IzODA / MDS team: the MDS component of IzODA checks DB2 internal security to validate access permissions, and schedules a PSB to validate IMS permissions before accessing the data.
We are left with sequential and VSAM files with no authorization pre-check in RACF. We want the MDS team to simply RACHECK the sequential or VSAM dataset name against the RACF database. This will validate whether or not the IzODA consumer is authorized to access the sequential or VSAM DSN ... we do not want MDS to allow consumers to piggyback on the full authority of the IzODA address spaces to access whatever dataset they want.
| Who would benefit from this IDEA? | All IzODA/MDS consumers who have virtual tables referring to sequential and VSAM datasets in production systems. |
| Priority Justification | Close a major security exposure for sequential and VSAM dataset access via IzODA/MDS. |
| Client Name | American Express |
How should it work?
With a huge security loophole like this for sequential and VSAM datasets, we want MDS to check against the associated dataset profile in the RACF database before delivering data. Please add this RACHECK logic and fail if it comes back unauthorized.
Example: a consumer wants to read encrypted data from AMEX.VSAM.DATA.FILE using MDS.
MDS has the authority to the decryption keys, but the requesting user must have access to the RACF profile which covers the AMEX.VSAM.DATA.FILE dataset. We do not want MDS delivering data for consumers that have no RACF authority to access sequential and VSAM datasets.
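The following is an added illustration of the check being requested, not code from IBM, IzODA/MDS or American Express. It models the confused-deputy problem described above: a data service whose own started-task identity has full authority over the data, and which must therefore authorize the requesting user against the covering RACF DATASET profile instead of itself. The RACF behaviour is imitated in simplified form (enhanced generic naming, most-specific-profile selection, user entry over group entry over UACC, no covering profile fails closed); it is not RACF's API. On z/OS the real check would be a RACROUTE REQUEST=AUTH in class DATASET made on behalf of the requester. The dataset name comes from the text; the userids (MDSSTC, ANALYST1, AUDITGRP, INTERN), the profiles, the record contents and the toy XOR "encryption" are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from itertools import cycle

# RACF access levels, least to most privileged.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class Profile:
    """A DATASET-class profile: name, UACC and access list (userid/group -> level)."""
    name: str
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)


def qualifier_matches(pat: str, qual: str) -> bool:
    """Within one qualifier: '%' matches one character, '*' matches the rest."""
    regex = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c) for c in pat)
    return re.fullmatch(regex, qual) is not None


def profile_matches(profile: str, dsn: str) -> bool:
    """Generic matching under enhanced generic naming, simplified:
    a '**' qualifier matches zero or more whole qualifiers."""
    def rec(p, d):
        if not p:
            return not d
        if p[0] == "**":
            return any(rec(p[1:], d[i:]) for i in range(len(d) + 1))
        return bool(d) and qualifier_matches(p[0], d[0]) and rec(p[1:], d[1:])
    return rec(profile.split("."), dsn.split("."))


def specificity(profile: str) -> list:
    """Sort key imitating RACF's most-specific rule: at the first differing
    position a discrete character beats '%', which beats '*', which beats '**'."""
    key, i = [], 0
    while i < len(profile):
        if profile.startswith("**", i):
            key.append(3)
            i += 2
        else:
            key.append({"*": 2, "%": 1}.get(profile[i], 0))
            i += 1
    return key


def best_profile(profiles, dsn):
    """The most specific profile covering dsn, or None if nothing covers it."""
    matches = [p for p in profiles if profile_matches(p.name, dsn)]
    return min(matches, key=lambda p: specificity(p.name)) if matches else None


def access_allowed(profiles, dsn, userid, groups, needed="READ") -> bool:
    """Decision on behalf of a given identity: no covering profile denies
    (fail closed); a user entry wins over groups; otherwise the highest
    group entry; otherwise UACC."""
    prof = best_profile(profiles, dsn)
    if prof is None:
        return False
    if userid in prof.acl:
        level = prof.acl[userid]
    else:
        group_levels = [prof.acl[g] for g in groups if g in prof.acl]
        level = max(group_levels, key=LEVELS.index) if group_levels else prof.uacc
    return LEVELS.index(level) >= LEVELS.index(needed)


# Constructed sample: one "encrypted" VSAM file (toy XOR stands in for the key
# service the data server is authorized to use) and the profiles covering it.
KEY = b"k3y"
PLAINTEXT = b"ACCT 4111 BAL 12.50"
DATASETS = {"AMEX.VSAM.DATA.FILE": bytes(b ^ k for b, k in zip(PLAINTEXT, cycle(KEY)))}
PROFILES = [
    Profile("AMEX.**", uacc="READ"),  # broad profile, less specific
    Profile("AMEX.VSAM.**", uacc="NONE",
            acl={"MDSSTC": "ALTER", "ANALYST1": "READ", "AUDITGRP": "READ"}),
]


class DataService:
    """Stands in for the MDS address space: runs under its own started-task
    identity (hypothetical MDSSTC), which has ALTER on the data and holds the key."""
    OWN_ID, OWN_GROUPS = "MDSSTC", ("STCGRP",)

    def __init__(self, profiles, datasets):
        self.profiles, self.datasets = profiles, datasets

    def _decrypt(self, dsn) -> bytes:
        return bytes(b ^ k for b, k in zip(self.datasets[dsn], cycle(KEY)))

    def read_unchecked(self, requester, dsn) -> bytes:
        """Current behaviour: the only check uses the service's own identity,
        so every consumer inherits its authority; 'requester' is ignored."""
        if not access_allowed(self.profiles, dsn, self.OWN_ID, self.OWN_GROUPS):
            raise PermissionError(f"{self.OWN_ID} lacks READ on {dsn}")
        return self._decrypt(dsn)

    def read_checked(self, requester, requester_groups, dsn) -> bytes:
        """Requested behaviour: third-party check on behalf of the requester
        against the covering DATASET profile, failing closed when unauthorized."""
        if not access_allowed(self.profiles, dsn, requester, requester_groups):
            raise PermissionError(f"{requester} not authorized to READ {dsn}")
        return self._decrypt(dsn)


if __name__ == "__main__":
    svc = DataService(PROFILES, DATASETS)
    print(svc.read_checked("ANALYST1", (), "AMEX.VSAM.DATA.FILE"))
    print(svc.read_unchecked("INTERN", "AMEX.VSAM.DATA.FILE"))  # the exposure
    try:
        svc.read_checked("INTERN", ("NOGRP",), "AMEX.VSAM.DATA.FILE")
    except PermissionError as e:
        print("denied:", e)
```

Two details carry the security point. First, the check is made with the requester's identity, never the server's, so the server's ALTER access and its key access do not leak to consumers. Second, the decision fails closed: a dataset no profile covers, or a covering profile whose UACC is NONE with no matching access-list entry, yields a denial rather than a fall-through to the server's own authority. Note also that the less specific AMEX.** profile with UACC READ does not help an unauthorized consumer, because the more specific AMEX.VSAM.** profile governs the file.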