On Fri, 7 Dec 2012 12:08:32 +0100, ibmmain <[email protected]> wrote: >> RACF use the best match principle. If it can't find a matching >> profile/member, it will move on to profiles with wildcards: >> >> So, for example, it will move from profile XYZ to XY* to X* to *. >> >> If no match are found, a default return code for PROGRAM is used. > >Well, the RACF admin guide (chapter 9.2.1 Simple program protection in BASIC >or ENHANCED mode) states: > >If you have two PROGRAM profiles named ABC* and ABC, and both profiles specify >the name of the library where the ABC program resides, RACF uses the ABC* >profile for authorization checking of program ABC, not the ABC profile. > >From this I infered that * would be used instead of the specific name. (By the >way, all those specific names are long gone >from sys1.linklib, so they could have been cleaned up ages ago.)
I believe that is an incorrect inference, Barbara. As I remember, that documentation is specific to the case it describes, having an exactly matching name (ABC) and that same exactly matching name but extended by the * (ABC*). For the case of ABC and * RACF should still use ABC if the library specification is appropriate. Of course, you can easily confirm that by using some unimportant program and running the experiment to see. -- Walt ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
