On Friday, 12/07/2007 at 12:19 EST, Rob van der Heij <[EMAIL PROTECTED]> 
wrote:
> Consistency in treating every animal as if it were a pony may be
> simple, but still not a good idea.
> 
> When the resource is owned by another user, then it is appropriate
> that the other user can control access (so the ESM is involved even
> when the LINK comes out of the directory entry). With DIRMAINT the
> LINK statement could even be done by the requester himself. Or the
> owner may want to change his mind and revoke access at some point in
> time.
> MDISK statements are done by system staff and don't need that
> treatment (and I don't know why RACF even provides that control other
> than maybe for completeness of auditing).

You can create a userid that "holds" minidisks to be linked by other 
users.  While revoking the user is probably a better approach, you can 
simply deny the user access to the minidisks it holds.  That's something 
that requires an ESM.

> But VSWITCH is a "system owned" thing. It is sysprog involved in
> getting the NIC entries in the directory already. You should not
> require the sysprog to put on his other hat and issue the GRANT to
> make this work (and whoever came up with the SET GRANT for that should
> be put in the corner for an hour).

I would agree with a requirement for NICDEF to operate like LINK w.r.t. 
implicit authorization when an ESM is not present.  (But I'm just one of 
the people you have to convince!)  Get those requirements in! 

Alan Altmark
z/VM Development
IBM Endicott
