>So how do people protect the same dataset differently on various LPAR's, or is >it just not possible? We had to make sure that the compilers do not run on a system that doesn't have licence=z/OS. We used when(sysid) in class PROGRAM, for the names of the compilers as the program name to be protected. The downside is that the data set name must be specified (that the program is loaded from), and every data set name must be mentioned in the rule in PROGRAM. So if anyone copies the full compiler data set to their own HLQ and calls it from there, it would work on *any* system in the sysplex. The upside is that most of those calling the compiler would not have a clue how to do that. We have an additional safeguard: The jobclass canned compile jobs run in only exists on one system.
How IBM expects a customer to make sure the compilers are only called on a licence=z/OS system is beyond me - RACF certainly doesn't have the appropriate instrumentation for it that I can see. As for having prod and test in the same sysplex - we are still a MIM shop, and we have a devil of a time stopping that type of data set sharing between prod and test. I think that you would have to duplicate your RACF data base and use different data set rules on the prod system(s) than on the test system(s). Which would not be easy to implement. Barbara ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
