Dana's answer is syntactically correct, but there's a gotcha involved that you
might need to be aware of. The rule(s) that are applied to ALL are inspected
by TSS only after it checks the rules for individual IDs and profiles. (You
can think of a TSS profile as being a group rule, where "profile" is not not
definitely not the same as what RACF means by "profile".) So if USERA has the
permission then he'll have the access even though the ALL record says
otherwise. And if PROFILEB has the permission, and USERC, -D and E have
PROFILEB, they'll have the access too. The ALL record is mostly useful for
granting mass access to some resource; if you try to forbid access in ALL, it's
not safe to assume there's nothing more to worry about.
Nevertheless, Dana's answer isn't wrong. Just don't think that's all there is
to it.
In TSS (unlike in RACF) you can find out fairly easily who has access to a
resource. You can try this:
'tss whohas dsname('netrc_dsn')'
That'll get you a list of all the permissions - well, most of them - that refer
to the particular dataset you're interested in. You can examine that list and
see what permissions are out there that might preƫmpt the ALL record.
Oh, by the way, if your DSN isn't quoted in that command, then it refers to any
DS that ~starts~ with that string. So, for example, if netrc_dsn is "ABC.DEF"
- if, in other words, your TSS permission evaluates to:
tss per(usera) dsn(abc.def) acc(all)
...then the permission will be used to grant access to 'ABC.DEF', and also to
'ABC.DEFGH' and 'ABC.DEF.GHI.JKL(MEMBER)'. I'm just sayin'. If you want the
permission to apply to only that one dataset, make sure singe quotes are part
of the name.
I also discovered, a few years ago, that the WHOHAS command I mentioned above
doesn't think to mention really broad-based permissions like this:
tss per(userb) dsn(*****) acc(read)
I have to issue a special WHOHAS to catch those and add them to my list.
At this point, my expert at CA would remind me that there's also the NODSNCHK
attribute and probably a few other gotchas too, but maybe I've already muddied
the waters more than enough.
---
Bob Bridges, [email protected], cell 336 382-7313
/* Politicians are wonderful people as long as they stay away from things they
don't understand, such as working for a living. -P J O'Rourke */
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
Dana Mitchell
Sent: Friday, November 4, 2022 13:23
TSS:
"tss permit(all) dsname("netrc_dsn") acc(none)"
"tss permit("sysvar('sysuid')" dsname("netrc_dsn") access(all)"
--- On Fri, 4 Nov 2022 11:59:23 -0500, Lionel B. Dyck <[email protected]> wrote:
>I have this code to secure a dataset so only the user has access to it:
>
>"Addsd '"netrc_dsn"' UACC(none)"
> "Permit '"netrc_dsn"' Access(alter) ID("sysvar('sysuid')")"
>
>Can anyone help me with equivalent command(s) for ACF2 and TSS?
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
