Hi Peter, Radoslaw and I probably spend more time over on the RACF_L list than here on IBM-MAIN, but I still like to keep an eye open here.
The use of ID(*) ACCESS(READ) is well known among the RACF community as the 'preferred' option to UACC nowadays, and the reason you cite is indeed mentioned in the literature. Though I'm not sure about the NJE port of entry still being able to actually get a batch job running under the JES UNDEFINEDUSER, I have a recollection that the RACF SETROPTS setting BATCHALLRACF(YES) should prevent a batch job from initiating with the UNDEFINEDUSER value, though I have a vague recollection that BATCHALLRACF itself has been redundant also for many years now as well. I'm intrigued generally to ask of this community, just how often does anyone observe work executing on their system *without* a valid RACF (or ACF2 or TopSecret) identity associated with it? I think there might still be one or two started tasks, probably running as TRUSTED or PRIVILEGED, that are initiated in nucleus initialisation that may still run with traditionally either the 8 plusses or the 8 question marks as their ID, we can see them in SDSF, but realistically I don't believe that we see work running under the UNDEFINEDUSER in modern systems for a long time nowadays. I'd be keen to hear otherwise if there is though. Cheers - Mike ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
