Walt Farrell wrote:

>>On two different RACF plexes, we have these two profiles in the SDSF class:
>>ISFCMD.ODSP.* (G)
>>ISFCMD.ODSP.** (G)
>>I'm confounded to explain the difference between one or two asterisks. Help?

>The two differences:
>(1) ISFCMD.ODSP.** will protect ISFCMD.ODSP, if that resource exists, but
>ISFCMD.ODSP.* won't.
>(2) When both exist, ISFCMD.ODSP.* will (if I remember correctly) be found
>first by RACF, and will supersede any specifications in ISFCMD.ODSP.** if both
>profiles match the supplied resource name (but I may not remember correctly).

True. You have remembered correctly! For 'both profiles match the resource name', in SAG it is stated "If one has an * and the other has a **, the one with * wins." (Look for the URL I listed below)

>I'm reasonably sure the RACF Security Administrators Guide discusses this, as
>I think I wrote that section of the book at some time.

Look in the URL for the SAG:

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.icha700/gpcgr.htm

There is an excellent table showing most specific to more generic profiles.

When in doubt, create different profiles and use a SEARCH to test them out.

>Ideally, if only to avoid confusing the security administrators and/or
>auditors, one of those profiles should be deleted.

I would keep the one with **. In this way I can protect more resources with fewer profiles.

Groete / Greetings
Elardus Engelbrecht

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
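The two behaviours discussed in this thread, modelled as an added example (not part of the original messages, and not RACF or IBM code): it reports which profile decides for a resource and what changes if one profile of a `.*` / `.**` pair is deleted. The function names and the resource name ending in `QUAL1` are constructed; it assumes that a trailing `.*` needs at least one further qualifier and that, of two matching profiles, the longer literal stem is the more specific.

```python
"""Model of the '.*' versus '.**' behaviour for discrete names and for
profiles whose only generic part is a trailing '.*' or '.**'.
Assumptions are listed in the text above; this is not RACF's algorithm."""

def split(profile):
    """Return (stem, kind); kind 0 = discrete, 1 = '.*', 2 = '.**'."""
    if profile.endswith(".**"):
        return profile[:-3], 2
    if profile.endswith(".*"):
        return profile[:-2], 1
    return profile, 0

def matches(profile, resource):
    stem, kind = split(profile)
    if resource == stem:                 # the bare name, e.g. ISFCMD.ODSP
        return kind in (0, 2)            # '.**' covers it, '.*' does not
    below = resource.startswith(stem + ".") and len(resource) > len(stem) + 1
    return kind != 0 and below

def deciding_profile(profiles, resource):
    """Profile that decides access, or None if the resource is uncovered."""
    hits = [p for p in profiles if matches(p, resource)]
    # Longest stem first; on a tie discrete beats '.*', which beats '.**'.
    return min(hits, key=lambda p: (-len(split(p)[0]), split(p)[1]), default=None)

def duplicated_stems(profiles):
    """Stems defined with both '.*' and '.**', the situation in the thread."""
    kinds = {}
    for p in profiles:
        stem, kind = split(p)
        kinds.setdefault(stem, set()).add(kind)
    return sorted(s for s, k in kinds.items() if {1, 2} <= k)

def impact_of_delete(profiles, victim, resources):
    """Resources whose deciding profile changes if `victim` is deleted."""
    rest = [p for p in profiles if p != victim]
    return {r: (deciding_profile(profiles, r), deciding_profile(rest, r))
            for r in resources
            if deciding_profile(profiles, r) != deciding_profile(rest, r)}

if __name__ == "__main__":
    sdsf = ["ISFCMD.ODSP.*", "ISFCMD.ODSP.**"]
    names = ["ISFCMD.ODSP", "ISFCMD.ODSP.QUAL1"]   # QUAL1 is constructed
    print(duplicated_stems(sdsf))
    for victim in sdsf:
        print("delete", victim, "->", impact_of_delete(sdsf, victim, names))
```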
