SMS ML2 deletions - RACF rules non-existent

BobGilbert

New User


Joined: 20 Nov 2009
Posts: 6
Location: Northern California

Posted: Fri Feb 19, 2010 9:42 am    Post subject: SMS ML2 deletions - RACF rules non-existent

We have been cleaning up datasets which have not been referenced for over 10 years in HSM. We have come across a great number which are migrated to ML2 and the RACF rule/profiles have been removed. The question: Is there a way to clean these up without creating RACF rules, sort of find the orphans and clean them up? It will be a lot of work to create the RACF rules, plus creating the documentation for the auditors will be a pain......
Ideas?

expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

Posted: Fri Feb 19, 2010 12:51 pm

I don't think that you will get away with it.

To me the problem will be the access required to remove the catalog entries.

I can recall using FIXCDS to delete MCDS records and update / delete OCDS records to cull the duff datasets, but I guess this still leaves you the catalog entries to deal with.
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

Posted: Fri Feb 19, 2010 4:31 pm

On further reflection I do recall one of the sysprogs downloading a catalog and manually deleting incorrect records before reloading the catalog from the updated download data.

I guess another way might be to set up a new catalog, migrate all of the valid HLQs to the new catalog, and then delete the original catalog and then the alias.

BUT I guess if the auditors are fully aware of what has been done via the correct channels of defining RACF profiles etc., then there will be an audit trail should anything go tits up.

A real PITA, but at least you will be covered.
nevilh

Active User


Joined: 01 Sep 2006
Posts: 258

Posted: Fri Feb 19, 2010 10:23 pm

Deleting the entries from the catalog is no problem at all for the sysprog; a simple del nscr would do it for him. No idea about the HSM side; have you tried a HDEL to see what error it throws up?
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8593
Location: Back in jolly old England

Posted: Sat Feb 20, 2010 5:08 pm

I think that even the sysprog would have a problem deleting catalog entries for a DSN which has no RACF profile existing.
Robert Hansel

New User


Joined: 19 Feb 2010
Posts: 8
Location: Newton, MA

Posted: Sat Feb 20, 2010 9:37 pm    Post subject: Reply to: SMS ML2 deletions - RACF rules non-existent

I believe you can use the HSM administrator DELETE command to delete them without them being recalled. You need to use the HSENDCMD command to pass the DELETE command to HSM. Unlike the end-user H-prefixed commands such as HDELETE, the administrator commands do not perform RACF dataset access checking. To execute the command, you'll need READ access to the RACF profile protecting FACILITY class resource STGADMIN.ARC.DELETE.

To remove catalog entries for non-SMS managed datasets, ALTER access permission to the catalog should suffice. For SMS-managed datasets, ALTER access lets you delete the datasets. In neither case are the individual dataset profiles checked for access authorization.
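The least-privilege setup described in the post above, written out as two batch TSO jobs. This is an added example, not code from the thread; the user ID HSMCLN, the dataset names, the JOB cards and the assumption that the FACILITY class is active and RACLISTed are all hypothetical.

```jcl
//* --- Job 1: submitted by the RACF administrator -----------------
//* Added example. HSMCLN, the OLD.APP.* names and the JOB cards
//* are hypothetical placeholders, not values from the thread.
//RACFDEF  JOB (ACCT),'DEFINE HSM DELETE',CLASS=A,MSGCLASS=X
//PERMIT   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//* UACC(NONE): nobody gets the authority by default.
//* AUDIT(ALL(READ)): request logging of access attempts at READ
//* and above, so use of the authority is recorded.
//* The PERMIT grants READ only to the one cleanup ID.
//* The REFRESH assumes FACILITY is RACLISTed.
//SYSTSIN  DD *
  RDEFINE FACILITY STGADMIN.ARC.DELETE UACC(NONE) +
          AUDIT(ALL(READ))
  PERMIT STGADMIN.ARC.DELETE CLASS(FACILITY) +
          ID(HSMCLN) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
/*
//* --- Job 2: submitted under the cleanup ID HSMCLN ---------------
//* HSENDCMD passes the administrator DELETE command to HSM.
//* WAIT makes each command complete before the next one runs,
//* so SYSTSPRT shows the result per dataset.
//HSMCLEAN JOB (ACCT),'ML2 ORPHAN CLEANUP',CLASS=A,MSGCLASS=X
//DELETE   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  HSENDCMD WAIT DELETE OLD.APP.DATA1
  HSENDCMD WAIT DELETE OLD.APP.DATA2
/*
//* --- Job 3: submitted by the RACF administrator afterwards ------
//* Withdraw the permission once the cleanup is finished.
//RACFUNDO JOB (ACCT),'REVOKE HSM DELETE',CLASS=A,MSGCLASS=X
//REVOKE   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  PERMIT STGADMIN.ARC.DELETE CLASS(FACILITY) ID(HSMCLN) DELETE
  SETROPTS RACLIST(FACILITY) REFRESH
/*
```

Keeping the SYSTSPRT output of job 2 together with the list of dataset names gives the auditors a record of exactly what was deleted and under which ID.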
nevilh

Active User


Joined: 01 Sep 2006
Posts: 258

Posted: Sat Feb 20, 2010 9:40 pm

Quote:
I think that even the sysprog would have a problem deleting catalog entries for a DSN which has no RACF profile existing

If you have the correct level of authorisation it is no problem. We do it on a regular basis. RACF is there to stop you accessing datasets (and other resources) to which you are not authorised; by deleting Catalog entries you are not actually accessing the dataset, only the Catalog.
Pete Wilson

Active User


Joined: 31 Dec 2009
Posts: 440
Location: London

Posted: Wed Feb 24, 2010 3:44 pm

Simplest way is to get temporary use of a RACFID with OPERATIONS access so simple IDCAMS DELETEs can be issued. With OPERATIONS it doesn't matter if there is no profile covering the datasets. Any other method will only provide a partial solution where the MCD records are deleted and usercatalog entries remain or vice versa.
Robert Hansel

New User


Joined: 19 Feb 2010
Posts: 8
Location: Newton, MA

Posted: Wed Feb 24, 2010 7:03 pm    Post subject: Reply to: SMS ML2 deletions - RACF rules non-existent

Pete,

OPERATIONS won't be sufficient if they have RACF SETROPTS PROTECTALL active in FAIL mode. Only a user with System SPECIAL can access a dataset with no profile when PROTECTALL is active. One option would be to temporarily change PROTECTALL to WARN mode. However, most RACF administrators would probably balk at doing so or giving out OPERATIONS. Personally, I'd go with the HSM administrator authorities as it addresses the current requirement as well as like ones in the future.
All times are GMT + 6 Hours