This portal is to open public enhancement requests against IBM Z Software products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
This has been delivered in zSecure 3.2.
Agreed that having both available would be a commonsense type of approach, allowing the client to select what is relevant for their given situation and requirements.
Thank you,
Brent Brimacomb
Actually, it is not uncustomary in the UNIX world for whole UNIX packages to be shipped with physical global attributes on, where access to the file is expected to be restricted through the path to get there not giving read/execute access to the directory. If that is the case there is no global write capability at all, even though the physical attribute at the lowest file level might suggest it. So looking at the physical attributes can give lots of false positives as the vendors of these products have pointed out in the past, which is why we created effective attributes.
In standards there is a very big difference between a standard requiring no (effective) access (e.g. PCI-DSS) and a standard requiring individual physical file attributes to not be set (e.g. CIS benchmark). The former can be checked with effective attr, and the latter requires checking against physical attr, but obfuscates the distinction of what is a real major security hole in your system versus what is just one of the layers of defense that could be tightened.
That being said, we'll interpret the idea as a request to switch between physical and effective in the selection criteria, or provide them both.
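The physical versus effective distinction discussed in this thread, as an added Python illustration (not zSecure code and not IBM's algorithm). It assumes plain POSIX mode bits only, ignoring ACLs, ownership and z/OS-specific controls; the function names, the `stop_at` parameter and the sample tree are hypothetical.

```python
import os
import stat
import tempfile

def physical_world_writable(path):
    """True if the file's own mode bits grant write to 'other'."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

def blocking_directory(path, stop_at="/"):
    """Nearest ancestor directory that denies search (execute) permission to
    'other', or None if every directory up to stop_at can be traversed."""
    stop_at = os.path.realpath(stop_at)
    current = os.path.dirname(os.path.realpath(path))
    while True:
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return current
        if current == stop_at or current == os.path.dirname(current):
            return None
        current = os.path.dirname(current)

def effective_world_writable(path, stop_at="/"):
    """Physical o+w AND every directory on the way to the file grants o+x."""
    return (physical_world_writable(path)
            and blocking_directory(path, stop_at) is None)

def demo():
    """Constructed tree: pkg/data.cfg is mode 666, pkg/ starts closed to 'other'."""
    with tempfile.TemporaryDirectory() as base:
        os.chmod(base, 0o755)
        pkg = os.path.join(base, "pkg")
        os.mkdir(pkg)
        target = os.path.join(pkg, "data.cfg")
        with open(target, "w") as f:
            f.write("constructed sample\n")
        os.chmod(target, 0o666)
        os.chmod(pkg, 0o750)  # directory closes the path to 'other'
        closed = (physical_world_writable(target),
                  effective_world_writable(target, base))
        os.chmod(pkg, 0o755)  # path opened: the physical bit now matters
        opened = (physical_world_writable(target),
                  effective_world_writable(target, base))
        return closed, opened

if __name__ == "__main__":
    print(demo())  # (physical, effective) with pkg/ closed, then opened
```

A physical-attribute check (CIS style) flags the file in both states; an effective check flags it only once the directory path is open to "other".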