I'm taking seriously the advice of one poster that *no one* should have ALTER access to the RACF data base. That's to minimize the chance that someone might casually make a fatal mistake. On the rare occasion where a configuration needs to be altered, the requirement for intervention of a SPECIAL user is one more speed bump on a one-way road to hell.
SYSRACF as a phantom user cannot do anything. Furthermore, SYSRACF will never leave the company or cede identity to someone else who may be totally clueless. (Ooh, how could that happen?) I'm not totally sold on this strategy, but I've seen the consequences of too much power in hands of real, even high-minded, users. . . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-543-6132 Office ⇐=== NEW [email protected] -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Robert S. Hansel (RSH) Sent: Thursday, May 25, 2017 2:28 AM To: [email protected] Subject: (External):Re: RACF Database Hi Skip, I usually assign a group as the owner of a profile. In the case of datasets, I typically assign the user or group matching the dataset's high level qualifier as the owner. There are exceptions such as when you specifically want a user to be able to administer a particular profile or you want to exclude groups or users from a Group-SPECIAL administrator's scope-of-groups. Regards, Bob Robert S. Hansel *** Celebrating 30 years working with RACF *** Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com -----Original Message----- Date: Wed, 24 May 2017 19:22:23 +0000 From: Jesse 1 Robinson <[email protected]> Subject: Re: RACF Database A fallout of this thread is that we're looking to assign a new owner to profiles that cover the RACF data sets. I'd like something truly permanent. The RACF STC runs with user SYSRACF, which is a valid userid that no one could log on to. Does that seem reasonable? Then only someone with RACF SPECIAL could make profile changes. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
