The rise of computer networking means that computer center services can increasingly be outsourced. There are thus circumstances under which security-critical data has to be entrusted to external service companies. Administration activities have to be carried out under the user ID TSOS. However, a user with the user ID TSOS has unrestricted co-administration rights for files and job variables and is thus in a position to change protection mechanisms and gain access to data entrusted into his or her care.

Example

A DV user wants to prevent a security-critical file NOT-FOR-TSOS from being accessed by the computer center staff of an external service company. To this end, the user links the file with the guard GUA. The guard prevents the user TSOS from carrying out any read, write or execute data accesses (see section "Data access control and system access control"):

Because the external computer center administrators have system-wide TSOS co-owner rights under the user ID TSOS, they can administer the protection attributes of this file and thus also remove the file protection:

/modify-file-attributes file-name=$customer.not-for-tsos, -
/ protection=*par(guards=*none)

Without guard protection the data of the $CUSTOMER.NOT-FOR-TSOS file is not accessible on an unrestricted basis to the user with the user ID TSOS. SAT logging can provide evidence of data accesses in retrospect but cannot prevent any damage resulting from them.