Thanks List, The problem was that my dataset was not a fully qualified generic profile (no (G) when I did a LISTDSD. So I deleted the dataset and defined it as a generic profile and now my developers are able to access it without any problems.
Thanks, Ron McCabe Mutual of Enumclaw -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Robert S. Hansel (RSH) Sent: Friday, March 16, 2018 2:56 AM To: [email protected] Subject: Re: Problem with dataset authorization Hi Keith, No REFRESH should be necessary. The developers are running batch jobs, and every job will get a fresh copy of the Generic dataset profiles. Others raised the issue of Enhanced Generic Naming (EGN). It appears Ron's system has NOEGN. I don't believe this is a factor in this case as it has no effect on the behavior of a fully-qualified Generic dataset profile. Regards, Bob -----Original Message----- Date: Thu, 15 Mar 2018 07:00:31 -0400 From: Keith Smith <[email protected]> Subject: Re: Problem with dataset authorization Replies are, of course, assuming that a REFRESH was done. If you are new to RACF some changes require the "in memory" copy to be refreshed before the change takes effect. On Thu, Mar 15, 2018 at 6:05 AM, Robert S. Hansel (RSH) < [email protected]> wrote: > Hi Ron, > > Here are a couple of thoughts. > > When you created the profile MAC.JSF40.TEMP.JOBHIST, did you define it > as a Discrete profile (protects a single dataset by this name on a > specific > VOLSER) or as a full-qualified Generic profile (protects any dataset > by this name on any VOLSER)? If the later, a (G) will appear next to > the profile when you list it. If it's a Discrete, try deleting and > recreating it as a Generic. To do so, you'll need to add the keyword > GENERIC to the ADDSD command. > > Are the developers attempting to access the dataset via a z/OS system > that has a different RACF database than the one where you created the profile? > > Regards, Bob > > Robert S. Hansel > Lead RACF Specialist > RSH Consulting, Inc. *** Celebrating our 25th Year *** > 617-969-8211 > https://na01.safelinks.protection.outlook.com/?url=www.linkedin.com%2F > in%2Froberthansel&data=02%7C01%7Crmccabe%40MUTUALOFENUMCLAW.COM%7C62f6 > e8f324c64c5a205708d58b242f9e%7C5a381f7dcc3d4a93b2cbd2fd072e535a%7C1%7C > 0%7C636567909919289287&sdata=HvyvQ9qATl2KhAidUcQjPQ9tvs2NGYrclc7jIJEqk > UU%3D&reserved=0 > https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Furlde > fense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__&data=02%7C01%7Crmccab > e%40MUTUALOFENUMCLAW.COM%7C62f6e8f324c64c5a205708d58b242f9e%7C5a381f7d > cc3d4a93b2cbd2fd072e535a%7C1%7C0%7C636567909919289287&sdata=Ccl9b161iD > Cc25UCUc3LYjVJXvTqyh0CzyhXa2hPvHQ%3D&reserved=0 > twitter.com_RSH-5FRACF&d=DwIFaQ&c=7f1YSuqIGbgL_Gzm5POfng&r=unuy1IauTT8 > _ BnXaEWJu99tLgShEyROqbi1xNCvlPGQ&m=hGjSKRhcHOylV0rl6qrThdZRFx_ > nQ2nWkFuOU9yUkw4&s=_4bxIlGFU_Xdqti9jvaqNq_hqTjXZRWgB_JGyAyeYts&e= > https://na01.safelinks.protection.outlook.com/?url=www.rshconsulting.c > om&data=02%7C01%7Crmccabe%40MUTUALOFENUMCLAW.COM%7C62f6e8f324c64c5a205 > 708d58b242f9e%7C5a381f7dcc3d4a93b2cbd2fd072e535a%7C1%7C0%7C63656790991 > 9289287&sdata=h%2FdA7qSw9wRG5hVEEi0oRednuBaDcPtS1ojROHOFu%2F4%3D&reser > ved=0 > ------------------------------------------------------------ > -------------------- > Upcoming RSH RACF Training - WebEx > - RACF Audit & Compliance Roadmap - SEPT 10-14, 2018 > - RACF Level I Administration - APR 10-13, 2018 ** Date Change ** > - RACF Level II Administration - JUN 4-8, 2018 > - RACF Level III Admin, Audit, & Compliance - OCT 1-5, 2018 > - RACF - Securing z/OS UNIX - APR 23-27, 2018 > ------------------------------------------------------------ > -------------------- > > -----Original Message----- > Date: Wed, 14 Mar 2018 23:32:49 +0000 > From: "McCabe, Ron" <[email protected]> > Subject: Problem with dataset authorization > > Hello List, > > I'm having a problem where one of my developers is getting > "INSUFFICIENT ACCESS AUTHORITY" on a dataset that I have defined in > RACF and the issue is that it is reporting on the generic definition. > > I have defined in RACF a generic dataset definition of MAC.* (this > definition has a UACC of READ and only a couple of groups have update > access), I also have defined a complete dataset name of > MAC.JSF40.TEMP.JOBHIST (this definition has a UACC of READ and allows > update access for my developers). When my developers run a job that > wants to update the MAC.JSF40.TEMP.JOBHIST dataset they get the > "INSUFFICIENT ACCESS AUTHORITY" FROM MAC.* (G). > > Why isn't the system checking for the complete dataset which is the > way I thought RACF was supposed to work? > > Thanks, > Ron McCabe > Mutual of Enumclaw > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send > email to [email protected] with the message: INFO IBM-MAIN > -- Keith Smith Engineer-Enterprise Sys Sr.-IT Capacity & Performance Shaw Industries Inc. Subsidiary of Berkshire Hathaway 616 E Walnut Ave Mail Drop 072-04 Dalton, GA 30721 Email: [email protected] Office: 706.532.3244 Please consider the environment before printing. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN Confidentiality Notice: This e- mail and all attachments may contain CONFIDENTIAL information and are meant solely for the intended recipient. It may contain controlled, privileged, or proprietary information that is protected under applicable law and shall not be disclosed to any unauthorized third party. If you are not the intended recipient, you are hereby notified that any unauthorized review, action, disclosure, distribution, or reproduction of any information contained in this e- mail and any attachments is strictly PROHIBITED. If you received this e- mail in error, please reply to the sender immediately stating that this transmission was misdirected, and delete or destroy all electronic and paper copies of this e-mail and attachments without disclosing the contents. This e- mail does not grant or assign rights of ownership in the proprietary subject matter herein, nor shall it be construed as a joint venture, partnership, teaming agreement, or any other formal business relationship. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
