On 9/28/07, Alan Altmark <[EMAIL PROTECTED]> wrote: > While tempting, this creates an inherently unauditable system, with > nothing to stop you from running the guests. But if you choose such a > configuration, do it in a way that doesn't violate security policies.
If I still were the self-nominated weasel of the shop, I would have similar concerns about this. You (i.e. your auditor) do not want to find the system on monday morning running without RACF because an operator decided over the weekend that "it must be something with RACF" and decided to IPL the non-RACF nucleus. At best, the system just does not work because all applications were used to having RACF allow them to link mini disks. And that's also the kind of deliberate stoppers you could implement: just put a link to a mini disk in AUTOLOG1 so that it will not start up the rest of the system. IMHO a much better investment is to use a second level system to train operators and system staff on how to get out of the quicksand when RACF is not there. And when you have that, it's also an easy place to learn how to handle failure of the RACF primary or secondary (just detach that mini disk). I once had a very long stay at the bridge to fix our RACF database after the super-weasel had started with deleting all the RACF profiles where I was the owner... Rob (backup systems get out-of-date much sooner than skills - even at my age)
