Re: Catalog Search Interface (IGGCSI00) & ALTER Access

2008-04-21 Thread Walt Farrell
On Mon, 21 Apr 2008 04:56:38 -0400, Robert S. Hansel (RSH)
<[EMAIL PROTECTED]> wrote:
>We are removing unnecessary ALTER access permissions to catalogs in a RACF
>protected environment. In investigating why certain users were using ALTER
>access, we noticed that the number of times these users accessed the
>catalogs at ALTER corresponded exactly with the number of times they invoked
>the Catalog Search Interface IGGCSI00. Based on further testing and
>observation, we have surmised that when a user with ALTER access permission
>to a catalog invokes IGGCSI00, the catalog is accessed at the ALTER level.
>Conversely, when a user with less than ALTER access permission invokes
>IGGCSI00, the catalog is accessed at READ.
>
>There doesn't appear to be any difference in behavior or added functionality
>when IGGCSI00 accesses the catalog at ALTER as opposed to READ, so we are
>wondering why it does so.
>

Even LISTCAT will require ALTER to retrieve certain data, Bob. Many
(most?) catalog information retrieval requests determine whether the user
has ALTER, and if not then check for READ. If the user does have ALTER,
then more information may be returned. Catalog processing has always
worked that way, as far as I know, and it's the main reason that using
WARNING on a RACF profile protecting a catalog gives results that most
customers do not like.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
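
The probe order described in the reply above, as an added Python model that is not part of the original thread and is not RACF or catalog code. The user IDs, access list and function names are constructed; the model assumes a failed ALTER probe is not logged and that WARNING lets an otherwise insufficient request through while recording it as a warning.

```python
from collections import Counter

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Constructed access list for a hypothetical catalog profile.
ACCESS_LIST = {"ADMIN1": "ALTER", "USER1": "READ"}


def check(user, requested, warning):
    """Outcome of one authorization check against the catalog profile."""
    permitted = LEVELS[ACCESS_LIST.get(user, "NONE")]
    if permitted >= LEVELS[requested]:
        return "SUCCESS"
    # Assumption: WARNING allows the access and records it as a warning.
    return "WARNING" if warning else "FAILURE"


def catalog_lookup(user, warning, audit):
    """Retrieval request: try ALTER first, fall back to READ."""
    for level in ("ALTER", "READ"):
        outcome = check(user, level, warning)
        if outcome != "FAILURE":
            audit[(user, level, outcome)] += 1
            return level
    # Assumption: only the final READ denial is recorded, not the ALTER probe.
    audit[(user, "READ", "FAILURE")] += 1
    return None


def simulate(warning, calls=3):
    """Each user issues `calls` lookups; returns (level granted, audit counts)."""
    audit = Counter()
    granted = {}
    for user in ("ADMIN1", "USER1", "USER2"):
        for _ in range(calls):
            granted[user] = catalog_lookup(user, warning, audit)
    return granted, audit


if __name__ == "__main__":
    for warning in (False, True):
        granted, audit = simulate(warning)
        print("WARNING" if warning else "no WARNING", granted)
        for key, count in sorted(audit.items()):
            print("   ", key, count)
```

Without WARNING, the ALTER count for a user equals that user's number of lookups only because the ALTER probe comes first; with WARNING, every user's lookup is satisfied at ALTER and recorded as a warning.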



Catalog Search Interface (IGGCSI00) & ALTER Access

2008-04-21 Thread Robert S. Hansel (RSH)
Greetings all,

We are removing unnecessary ALTER access permissions to catalogs in a RACF
protected environment. In investigating why certain users were using ALTER
access, we noticed that the number of times these users accessed the
catalogs at ALTER corresponded exactly with the number of times they invoked
the Catalog Search Interface IGGCSI00. Based on further testing and
observation, we have surmised that when a user with ALTER access permission
to a catalog invokes IGGCSI00, the catalog is accessed at the ALTER level.
Conversely, when a user with less than ALTER access permission invokes
IGGCSI00, the catalog is accessed at READ.

There doesn't appear to be any difference in behavior or added functionality
when IGGCSI00 accesses the catalog at ALTER as opposed to READ, so we are
wondering why it does so.

Regards, Bob


Robert S. Hansel   | 2008 RACF Training (January - July)
Lead RACF Specialist   | > Intro & Basic Admin - Boston - APR 29 - MAY 1
RSH Consulting, Inc.   | > Intro & Basic Admin - Boston - OCT 7-9
www.rshconsulting.com  | > Audit for Results   - Boston - MAY 20-22
617-969-8211   | > Audit for Results   - Boston - OCT 28-30
   | Visit our website for registration & details

