command for restricting datasets in read mode

 
Avinash_Gupta

New User


Joined: 11 May 2005
Posts: 26
Location: Hyderabad

Posted: Tue Sep 12, 2006 12:30 am    Post subject: command for restricting datasets in read mode

Hi All,
Can anybody tell me the RACF command that is required to restrict datasets in read mode for all the users?

I guess ALTER can be used, but I want to know how that command can be invoked for all the existing users at once.

kgumraj

Active User


Joined: 01 May 2006
Posts: 151
Location: Hyderabad

Posted: Tue Sep 12, 2006 9:19 pm    Post subject: Re: command for restricting datasets in read mode

ALTER is for a person who changes the code; you need to give browse access.
To set it for an entire group you need to give UserID*. I suppose the team you are working with will start with a common prefix; look for it and give prefix*.
cpuhawg

Active User


Joined: 14 Jun 2006
Posts: 331
Location: Jacksonville, FL

Posted: Wed Sep 13, 2006 1:07 am    Post subject: Re: command for restricting datasets in read mode

You will need the SPECIAL or AUDITOR attribute to do the following command:

Code:

TSO RL GLOBAL DATASET


This command generates a list of datasets that have global READ/UPDATE/ALTER access, meaning that if you access a dataset in the global list, you get immediate access without any additional RACF checking.

Code:

CLASS      NAME                                     
-----      ----                                     
GLOBAL     DATASET                                 
                                                   
MEMBER CLASS NAME                                   
------ ----- ----                                   
GMBR                                               
                                                   
RESOURCES IN GROUP                                 
--------- -- -----                                 
&RACUID.**/ALTER (G)                               
HLQ1.&RACUID.**/ALTER (G)


Here's the command to add a global dataset if you have the SPECIAL attribute:

Code:

RALT GLOBAL DATASET ADDMEM('HLQ1.MYPDS.LIBRARY'/READ)


The READ parameter may also be ALTER, UPDATE, CONTROL, or READ.

If you are referring to a dataset profile and not the GLOBAL access list, you can do the following.

You can add the dataset with a UACC of READ.

Code:

AD   'HLQ1.MYPDS.LIBRARY.**' GEN UACC(READ) OWNER(SYSADM)


If the dataset profile already exists, you can alter it using:

Code:

ALTDSD   'HLQ1.MYPDS.LIBRARY.**' GEN UACC(READ)


In the access list for the dataset, you can give all users READ to your dataset by using:

Code:

PE   'HLQ1.MYPDS.LIBRARY.**' ID(*) ACCESS(READ) GEN


The * (asterisk) will let all users READ the dataset except ones with a RESTRICTED attribute.

If there are persons with the OPERATIONS attribute, they can ALTER any dataset on the system (even if your dataset has READ). The only method of limiting them is to connect every person with the OPERATIONS attribute to a specific RACF group (let's say OPER), and add it to the access list with READ:

Code:

PE   'HLQ1.MYPDS.LIBRARY.**' ID(OPER) ACCESS(READ) GEN

Avinash_Gupta

New User


Joined: 11 May 2005
Posts: 26
Location: Hyderabad

Posted: Wed Sep 13, 2006 2:06 pm    Post subject: A doubt

Thank you for the response. Actually I tried the command
PE 'HLQ1.MYPDS.LIBRARY.**' ID(*) ACCESS(READ) GEN

In place of ID(*) we can give the ID or the group name. I had found that all the users were assigned to only two groups. So I gave ID(group name) and tried restricting all the ALTER/UPDATE access to READ by executing the command. But it did not happen. Hence I had to change the ALTER/UPDATE access to READ by individually executing it for all the users.

Can the command below, which you mentioned above, restrict the access for all the users to READ, even for those who have ALTER/UPDATE access? Please clarify:
RALT GLOBAL DATASET ADDMEM('HLQ1.MYPDS.LIBRARY'/READ)

Thank you.
cpuhawg

Active User


Joined: 14 Jun 2006
Posts: 331
Location: Jacksonville, FL

Posted: Wed Sep 13, 2006 6:54 pm

GLOBAL access works this way. A dataset or dataset pattern is coded in the GLOBAL list with READ. When a user logs in and tries to READ the dataset, RACF first checks GLOBAL. If a match is found, the user can READ the dataset and RACF stops checking.

If the user then tries to SAVE the file in edit mode (UPDATE access needed), RACF starts checking again. It finds the GLOBAL list only has READ. It then checks for the best match to the RACF dataset profiles. If it does not locate a matching profile, it fails the SAVE attempt with a S913-38. If it does find a matching profile, it checks the UACC (universal access). If the UACC is READ or NONE, it checks the access list for the dataset profile. If the user's ID or group (the user is connected to) is in the access list with either UPDATE, CONTROL, or ALTER, it allows the user to save the file. If not, it fails the SAVE with a S913-38.

GLOBAL datasets should be comprised of only those datasets that are accessed repeatedly. All the PDS datasets in your TSO proc would fall under this category. GLOBAL datasets allow RACF to do the least amount of checking before access is allowed.

It sounds like you should avoid using GLOBAL and just use a dataset profile. So don't use the RALT GLOBAL command.

Persons with the OPERATIONS attribute can ALTER/UPDATE/READ any dataset unless they are in the access list (as a user or a group) with READ or NONE.

You can give a GROUP READ in the access list and give a user (connected to that GROUP) ALTER in the access list and the user will have ALTER. If the userid is not in the access list, they will only have READ because they are connected to the GROUP.
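
The checking order described in the replies above, modelled in Python as an added example that is not part of the thread and is not RACF code. The user and group names are hypothetical; treating an access-list entry as decisive over UACC and taking the highest authority across a user's groups are assumptions of the model.

```python
# Simplified model of the dataset access check order described in this thread.
# Not RACF code: profile matching, ID(*) and RESTRICTED users are left out.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

def check_access(user, groups, requested, dataset, global_list, profile,
                 operations=False):
    """Return (granted, reason). global_list maps dataset name -> level;
    profile is {"uacc": level, "acl": {id_or_group: level}} or None."""
    need = LEVELS[requested]
    # 1. GLOBAL list: a sufficient entry grants access and checking stops.
    if LEVELS[global_list.get(dataset, "NONE")] >= need:
        return True, "global"
    # 2. No matching profile: the request fails (S913-38 in the thread).
    if profile is None:
        return False, "no profile"
    acl = profile["acl"]
    # 3. An entry for the user ID itself wins over any group entry
    #    (assumption: it is decisive whether it is higher or lower).
    if user in acl:
        return LEVELS[acl[user]] >= need, "user entry"
    # 4. Otherwise the highest authority among the user's groups applies
    #    (assumption: list-of-groups checking is active).
    group_levels = [LEVELS[acl[g]] for g in groups if g in acl]
    if group_levels:
        return max(group_levels) >= need, "group entry"
    # 5. Not in the access list: OPERATIONS grants access, else UACC decides.
    if operations:
        return True, "operations"
    return LEVELS[profile["uacc"]] >= need, "uacc"

# Constructed sample data: user and group names are hypothetical.
PROFILE = {"uacc": "READ", "acl": {"DEVGRP": "READ", "USER01": "ALTER"}}
OPER_PROFILE = {"uacc": "READ", "acl": {"OPER": "READ"}}
GLOBAL = {"HLQ1.MYPDS.LIBRARY": "READ"}

def demo():
    ds = "HLQ1.MYPDS.LIBRARY"
    return [
        check_access("USER02", ["DEVGRP"], "READ", ds, GLOBAL, PROFILE),
        check_access("USER02", ["DEVGRP"], "UPDATE", ds, GLOBAL, PROFILE),
        check_access("USER01", ["DEVGRP"], "UPDATE", ds, GLOBAL, PROFILE),
        check_access("OPER01", ["OPER"], "ALTER", ds, GLOBAL, PROFILE, True),
        check_access("OPER01", ["OPER"], "ALTER", ds, GLOBAL, OPER_PROFILE, True),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third case shows why permitting a group READ leaves a user's own ALTER entry in effect: the user entry is evaluated before any group entry.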
All times are GMT + 6 Hours