I don't use RACF, but now I know how serious this is, that it kept you up at 3AM! :-)
Received: from alan_altm...@us.ibm.com by imo-da01.mx.aol.com (mail_out_v42.9.) id g.e58.1011db48 (0); Mon, 24 Jan 2011 03:16:38 -0500 (EST)

Wow!!!

On Mon, Jan 24, 2011 at 10:16 AM, Alan Altmark <alan_altm...@us.ibm.com> wrote:

> On Friday, 01/21/2011 at 07:57 EST, Scott Rohling
> <scott.rohl...@gmail.com> wrote:
>
> > The best I can come up with here is that RACF OPERATIONS authority is somewhat
> > similar to LNKNOPAS.. is that what you mean?
>
> Please be careful with OPERATIONS. It gives complete access to ANY
> resource in the system that is defined as OPER=YES in the RACF Class
> Descriptor Table (ICHRRCDX and ICHRRCDE). It is meant for things like
> backup/restore programs that may need access to any and all minidisks (and
> SFS files and directories, if you protect SFS with RACF). If sharing a
> RACF DB with z/OS, you are also giving the person access to all DASDVOLs.
>
> If I were to audit your system and find OPERATIONS authority assigned in
> lieu of access to a generic profile (say), I would rap your knuckles, once
> for each violation. (Plus an extra one just because I enjoy it.
> Bwaahahahaaaa!)
>
> Alan Altmark
>
> z/VM and Linux on System z Consultant
> IBM System Lab Services and Training
> ibm.com/systems/services/labservices
> office: 607.429.3323
> alan_altm...@us.ibm.com
> IBM Endicott
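An audit check of the kind the quoted message describes, as an added example that is not part of the original thread: it scans text in the layout of RACF LISTUSER output and reports every user holding OPERATIONS, marking those not on an approved list. It goes slightly beyond the message by also reporting OPERATIONS held at group level (CONNECT ATTRIBUTES). The sample listing, the user IDs and the approved list are constructed for illustration, and the line layout is an assumption about what the input looks like.

```python
import re

# Constructed sample in the style of RACF LISTUSER output (not from a real system).
SAMPLE_LISTUSER = """\
USER=BACKUP01  NAME=BACKUP SERVICE  OWNER=SYSADMIN  CREATED=10.200
 DEFAULT-GROUP=SYS1  PASSDATE=11.020  PASS-INTERVAL= 30
 ATTRIBUTES=OPERATIONS
  GROUP=SYS1  AUTH=USE  CONNECT-OWNER=SYSADMIN  CONNECT-DATE=10.200
    CONNECT ATTRIBUTES=NONE
USER=LNXADM  NAME=LINUX ADMIN  OWNER=SYSADMIN  CREATED=10.201
 DEFAULT-GROUP=LNXGRP  PASSDATE=11.015  PASS-INTERVAL= 30
 ATTRIBUTES=SPECIAL OPERATIONS
  GROUP=LNXGRP  AUTH=USE  CONNECT-OWNER=SYSADMIN  CONNECT-DATE=10.201
    CONNECT ATTRIBUTES=NONE
USER=OPER2  NAME=OPERATOR TWO  OWNER=SYSADMIN  CREATED=10.202
 DEFAULT-GROUP=LNXGRP  PASSDATE=11.018  PASS-INTERVAL= 30
 ATTRIBUTES=NONE
  GROUP=LNXGRP  AUTH=USE  CONNECT-OWNER=SYSADMIN  CONNECT-DATE=10.202
    CONNECT ATTRIBUTES=OPERATIONS
USER=GUEST1  NAME=PLAIN USER  OWNER=SYSADMIN  CREATED=10.203
 DEFAULT-GROUP=LNXGRP  PASSDATE=11.019  PASS-INTERVAL= 30
 ATTRIBUTES=NONE
"""

USER_RE = re.compile(r"^\s*USER=(\S+)")
GROUP_RE = re.compile(r"^\s*GROUP=(\S+)")   # does not match DEFAULT-GROUP=
ATTR_RE = re.compile(r"^\s*(CONNECT )?ATTRIBUTES=(.*)$")


def find_operations(listing, approved=frozenset()):
    """Return (user, scope, is_approved) for each OPERATIONS grant in the listing."""
    findings = []
    user = group = None
    for line in listing.splitlines():
        if m := USER_RE.match(line):
            user, group = m.group(1), None       # new user section starts
        elif m := GROUP_RE.match(line):
            group = m.group(1)                   # connect-group section
        elif (m := ATTR_RE.match(line)) and user:
            if "OPERATIONS" in m.group(2).split():
                scope = f"group {group}" if m.group(1) else "system"
                findings.append((user, scope, user in approved))
    return findings


if __name__ == "__main__":
    # Hypothetical allow-list: the backup/restore service ID only.
    for user, scope, ok in find_operations(SAMPLE_LISTUSER, {"BACKUP01"}):
        print(f"{user:10} OPERATIONS ({scope}) {'approved' if ok else 'REVIEW'}")
```

Each entry marked REVIEW is a candidate for replacing OPERATIONS with a PERMIT against a generic profile covering only the resources that ID actually needs.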