Hi Mike,

(replying on both RACF-L and IBM-MAIN)

I misunderstood what you were proposing in your initial reply on IBM-MAIN. I thought you were advocating setting default access of NONE on all Linklist libraries. I now understand you are advocating setting default access to READ, which I generally agree with. "Default access", as I use the term, can either be UACC(READ) or ID(*) READ. I generally favor the latter.

That said, this does need to be evaluated on a case-by-case basis as there can be exceptions. Consider ISMF. It does not run APF-authorized. If you want all users to use ISMF but also want to lock down certain functions, which can only be done with PROGRAM profiles, you put the ISMF libraries in the Linklist but set default access on the libraries to NONE. If default access is READ, users can copy the programs to their own libraries and execute them, thus bypassing PROGRAM profile protection which is tied to specific libraries.

Radoslaw also mentioned blocking JOBLIB/STEPLIB to the libraries as allowing this may not always be desirable to certain libraries; although in most cases, it's fine.

Regards, Bob

-----Original Message-----
Date: Sun, 23 Jun 2024 14:15:53 +0200
From: Radoslaw Skorupka <[email protected]>
Subject: Re: Data Set Commander Monitor (DSCMON) Access Authority

On 23.06.2024 at 10:51, Mike Cairns wrote:
> No Bob - I meant UACC(READ) or its equivalent. I just don't see what gate is
> being closed by insisting that LinkList or LPA libraries must have
> UACC(NONE), when, as you confirm, they cannot be fetch protected and
> therefore the content is available to anyone on the system anyway.

I met the following justification: when you have UACC(NONE) for a linklisted library, then you enforce use of LNKLST instead of STEPLIB/JOBLIB.
While I understand the above, I don't agree with the goal as being worth such configuration.

And there is another approach: UACC above NONE should not be used at all. Just because mama (auditor) said so.

--
Radoslaw Skorupka
Lodz, Poland
