I would think this would apply to a discrete authorization, without an ending .**. I. E. authorize DATA.SET.NAME instead of DATA.SET.NAME.** Define DS(DATA.SET.NAME) would fail because of no authorization for DATA.SET.NAME.DATA (optional DATA.SET.NAME.INDEX, DATA.SET.NAME.PATH, etc) .
On Thu, Apr 28, 2016 at 12:22 PM, Paul Gilmartin <[email protected]> wrote: > On Thu, 28 Apr 2016 12:01:17 -0500, Mark Zelden wrote: > >>I'm applying z/OS 2.1 RSU1603 and came across this PTF. Is anyone running >>with >>it in production and has it caused you any grief? This seems to change a >>behavior >>that has been around "forever", so it concerns me a bit even though there >>is a work around by defining a special RACF profile in the Facility class. >> ... >> Now, with this PTF, the RACF authority check is performed using >> the ALIAS, PATH, or ALTERNATEINDEX name. >> > WTF!? Does this mean that I will be able to DEFINE an ALIAS in a profile > in which I have access, to a dataset to which I have less authority, thereby > escalating my authority? Will DEFINE ALIAS verify and enforce that I > am not so escalating my authority to the RELATED data set? If an > administrator > subsequently revokes my authority to the RELATED data set, will my authority > to the ALIAS be correspondingly adjusted? > > ??? > > -- gil > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN -- Mike A Schwab, Springfield IL USA Where do Forest Rangers go to get away from it all? ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
