As a novice sysprog, I was asked to write an app (CLIST in those days) that would enable a user to update a file but not read it. (!) Easy peasy in ASM2.
.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Bob Bridges
Sent: Thursday, July 9, 2020 8:20 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: ISPF 3.4 DSLIST questions

Ah, of course you're right, I'd forgotten that. In ACF2 and Top Secret you can have UPDATE without READ, for example - it's needed only rarely, but it's possible with those two - not in RACF.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Lord, before I commit a sin, it seems to me so shallow that I may wade through it dry-shod from any guiltiness; but when I have committed it, it often seems so deep that I cannot escape without drowning. -Thomas Fuller (1608-1661) */

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of John McKown
Sent: Thursday, July 9, 2020 06:44

That's close. But the access is "hierarchical": ALTER access implies CONTROL access implies UPDATE access implies READ access. So if you want to know a person's access, you'd start at the most powerful and go downward.

---
On Wed, Jul 8, 2020 at 6:04 PM Bob Bridges <robhbrid...@gmail.com> wrote:

> I've been doing mainframe security for a few decades now, but I've
> never learned IBM's version of assembler (I still have ambitions of
> doing that eventually) so I may be mistaken about how RACROUTE works.
> But my impression is that the question the OS asks the security system
> might look like this: "About resource HLQ.XYZ in class DATASET, does
> ABC have UPDATE access to it?" In other words, the question specifies
> the class, the resource name, the user's ID and the level of access
> (READ or whatever), and the answer is a simple Yes or No (or in rare
> cases "I can't tell").
>
> Am I mistaken in that? If not, then how do you learn what access ABC
> has to HLQ.XYZ without asking once for READ, once for UPDATE and so on?
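
The probing approach discussed in this thread, as an added example that is not part of any message above: a yes/no authorization check is queried from the most powerful level downward when levels are hierarchical, and level by level when UPDATE can be granted without READ. The function names and in-memory grant tables are assumptions for illustration; this is a model using only the four levels named in the thread, not RACROUTE or any security product's API.

```python
# Model of the yes/no access question from the thread (constructed example).
# Levels named in the thread, most powerful first.
LEVELS = ["ALTER", "CONTROL", "UPDATE", "READ"]


def hierarchical_oracle(grants):
    """Each level implies every level below it; grants maps (user, resource) -> highest level."""
    def check(user, resource, level):
        held = grants.get((user, resource))
        # A lower index is a more powerful level, which implies the rest.
        return held is not None and LEVELS.index(held) <= LEVELS.index(level)
    return check


def independent_oracle(grants):
    """Each level is granted on its own; grants maps (user, resource) -> set of levels."""
    def check(user, resource, level):
        return level in grants.get((user, resource), set())
    return check


def highest_access(check, user, resource):
    """Hierarchical model: ask from the top down, stop at the first Yes."""
    for asked, level in enumerate(LEVELS, start=1):
        if check(user, resource, level):
            return level, asked
    return None, len(LEVELS)


def all_access(check, user, resource):
    """Non-hierarchical model: one Yes says nothing about other levels, so ask for each."""
    return {level for level in LEVELS if check(user, resource, level)}


# Constructed sample grants; ABC and HLQ.XYZ are the names used in the thread.
racf_like = hierarchical_oracle({("ABC", "HLQ.XYZ"): "UPDATE"})
write_only = independent_oracle({("ABC", "HLQ.XYZ"): {"UPDATE"}})

if __name__ == "__main__":
    print(highest_access(racf_like, "ABC", "HLQ.XYZ"))
    print(sorted(all_access(write_only, "ABC", "HLQ.XYZ")))
    # Top-down probing misreads the write-only grant if READ is then assumed.
    print(highest_access(write_only, "ABC", "HLQ.XYZ"), write_only("ABC", "HLQ.XYZ", "READ"))
```

For an access review, the practical point is that "stop at the first Yes" is only a valid shortcut when the security product guarantees the implication chain; otherwise every level has to be asked about.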