Any idea how many TSS shops there are, and how large they are?
Just a curiosity thing, because I know TSS exists, I just hadn't run in to one (knowingly) while supporting customers.
Regards, Steve Thompson On 11/4/22 17:14, Bob Bridges wrote:
Dana's answer is syntactically correct, but there's a gotcha involved that you might need to be aware of. The rule(s) that are applied to ALL are inspected by TSS only after it checks the rules for individual IDs and profiles. (You can think of a TSS profile as being a group rule, where "profile" is not not definitely not the same as what RACF means by "profile".) So if USERA has the permission then he'll have the access even though the ALL record says otherwise. And if PROFILEB has the permission, and USERC, -D and E have PROFILEB, they'll have the access too. The ALL record is mostly useful for granting mass access to some resource; if you try to forbid access in ALL, it's not safe to assume there's nothing more to worry about. Nevertheless, Dana's answer isn't wrong. Just don't think that's all there is to it. In TSS (unlike in RACF) you can find out fairly easily who has access to a resource. You can try this: 'tss whohas dsname('netrc_dsn')' That'll get you a list of all the permissions - well, most of them - that refer to the particular dataset you're interested in. You can examine that list and see what permissions are out there that might preƫmpt the ALL record. Oh, by the way, if your DSN isn't quoted in that command, then it refers to any DS that ~starts~ with that string. So, for example, if netrc_dsn is "ABC.DEF" - if, in other words, your TSS permission evaluates to: tss per(usera) dsn(abc.def) acc(all) ...then the permission will be used to grant access to 'ABC.DEF', and also to 'ABC.DEFGH' and 'ABC.DEF.GHI.JKL(MEMBER)'. I'm just sayin'. If you want the permission to apply to only that one dataset, make sure singe quotes are part of the name. I also discovered, a few years ago, that the WHOHAS command I mentioned above doesn't think to mention really broad-based permissions like this: tss per(userb) dsn(*****) acc(read) I have to issue a special WHOHAS to catch those and add them to my list. At this point, my expert at CA would remind me that there's also the NODSNCHK attribute and probably a few other gotchas too, but maybe I've already muddied the waters more than enough. --- Bob Bridges, [email protected], cell 336 382-7313 /* Politicians are wonderful people as long as they stay away from things they don't understand, such as working for a living. -P J O'Rourke */ -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Dana Mitchell Sent: Friday, November 4, 2022 13:23 TSS: "tss permit(all) dsname("netrc_dsn") acc(none)" "tss permit("sysvar('sysuid')" dsname("netrc_dsn") access(all)" --- On Fri, 4 Nov 2022 11:59:23 -0500, Lionel B. Dyck <[email protected]> wrote:I have this code to secure a dataset so only the user has access to it: "Addsd '"netrc_dsn"' UACC(none)" "Permit '"netrc_dsn"' Access(alter) ID("sysvar('sysuid')")" Can anyone help me with equivalent command(s) for ACF2 and TSS?---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
-- Regards, Steve Thompson ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
