> RACF uses the best match principle. If it can't find a matching
> profile/member, it will move on to profiles with wildcards:
>
> So, for example, it will move from profile XYZ to XY* to X* to *.
>
> If no match is found, a default return code for PROGRAM is used.

Well, the RACF admin guide (chapter 9.2.1 Simple program protection in BASIC or ENHANCED mode) states:

If you have two PROGRAM profiles named ABC* and ABC, and both profiles specify the name of the library where the ABC program resides, RACF uses the ABC* profile for authorization checking of program ABC, not the ABC profile.

From this I inferred that * would be used instead of the specific name. (By the way, all those specific names are long gone from sys1.linklib, so they could have been cleaned up ages ago.)

> You can safely delete those profiles where the member really does not exist
> in the library.

Already done. One profile is left (*), with

0503 * PROGRAM CEE.SCEERUN2
0503 * PROGRAM TCPIP.SEZALOAD
0503 * PROGRAM SYS1.SIEALNKE
0503 * PROGRAM SYS1.CSSLIB
0503 * PROGRAM TCPIP.SEZALPA
0503 * PROGRAM TCPIP.SEZALINK
0503 * PROGRAM SYS1.LINKLIB
0503 * PROGRAM CBC.SCLBDLL
0503 * PROGRAM CEE.SCEERUN
0503 * PROGRAM SYS1.SCEERUN

So class PROGRAM is active even though it isn't shown as an active class. What libraries have others defined under this * profile (those that are also in basic mode?)

Thanks and best regards, Barbara
