But group-special gives some additionnal unwanted capabilities. For instance, a user with group-special in group A can create subgroups of A. And i definitely not like the idea of PROGRAM protecting RACF commands to further restrict group-special abilities.
Juan G. Mautalen -----Mensaje original----- De: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] En nombre de R.S. Enviado el: Lunes, 12 de Febrero de 2007 12:35 p.m. Para: [email protected] Asunto: Re: RACF Surrogate Authority Mautalen Juan Guillermo wrote: > Itschak: > > I general i agree with you, but there are some exceptions where > surrogate authority proves useful even for users (persons). > > Example: > I needed that 4 users could fully administrate some RACF profile. > Basically, they should be able to do what the OWNER of the profile is > able to do. However, you know that ownership of profiles only gives > administrative authority when the owner is actually a RACF USER and > not a RACF GROUP. So, my solution was: > I specifically created a user and made it the OWNER of the profile. It > is a PROTECTED user. > Then, i gave those 4 users authority to submit jobs on behalf of it > (surrogate authority). This way, i managed to give those 4 users > "ownership" of the profile. > That's why we use group-special. -- Radoslaw Skorupka Lodz, Poland ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
