> By 'disrupt' I mean moving a node to another server...
> I presume renaming the node would preserve the 'set
> access' rules.
>
I checked this out myself, and renaming a node does seem to result in loss
of previously granted access. I have opened up a defect with server
development for this, as this behavior seems incorrect to me.

> No select that I can issue to see what they've done?

Well, you said you were already going after the actlog, so there's that
SELECT you can do (which I figured you were already doing from your
original post). But the table that houses the access rules is not exposed
via SELECT, so there is no direct method for an admin to see who has
granted access to whom.

Regards,

Andy

Andy Raibeck
IBM Software Group
Tivoli Storage Manager Client Development
Internal Notes e-mail: Andrew Raibeck/Tucson/IBM@IBMUS
Internet e-mail: storman AT us.ibm DOT com

The only dumb question is the one that goes unasked.
The command line is your friend.
"Good enough" is the enemy of excellence.