Mike Wood,

We have been taking a careful look at RACF protection for RMM resources, specifically those protected by FACILITY class resources prefixed with STGADMIN.EDG. Based on our review of the z/OS 1.10 manuals and limited observed access activity, we've come to the following understanding as to how it works. We are hoping you can confirm or correct our interpretation of its functionality.

1) If a user has CONTROL access to STGADMIN.EDG.MASTER, the user automatically has CONTROL access to all of the following resources (and no others). Access permission to STGADMIN.EDG.MASTER is checked first, and if CONTROL has been granted, no further access checking is performed for these specific functions.

   STGADMIN.EDG.ACTIONS.action
   STGADMIN.EDG.AV.status.volser
   STGADMIN.EDG.CMOVE.location.destination
   STGADMIN.EDG.CRLSE.action
   STGADMIN.EDG.DV.SCRATCH.volser
   STGADMIN.EDG.INIT
   STGADMIN.EDG.LIST
   STGADMIN.EDG.MOVES.location.destination
   STGADMIN.EDG.MASTER
   STGADMIN.EDG.OWNER.userid
   STGADMIN.EDG.RELEASE

2) If a user has less than CONTROL access to STGADMIN.EDG.MASTER and attempts to access one of the resources listed above for which there is _no_ protecting RACF profile, the manuals seem to suggest RMM looks again at the user's level of access permission to STGADMIN.EDG.MASTER to decide whether to grant access. For instance, if a user attempts to perform a function governed by resource STGADMIN.EDG.ACTIONS.RETURN, which would ordinarily require UPDATE permission, and there is no RACF profile covering this resource, RMM will see if the user has UPDATE access to STGADMIN.EDG.MASTER and will allow the action if the user has this permission. Conversely, if the user only had READ access to STGADMIN.EDG.MASTER, the user wouldn't be allowed to perform the function.

3) Contrary to 2) above, if the user attempts to use CHANGEVOLUME on a volume the user does _not_ own, and the corresponding resource STGADMIN.EDG.OWNER.userid is _not_ defined to RACF, access is denied. UPDATE to STGADMIN.EDG.MASTER alone is insufficient.

4) If STGADMIN.EDG.LISTCONTROL is protected by a profile, the profile governs access. If not, the user requires CONTROL access to STGADMIN.EDG.MASTER to use it.

5) If the user attempts to use the FORCE operand and has UPDATE access to STGADMIN.EDG.FORCE, the user also needs CONTROL access to STGADMIN.EDG.MASTER to perform the function.

6) What is meant by "Based on STGADMIN.EDG.MASTER access." for access level of NONE to resource STGADMIN.EDG.OWNER.userid, as stated in the DFSMSrmm Implementation and Customization Guide?

Thank you for your time in helping us better understand RMM.

Regards, Bob

---------------------------------------------------------------------
Robert S. Hansel | 2009 RACF Training
Lead RACF Specialist | > Intro & Basic Admin - Boston - SEPT 22-24
RSH Consulting, Inc. | > Audit for Results - Boston - NOV 3-5
www.rshconsulting.com | Visit our website for registration & details
617-969-8211 |
---------------------------------------------------------------------
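As an added illustration (not part of the original post), the RACF commands below show how the profiles discussed above could be defined so that each function is governed by an explicit FACILITY profile, with auditing on STGADMIN.EDG.MASTER, rather than relying on the MASTER fallback the post asks about. The group names RMMADMIN and TAPEOPS are assumed placeholders.

```tso
/* Allow generic profiles in the FACILITY class (assumed not yet active) */
SETROPTS GENERIC(FACILITY)

/* Master profile: only the RMM administration group gets CONTROL;
   log every access so fallback decisions are visible in SMF */
RDEFINE FACILITY STGADMIN.EDG.MASTER UACC(NONE) AUDIT(ALL(READ))
PERMIT   STGADMIN.EDG.MASTER CLASS(FACILITY) ID(RMMADMIN) ACCESS(CONTROL)

/* Explicit profiles for the functions the post lists, so RMM does not
   fall back to the caller's STGADMIN.EDG.MASTER access level */
RDEFINE FACILITY STGADMIN.EDG.ACTIONS.*        UACC(NONE)
RDEFINE FACILITY STGADMIN.EDG.OWNER.*          UACC(NONE)
RDEFINE FACILITY STGADMIN.EDG.LISTCONTROL      UACC(NONE)
RDEFINE FACILITY STGADMIN.EDG.FORCE            UACC(NONE)

/* Tape operators may perform actions and change volumes they do not own,
   but get no access to LISTCONTROL or FORCE */
PERMIT STGADMIN.EDG.ACTIONS.* CLASS(FACILITY) ID(TAPEOPS) ACCESS(UPDATE)
PERMIT STGADMIN.EDG.OWNER.*   CLASS(FACILITY) ID(TAPEOPS) ACCESS(UPDATE)

/* Activate the new profiles in the in-storage FACILITY class */
SETROPTS RACLIST(FACILITY) REFRESH

/* Verify: list the STGADMIN.EDG profiles and who is permitted to them */
SEARCH CLASS(FACILITY) FILTER(STGADMIN.EDG.*)
RLIST  FACILITY STGADMIN.EDG.MASTER AUTHUSER
```

With explicit profiles in place, an SMF audit of STGADMIN.EDG.MASTER access events shows which requests still reach the master profile at all.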

