On Thursday, 06/19/2008 at 12:54 EDT, "Schuh, Richard" <[EMAIL PROTECTED]> wrote: > Like I said, I have never witnessed such a situation. Your case is > hypothetical, and I admit there may be other hypothetical cases where it > is necessary to enroll all but a few users in a filepool and then using > the grant public mechanism without public being enrolled. What happens > if one of those who is denied access need to see other files in the > filepool? It is better to not authorize public if you want to deny > access to anyone. > > Without having a Deny Access capability in SFS, there probably is no > really good answer to the various cases that can be conjured.
GRANT AUTH PUBLIC gives access to anyone who is enrolled in the filepool. If you have ENROLL PUBLIC, then all VM users on the system are enrolled by policy. If it is a GLOBAL filepool, then all users in the ISFC collection are enrolled. We have IBMers on our primary VM system who do not have a Need To Know the information in our development filepool servers. Therefore we do not ENROLL PUBLIC. But we know that, by policy, all of the persons enrolled in the filepool have a Need To Know. We use GRANT AUTH PUBLIC to give the entire lab access to the information. Alan Altmark z/VM Development IBM Endicott
