Resource ID "IGG.CATLOCK" in resource class ID "FACILITY" (RACF Security
Server) or "IBMFAC" (CA Top Secret Security) is used to control the ability
to lock and unlock user catalogs.

This is normally accomplished via the Access Method Services "ALTER
{usercatalog-dataset-id-44} [UN]LOCK" command.

However, it can also be accomplished via a "MODIFY
CATALOG,RECOVER,[UN]LOCK({usercatalog-dataset-id-44})" command.

However, it is unclear if resource ID "IGG.CATLOCK" is checked in the latter
scenario.

Furthermore, if resource ID "IGG.CATLOCK" is checked in this scenario, is
the access checked using the accessor ID associated with the CATALOG address
space, or with the accessor ID associated with the MODIFY command?

Finally, IBM Publication SC23-6853-30 DFSMS Managing Catalogs suggests
permitting critical STC accessor IDs access to resource ID "IGG.CATLOCK"
prior to locking any user catalog, with the supporting logic being that if a
dataset required during the IPL is contained in a locked user catalog, then
the IPL will fail.

The clear implication here would seem to be that access to resource ID
"IGG.CATLOCK" not only permits the accessor ID to lock and unlock user
catalogs, but to also access locked user catalogs.

In summary, my questions are -

*       Is resource ID "IGG.CATLOCK" checked when a user catalog is locked
        or unlocked via a "MODIFY CATALOG" command?
*       If so, then -
        *       Is the resource access check performed using the accessor ID
                associated with the CATALOG address?
        *       Is the resource access check performed using the accessor ID
                associated with the MODIFY CATALOG command?
*       Does access to resource ID "IGG.CATLOCK" provide access to locked
        user catalogs?

John P. Baker


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN