BobGilbert
New User
Joined: 20 Nov 2009 Posts: 6 Location: Northern California
We have been cleaning up datasets which have not been referenced for over 10 years in HSM. We have come across a great number which are migrated to ML2 and the RACF rule/profiles have been removed. The question: Is there a way to clean these up without creating RACF rules, sort of find the orphans and clean them up? It will be a lot of work to create the RACF rules, plus creating the documentation for the auditors will be a pain......
Ideas?
expat
Global Moderator
Joined: 14 Mar 2007 Posts: 8797 Location: Welsh Wales
I don't think that you will get away with it.
To me the problem will be the access required to remove the catalog entries.
I can recall using FIXCDS to delete MCDS records and update / delete OCDS records to cull the duff datasets, but I guess this still leaves you the catalog entries to deal with.
expat
Global Moderator
Joined: 14 Mar 2007 Posts: 8797 Location: Welsh Wales
On further reflection I do recall one of the sysprogs downloading a catalog and manually deleting incorrect records before reloading the catalog from the updated download data.
I guess another way might be to set up a new catalog, migrate all of the valid HLQs to the new catalog, and then delete the original catalog and then the alias.
BUT I guess if the auditors are fully aware of what has been done via the correct channels of defining RACF profiles etc., then there will be an audit trail should anything go tits up.
A real PITA, but at least you will be covered.
nevilh
Active User
Joined: 01 Sep 2006 Posts: 262
Deleting the entries from the catalog is no problem at all for the sysprog; a simple del nscr would do it for him. No idea about the HSM side; have you tried a HDEL to see what error it throws up?
expat
Global Moderator
Joined: 14 Mar 2007 Posts: 8797 Location: Welsh Wales
I think that even the sysprog would have a problem deleting catalog entries for a DSN which has no RACF profile existing.
Robert Hansel
New User
Joined: 19 Feb 2010 Posts: 8 Location: Newton, MA
I believe you can use the HSM administrator DELETE command to delete them without them being recalled. You need to use the HSENDCMD command to pass the DELETE command to HSM. Unlike the end-user H-prefixed commands such as HDELETE, the administrator commands do not perform RACF dataset access checking. To execute the command, you'll need READ access to the RACF profile protecting FACILITY class resource STGADMIN.ARC.DELETE.
To remove catalog entries for non-SMS managed datasets, ALTER access permission to the catalog should suffice. For SMS-managed datasets, ALTER access lets you delete the datasets. In neither case are the individual dataset profiles checked for access authorization.
nevilh
Active User
Joined: 01 Sep 2006 Posts: 262
Quote:
I think that even the sysprog would have a problem deleting catalog entries for a DSN which has no RACF profile existing
If you have the correct level of authorisation it is no problem. We do it on a regular basis. RACF is there to stop you accessing datasets (and other resources) to which you are not authorised; by deleting catalog entries you are not actually accessing the dataset, only the catalog.
Pete Wilson
Active Member
Joined: 31 Dec 2009 Posts: 581 Location: London
Simplest way is to get temporary use of a RACFID with OPERATIONS access so simple IDCAMS DELETEs can be issued. With OPERATIONS it doesn't matter if there is no profile covering the datasets. Any other method will only provide a partial solution where the MCD records are deleted and usercatalog entries remain or vice versa.
Robert Hansel
New User
Joined: 19 Feb 2010 Posts: 8 Location: Newton, MA
Pete,
OPERATIONS won't be sufficient if they have RACF SETROPTS PROTECTALL active in FAIL mode. Only a user with System SPECIAL can access a dataset with no profile when PROTECTALL is active. One option would be to temporarily change PROTECTALL to WARN mode. However, most RACF administrators would probably balk at doing so or giving out OPERATIONS. Personally, I'd go with the HSM administrator authorities as it addresses the current requirement as well as like ones in the future.
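
A least-privilege setup for the HSM administrator route described in Robert Hansel's replies, as an added example that is not part of the original thread, written as TSO/RACF commands in CLIST form. The group HSMCLEAN and the data set name are constructed placeholders; it assumes the STGADMIN.ARC.DELETE profile is not yet defined and that the FACILITY class is RACLISTed.

```tso
/* Added example: constructed names, not taken from the thread.       */
/* HSMCLEAN           = hypothetical RACF group for the cleanup IDs.  */
/* HLQ.ORPHAN.DATASET = placeholder for one migrated data set name.   */

/* 1. Define the profile that protects the HSM administrator DELETE   */
/*    command. UACC(NONE) denies everyone by default, and             */
/*    AUDIT(ALL(READ)) asks RACF to log access attempts against it.   */
RDEFINE FACILITY STGADMIN.ARC.DELETE UACC(NONE) AUDIT(ALL(READ))

/* 2. Grant READ to the cleanup group only, then refresh the          */
/*    in-storage profiles (assumes FACILITY is RACLISTed).            */
PERMIT STGADMIN.ARC.DELETE CLASS(FACILITY) ID(HSMCLEAN) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

/* 3. Review the access list before any deletes are issued.           */
RLIST FACILITY STGADMIN.ARC.DELETE AUTHUSER

/* 4. A member of HSMCLEAN passes the administrator DELETE command    */
/*    to HSM through HSENDCMD, one migrated data set per command.     */
HSENDCMD DELETE HLQ.ORPHAN.DATASET

/* 5. Remove the group from the access list once the cleanup is done. */
PERMIT STGADMIN.ARC.DELETE CLASS(FACILITY) ID(HSMCLEAN) DELETE
SETROPTS RACLIST(FACILITY) REFRESH
```

Scoping the authority to one FACILITY profile and one group keeps OPERATIONS and PROTECTALL untouched, and the RLIST output plus the profile's audit setting give the auditors something to review.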