I've never tried what you're looking to do. We don't share data across sysplex 
boundaries. It might annoy your users, but you might try giving them a 
different userid on each system. Each userid would have its own unique access 
rights even though it represents the same person. 

Now that I write it down, sounds pretty lame. ;-(

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
[email protected]


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf 
Of Brian Westerman
Sent: Thursday, July 19, 2018 6:29 PM
To: [email protected]
Subject: (External):RACF DATASET protection WHEN(SYSID)

Hi,

I was hit with a question that I don't know the answer to.  Previously (until 
today) I had thought, but never tried, that you could have a shared RACF 
database between two LPARs and that you could protect datasets differently 
based on the DATASET class rule such that if you had a dataset 
"TESTCASE.MY.DATASET" specified as UACC of NONE, then you could set up two 
dataset permits as follows:

PERMIT 'TESTCASE.**' ACCESS(READ) ID(userid) WHEN(SYSID(SYSP))

and

PERMIT 'TESTCASE.**' ACCESS(ALTER) ID(userid) WHEN(SYSID(SYST))

And that it would make it so that if the user were to log onto the test LPAR 
(SYST), they could update the TESTCASE.MY.DATASET all they wanted, but if they 
logged onto the production LPAR (SYSP) that they were limited to only READ 
access.

Well, apparently the SYSID subparameter of WHEN is not valid for DATASET rules.

So how do people protect the same dataset differently on various LPARs, or is 
it just not possible?

Any help or pointers would be appreciated.

What I would like is just a simple way to make it so that people in the 
production LPAR can see and look at the TEST datasets, but if they actually 
want to change them, they have to actually log onto that LPAR to do it.

I know that seems like a silly way to operate, but in this case there is 
actually a good reason for it.  I just can't think of how to do it without the 
WHEN(SYSID) parm.

Does anyone have any ideas?

Thanks,

Brian

