Thankyou Alan - that succinctly lifts my understanding to the level of, "It's physically possible but really, really inadvisable because ..." followed by exactly the concerns that I would have felt compelled to raise here had the consensus been that it really was as easy as the manual appears to suggest.
I instinctively feel that the, 'right' way to do shared security is via a single logical server that is consulted and which pronounces on all access requests that arise within its domain of influence - in other words, within z/VM, an ESM that acts as a channel between CP and the True Lord of Security, simply passing requests in one direction and decisions in the other direction. Shared datasets were good in their day, but that day has now passed. Many thanks to all for the excellent responses - I am now content that, when asked, I can honestly deliver an accurate picture of RACF's capabilities and limitations in this area. Cheers folks. Jeff :-)
