Brian, Do any of the other WHEN options work in lieu of SYSID? For example, WHEN (TERMINAL...) seems like it might be viable, provided of course the test LPAR user is coming in through one of a set of named terminal IDs and that those terminal IDs are only available in/to the test LPAR -- no leapfrogging over to the prod LPAR allowed. Then some due diligence is required to make sure that's all bulletproof, of course.
Another possibility that occurs to me is whether the permission(s) can be granted automatically at login to the test LPAR and revoked at login to the production LPAR. Or whether the user could temporarily escalate permission (s) in the test LPAR in a safe way, with some sort of user action, like tapping some sort of "test buddy" on the shoulder to effect a change. But I have to think those ideas through some more. Yet another possibility is not to share RACF databases between production and test LPARs but rather to keep them in sync selectively. I believe RRSF might do that in the way(s) you want. -------------------------------------------------------------------------------------------------------- Timothy Sipples IT Architect Executive, Industry Solutions, IBM Z & LinuxONE E-Mail: sipp...@sg.ibm.com ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN