Tony B. wrote:

> Protecting ADRDSSU is nonsense.

Why?

There are two ways to protect ADRDSSU in RACF:

1. PROGRAM CLASS 

2. FACILITY CLASS profiles:
    
Example: STGADMIN.ADR.STGADMIN.DUMP - To dump dsn without having 
READ access to datasets on condition you use ADMINISTRATOR keyword.


Ted MacNEIL wrote:

>ADRDSSU at least makes sense.

Yup! Here I agree 100.00% with Ted. ;)


Paul Gilmartin wrote:

>Does ADRDSSU allow a programmer to dump data sets lacking READ access,
>or to dump a volume containing data sets to which the programmer lacks read
>access?

Yes, but with correct FACILITY class profiles and ADMINISTRATOR keyword. 
For volumes you need DASDVOL class profiles.

>If so, ADRDSSU sorely needs repair, perhaps by restricting the volume dump
>function and by performing SAF checks for data set dumps.  But a blanket
>restriction of all ADRDSSU function makes no sense.

No repair is needed at all for this. 

Hope this clears up any misunderstandings.

Groete / Greetings
Elardus Engelbrecht
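
The controls named in the message above, sketched as a batch TSO job. This is an added example, not part of the original post: the group STGADM, the volume serial VOL001, the job card, the library SYS1.LINKLIB and the READ access levels are assumptions to adapt to the installation, and the FACILITY, PROGRAM and DASDVOL classes are assumed to be active already.

```jcl
//RACFADR  JOB (ACCT),'PROTECT ADRDSSU',CLASS=A,MSGCLASS=X
//* Added example. STGADM, VOL001 and SYS1.LINKLIB are assumed names.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* FACILITY class: only STGADM may use the ADMINISTRATOR      */
  /* keyword on DUMP (dump without READ access to the data set) */
  RDEFINE FACILITY STGADMIN.ADR.STGADMIN.DUMP UACC(NONE) -
          OWNER(STGADM)
  PERMIT STGADMIN.ADR.STGADMIN.DUMP CLASS(FACILITY) -
         ID(STGADM) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH

  /* PROGRAM class: restrict who may execute ADRDSSU at all     */
  RDEFINE PROGRAM ADRDSSU UACC(NONE) -
          ADDMEM('SYS1.LINKLIB'//NOPADCHK)
  PERMIT ADRDSSU CLASS(PROGRAM) ID(STGADM) ACCESS(READ)
  SETROPTS WHEN(PROGRAM) REFRESH

  /* DASDVOL class: volume-level dump authority for one volume  */
  RDEFINE DASDVOL VOL001 UACC(NONE) OWNER(STGADM)
  PERMIT VOL001 CLASS(DASDVOL) ID(STGADM) ACCESS(READ)

  /* Verify: list each profile with its access list             */
  RLIST FACILITY STGADMIN.ADR.STGADMIN.DUMP AUTHUSER
  RLIST PROGRAM ADRDSSU AUTHUSER
  RLIST DASDVOL VOL001 AUTHUSER
/*
```

The RLIST output should show UACC(NONE) and only the intended group on each access list; a user outside that group gets ordinary data set authority checks when running ADRDSSU, if the PROGRAM profile lets them run it at all.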

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
