'Re: RACF DB "Modernization" revisited yet again'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       racf-l
Subject:    Re: RACF DB "Modernization" revisited yet again
From:       Walter Farrell <wfarrell () US ! IBM ! COM>
Date:       2008-09-30 16:22:03
Message-ID: OFDD1B2800.BDA934EC-ON852574D4.00516EF3-852574D4.0059E8A4 () us ! ibm ! com
[Download RAW message or body]

On Tuesday, 09/30/2008 at 09:11 EST, "Chase, John" <jchase@USSCO.COM>
wrote:
> I sometimes wonder how many who have gone forward with EGN have later
> had second thoughts.....  I can't see any disadvantages to EGN, but
> likewise can't see any disadvantages to NOEGN either.  I guess "if it
> ain't broke, ..." still applies.

Today EGN gives you some subtle capabilities that NOEGN doesn't have, but
for the most part you can do the same things in a NOEGN environment as in
an EGN environemt.  So, if you don't need those capabilities, then you
don't really need to use EGN.

With EGN you can:
(a) define a profile like ABC.** that will protect single-qualifier data
sets named ABC as well as multi-qualifier data sets beginning with
qualifier ABC.  Do you have any such single-level data sets?  If not, then
this advantage does not apply to you.

(b) define a profile like ABC.* that protects data sets with ABC as the
first qualifier and have exactly two qualifiers in the name.  Or ABC.DEF.*
that protects data sets with exactly 3 qualifiers, etc.  Do you have a
need to protect data sets with exactly "n" qualifiers differently from
data sets with "n+1", "n+2", etc?  If not, then this advantage does not
apply to you.

(c) define a profile like ABC.**.DEF which protects data sets with ABC as
the first qualifier and DEF as the final qualifier, assuming you do not
have any more specific ABC.something profiles that would apply.  If you do
not have this situation, then this advantage does not apply to you.

We have requirements to allow other capabilities in generic profiles for
the DATASET class, such as RACFVARS support, and support for generics in
the first qualifier.  I do not know for sure whether we will implement
those functions, nor when we might do so.  If we do implement them, then
conceivably we might do so only for an EGN environment, if that minimizes
the amount of work we need to do.  So someday EGN environments might have
some more significant differences from NOEGN environments.   But we have
no plans to discontinue NOEGN, and you could always migrate to EGN later
if you find some capability it provides that you need.

--
        Walt
------------------------------
Walt Farrell, CISSP
IBM STSM, z/OS Security Design,
e-mail:  wfarrell@us.ibm.com
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic