----- Original Message -----
From: "R.S." <[email protected]>
Newsgroups: bit.listserv.ibm-main
Sent: Thursday, February 03, 2011 7:13 PM
Subject: Re: STGADMIN.ADR.DUMP.TOLERATE.ENQF
On 2011-02-04 00:33, Frank Swarbrick wrote:
Interesting.
I'm not clear where this is documented, but I'll see what my RACF admin
has to say.
Basically, I tried in our prod LPAR to backup (DUMP) a file that was
currently open to CICS; thus the TOLERATE(ENQF). But I could not perform
it because...
ICH408I USER(DVFJS ) GROUP(DEPT9971) NAME(FRANK SWARBRICK ) 928
STGADMIN.ADR.DUMP.TOLERATE.ENQF CL(FACILITY)
INSUFFICIENT ACCESS AUTHORITY
FROM STGADMIN.ADR.** (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
That's quite obvious.
Some basics: resource is a string STGADMIN.ADR.DUMP.TOLERATE.ENQF
RACF db holds the profiles. In your case your RACF db has no profile equal
to resource name, but it holds *generic* profile STGADMIN.ADR.** which
covers required resource.
In your case this profile is too wide in scope. Your RACF admin should
consider definition of STGADMIN.ADR.STGADMIN.** - this profile is
powerful and dangerous. The old profile could be defined with UACC(READ)
which means "available to anyone".
In other words, your RACF admin unnecessarily restricted some functions.
I would disagree with the last statement that the RACF admin unnecessarily
restricted some functions. I've seen this construct at a number of sites,
and it makes sense if for no other reason than that it covers future additions to
the STGADMIN.ADR FACILITY class profiles. IBM does add new function there
from time to time, and having this rule in place ensures that no one can get
unauthorized access to any new profiles in the future.
Regards,
Tom Conley
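
Added example (not part of the thread and not IBM or site code): a Python parser for the ICH408I message quoted above that extracts the requested resource, the profile RACF used for the decision, and whether that profile is generic, then counts denials per deciding profile. The second log entry and all function names are constructed for illustration, and the field layout is assumed from the one message shown in the thread.

```python
import re
from collections import Counter

# First message is the one quoted in the thread; the second is constructed.
LOG = """\
ICH408I USER(DVFJS ) GROUP(DEPT9971) NAME(FRANK SWARBRICK ) 928
STGADMIN.ADR.DUMP.TOLERATE.ENQF CL(FACILITY)
INSUFFICIENT ACCESS AUTHORITY
FROM STGADMIN.ADR.** (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
ICH408I USER(EXAMPLE1) GROUP(EXGROUP ) NAME(CONSTRUCTED USER )
STGADMIN.ADR.COPY.TOLERATE.ENQF CL(FACILITY)
INSUFFICIENT ACCESS AUTHORITY
FROM STGADMIN.ADR.** (G)
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
"""

PAREN = r"\(\s*([^)]*?)\s*\)"          # KEYWORD(value ) with padding stripped
FIELDS = {"user": "USER" + PAREN, "group": "GROUP" + PAREN,
          "name": "NAME" + PAREN, "intent": "ACCESS INTENT" + PAREN,
          "allowed": "ACCESS ALLOWED" + PAREN}
RESOURCE = re.compile(r"^\s*(\S+)\s+CL" + PAREN, re.M)
PROFILE = re.compile(r"^\s*FROM\s+(\S+)(\s+\(G\))?", re.M)
MESSAGE = re.compile(r"^ICH408I.*?(?=^ICH408I|\Z)", re.M | re.S)

def parse_ich408i(msg):
    """Extract the fields of one ICH408I message; absent fields are None."""
    rec = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, msg)
        rec[key] = m.group(1) if m else None
    res, prof = RESOURCE.search(msg), PROFILE.search(msg)
    rec["resource"], rec["class"] = res.groups() if res else (None, None)
    rec["profile"] = prof.group(1) if prof else None
    rec["generic"] = bool(prof and prof.group(2))   # "(G)" marks a generic profile
    return rec

def denials_by_profile(log):
    """Count denials per (class, deciding profile, requested resource)."""
    counts = Counter()
    for msg in MESSAGE.findall(log):
        r = parse_ich408i(msg)
        counts[(r["class"], r["profile"], r["resource"])] += 1
    return counts

if __name__ == "__main__":
    for (cls, profile, resource), n in denials_by_profile(LOG).items():
        covered = "no profile of its own" if profile != resource else "own profile"
        print(f"{n}x {cls} {resource}: decided by {profile} ({covered})")
```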