On 7/3/2007 6:24 AM, R.S. wrote:
What about CATDSNS in RACF? Does it work for tape datasets?
BTW: This option can be misleading: a job step which created the dataset can access it despite catalog disposition. The dataset will be unavailable later.


The SETROPTS CATDSNS option in RACF would not prevent writing to an uncataloged tape data set, though it would prevent reading except for those cases covered in the RACF books (see the RACF Security Administrator's Guide and RACF Command Language Reference). For example, as you note, the job (not simply job step) that creates the data set can both read and write it.

z/OS R8 and DFSMSrmm added another exception, with the TAPEAUTHF1 option in PARMLIB(DEVSUPxx), which would allow reading of file 2, 3, etc. if you have access to the cataloged data set in file 1.

        Walt Farrell, CISSP
        IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html