On 5/15/2007 10:04 AM, Paul Gilmartin wrote:
> On Tue, 15 May 2007 07:05:19 -0400, Lizette Koehler wrote:
>> Note: If it is not a TSO user holding the dataset (it is either a batch job
>> or STC) then you need to determine if the JCL has DISP=OLD and then handle
>> it appropriately.
>
> Why does RACF not support rules restricting the set of users who may ENQ
> on protected data set names?
RACF does not own the SYSDSN ENQ (Allocation does), and therefore it is
not RACF's job to protect who can issue those ENQs. If it is anyone's
job, it is Allocation's. Allocation could, perhaps, issue a RACROUTE
REQUEST=AUTH to see if the user is authorized to read the data set,
assuming it is an existing data set. Things get more tricky if it is a
new data set, however.
I can't tell for sure, but are you suggesting that a user should need
higher authority (such as UPDATE) before ENQing a data set with
DISP=OLD? I'm not sure I agree with that. And, of course, the OP's
problem could come from a user who has it ENQed SHR, if the OP is trying
to get it exclusively.
By the way, gil, I don't recall seeing anything in this thread
suggesting that an inappropriate user has the data set ENQed, though I
suppose that is possible.
Walt Farrell, CISSP
z/OS Security Design, IBM
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html