
    John Amsden
    [Lincoln Financial Group]
    I've been asked to get some feedback from other companies on access to production DB2 subsystems from test/QA systems. Does anyone allow any access to production DB2 subsystems from non-production entities (batch, online, distributed)?

    Thanks in advance!





    Notice of Confidentiality: **This E-mail and any of its attachments may contain
    Lincoln National Corporation proprietary information, which is privileged, confidential,
    or subject to copyright belonging to the Lincoln National Corporation family of
    companies. This E-mail is intended solely for the use of the individual or entity to
    which it is addressed. If you are not the intended recipient of this E-mail, you are
    hereby notified that any dissemination, distribution, copying, or action taken in
    relation to the contents of and attachments to this E-mail is strictly prohibited
    and may be unlawful. If you have received this E-mail in error, please notify the
    sender immediately and permanently delete the original and any copy of this E-mail
    and any printout. Thank You.**

    ______________________________________________________________________

    * IDUG 08 Bangalore, India * 21-23 August 2008 * http://IDUG.ORG/lsIN *
    ______________________________________________________________________


    The IDUG DB2-L Listserv is only part of your membership in IDUG. The DB2-L list archives, FAQ, and delivery preferences are at http://www.idug.org/lsidug under the Listserv tab. While at the site, you can also access the IDUG Online Learning Center, Tech Library and Code Place, see the latest IDUG conference information and much more. If you have not yet signed up for Basic Membership in IDUG, available at no cost, click on Member Services at http://www.idug.org/lsms
    Mark Vickers
    [Grocers Supply]
    John,
    We are a grocery distributor and retailer, and as our data is
    non-sensitive we allow within MIS (IT) developers:
    - data migration from production image copies (unload/load) into test regions
    - read only access to production
    - emergency update access is granted temporarily for production fixes only

    All MIS staff have signed confidentiality agreements and are not treated
    as potential criminals and it works well.

    Let me state that we are not a public company, so do not have to comply
    with SOX, HIPAA etc. and all the other auditing pre-req's of public
    companies.

    This is a very "Company Specific" security policy decision that IMO should
    be made firstly according to any Federal or State requirements and then
    secondly consideration within your own organization for privacy
    obligations and other related risks for sensitive data.
    HTH
    Mark Vickers.
    This e-mail (and any attachments) may contain information that is
    confidential and/or protected by law. Any review, use, distribution or
    disclosure to anyone other than the
    intended recipient(s) is strictly prohibited. If you are not the intended
    recipient, please contact the sender by reply email and delete all copies
    of this message.



    Martin Kenney
    [Railinc]
    We do not allow access to production from test/QA here.



    Cathy Taddei
    [Standard Insurance]
    I'm almost afraid to answer, because we are not as far along in our data scrubbing as we want to be. However, we do unload production data periodically (about every 6 weeks or so) and load it into test. One or two individuals can update production via spufi to fix data problems. There is no direct connection from a test CICS, DB2, or batch job to production.


    ------------------------------------------------------------------------------

    This email is confidential and may be legally privileged.

    It is intended solely for the addressee. Access to this email by anyone else, unless expressly approved by the sender or an authorized addressee, is unauthorized.

    If you are not the intended recipient, any disclosure, copying, distribution or any action omitted or taken in reliance on it, is prohibited and may be unlawful. If you believe that you have received this email in error, please contact the sender, delete this e-mail and destroy all copies.

    ======

    Troy Coleman
    Hi John,
    We "SoftBase" have a product called TestBase used by many companies to copy, subset and mask production data to test. Almost all of them have a DDF link from test to prod. A few customers wanted to secure the connection so that only TestBase could connect, so I built them an RLF rule to exclude all remote connections except TestBase. We did have one customer who did not allow the DRDA connection, so we added a feature to unload, subset, mask on production. Then from Test pull the different sets of files over FTP or NDM and load into test.

    In general if you have your security RACF setup then having a connection to production is not a problem.


    Troy Coleman, Support Engineer
    IBM Certified Database Administrator - DB2 9 for z/OS and LUW
    SoftBase Systems, Inc.
    847-776-0618
    828-670-9900 ext. 334
    [login to unmask email]
    Compliance Challenged with Test Data Privacy? White Papers and More at http://www.softbase.com/
    The information contained in this message may be CONFIDENTIAL and is for the intended addressee only. Any unauthorized use, dissemination of the information, or copying of this message is prohibited. If you are not the intended addressee, please notify the sender immediately and delete this message.


    Philip Gunning
    [GTS]
    John, most times we did not allow this as it was used to get around testing in qa or test. We did use similar products (Fileaid) to bring over subsets of data. That access was tightly controlled. Phil
    Myron Miller
    [NONE OF YOUR BUSINESS]
    My client provides access fairly similarly except that certain management within the applications area have update auth and can do whatever to the data that they desire.  They own the data with their users so they should be able to change it.

    Other than that, we allow programmers to copy from production to test, and have read-only access to production, provided their management approves.

    In addition, we provide a complete copy of many of the production tables in a test controlled read-only environment daily  (and another one in Production for reporting only).

    Myron

    ______________________________________________________________________

    * IDUG 08 Warsaw, Poland * 13-17 October 2008 * http://IDUG.ORG/lsEU *
    ______________________________________________________________________


    Ted MacNEIL
    >read-only access to production, provided their management approves.

    What if their management has no idea about the exposure granting that access?
    Not exactly a secure process!

    -
    Too busy driving to stop for gas!

    John Amsden
    [Lincoln Financial Group]
    Many thanks for all the replies. What a great resource!

    Myron Miller
    [NONE OF YOUR BUSINESS]
    Somebody has to be responsible somewhere.  Audits follow the access as well as other checks and balances.  But I suppose one can always assume to trust nobody anywhere.  Then in that case, don't provide any access to the users either, after all who knows the exposure that they can create.

    After the best security is that which no one can access, period.  Never trust anybody.

    Ted MacNEIL
    >But I suppose one can always assume to trust nobody anywhere.  Then in that case, don't provide any access to the users either, after all who knows the exposure that they can create.

    I realise that, but I got RACF Audit once because my manager didn't even know what it meant.
    He was a non-mainframer, and didn't even realise I could change audit options.

    There needs to be a stronger control than using a manager's approval.
    -
    Too busy driving to stop for gas!

    Raymond Bell
    [Lloyds Banking Group]
    I don't trust you, Myron. But do you trust I don't trust you? Ah,
    forgeddaboudit. I'm just getting my shots in early as I'm mostly out of
    the office tomorrow.

    Cheers,

    Raymond

    PS. You haven't seen me, right?



    Cathy Taddei
    [Standard Insurance]
    Once upon a time this was true in many shops. I can't speak for other shops, but since Sarbanes-Oxley, our managers take their approval authorities very seriously. If they don't understand what a request is for, they ask before they approve.

    -----Original Message-----
    From: DB2 Data Base Discussion List [mailto:[login to unmask email] On Behalf Of Ted MacNEIL
    Sent: Wednesday, July 16, 2008 6:13 PM
    To: [login to unmask email]
    Subject: Re: db2 v8 nfm, z/os 1.7

    >But I suppose one can always assume to trust nobody anywhere. Then in that case, don't provide any access to the users either, after all who knows the exposure that they can create.

    I realise that, but I got RACF Audit once because my manager didn't even know what it meant.
    He was a non-mainframer, and didn't even realise I could change audit options.

    There needs to be a stronger control than using a manager's approval.
    -
    Too busy driving to stop for gas!


    Myron Miller
    [NONE OF YOUR BUSINESS]
    Was the management aware of the new security legal requirements in this and most countries where they could be held personally legally responsible if they knowingly violated generally accepted security practices? And was this before Sarbanes-Oxley? Nowadays any manager that does things like this is really asking for trouble if they don't fully understand the ramifications of the security items they're approving. Jail time or civil suits are not something to pass off lightly.

    Myron

    --- On Wed, 7/16/08, Ted MacNEIL <[login to unmask email]> wrote:
    From: Ted MacNEIL <[login to unmask email]>
    Subject: Re: [DB2-L] db2 v8 nfm, z/os 1.7
    To: [login to unmask email]
    Date: Wednesday, July 16, 2008, 9:13 PM

    >But I suppose one can always assume to trust nobody anywhere.  Then in that
    case, don't provide any access to the users either, after all who knows the
    exposure that they can create.

    I realise that, but I got RACF Audit once because my manager didn't even
    know what it meant.
    He was a non-mainframer, and didn't even realise I could change audit
    options.

    There needs to be a stronger control than using a manager's approval.
    -
    Too busy driving to stop for gas!

    Ted MacNEIL
    This was in 2006.
    Well after SOX.
    I was/am in Canada, he was/is in Santa Ana, CA.
    I told him why I needed it, not what it did.
    It also blew right by our security team and our auditors.

    -
    Too busy driving to stop for gas!

    -----Original Message-----
    From: Myron Miller <[login to unmask email]>

    Date: Thu, 17 Jul 2008 15:45:09
    To: <[login to unmask email]>
    Subject: Re: [DB2-L] db2 v8 nfm, z/os 1.7


    Was the management aware of the new security legal requirements in this and most countries where they could be held personally legally responsible if they knowingly violated generally accepted security practices? And was this before Sarbanes-Oxley? Nowadays any manager that does things like this is really asking for trouble if they don't fully understand the ramifications of the security items they're approving. Jail time or civil suits are not something to pass off lightly.

    Myron

    --- On Wed, 7/16/08, Ted MacNEIL <[login to unmask email]> wrote:
    From: Ted MacNEIL <[login to unmask email]>
    Subject: Re: [DB2-L] db2 v8 nfm, z/os 1.7
    To: [login to unmask email]
    Date: Wednesday, July 16, 2008, 9:13 PM

    >But I suppose one can always assume to trust nobody anywhere. Then in that
    case, don't provide any access to the users either, after all who knows the
    exposure that they can create.

    I realise that, but I got RACF Audit once because my manager didn't even
    know what it meant.
    He was a non-mainframer, and didn't even realise I could change audit
    options.

    There needs to be a stronger control than using a manager's approval.
    -
    Too busy driving to stop for gas!

    Cathy Taddei
    [Standard Insurance]
    Sounds like you did your manager a disservice by failing to explain the full ramifications of your request. You can't blame your manager when you withhold information from him/her. I would have explained the risk and offered possible compensating controls (extra reporting, etc.) to mitigate that risk.

    ________________________________
    From: DB2 Data Base Discussion List [mailto:[login to unmask email] On Behalf Of Ted MacNEIL
    Sent: Thursday, July 17, 2008 4:14 PM
    To: [login to unmask email]
    Subject: Re: db2 v8 nfm, z/os 1.7

    This was in 2006.
    Well after SOX.
    I was/am in Canada, he was/is in Santa Ana, CA.
    I told him why I needed it, not what it did.
    It also blew right by our security team and our auditors.

    -
    Too busy driving to stop for gas!

    ________________________________
    From: Myron Miller <[login to unmask email]>
    Date: Thu, 17 Jul 2008 15:45:09 -0700
    To: <[login to unmask email]>
    Subject: Re: [DB2-L] db2 v8 nfm, z/os 1.7

    Was the management aware of the new security legal requirements in this and most countries where they could be held personally legally responsible if they knowingly violated generally accepted security practices? And was this before Sarbanes-Oxley? Nowadays any manager that does things like this is really asking for trouble if they don't fully understand the ramifications of the security items they're approving. Jail time or civil suits are not something to pass off lightly.

    Myron

    --- On Wed, 7/16/08, Ted MacNEIL <[login to unmask email]> wrote:
    From: Ted MacNEIL <[login to unmask email]>
    Subject: Re: [DB2-L] db2 v8 nfm, z/os 1.7
    To: [login to unmask email]
    Date: Wednesday, July 16, 2008, 9:13 PM


    >But I suppose one can always assume to trust nobody anywhere. Then in that
    case, don't provide any access to the users either, after all who knows the
    exposure that they can create.

    I realise that, but I got RACF Audit once because my manager didn't even
    know what it meant.
    He was a non-mainframer, and didn't even realise I could change audit
    options.

    There needs to be a stronger control than using a manager's approval.
    -
    Too busy driving to stop for gas!

    Ted MacNEIL
    >Sounds like you did your manager a disservice by failing to explain the full ramifications of your request.  You can't blame your manager when you withhold information from him/her.  I would have explained the risk and offered possible compensating controls (extra reporting, etc.) to mitigate that risk.


    I did all that, but it still should have been checked by our admins and auditors.
    I tried to explain it to him, but he either didn't want to understand, or was afraid to admit his ignorance.
    I needed audit to quickly test and install VANGUARD, and I knew the power of the attribute, so I wasn't going to abuse it.
    I also requested the removal of the attribute as soon as the project was completed.

    My point was not about disservice, or abuse of power; rather that a manager's approval is not necessarily safe.
    -
    Too busy driving to stop for gas!

    Nick Dordea
    Where's the beef? Where's DB2? Could you switch to private emailing
    please?


    -----Original Message-----
    From: DB2 Data Base Discussion List [mailto:[login to unmask email] On
    Behalf Of Ted MacNEIL
    Sent: Thursday, July 17, 2008 7:05 PM
    To: [login to unmask email]
    Subject: Re: [DB2-L] db2 v8 nfm, z/os 1.7

    >Sounds like you did your manager a disservice by failing to explain the
    full ramifications of your request.  You can't blame your manager when
    you withhold information from him/her.  I would have explained the risk
    and offered possible compensating controls (extra reporting, etc.) to
    mitigate that risk.


    I did all that, but it still should have been checked by our admins and
    auditors.
    I tried to explain it to him, but he either didn't want to understand,
    or was afraid to admit his ignorance.
    I needed audit to quickly test and install VANGUARD, and I knew the
    power of the attribute, so I wasn't going to abuse it.
    I also requested the removal of the attribute as soon as the project was
    completed.

    My point was not about disservice, or abuse of power; rather that a
    manager's approval is not necessarily safe.
    -
    Too busy driving to stop for gas!
