It's been my understanding that a user with the RESTRICTED attribute needs explicit (i.e., userid, not group) authorization to access a protected resource.
Page 85 of the SA Guide reads, "Restricted user IDs cannot be used
to access protected resources they are not specifically authorized to access. Access
authorization for restricted user IDs bypasses global access checking. In addition,
the UACC of a resource and an ID(*) entry on the access list are not used to
enable a restricted user ID to gain access."
We had a restricted user ID generating repeated ICH408I messages and violations attempting to read a dataset profile with UACC(READ).
A colleague enabled access to that profile for a RACF group to which the restricted user is connected. To my surprise the security violations went away.
Has something changed? Or have I been misunderstanding the RESTRICTED attribute all along?
As always, thanks in advance for any assistance.
------------------------------
David Malbuff
------------------------------