On Fri, 2 Apr 2010 19:27:14 +0200, R.S. wrote: >W dniu 2010-04-02 16:19, Paul Gilmartin pisze: >>> >> <Grrr> >> What is becoming of the philosophy, "Protect resources; don't >> restrict access to tools." >> </Grrr> >I agree with the rule. However I would imagine the following scenario: >multiple rules within SMP/E team. I.e. John can receive the service, but >he cannot APPLY, because it's Fred's responsibility. Both need access to >datasets. Think about granularity. Of course it's my guess only, but not >so wild - see latest SAF changes in ICSF - very reasonable and a (very) >little bit similar to those in SMP/E. > I understand the value of role based access control. However, I'd expect such a facility to be introduced as New Function, likely at a release boundary, not as an Integrity APAR designated HIPER.
And the granularity is wrong. Suppose Fred should have ACCEPT permission on GENERAL.CSI, but not on CRITICAL.CSI. What you want is better accomplished by partitioning the CSIs into GLOBAL, TARGET, and DLIB and giving RECEIVErs update permission only to GLOBAL; APPLYers update permission only to TARGET and GLOBAL, and ACCEPTers update permission only to DLIB and GLOBAL. -- gil ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
