On 05/18/2016 05:16 AM, Elardus Engelbrecht wrote: > Robert S. Hansel (RSH) wrote: > >> OPERATIONS users actually can grant privileges because they can create >> dataset profiles for any group. And if they own a profile they create, they >> can permit access to it. > RACF by default will allow that OPERATIONS stunt. IRREVX01 can be used to > block those acrobats. > > I needed to block them, because 'they' created profiles causing outages. No > Production STCs are going to use users own datasets. > > Groete / Greetings > Elardus Engelbrecht > > Even a non-OPERATIONS user can potentially create RACF profiles for data sets under their authority that might cause problems in an installation where data set qualifiers and generic profiles are intended to control default access and exceptions require justification.
At some point it makes sense to rely on installation standards, some user education that the foot they shoot may be their own, and maybe some blocked ISPF panel options to not make it easy for someone not properly trained in installation RACF conventions to create RACF profiles, even on their own data sets. -- Joel C. Ewing, Bentonville, AR [email protected] ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
