Is there a way to give a user OP$MVS.OPSAOF UPDATE access for one Rule Set but not another?
In other words, I want to grant the user the ability to use the read only commands for AOFin RULESETA but not the update only commands. Then on RULESETB, I want the same user to haveupdate access. Basically I want the user to have authority to ENABLE/DISABLE/RESETAUTO rulesin RULESETB but not have that authority in RULESETA or any other RULESET.
Caveat: I would like to do this with RACF only. No security rules involved.
To secure your rule sets libraries based on the read/update levels you want to implement, please consider using the standard Dataset Resource Class your security product provides. Calls using the SAF Resource Name OP$MVS.OPSAOF does not provide with what you are looking for. Read level provides access to subcommands (INDEX, LISTINST, LIST, LISTSRC, LISTCOMP) and update allows the use of (SETAUTO, DISABLE, ENABLE, COMPILE, DELCOMP, RESETAUTO) subcommands as documented in this URL link:
Hope this helps Travis.
I agree, the resource OPSAOF does not have the granularity that I need. I do have the user set up with the appropriate access levels in the Dataset profile for each of the rule sets. It does restrict the user from saving any changes to the rule but it does not prevent them from using the UPDATE commands for the OPSAOF resource because the commands don't rely on the data set profile, they are bound to the OP$MVS.OPSAOF.
I was able to set up PLAN B which was to code up a security rule which handled the extra level of security I needed but I would really prefer a method that was centered on RACF instead of relying on Security Rules. I originally set it up to use a separate resource but as I pondered your response, Cesar, I realized I could just use the data set access to do the same thing so that is what I did. So right now I have a security rule monitoring AOF events and checking the data set access based on the command issued.
Sounds good Travis
Thanks for participating in this forum.
We appreciate your support.