>Also, ACF2 works with the HLQ,

>If you want to protect a specific dataset, you have to start with the HLQ
>rule in the database.
>And, ACF2 really doesn't have the equivalent of discrete profiles;
>everything is generic.

Ohhhhhhhhhhhhh, please do be veryyyyyyyyyyyy careful here.

ACF2 works, as does RACF and all security systems by necessity, from "bottom
up" instead of "top down" as we sysprogs are accustomed to do.

In other words, if you define a more specific rule, ACF2 will enforce the
privileges, or lack thereof, of the more specific ruleset rather than the
more generic ruleset.

If someone previously has access to the specific resource you are defining
(ABC.DEF), but has it only through the more generic ruleset (ABC.***), he
will lose that access unless you carry his rule definition down to your more
specific ruleset definition.

I have the scars to prove it.

For example.

If there is a generic ACF2 rules set:

ABC.***

and userid PRODJOB has access to dataset ABC.DEF

and you now define a more specific ruleset:

ABC.DEF

and give yourself JSMITH access to it and fail to bring down PRODJOB's
access rule line, then you have just locked production out of dataset
ABC.DEF.

Welcome to the club.




On Thu, Apr 15, 2010 at 1:45 PM, Pinnacle <[email protected]> wrote:

> ----- Original Message ----- From: "Natarajan Mohan" <[email protected]>
> Newsgroups: bit.listserv.ibm-main
> Sent: Thursday, April 15, 2010 1:03 PM
>
> Subject: Re: ACF2 equiv of RACF command
>
>
>> You do not need A(A) unless its RACF equivalent is ALTER.
>>
>> Natarajan
>>
>>
> The answer on CONTROL is "IT DEPENDS".  About 99% of the CONTROL accesses I
> saw required ALLOCATE(A) in order to complete successfully under ACF2. YMMV.
>
> Regards,
> Tom Conley
>  ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
>



-- 
George Henke
(C) 845 401 5614

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
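
Added example, not part of the original message and not ACF2 syntax: a simplified Python model of the lockout described above, usable as a pre-change check that lists who loses access when a more specific rule set is introduced. The function names, the data layout, and the matching rule (a trailing `***` matches any remainder, and the longest literal part wins) are assumptions made for illustration.

```python
"""Simplified model of 'most specific rule set governs, with no fall-through'.
Constructed data; not ACF2 rule syntax and not a real ACF2 interface."""

def matches(pattern, dsn):
    # Assumption: a trailing "***" matches any remainder of the dataset name.
    if pattern.endswith("***"):
        return dsn.startswith(pattern[:-3])
    return dsn == pattern

def governing_rule(rules, dsn):
    """Return the most specific matching rule set (longest literal part)."""
    hits = [p for p in rules if matches(p, dsn)]
    return max(hits, key=lambda p: len(p.rstrip("*")), default=None)

def allowed(rules, user, dsn):
    # Only the governing rule set is consulted; a user missing from it is
    # denied even if a more generic rule set lists them.
    rule = governing_rule(rules, dsn)
    return rule is not None and user in rules[rule]

def lockouts(rules, new_pattern, new_users, datasets):
    """(user, dataset) pairs allowed today that the proposed rule set denies."""
    proposed = {**rules, new_pattern: set(new_users)}
    users = set().union(*rules.values())
    return sorted(
        (u, d)
        for d in datasets
        for u in users
        if allowed(rules, u, d) and not allowed(proposed, u, d)
    )

# Constructed sample matching the scenario in the message.
RULES = {"ABC.***": {"PRODJOB"}}
DATASETS = ["ABC.DEF", "ABC.XYZ"]

if __name__ == "__main__":
    # JSMITH alone on the new rule set: PRODJOB is locked out of ABC.DEF.
    print(lockouts(RULES, "ABC.DEF", {"JSMITH"}, DATASETS))
    # Carrying PRODJOB's line down to the new rule set avoids the lockout.
    print(lockouts(RULES, "ABC.DEF", {"JSMITH", "PRODJOB"}, DATASETS))
```
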
