>It used to be the case that a root user, or a user with access to root, might >be able to gain access to any >resource, if there happened to be another user, >with an OMVS segment, who had access to the resource.
This is the reason BPX.DAEMON exists. What you wrote is true *if* BPX.DAEMON is *not* defined at all. When BPX.DAEMON is defined, which is higly recommended, then a process running with (e)uid=0 needs to also have READ access to BPX.DAEMON to be able to make an (MVS) identity switch to anyone (having an OMVS segment). -- Peter Hunkeler ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN