>>How can RACF stop someone when they have a legitimate need
It can't of course. That's why the Target attack (like most others) essentially revolved around a bit of social engineering and getting access to a privileged account. Along with poor malware detection, lack of network segregation and various other factors. The systems were basically running on Microsoft Virtualization and other MS facilities. To suggest this all comes down to "Dynamic Allocation" which is unique to MVS based systems (due to its two-level dataset access via DDs) is a bit of a stretch. Limiting dynalloc via more security software would still be open to privilege elevation attacks.
