On Fri, 17 Apr 2009 09:14:45 -0400, Jousma, David <[email protected]> wrote:

>Thanks Mark.  I did as you suggested, and used one of our already defined high
>level qualifiers (OMVSU) for this.  I was thinking long term, that if I treated the
>physical dataset like the other user datasets that they would get cleaned up
>automatically when people quit, etc.

It's okay to use a userid HLQ if your automount policy has "setuid  no". 

>
>Giving OMVS the permission did the trick.
>

I think these days it is recommended to set up OMVS as trusted in 
RACF, and then I don't think you have to worry about this.  But that wasn't
the case years ago since it didn't exist when most shops implemented
OMVS.   I think it is now on some of our systems, but I know I've run into
issues a few times over the last few years occasionally when naming standards
changed for HFS  / zFS. 

I took a quick look at automount in the planning manual and commands, 
and it isn't documented to make sure OMVS has ALTER access if you use
allocuser.  It would be nice if there was a note in there I guess or if it
referred you to something specific in the planning manual (I'm not even
sure if there is a note in there about making sure you give OMVS "all"
access to HFS / zFS data sets).

I ran into a problem with zFS after an enhancement was made (1.8?) 
to create a ZFS entry (bit?) in the catalog and the ZFS address space
wanted to alter the catalog for those data sets that didn't have the 
bit on.  Prior to that I don't think our zFS userid had alter to all zFS 
data sets.   I see a note about this in the zFS admin guide now, but
I don't think it was there originally.

       "NOTE: The DFS user ID must have at least ALTER authority to 
       all VSAM LDS that contain zFS aggregates. A user ID other    
       than DFS can be used to run the zFS started task if it is    
       defined with the same RACF characteristics as shown for the  
       DFS user ID. As an alternative to PERMIT ALTER authority to  
       all VSAM LDS that contain zFS aggregates, you can assign the 
       zFS started task the TRUSTED attribute or you can assign the 
       user ID of the zFS started task the OPERATIONS attribute.    
       For details, see z/OS Security Server RACF Security          
       Administrator's Guide."                                      

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:[email protected]
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html
