Ah, of course you're right, I'd forgotten that.  In ACF2 and Top Secret you can 
have UPDATE without READ, for example - it's needed only rarely, but it's 
possible with those two - not in RACF.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Lord, before I commit a sin, it seems to me so shallow that I may wade 
through it dry-shod from any guiltiness; but when I have committed it, it often 
seems so deep that I cannot escape without drowning.  -Thomas Fuller 
(1608-1661) */

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of John McKown
Sent: Thursday, July 9, 2020 06:44

That's close. But the access is "hierarchical": ALTER access implies CONTROL
access implies UPDATE access implies READ access.  So if you want to know a
person's access, you'd start at the most powerful and go downward.

--- On Wed, Jul 8, 2020 at 6:04 PM Bob Bridges <robhbrid...@gmail.com> wrote:
> I've been doing mainframe security for a few decades now, but I've never
> learned IBM's version of assembler (I still have ambitions of doing that
> eventually) so I may be mistaken about how RACROUTE works.  But my
> impression is that the question the OS asks the security system might look
> like this:  "About resource HLQ.XYZ in class DATASET, does ABC have
> UPDATE access to it?"  In other words, the question specifies the class,
> the resource name, the user's ID and the level of access (READ or
> whatever), and the answer is a simple Yes or No (or in rare cases "I can't
> tell").
>
> Am I mistaken in that?  If not, then how do you learn what access ABC has
> to HLQ.XYZ without asking once for READ, once for UPDATE and so on?
