Mark:

The RACF AUDITOR attribute is more than a READONLY ability. A RACF user
holding the AUDITOR attribute at system level can change any AUDIT
setting, both at SETROPTS and PROFILES levels. And those changes can be
dangerous. He can, for instance, turn on an audit option that floods
your SMF datasets, or turn off auditing options for sensible resources
causing an audit hole.

AFAIK, IBM has received requirements for a READONLY attribute (same as
AUDITOR, but lacking the ability to make ANY change to AUDIT options),
but I do not know whether it will be implemented or not.


JUAN MAUTALEN



<<<... I myself have the AUDITOR attribute in RACF
to help diagnose problems that may be security related that aren't
obvious.
But not all the "MVS" sysprogs have it. All AUDITOR does is give me READ
access to profiles and doesn't let me circumvent security in any way,
but every year during audit my manager and the security manager have to
sign off on the access and explain it>>>


Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group:  G-ITO
mailto:[EMAIL PROTECTED]
z/OS and OS390 expert at http://searchDataCenter.com/ateExperts/
Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search
the archives at http://bama.ua.edu/archives/ibm-main.html
