Tom Ambros wrote:

>A group is concerned that we have a single RACF database and there is no
>'test' RACF database where the organization can implement 'test' rulesets.

Possible good concern. For myself, I have one sysplex-wide RACF DB on prod and another sysplex-wide RACF DB on another sandbox RACF db. So, 2 Sysplexes with their own one shared RACF DB.

> We have two sysplexes - a systems sandbox with no applications and a mixed
> development/production sysplex where all the applications reside.

IMHO, I would separate that development system/sysplex from production sysplex just to get a good start. Thus you have 3 sysplexes (sandbox/dev/prod) each with its own RACF DB. Place all shared RACF DBs on your CFs for better performance.

>The only way I see this happening is if non-production partitions refer to one
>RACF database and the production partitions refer to the other. However, there
>is no binary separation of production and non-production work, and all
>resources (datasets etc.) are accessible from every partition.

PROTECT-ALL(FAIL) is your friend. Also lock up all your catalogs. UACC=Read for Master Cat and UACC=UPDATE for User Cats. That alone is a good start. Then having separate standards for each sysplex will also solve all concerns. Just watch out if you create a dataset on one system, you don't migrate / rename / delete / etc on another system. This is where RACF and Catalog management can help you out here.

>Intuitively I think their idea is not good practice, to say the very least.

Perhaps, but then I don't know your environment to make any judgement at all. Alternatively, you can use RRSF to synch all RACF DBs.

>Does anybody know of IBM documentation that can allow me to back up my
>assertion that they are proposing a mistake?

See Skip's good reply too. I think you should repeat your question on RACF-L. There are wonderful RACF gurus hovering there. ;-)

Groete / Greetings
Elardus Engelbrecht
