I don't use RACF, but now I know how serious this is,
that it kept you up at 3AM! :-)
Received: from alan_altm...@us.ibm.com
by imo-da01.mx.aol.com (mail_out_v42.9.) id g.e58.1011db48 (0);
Mon, 24 Jan 2011 03:16:38 -0500 (EST)
Wow!!!
On Mon, Jan 24, 2011 at 10:16 AM, Alan Altmark <alan_altm...@us.ibm.com>wrote:
> On Friday, 01/21/2011 at 07:57 EST, Scott Rohling
> <scott.rohl...@gmail.com> wrote:
>
> > The best I can come up with here is that RACF OPERATIONS authority is
> somewhat
> > similar to LNKNOPAS.. is that what you mean?
>
> Please be careful with OPERATIONS. It gives complete access to ANY
> resource in the system that is defined as OPER=YES in the RACF Class
> Descriptor Table (ICHRRCDX and ICHRRCDE). It is meant for things like
> backup/restore programs that may need access to any and all minidisks (and
> SFS files and directories, if you protect SFS with RACF). If sharing a
> RACF DB with z/OS, you are also giving the person access to all DASDVOLs.
>
>
> If I were to audit your system and find OPERATIONS authority assigned in
> lieu of access to a generic profile (say), I would rap your knuckles, once
> for each violation. (Plus an extra one just because I enjoy it.
> Bwaahahahaaaa!)
>
> Alan Altmark
>
> z/VM and Linux on System z Consultant
> IBM System Lab Services and Training
> ibm.com/systems/services/labservices
> office: 607.429.3323
> alan_altm...@us.ibm.com
> IBM Endicott
>
