Wednesday, November 04, 2009
Rethinking the security of mainframe elevation procedures
Should an elevation to production in a mainframe environment be accomplished by moving all the components (copycode, source (most often COBOL), object, load modules, etc, as well as JCL and Procs) separately from a QA region or even the programmer’s region, or should the modules be recompiled and relinked in the production environment as part of the promotion process?
I seem to recall that back around 1991, when the shop where I worked used CA-Librarian, that all the components were moved separately. Testing and file-file comparing had been done with the load modules that were actually moved. Theoretically, if they were recompiled and relinked in a production environment, the same load modules so heavily tested wouldn’t be used. The programmer had to remember to manually “process” the source (that is, lock it) to guarantee that the source and load modules match. But to the best of my recollection, in the late 1990s with a Changeman environment, all the load modules were recreated with the production environment. This seems like a more secure procedure. It guarantees that source and load modules are in sync.