Correction: A check was added for defining data set aliases:
DEFINE ALIAS(NAME(dataset1) RELATE(dataset2))
...but not for user catalog connector aliases:
DEFINE ALIAS(NAME(hlq) RELATE(usercat))
Note that the new checks are in IDCAMS DEFINE. From the PTF:
"Code is added to require SAF ALTER authority to the entry name when
defining an alias related to a nonVSAM or generation data set, or a VSAM
PATH or AIX. SAF ALTER authority is required to the entry name when
defining an ALIAS when the related name is for a nonVSAM or generation
data set. SAF ALTER authority is required to the entry name when
defining a VSAM PATH or Alternate Index (AIX)."
John Eells wrote:
Your post confused me, so I just verified that my understanding was
correct.
The checks for PATH and AIX were added to the base name check, and do
not replace it. Also, I am told nothing was added for ALIAS.
Pinnacle wrote:
I'm looking at the HOLDDATA for OA49446. RACF was changed to do
authorization checks against ALIAS, PATH, and AIX names instead of the
base names. There was no migration path specified to get to this new
RACF state, except for a chicken switch
STGADMIN.IGG.CATALOG.SECURITY.CHANGE. If you have read access to that
FACILITY class profile, you use the "old" method and not this new
method. Did everybody just define the profile with UACC(READ)? That
seems easier than taking all the ICH408I's that could result the other
way if you use dataset ALIASes and AIX's. What did you guys do for this
--
John Eells
IBM Poughkeepsie
ee...@us.ibm.com
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
