Re: To know how a data set is protected by RACF

2005-11-22 Thread R.S.

Luo Johnny wrote:


Sorry for the late feedback. I've tested all your suggestions in my system and
really appreciate your kind help.
 Finally my personal conclusion is: For a data set named 'aaa.bbb',
first issue
 LD ALL DA('aaa.bbb')
If you get a message like 'no racf definition found', then you must issue
another command
 LD ALL DA('aaa.bbb') GEN
 If the result is the same, then finally you can say this data set is really
a not-racf-protected one.


Yes. And it is bad.
A rule of thumb is that all datasets should be RACF-protected. An option
PROTECTALL should be set on.


--
Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: To know how a data set is protected by RACF

2005-11-22 Thread Luo Johnny
Yes. At this time I use 'setr protectall(warning)' to let system notify
me when a data set is not-racf-protected.
 Perhaps another question which has puzzled me for long is how to
make it so an ordinary user can only create data sets whose HLQ is
his user-id?
 Say, on my system, now user 'md0006' can create data sets with
HLQ=MD0007 while 'md0007' is another user-id. I want to forbid
this, but don't know how to do it.
 Johnny



 Yes. And it is bad.
 A rule of thumb is that all datasets should be RACF-protected. An option
 PROTECTALL should be set on.





--
Best Regards,
Johnny Luo



Re: To know how a data set is protected by RACF

2005-11-22 Thread R.S.

Luo Johnny wrote:


Yes. At this time I use 'setr protectall(warning)' to let system notify
me when a data set is not-racf-protected.
 Perhaps another question which has puzzled me for long is how to
make it so an ordinary user can only create data sets whose HLQ is
his user-id?
 Say, on my system, now user 'md0006' can create data sets with
HLQ=MD0007 while 'md0007' is another user-id. I want to forbid
this, but don't know how to do it.


It is quite simple.
Just create dataset profiles. You should create profiles for all 
datasets you have and switch to PROTECTALL(FAILURE).


Now start with the following:
(I assume, that MD0007 is existing user)
AD 'MD0007.**' UACC(N) OW(MD0007)
Now (after refresh) only (*) user MD0007 can create MD0007.some.thing 
datasets.

In general, you should create at least HLQ.** for every HLQ in your system.


(*) There are some exceptions, like OPERATIONS users or 
PRIVILEGED/TRUSTED started tasks.


HTH
--
Radoslaw Skorupka
Lodz, Poland



Re: To know how a data set is protected by RACF

2005-11-22 Thread Johnny Luo

R.S. wrote:



It is quite simple.
Just create dataset profiles. You should create profiles for all 
datasets you have and switch to PROTECTALL(FAILURE).


Now start with the following:
(I assume, that MD0007 is existing user)
AD 'MD0007.**' UACC(N) OW(MD0007)
Now (after refresh) only (*) user MD0007 can create MD0007.some.thing 
datasets.
In general, you should create at least HLQ.** for every HLQ in your 
system.



(*) There are some exceptions, like OPERATIONS users or 
PRIVILEGED/TRUSTED started tasks.


HTH


Thank you very much, R.S. I really appreciate your answer.

Best Regards
Johnny



Re: To know how a data set is protected by RACF

2005-11-21 Thread Shmuel Metz (Seymour J.)
In [EMAIL PROTECTED], on 11/18/2005
   at 09:37 PM, Johnny Luo [EMAIL PROTECTED] said:

However, I don't know if this is just enough to draw the conclusion
that this data set is not RACF-protected.

No; it might[1] be protected by generic profiles.

[1] It definitely is if the installation follows best practices.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: To know how a data set is protected by RACF

2005-11-21 Thread Luo Johnny
Sorry for the late feedback. I've tested all your suggestions in my system and
really appreciate your kind help.
 Finally my personal conclusion is: For a data set named 'aaa.bbb',
first issue
 LD ALL DA('aaa.bbb')
If you get a message like 'no racf definition found', then you must issue
another command
 LD ALL DA('aaa.bbb') GEN
 If the result is the same, then finally you can say this data set is really
a not-racf-protected one.



Re: To know how a data set is protected by RACF

2005-11-19 Thread Lizette Koehler
Johnny,

First, you may also wish to join the RACF-L list for RACF questions.
RACF Discussion List: [EMAIL PROTECTED]. You can search the archives
and/or join.

Second, under TSO (READY prompt or ISPF OPT 6) issue the command - H LD

This will provide the syntax of the Listdsd command.  In it you will find
that it also has a PREFIX  function.  Sometimes you will not get a profile
from an explicit request.  Instead you need to use a PREFIX option to see
what is really there.

Usually I will go to option 3.4 under ISPF and issue the command from there

LD PREFIX(/) g  on the line for the data set I am interested in.

Or issue LD PREFIX(md0006.tools) g
This will attempt to list any generic profiles.
Of course you may not have the necessary RACF authority for listing everything.


Lizette Koehler



Re: To know how a data set is protected by RACF

2005-11-19 Thread R.S.

Johnny Luo wrote:
[...]

Take a data set named 'md0006.tools.jcl' for example, I want to know
all of its definition in RACF, that is:
1, Whether it is RACF-protected?
2, If true, how RACF protect it?

I issued the command 'LISTDSD DA(md0006.tools.jcl) ALL' and received
the message that there is no RACF definition for it.

However, I don't know if this is just enough to draw the conclusion that
this data set is not RACF-protected.


Johnny,
There are two kinds of DATASET profiles, discrete and generic. If you
want to check what profile protects my dataset, issue TWO commands:

LD DA('HLQ.MY.FILE') ALL
and then
LD DA('HLQ.MY.FILE') GEN ALL
First command lists discrete profile - if any exists.
Second command lists generic profile actually protecting the dataset.


Note1: Discrete profiles are rather obsolete and not very popular nowadays.
Note2: Many fitting generic profiles may exist, but only
one of them is best fitting and this one actually protects the file
(in case of absence of discrete profile).

Example:
HLQ.**
HLQ.MY.**
HLQ.MY.F*
HLQ.MY.FIL%
The best fitting is the last one.
You don't need to worry what is best fitting, RACF will tell you.
Note3: Caution! Dataset names used in LD command should be enclosed in 
apostrophes, otherwise TSO prefixing will take place.


HTH
--
Radoslaw Skorupka
Lodz, Poland
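
Note2 in the message above, as an added example that is not part of the original thread: a simplified Python model of generic-profile matching with enhanced generic naming (the `**` syntax) that picks the best-fitting profile for a data set name, or reports that none covers it. The left-to-right specificity rule used here (literal over `%` over `*` over `**`) and the `MD0007.**` entry in the list are assumptions of this sketch; on a real system the output of LD DA('...') GEN ALL is authoritative.

```python
import re

# Specificity rank of one pattern token in this simplified model (assumption):
# literal character (3) > % (2) > * (1) > ** (0), compared left to right.
_RANK = {"**": 0, "*": 1, "%": 2}

def _qual_matches(pat, qual):
    """Match one qualifier: % is any single character, * is zero or more
    characters within the qualifier (a lone * is one whole qualifier)."""
    rx = "".join("." if c == "%" else ".*" if c == "*" else re.escape(c)
                 for c in pat)
    return re.fullmatch(rx, qual) is not None

def _match(pq, dq):
    if not pq:
        return not dq
    if pq[0] == "**":                      # zero or more whole qualifiers
        return any(_match(pq[1:], dq[i:]) for i in range(len(dq) + 1))
    return bool(dq) and _qual_matches(pq[0], dq[0]) and _match(pq[1:], dq[1:])

def profile_matches(profile, dsn):
    """True if the generic profile name covers the data set name."""
    return _match(profile.upper().split("."), dsn.upper().split("."))

def _specificity(profile):
    tokens = re.findall(r"\*\*|.", profile.upper())
    return [_RANK.get(t, 3) for t in tokens]

def protecting_profile(dsn, generic_profiles):
    """Return the best-fitting generic profile, or None if nothing covers dsn."""
    fitting = [p for p in generic_profiles if profile_matches(p, dsn)]
    return max(fitting, key=_specificity, default=None)

# Constructed profile list: the four names from Note2 plus MD0007.**
PROFILES = ["HLQ.**", "HLQ.MY.**", "HLQ.MY.F*", "HLQ.MY.FIL%", "MD0007.**"]

if __name__ == "__main__":
    for dsn in ("HLQ.MY.FILE", "HLQ.MY.FOO", "HLQ.MY", "MD0006.TOOLS.JCL"):
        best = protecting_profile(dsn, PROFILES)
        print(dsn, "->", best or "no generic profile (unprotected)")
```

A name for which this returns None is the case PROTECTALL(WARNING) reports and PROTECTALL(FAILURE) rejects.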
