
I want to make the dataset 'FULTONM.MY.FILE' read-only to everyone including me.

I issue:

addsd 'FULTONM.MY.FILE' GEN UACC(NONE)

I then issue:

listdsd dataset('FULTONM.MY.FILE')

which prints out:

INFORMATION FOR DATASET FULTONM.MY.FILE (G)

LEVEL  OWNER    UNIVERSAL ACCESS   WARNING   ERASE
-----  -------- ----------------   -------   -----
 00    FULTONM         NONE          NO      NO

AUDITING
--------
FAILURES(READ)

NOTIFY
--------
NO USER TO BE NOTIFIED

YOUR ACCESS  CREATION GROUP  DATASET TYPE
-----------  --------------  ------------
   ALTER        CDEV           NON-VSAM

NO INSTALLATION DATA

Now I want to restrict everyone's access (including me: FULTONM) to just READ. I issued:

tsocmd "permit 'FULTONM.MY.FILE' ID(*) ACCESS(READ) GENERIC"
tsocmd "listdsd da('FULTONM.MY.FILE') GENERIC"

But I can still update the file, and I see no change in the LISTDSD output?

If I issue:

tsocmd "listdsd da('FULTONM.MY.FILE') GENERIC all"

I do see:

   ID     ACCESS
--------  -------
*          READ

but I am still able to update the dataset.

mike

2 Answers


You cannot limit access to your own data sets, i.e. data sets whose high-level qualifier (HLQ) matches your userid.

From the RACF manual z/OS Security Server RACF - Security Administrator's Guide -> "Debugging problems in the RACF database" -> "Authorizing access to RACF-protected resources":

  1. If users attempt to access their own resources, RACF grants the request. For example:

    o For tape and DASD data sets, if the user ID of the requesting user is the high-level qualifier of the data set name, RACF grants the request.

Note that this describes standard behaviour assuming no RACF exit is doing special things.

phunsoft
  • Thanks. That is disappointing that RACF does that. I guess if you want a dataset to be read-only you have to use a special HLQ then. – mike Jul 03 '23 at 02:04
  • What about #8 ICHRCX01 exit, or #30 ICHRCX02 (if we get that far) in the doc phunsoft referenced. Just thinking out of the RACF-command box. Edit: Sorry, I just read your other comment indicating you have no sysprog access. – Tom Brennan Jul 03 '23 at 06:56
  • @TomBrennan I intentionally didn't mention exits, which allow special behaviour. I thought I'd stay with standard RACF behaviour. But you're right, I should at least mention the possibility. – phunsoft Jul 03 '23 at 07:13
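
To make the rule in the answer above concrete, here is an added example (my own code, not the answerer's or IBM's) that parses the LISTDSD output shown in the question and applies the rules discussed on this page in order: own-HLQ grant, explicit access-list entry, ID(*), then UACC. It assumes the LISTDSD layout shown above and deliberately does not model the global access table, group entries, OPERATIONS or installation exits.

```python
import re
# Constructed sample (not captured from a live system): the relevant parts of the
# "listdsd da('FULTONM.MY.FILE') GENERIC ALL" output quoted in the question.
SAMPLE_LISTDSD = """\
INFORMATION FOR DATASET FULTONM.MY.FILE (G)

LEVEL  OWNER    UNIVERSAL ACCESS   WARNING   ERASE
-----  -------- ----------------   -------   -----
 00    FULTONM         NONE          NO      NO

YOUR ACCESS  CREATION GROUP  DATASET TYPE
-----------  --------------  ------------
   ALTER        CDEV           NON-VSAM

   ID     ACCESS
--------  -------
*          READ
"""

def parse_listdsd(text):
    """Extract the profile name, UACC and the ID/ACCESS list from LISTDSD output."""
    profile = re.search(r"INFORMATION FOR DATASET (\S+)", text).group(1)
    uacc, acl, section = None, {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields: section = None        # a blank line ends the current section
        elif fields[:2] == ["LEVEL", "OWNER"]:
            section = "header"
        elif fields == ["ID", "ACCESS"]:
            section = "acl"
        elif set(line.strip()) <= {"-", " "}:
            continue                         # underline row, nothing to read
        elif section == "header":
            uacc = fields[2]                 # LEVEL OWNER UACC WARNING ERASE
        elif section == "acl":
            acl[fields[0]] = fields[1]       # e.g. "*" -> "READ"
    return {"profile": profile, "uacc": uacc, "acl": acl}

def effective_access(info, userid):
    """Simplified model of the checks discussed on the page, in order. The global
    access table, group entries, OPERATIONS and exits are intentionally ignored."""
    userid = userid.upper()
    if userid == info["profile"].split(".")[0].upper():
        return "ALTER", "HLQ matches userid: RACF grants the request regardless of the access list"
    if userid in info["acl"]:
        return info["acl"][userid], "explicit access-list entry"
    if "*" in info["acl"]:
        return info["acl"]["*"], "ID(*) access-list entry"
    return info["uacc"], "no access-list match, UACC applies"
```

Running effective_access(parse_listdsd(SAMPLE_LISTDSD), "FULTONM") reports ALTER with the own-HLQ reason, while any other userid gets READ from the ID(*) entry, which is exactly the behaviour the question describes.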

My guess is that there is an entry in the global access table that gives you ALTER access to your own datasets.

For example, the following entry allows users to have ALTER access to data sets that begin with their own user IDs:

RALTER GLOBAL DATASET ADDMEM('&RACUID.**'/ALTER)

https://www.ibm.com/docs/en/zos/2.4.0?topic=table-creating-global-access-checking-entries

https://www.ibm.com/docs/en/zos/2.4.0?topic=table-how-global-access-checking-works

mfsysprog
  • Thank you for the answer - I expect you are right. I am struggling trying to determine if there is a global access table. I thought I would be able to issue: RLIST GLOBAL DATASET but I get back 'ICH13003I DATASET NOT FOUND'. Am I able to understand what is in the global access table, or do I need to ask my systems programmer? – mike Jul 02 '23 at 02:39
  • I'm not that good with the RACF commands, normally I would look through the console. The message seems to indicate that there is no global dataset active. Do you perhaps have OPERATIONS authorization on your userid? In that case you have to specifically give your user READ access to the profile, otherwise the OPERATIONS will override the * access if I remember correctly – mfsysprog Jul 02 '23 at 15:18
  • On this system I have no sysprog level authority - it is pretty clamped down – mike Jul 02 '23 at 16:16
  • Only other thing I can think of (if READ * is the only access on this profile) is that there exists a discrete profile with the same name and that it precedes the generic profile. – mfsysprog Jul 02 '23 at 17:06