On Monday, 01/22/2007 at 10:05 CST, "Huegel, Thomas" <[EMAIL PROTECTED]> wrote:
> I was recently coding some execs that set up things like mdisk links and
> certain 'privileges' for users within their 'groups of responsibility', i.e.
> programmers can do programmer type functions, supervisors can do programming
> functions plus certain other supervisor functions, etc.
>
> As I was doing this I was thinking 'How many times over the past 30+ years have
> I done this same type of coding? There must be a better way to identify these
> different groups than to have tables or files with lists of names.' Then I had
> an idea: this would be a lot easier if there was a z/VM directory entry called
> USERDATA that would be freeform and queryable, i.e. Q UDATA. That way one could id
> a user any way he wanted to and use or not use the values.
>
> Does that make sense to anyone else?
> Or is there something similar already there that I have missed?

Use your ESM?  You DO have an ESM, don't you?  "IBM recommends the use of 
an external security manager to provide additional security functionality, 
more granular access controls, and a complete audit trail of resource 
access and user activities."

RACF, for example, lets you put a user in a group, then permit groups to 
access various resources (e.g. minidisks).  Then, when their 
responsibility changes, their group association is changed, et voila!, 
they have access to the resources they need.  Further, groups can contain 
other groups, so you can maintain a hierarchical access model if you want.

Alan Altmark
z/VM Development
IBM Endicott
