This is the kind of change that I hope WILL NOT be the default and will actually take some effort on my part to implement. It is too dramatic a change, with too many installations depending upon the current behavior.
As to the serialization of control of a target user, what if there were a 'lock' setting that could be set before executing these new commands on behalf of a target user and unset when the administrator is finished fiddling with the target user. If done in an ESM, I would hope that rules could be written to require that the 'lock' be set by the same requestor. /Tom Kern /301-903-2211 --- Colin Allinson <[EMAIL PROTECTED]> wrote: > I want to wind back a bit on this one:- > > We do use RACF as an ESM and we do use LOGONBY (controlled by RACF > profiles) extensively. > > I understand that any user with LOGONBY authority can log on and give any > of the commands mentioned but we would be extremely unhappy about these > users being able to give those commands on behalf of that user without > logging on. This should not be the assumption and, if it becomes so, then > there should be an easy way to revert to the current status :- > > There are 2 issues here :- > > 1. Visibility > Searching RACF audit record is no substitute for seeing the > commands entered on the console of the user. > > 2. Serialisation > Insisting the user logs on (LOGONBY) ensures that they (and only > they) have control of that user at that time.\ > > I would be OK with the ability to enable the behaviour suggested but I > would be very unhappy for it to be the default that we had to find a > workaround for. > > Colin G Allinson > Technical Manager VM > Amadeus Data Processing GmbH > T +49 (0) 8122-43 49 75 > F +49 (0) 8122-43 32 60 > [EMAIL PROTECTED] > http://www.amadeus.com ____________________________________________________________________________________ Be a better Heartthrob. Get better relationship answers from someone who knows. Yahoo! Answers - Check it out. http://answers.yahoo.com/dir/?link=list&sid=396545433