On Dec 7, 2007 5:08 PM, Alan Altmark <[EMAIL PROTECTED]> wrote:

> It is my philosophy that directory entries are *desired* configurations.
> If authorization has not been given to achieve that, so be it. If the
> person setting up the directory entry also has authority to confer
> authority upon others, that works, too (e.g. the COMMAND SET above). That
> CP has been inconsistent in that behavior over the years isn't a
> particularly good reason (IMO) to continue it.

Consistency in treating every animal as if it were a pony may be simple, but still not a good idea. When the resource is owned by another user, then it is appropriate that the other user can control access (so the ESM is involved even when the LINK comes out of the directory entry). With DIRMAINT the LINK statement could even be done by the requester himself. Or the owner may want to change his mind and revoke access at some point in time. MDISK statements are done by system staff and don't need that treatment (and I don't know why RACF even provides that control other than maybe for completeness of auditing). But VSWITCH is a "system owned" thing. It is sysprog involved in getting the NIC entries in the directory already. You should not require the sysprog to put on his other hat and issue the GRANT to make this work (and whoever came up with the SET GRANT for that should be put in the corner for an hour).

-Rob - waiting for the European Union to force Endicott to unbundle this ;-)
