HP3000-L Archives

June 1997, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Jeff Kell <[log in to unmask]>
Reply To: Jeff Kell <[log in to unmask]>
Date: Wed, 11 Jun 1997 13:14:33 -0400

Michael L Gueterman wrote:

>   Well,  if your programmers have AM capability in the same
> account as your proposed groups, then you're pretty much
> stuck.  Anything you do via standard MPE security they'll
> be able to bypass.  This would be true even with a "full blown
> change control package".  I suggest that (although it may not
> make you the most popular person in the eyes of the programmers)
> you take a step back from the situation and review *why* the
> programmers need AM.  Work on getting them what they need
> with minimal capabilities, and then remove AM from them.

I agree 100%.

> Then you can secure the groups in question from write access.

One "end-around" we use, without going outright to AM, is to give AL to
the programmers.  Most of the groups where they need access have group
security set to (R,A,W,L,X,S:AL,GU) or suitable subset thereof, while
the really secure groups omit the AL access.

This works great for MPE.  It gets weird with Posix, where "AL" has no
direct connotation.

Jeff Kell <[log in to unmask]>
