> -----Original Message-----
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Perryman, Brian
> Sent: Wednesday, June 07, 2006 6:39 AM
> To: [email protected]
> Subject: 'Rogue' HLQs
>
>
> Hi folks
>
> Some people in our apps support department create test files
> under their own TSO userid HLQ, which get SMS-placed onto the
> 'user' storage pool, but then later they manually rename
> these files to have a production dataset prefix, I have no
> idea why - so they can test some production jobs, perhaps.
> Anyway, these production HLQs would normally go in their own
> catalog and SMS storage pool but, because the files were
> renamed, they're staying in the original catalog and storage pool.
>
> It's playing havoc with my storage policies and DR planning.
>
> Any ideas if there's a quick and easy way (preferably
> something in RACF?) I can stop them doing this?
>
> Cheers
>
> Brian

First, why, oh why, do your programmers have the ability to rename into
a production HLQ? Beat up the RACF administrators to remove this
capability.

Renaming using ALTER ... NEWNAME will move the catalog entry to the
appropriate catalog IF AND ONLY IF the dataset is SMS managed. If it is
not SMS managed, then the entry will stay in the original catalog.

In z/OS 1.6, which is what I am running, the SMS ACS routines for the
MANAGEMENTCLASS are redriven so that a new management class may be
assigned based on the new name. Something like:

    IF (&ACSENVIR EQ 'RENAME' AND
        &HLQ EQ &PRODHLQ) THEN DO
      WRITE 'YOU MAY NOT RENAME THE HLQ OF A DATASET TO BE PRODUCTION'
      EXIT CODE(1)
    END

Note that the above is way too restrictive. Basically if the HLQ is in
the PRODHLQ filtlist then you cannot rename a dataset to have the HLQ.
Unfortunately(?) this will also stop something like:

    RENAME ABC.DEF.PROD ABC.DEF.PROD.BKUP

from occurring. There does not seem to be a way to get the old dataset
name. You could relax the above by testing for &USER to allow it to be
done for specific users, or conversely to be done by anybody other than
specific users. And it would not restrict anybody from renaming AWAY
from production. That is, if the HLQ of ZZZ is not in the PRODHLQ
filtlist, then

    RENAME ABC.DEF.PROD ZZZ.DEF.PROD

would work, assuming appropriate RACF authority to the ABC.DEF.PROD
dataset.

Bottom line: I think your RACF definitions really need to be looked at!

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology
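
An added example, not part of the original post or of anyone's production routine: the rename check from the reply written out as a complete management class ACS routine, including the &USER relaxation the reply suggests. The FILTLIST contents (PROD, PAY*, STGADM*) are constructed placeholders, and RENAMEOK is a hypothetical filter list name.

```acs
PROC MGMTCLAS

  /* HLQs treated as production (constructed placeholder values) */
  FILTLIST PRODHLQ  INCLUDE('PROD','PAY*')

  /* Userids allowed to rename into production                  */
  /* (hypothetical list, constructed placeholder value)         */
  FILTLIST RENAMEOK INCLUDE('STGADM*')

  /* The routine is redriven on ALTER ... NEWNAME with          */
  /* &ACSENVIR set to RENAME; &HLQ is the HLQ of the NEW name.  */
  /* The old name is not available, so a rename that stays      */
  /* within a production HLQ is rejected as well.               */
  IF &ACSENVIR EQ 'RENAME' THEN
    DO
      IF (&HLQ EQ &PRODHLQ AND &USER NE &RENAMEOK) THEN
        DO
          WRITE 'RENAME TO A PRODUCTION HLQ IS RESTRICTED'
          EXIT CODE(1)
        END
    END

  /* The site's normal management class selection follows here. */

END
```

This only covers SMS-managed data sets, since the ACS routines are not driven for non-SMS renames; the RACF profiles covering the production HLQs remain the primary control.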