command for restricting datasets in read mode


Avinash_Gupta

New User


Joined: 11 May 2005
Posts: 26
Location: Hyderabad

Posted: Tue Sep 12, 2006 12:30 am

Hi All,
Can anybody tell me the RACF command that needs to be given to restrict datasets to read mode for all the users?

I guess ALTER can be used, but I want to know how that command can be invoked for all the existing users at once.
kgumraj

Active User


Joined: 01 May 2006
Posts: 151
Location: Hyderabad

Posted: Tue Sep 12, 2006 9:19 pm

ALTER is for a person to change the code; you need to give browse access.
To set it for an entire group you need to give UserID*. I suppose the team you are working with will start with a common prefix; look for it and give prefix*.
cpuhawg

Active User


Joined: 14 Jun 2006
Posts: 331
Location: Jacksonville, FL

Posted: Wed Sep 13, 2006 1:07 am

You will need the SPECIAL or AUDITOR attribute to do the following command:

Code:

TSO RL GLOBAL DATASET


This command generates a list of datasets that have global READ/UPDATE/ALTER access, meaning that if you access a dataset in the global list, you get immediate access without any additional RACF checking.

Code:

CLASS      NAME                                     
-----      ----                                     
GLOBAL     DATASET                                 
                                                   
MEMBER CLASS NAME                                   
------ ----- ----                                   
GMBR                                               
                                                   
RESOURCES IN GROUP                                 
--------- -- -----                                 
&RACUID.**/ALTER (G)                               
HLQ1.&RACUID.**/ALTER (G)


Here's the command to add a global dataset if you have the SPECIAL attribute:

Code:

RALT GLOBAL DATASET ADDMEM('HLQ1.MYPDS.LIBRARY'/READ)


The READ parameter may also be ALTER, UPDATE, CONTROL, or READ.

If you are referring to a dataset profile and not the GLOBAL access list, you can do the following.

You can add the dataset with a UACC of READ.

Code:

AD   'HLQ1.MYPDS.LIBRARY.**' GEN UACC(READ) OWNER(SYSADM)


If the dataset profile already exists, you can alter it using:

Code:

ALTDSD   'HLQ1.MYPDS.LIBRARY.**' GEN UACC(READ)


In the access list for the dataset, you can give all users READ to your dataset by using:

Code:

PE   'HLQ1.MYPDS.LIBRARY.**' ID(*) ACCESS(READ) GEN


The * (asterisk) will let all users READ the dataset except ones with a RESTRICTED attribute.

If there are persons with the OPERATIONS attribute, they can ALTER any dataset on the system (even if your dataset has READ). The only method of limiting them is to connect every person with the OPERATIONS attribute to a specific RACF group (let's say OPER), and add it to the access list with READ:

Code:

PE   'HLQ1.MYPDS.LIBRARY.**' ID(OPER) ACCESS(READ) GEN

Avinash_Gupta

New User


Joined: 11 May 2005
Posts: 26
Location: Hyderabad

Posted: Wed Sep 13, 2006 2:06 pm

Thank you for the response. Actually I tried the command
PE 'HLQ1.MYPDS.LIBRARY.**' ID(*) ACCESS(READ) GEN

In place of ID(*) we can give the ID or the group name. I had found that all the users were assigned to only two groups. So I gave ID(group name) and tried restricting all the ALTER/UPDATE access to READ by executing the command. But it did not happen. Hence I had to change the ALTER/UPDATE access to READ by executing the command individually for all the users.

Can the command below, which you mentioned above, restrict the access for all the users to READ, even for those who have ALTER/UPDATE access? Please clarify:
RALT GLOBAL DATASET ADDMEM('HLQ1.MYPDS.LIBRARY'/READ)

Thank you.
cpuhawg

Active User


Joined: 14 Jun 2006
Posts: 331
Location: Jacksonville, FL

Posted: Wed Sep 13, 2006 6:54 pm

GLOBAL access works this way. A dataset or dataset pattern is coded in the GLOBAL list with READ. When a user logs in and tries to READ the dataset, RACF first checks GLOBAL. If a match is found, the user can READ the dataset and RACF stops checking.

If the user then tries to SAVE the file in edit mode (UPDATE access needed), RACF starts checking again. It finds the GLOBAL list only has READ. It then checks for the best match to the RACF dataset profiles. If it does not locate a matching profile, it fails the SAVE attempt with a S913-38. If it does find a matching profile, it checks the UACC (universal access). If the UACC is READ or NONE, it checks the access list for the dataset profile. If the user's ID or group (the user is connected to) is in the access list with either UPDATE, CONTROL, or ALTER, it allows the user to save the file. If not, it fails the SAVE with a S913-38.

GLOBAL datasets should be comprised of only those datasets that are accessed repeatedly. All the PDS datasets in your TSO proc would fall under this category. GLOBAL datasets allow RACF to do the least amount of checking before access is allowed.

It sounds like you should avoid using GLOBAL and just use a dataset profile. So don't use the RALT GLOBAL command.

Persons with the OPERATIONS attribute can ALTER/UPDATE/READ any dataset unless they are in the access list (as a user or a group) with READ or NONE.

You can give a GROUP READ in the access list and give a user (connected to that GROUP) ALTER in the access list and the user will have ALTER. If the userid is not in the access list, they will only have READ because they are connected to the GROUP.
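
The user-over-group precedence described in the last post is why permitting the two groups READ left the individual ALTER/UPDATE entries in force. The following is an added example, not part of the original thread and not RACF's own logic: a simplified Python model over a constructed access list that finds the entries above READ and builds one PE command covering all of them. The user IDs, group names and function names are assumptions, and the model ignores GLOBAL, ID(*), OPERATIONS and RESTRICTED.

```python
# Added example: simplified model of access-list precedence, not RACF itself.
# User IDs, group names and connections below are constructed sample data.
RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

PROFILE = "HLQ1.MYPDS.LIBRARY.**"  # profile name used in the thread
SAMPLE = {
    "uacc": "NONE",
    "acl": {"DEVGRP": "READ", "TESTGRP": "READ",
            "USERA": "ALTER", "USERB": "UPDATE", "USERC": "READ"},
}
CONNECTS = {"USERA": ["DEVGRP"], "USERB": ["TESTGRP"],
            "USERC": ["DEVGRP"], "USERD": ["TESTGRP"]}


def effective_access(user, profile, connects):
    """Own entry wins; otherwise the best group entry; otherwise UACC."""
    acl = profile["acl"]
    if user in acl:  # a user entry overrides any group entry
        return acl[user]
    # Assumption: every connected group is considered (list-of-groups checking).
    levels = [acl[g] for g in connects.get(user, []) if g in acl]
    if levels:
        return max(levels, key=RANK.__getitem__)
    return profile["uacc"]


def entries_above(profile, ceiling="READ"):
    """Access-list entries (user or group) that grant more than the ceiling."""
    return sorted(name for name, level in profile["acl"].items()
                  if RANK[level] > RANK[ceiling])


def lowering_command(name, ids, ceiling="READ"):
    """One PE command that sets every listed ID to the ceiling."""
    return f"PE '{name}' ID({' '.join(ids)}) ACCESS({ceiling}) GEN"


def apply_ceiling(profile, ids, ceiling="READ"):
    """Copy of the profile with the listed entries lowered to the ceiling."""
    acl = dict(profile["acl"], **{name: ceiling for name in ids})
    return {"uacc": profile["uacc"], "acl": acl}


if __name__ == "__main__":
    over = entries_above(SAMPLE)
    print(lowering_command(PROFILE, over))
    fixed = apply_ceiling(SAMPLE, over)
    for user in sorted(CONNECTS):
        print(user, effective_access(user, SAMPLE, CONNECTS), "->",
              effective_access(user, fixed, CONNECTS))
```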
All times are GMT + 6 Hours