>On Tue, 15 May 2007 09:03:56 -0500, Paul Gilmartin
><[EMAIL PROTECTED]> wrote:
>
>Why does RACF not support rules restricting the set of users who may ENQ
>on protected data set names?
>
>-- gil
>
RACF will support you creating a new CLASS and defining whatever resource you want. As another post stated, it is not RACF's job to enforce it, just say yea or nay. So after this new CLASS gets created, something has to start making calls to RACF and checking profiles.

It scares me that one post stated CA-MIM will try to free the dataset from a task that has it. What happens to that task when it then tries to use it after CA-MIM took it away?

A program does not need to open every DD immediately upon starting. Nor ever, which is why the RACF check needs to wait until you show your intentions to ask if the level of access is sufficient.

If I were doing security administration I would not want the burden of having to protect a dataset under an ENQ class and under a DATASET class.

I think what gil leads to asking for, is having whatever process is going to issue an enqueue, at least check if access is NONE and fail it if true that the user has no access, thereafter wait for the open to see if additional access is required.

This may help rid the practice of passing around JCL with DD names that do not belong in the step to a friend who does not remove it and passes it to his/her friend who does not remove it. They will for those data sets they do not have any access. Won't catch them all, but it will help.

