SFS REVOKE command
Steve Gentry
2006-01-25 13:10:19 UTC
I'm trying to revoke authority for a userid to an SFS directory. My
userid is an SFS administrator. I originally Enrolled the user in this
filepool.
I issue the revoke command and it appears to work successfully. I then
issue a Query Authority and the user I just revoked is still
listed as having access to this specific directory. I issue the revoke
command again and it says that I have already revoked
authority for this user. Why is the user still showing up when I do the
Query Authority command?
Thanks,
Steve
John Hall
2006-01-25 13:48:44 UTC
Post by Steve Gentry
I'm trying to revoke authority for a userid to an SFS directory. My
userid is an SFS administrator. I originally Enrolled the user in this
filepool.
I issue the revoke command and it appears to work successfully. I then
issue a Query Authority and the user I just revoked is still
listed as having access to this specific directory. I issue the revoke
command again and it says that I have already revoked
authority for this user. Why is the user still showing up when I do the
Query Authority command?
A couple of possibilities come to mind:

- userid is an SFS Administrator, meaning it has authority to access and
update any file and directory in that file pool. ("QUERY ENROLL ADMIN
filepool" will show you the list of SFS Administrators for a file pool)

- SFS directory is DIRCONTROL (QUERY DIRATTR dirid) and the userid has the
directory accessed. When they release the directory, they will be unable to
access it again. (DIRCONTROL directories behave similarly to minidisks)

- If you are doing this from DIRLIST or FILELIST, I have found that in some
cases the REVOKE AUTH command truncates the target userid by one character.
Try putting a trailing "(" on the REVOKE AUTH command to see if this changes
the behavior (and, if so, please report to the support center)

--
John Hall (+1) 727-397-6373 Safe Software, Inc.
JohnHall (at) SafeSoftware.Com
http://www.SafeSoftware.Com
JohnBeachFL (at) gmail.com
Steve Gentry
2006-01-25 13:58:40 UTC
Thanks for the tips John, unfortunately none of them applied.
See below.
Steve





John Hall <***@gmail.com>
Sent by: VM/ESA and z/VM Discussions <VMESA-***@LISTSERV.UARK.EDU>
01/25/2006 08:48 AM
Please respond to VM/ESA and z/VM Discussions


To: VMESA-***@LISTSERV.UARK.EDU
cc:
Subject: Re: SFS REVOKE command



On 1/25/06, Steve Gentry <***@lafayettelife.com > wrote:

I'm trying to revoke authority for a userid to an SFS directory. My
userid is an SFS administrator. I originally Enrolled the user in this
filepool.
I issue the revoke command and it appears to work successfully. I then
issue a Query Authority and the user I just revoked is still
listed as having access to this specific directory. I issue the revoke
command again and it says that I have already revoked
authority for this user. Why is the user still showing up when I do the
Query Authority command?

A couple of possibilities come to mind:

- userid is an SFS Administrator, meaning it has authority to access and
update any file and directory in that file pool. ("QUERY ENROLL ADMIN
filepool" will show you the list of SFS Administrators for a file pool)
Nope. User is not an administrator.

- SFS directory is DIRCONTROL (QUERY DIRATTR dirid) and the userid has the
directory accessed. When they release the directory, they will be unable
to access it again. (DIRCONTROL directories behave similarly to
minidisks)
Nope, User was not logged on at the time and the (QUERY DIRATTR dirid) returned FILECONTROL.

- If you are doing this from DIRLIST or FILELIST, I have found that in
some cases the REVOKE AUTH command truncates the target userid by one
character. Try putting a trailing "(" on the REVOKE AUTH command to see
if this changes the behavior (and, if so, please report to the support
center)
Nope, was issuing it from the command line.

John Hall
2006-01-25 14:13:49 UTC
Steve,
Another possibility comes to mind, altho it generally only applies to
direct access to the files. (I doubt this applies, b/c you say that
QUERY AUTH still shows the authorization...but it's worth trying) A
FILECONTROL directory has authorizations for the directory and for the
files in the directory. They are completely unrelated. You have to
GRANT or REVOKE auths for both the directory and the files in the
directory.
Try:
REVOKE AUTH * * dirid FROM userid

Here's another possibility: Any chance you have a REVOKE EXEC sitting
around that's mucking up the picture? You might try the following, to
ensure that a REVOKE EXEC isn't messing things up:
SET IMPEX OFF
REVOKE AUTH ...
SET IMPEX ON

John

Steve Gentry
2006-01-25 16:04:48 UTC
John, I had used the REVOKE AUTH * * dirid FROM userid as you suggested. This was also the command
I used before I originally posted my question. For funnies, I tried REVOKE AUTH dirid FROM userid
then issued the QUERY AUTH command and the user disappeared from the list.
My assumption was based on the way the doc is written, an ITSO CMS Shared File System Primer, it appears
that '*' (asterisk) are the default. Apparently they are not. The use of asterisks indicates
that only the files are made unavailable. Using no asterisks revokes your access to that
directory.
Ya learn somethin' new everyday.
Thanks for your help.
Steve
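
An added example, not part of any post in this thread: a small Python model of the behaviour the thread arrives at, where a FILECONTROL directory keeps directory authorities and file authorities separately, so `REVOKE AUTH * * dirid` and `REVOKE AUTH dirid` each clear only one of them. The class, the file pool and directory name, the userids and the file names are all constructed for illustration; this is not SFS code and does not reproduce real command output.

```python
from dataclasses import dataclass, field

@dataclass
class FileControlDir:
    """Toy model of one FILECONTROL directory (assumption: not real SFS internals)."""
    dirid: str
    dir_auth: set = field(default_factory=set)     # userids granted on the directory
    file_auth: dict = field(default_factory=dict)  # (fn, ft) -> userids granted on the file

    def revoke_files(self, userid, fn="*", ft="*"):
        """Models REVOKE AUTH fn ft dirid FROM userid: file grants only."""
        hit = False
        for (f, t), users in self.file_auth.items():
            if fn in ("*", f) and ft in ("*", t) and userid in users:
                users.discard(userid)
                hit = True
        return hit  # False stands for the "already revoked" reply

    def revoke_dir(self, userid):
        """Models REVOKE AUTH dirid FROM userid: directory grant only."""
        hit = userid in self.dir_auth
        self.dir_auth.discard(userid)
        return hit

    def query_dir(self):
        """Models QUERY AUTH dirid: lists directory-level grants."""
        return sorted(self.dir_auth)

    def residual(self, userid):
        """Everything the userid can still reach; empty means fully deprovisioned."""
        left = [f"{f} {t}" for (f, t), u in sorted(self.file_auth.items()) if userid in u]
        if userid in self.dir_auth:
            left.insert(0, "<directory>")
        return left

def sample_dir():
    # Constructed sample data.
    return FileControlDir("POOL1:OWNER.PROJECT", {"USERA", "USERB"},
                          {("PLAN", "NOTES"): {"USERA"}, ("DATA", "FILE"): {"USERA", "USERB"}})

def replay_thread():
    """The sequence from the thread: file revoke twice, query, then directory revoke."""
    d = sample_dir()
    first = d.revoke_files("USERA")           # succeeds
    second = d.revoke_files("USERA")          # nothing left to revoke at file level
    still_listed = "USERA" in d.query_dir()   # directory grant was never touched
    d.revoke_dir("USERA")
    return first, second, still_listed, d.residual("USERA")
```

The same model shows the reverse gap: revoking only the directory authority leaves the file-level grants in `residual()`, so a deprovisioning check should confirm both are empty.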





Schuh, Richard
2006-01-25 16:46:58 UTC
John,

The QUERY AUTH command does not list all administrators of the pool, just the one issuing the query command. It shows that user, the owner, and any explicitly granted authorities. Your first possibility is not it. An owner of a space is always authorized for it. You can only get rid of that authorization via DELETE USER.

Regards,
Richard Schuh
