SMS ML2 deletions - RACF rules non-existent


BobGilbert

New User


Joined: 20 Nov 2009
Posts: 6
Location: Northern California

Posted: Fri Feb 19, 2010 9:42 am

We have been cleaning up datasets which have not been referenced for over 10 years in HSM. We have come across a great number which are migrated to ML2 and the RACF rule/profiles have been removed. The question: Is there a way to clean these up without creating RACF rules, sort of find the orphans and clean them up? It will be a lot of work to create the RACF rules, plus creating the documentation for the auditors will be a pain......
Ideas?
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8797
Location: Welsh Wales

Posted: Fri Feb 19, 2010 12:51 pm

I don't think that you will get away with it.

To me the problem will be the access required to remove the catalog entries.

I can recall using FIXCDS to delete MCDS records and update / delete OCDS records to cull the duff datasets, but I guess this still leaves you the catalog entries to deal with.
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8797
Location: Welsh Wales

Posted: Fri Feb 19, 2010 4:31 pm

On further reflection I do recall one of the sysprogs downloading a catalog and manually deleting incorrect records before reloading the catalog from the updated download data.

I guess another way might be to set up a new catalog, migrate all of the valid HLQ's to the new catalog, and then delete the original catalog and then the alias.

BUT I guess if the auditors are fully aware of what has been done via the correct channels of defining RACF profiles etc., then there will be an audit trail should anything go tits up.

A real PITA, but at least you will be covered.
nevilh

Active User


Joined: 01 Sep 2006
Posts: 262

Posted: Fri Feb 19, 2010 10:23 pm

Deleting the entries from the catalog is no problem at all for the sysprog; a simple del nscr would do it for him. No idea about the HSM side; have you tried a HDEL to see what error it throws up?
expat

Global Moderator


Joined: 14 Mar 2007
Posts: 8797
Location: Welsh Wales

Posted: Sat Feb 20, 2010 5:08 pm

I think that even the sysprog would have a problem deleting catalog entries for a DSN which has no RACF profile existing.
Robert Hansel

New User


Joined: 19 Feb 2010
Posts: 8
Location: Newton, MA

Posted: Sat Feb 20, 2010 9:37 pm

I believe you can use the HSM administrator DELETE command to delete them and without them being recalled. You need to use the HSENDCMD command to pass the DELETE command to HSM. Unlike the end-user H-prefixed commands such as HDELETE, the administrator commands do not perform RACF dataset access checking. To execute the command, you'll need READ access to the RACF profile protecting FACILITY class resource STGADMIN.ARC.DELETE.

To remove catalog entries for non-SMS managed datasets, ALTER access permission to the catalog should suffice. For SMS-managed datasets, ALTER access lets you delete the datasets. In neither case are the individual dataset profiles checked for access authorization.
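
The HSM administrator route described in the post above, sketched as batch TSO jobs. This is an added example, not part of the original posts: the user ID STGADM1, the job names and the OLDHLQ.* dataset names are placeholders, and it assumes the FACILITY class is RACLISTed and that no STGADMIN.ARC.DELETE profile exists yet.

```jcl
//RACFGRNT JOB (ACCT),'GRANT HSM DELETE',CLASS=A,MSGCLASS=X
//* Constructed example: STGADM1 and OLDHLQ.* are placeholders.
//* Job 1, run by the RACF administrator: grant READ on the
//* FACILITY profile that guards the HSM administrator DELETE.
//* AUDIT(ALL(READ)) logs every use of the profile for the
//* auditors. Use RALTER instead of RDEFINE if the profile exists.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY STGADMIN.ARC.DELETE UACC(NONE) +
          AUDIT(ALL(READ))
  PERMIT STGADMIN.ARC.DELETE CLASS(FACILITY) +
          ID(STGADM1) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
/*
//HSMPURGE JOB (ACCT),'DELETE ML2 ORPHANS',CLASS=A,MSGCLASS=X
//* Job 2, run under STGADM1: pass the administrator DELETE to
//* HSM through HSENDCMD. No recall is done and, per the post,
//* no dataset-profile access check is made.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  HSENDCMD WAIT DELETE OLDHLQ.ARCHIVE.Y1998.DATA
  HSENDCMD WAIT DELETE OLDHLQ.ARCHIVE.Y1999.DATA
/*
//RACFREVK JOB (ACCT),'REVOKE HSM DELETE',CLASS=A,MSGCLASS=X
//* Job 3, run by the RACF administrator once the cleanup is
//* complete: remove STGADM1 from the access list again.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  PERMIT STGADMIN.ARC.DELETE CLASS(FACILITY) +
          ID(STGADM1) DELETE
  SETROPTS RACLIST(FACILITY) REFRESH
/*
```

Keeping the SYSTSPRT output of all three jobs alongside the SMF records produced by the AUDIT setting gives the reviewers a record of who was authorised, what was deleted and when the authority was withdrawn.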
nevilh

Active User


Joined: 01 Sep 2006
Posts: 262

Posted: Sat Feb 20, 2010 9:40 pm

Quote:
I think that even the sysprog would have a problem deleting catalog entries for a DSN which has no RACF profile existing

If you have the correct level of authorisation it is no problem. We do it on a regular basis. RACF is there to stop you accessing datasets (and other resources) to which you are not authorised; by deleting catalog entries you are not actually accessing the dataset, only the catalog.
Pete Wilson

Active Member


Joined: 31 Dec 2009
Posts: 581
Location: London

Posted: Wed Feb 24, 2010 3:44 pm

Simplest way is to get temporary use of a RACFID with OPERATIONS access so simple IDCAMS DELETEs can be issued. With OPERATIONS it doesn't matter if there is no profile covering the datasets. Any other method will only provide a partial solution where the MCD records are deleted and usercatalog entries remain or vice versa.
Robert Hansel

New User


Joined: 19 Feb 2010
Posts: 8
Location: Newton, MA

Posted: Wed Feb 24, 2010 7:03 pm

Pete,

OPERATIONS won't be sufficient if they have RACF SETROPTS PROTECTALL active in FAIL mode. Only a user with System SPECIAL can access a dataset with no profile when PROTECTALL is active. One option would be to temporarily change PROTECTALL to WARN mode. However, most RACF administrators would probably balk at doing so or giving out OPERATIONS. Personally, I'd go with the HSM administrator authorities as it addresses the current requirement as well as like ones in the future.
All times are GMT + 6 Hours