only has the 'BATCH' facility present any type of security risk? For example, say the ID has ALL access to sensitive datasets... could a job be submitted under this ID that had the ability to modify/delete the sensitive datasets?

Probably. Whilst I don't know Top Secret (this is a RACF shop), a job can be written allowing a user to submit more jobs having the same access. As I prefer not to share details on an open forum, PM me if you want to know more.
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10873
Location: italy

PostPosted: Thu Mar 21, 2013 2:16 am
Quote:
Most of that response isn't relevant to the question.

just because You did not care to try to understand it

Quote:
... could a job be submitted under this ID...

the answer is in the Top Secret manuals
most probably yes using the surrogate userid facility
( possibility for a userid to submit jobs on behalf of a different one )

but that depends on the system setup
Gary McDowell

Active User


Joined: 15 Oct 2012
Posts: 139
Location: USA

PostPosted: Thu Mar 21, 2013 4:08 am
Since SAS 70 our company cannot use any shared IDs of any kind. Not passing a SAS 70 audit would mean losing a lot of business for us. Does your company follow SAS 70 regulations? If so, your choice is easy!
enrico-sorichetti

Superior Member


Joined: 14 Mar 2007
Posts: 10873
Location: italy

PostPosted: Thu Mar 21, 2013 4:23 am
Gary,

seems that there is a language barrier with the TS about the concept of SHARED

( just trying to clarify things for the lurkers )
in RACF terminology a <BATCH> userid could be defined as an ID without a TSO segment

and it is used when assigning a userid for the started tasks or started jobs
or as the target of a surrogate ...
or for CICS users
( for the USS side the situation is a bit murky )

I would consider it a bit extreme to define as SHARED a <batch> ID which is the surrogate ( or the other way around ) of many <TSO> IDs

( many users capable of submitting jobs on behalf of the above )
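The distinction drawn in this thread (a human-shared TSO ID, versus a batch-only ID that can still have work run under it through the surrogate facility or through a shared password) can be turned into a repeatable review step. The script below is an added example written for this page; it is not code from the thread, from Top Secret or from RACF. The record layout, the finding codes, and every ID, facility name and dataset high-level qualifier in the constructed inventory are assumptions made for illustration, not an export format of either product. It flags an ID for the report when more than one party can get a job running under it with access to something sensitive, which is the scenario namdrino asked about and the surrogate case enrico described.

```python
# Added example, not code from the forum thread: a small review helper that
# applies the distinctions drawn above to a constructed inventory of IDs.
# Every ID, facility name and dataset HLQ below is made up for illustration;
# the record layout is an assumption, not a Top Secret or RACF export format.
from dataclasses import dataclass


@dataclass
class UserId:
    name: str
    facilities: frozenset            # facilities the ID may use, e.g. {"TSO", "BATCH"}
    people: int                      # humans who know the password (0 for a system ID)
    sensitive_access: frozenset      # HLQs the ID can modify or delete
    surrogate_submitters: frozenset  # IDs allowed to submit jobs on behalf of this one


# Finding codes returned by review(); the wording mirrors the thread's concerns.
SHARED_TSO = "SHARED_TSO_ID"                  # several people, interactive logon
SHARED_BATCH = "SHARED_BATCH_ID"              # several people, batch only, sensitive access
SURROGATE_FANIN = "SENSITIVE_BATCH_ID_WITH_MANY_SURROGATES"
SURROGATE_SINGLE = "SENSITIVE_BATCH_ID_WITH_SURROGATE"


def effective_principals(u: UserId) -> int:
    """Number of distinct parties who can run work under this ID: the people
    who hold its password plus every ID permitted to submit on its behalf."""
    return u.people + len(u.surrogate_submitters)


def review(inventory):
    """Return {id_name: [finding codes]} for IDs that need to appear in the report.
    IDs with no findings (e.g. started-task IDs with no sensitive access and no
    surrogates) are omitted, matching the point that those are not 'shared' IDs."""
    report = {}
    for u in inventory:
        findings = []
        interactive = "TSO" in u.facilities
        batch_only = "BATCH" in u.facilities and not interactive

        # Classic shared ID: several humans log on interactively as the same user.
        if interactive and u.people > 1:
            findings.append(SHARED_TSO)

        # The question in the thread: a batch-only ID cannot log on, but a job
        # can still run under it. That matters only if it can reach something
        # sensitive, and only if more than one party can get a job running under it.
        if batch_only and u.sensitive_access:
            if u.people > 1:
                findings.append(SHARED_BATCH)
            n_sur = len(u.surrogate_submitters)
            if n_sur > 1:
                findings.append(SURROGATE_FANIN)   # many IDs can submit as it: effectively shared
            elif n_sur == 1:
                findings.append(SURROGATE_SINGLE)  # one submitter: confirm it is intended

        if findings:
            report[u.name] = findings
    return report


# Constructed inventory (not real IDs):
SAMPLE = [
    # Batch-only service ID with ALL access to payroll data and three TSO users
    # permitted to submit on its behalf: in practice shared, even without TSO.
    UserId("PAYRLL01", frozenset({"BATCH"}), 0, frozenset({"PAYROLL"}),
           frozenset({"TSOUSR1", "TSOUSR2", "TSOUSR3"})),
    # Started-task ID: batch only, nothing sensitive, nobody submits as it.
    UserId("STCJES2", frozenset({"BATCH"}), 0, frozenset(), frozenset()),
    # Operations ID whose password five people know, with TSO logon.
    UserId("OPSHARE", frozenset({"TSO", "BATCH"}), 5, frozenset({"SYS1"}), frozenset()),
    # Batch-only ID, no surrogates, but three people know the password.
    UserId("BATCHX", frozenset({"BATCH"}), 3, frozenset({"HR"}), frozenset()),
    # Ordinary personal ID.
    UserId("ALICE", frozenset({"TSO", "BATCH"}), 1, frozenset(), frozenset()),
]


if __name__ == "__main__":
    for name, codes in review(SAMPLE).items():
        u = next(x for x in SAMPLE if x.name == name)
        print(f"{name}: {', '.join(codes)} (effective principals: {effective_principals(u)})")
```

Run as is, the script reports PAYRLL01 (three surrogate submitters), OPSHARE (shared interactive ID) and BATCHX (shared password on a batch-only ID with sensitive access), and stays silent on the started-task ID and the personal ID. The `people` and `surrogate_submitters` columns are the part that has to be filled from your own security-product listings and from asking who actually holds each password; the script only makes the decision rule explicit.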