On Mon, 25 Apr 2011 11:25:42 -0500, McKown, John <[email protected]> wrote:
>Basically you cannot do what you want because the RACF id of SANCHEZ is in REVOKEd status. It is weird, to me, that you cannot affect a revoked user's datasets. But I've had it happen too many times.
>

The point you don't seem to understand, John, is that the check is not about the user running the command, but about the "resource owner" (RESOWNER) of the data set, and the check is to determine whether that RESOWNER is allowed to use a particular SMS management class or storage class. And when the RESOWNER is a revoked user ID, RACF cannot perform the check.

You can specify, via the USE_RESOWNER parameter in PARMLIB(IGDSMSxx), whether it is the RESOWNER who must have authority to use management classes and storage classes or the user (user allocating a new data set, or administrator using commands). By default, the system checks the RESOWNER's authority, and that can lead to the failures you've seen.

--
Walt Farrell
IBM STSM, z/OS Security Design

