On 6/8/2006 12:57 PM, Mark Thomen wrote:
> On Jun 7, 2006, at 6:38 AM, Perryman, Brian wrote:
>> Some people in our apps support department create test files under
>> their own TSO userid HLQ, which get SMS-placed onto the 'user'
>> storage pool, but then later they manually rename these files to
>> have a production dataset prefix, I have no idea why - so they can
>> test some production jobs, perhaps. Anyway, these production HLQs
>> would normally go in their own catalog and SMS storage pool but,
>> because the files were renamed, they're staying in the original
>> catalog and storage pool.
>> It's playing havoc with my storage policies and DR planning.
>> Any ideas if there's a quick and easy way (preferably something in
>> RACF?) I can stop them doing this?
>
> You might be able to write a RACF exit that disallows the changes...

The more usual approach is to simply not give them CREATE in the groups
that match the HLQs, or not give them ALTER to the production HLQ.* or
HLQ.** profiles. Then they cannot do the renames, nor directly create
new production data sets. Someone mentioned that upstream in this thread.
Of course, as someone else mentioned, that won't be viewed favorably if
the users really need the ability to do those renames or create such
data sets directly. In that case a RACROUTE REQUEST=DEFINE exit
(ICHRDX01) could prevent such renames, as could (I think) a RACF naming
conventions table.
Walt Farrell, CISSP
z/OS Security Design, IBM
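
The access-control approach described in the reply above, sketched as a batch TSO job. This is an added example, not part of the original message. The group PROD, the generic profile 'PROD.**', the user ID APPSUP1, the job card values, and the choice of UPDATE as the reduced access level are all assumptions for illustration.

```jcl
//RACFRNM  JOB (ACCT),'RENAME CONTROL',CLASS=A,MSGCLASS=X
//* Added example: names below (PROD, APPSUP1) are hypothetical.
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* 1. Review who is connected to the group matching the HLQ   */
 /*    and with what group authority (look for CREATE or above) */
 LISTGRP PROD
 /* 2. Review the access list of the production generic profile */
 /*    (look for ALTER entries held by application support IDs) */
 LISTDSD DATASET('PROD.**') GENERIC AUTHUSER
 /* 3. Reduce the user's group authority so it no longer        */
 /*    includes CREATE                                          */
 CONNECT APPSUP1 GROUP(PROD) AUTHORITY(USE)
 /* 4. Reduce the user's access on the production profile below */
 /*    ALTER (UPDATE is an assumed level for this example)      */
 PERMIT 'PROD.**' ID(APPSUP1) ACCESS(UPDATE) GENERIC
 /* 5. Refresh in-storage generic data set profiles             */
 SETROPTS GENERIC(DATASET) REFRESH
 /* 6. Confirm the resulting access list                        */
 LISTDSD DATASET('PROD.**') GENERIC AUTHUSER
/*
```

Steps 1 and 2 only report; run them first and check the output before applying steps 3 to 5 to any real user ID.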