> GRANT AUTH PUBLIC gives access to anyone who is enrolled in
> the filepool.
> If you have ENROLL PUBLIC, then all VM users on the system
> are enrolled by policy. If it is a GLOBAL filepool, then all
> users in the ISFC collection are enrolled.

That is rehashing something already said :-) Since the GRANT AUTH PUBLIC does not apply to every file space in the pool, you can still have both private and public data in the same filepool. In fact, you can have both types of data in the same file space or even in the same subdirectory. SFS provides very flexible control in that regard.

> We have IBMers on our primary VM system who do not have a
> Need To Know the information in our development filepool
> servers. Therefore we do not ENROLL PUBLIC. But we know
> that, by policy, all of the persons enrolled in the filepool
> have a Need To Know. We use GRANT AUTH PUBLIC to give the
> entire lab access to the information.

That is one possibility - separate the filepools. What if it is desired that a user have access to most PUBLIC data in a filepool but be kept from accessing only a small fraction of it? You have to either keep the user from accessing any public data, which cannot be done given the stated condition, or you have to move the now sensitive data to a non-public location. Moving the sensitive data will cause all other users to change the way that they access the data. This is where a Deny Access capability would be handy.

Do not assume that I am asking for the capability, I am not. We have not encountered a situation where it is necessary. We protect access to sensitive data by requiring specific grants of authority; no PUBLIC grants are given unless the data is not sensitive and is needed by a large subset of our users. If we need to keep a user from accessing protected data, we revoke the authorities granted, or we delete the userid from both the filepool and the system.

Richard Schuh
