On 5/31/2013 1:08 PM, ibmmain wrote:
> Well, that the open failed took me by surprise completely. It doesn't fail on
> the other system that is (almost) identical. There is certainly no access
> allowed on that system for the ZFS userid. In addition, nothing in the IBM
> installation docs for z/OS says to authorize the ZFS address space to the data
> set profiles for the ZFS that are explicitly defined by their customization
> (and their RACF job goes into ridiculous detail to make sure everything is
> covered). So it must be something else that causes this 'requirement' on my
> current system.
>
> Is the rest of the world routinely defining at least READ access for the ZFS
> userid to each and every ZFS dataset that might get mounted?

Barbara,
From (watch the wrap)
http://publib.boulder.ibm.com/infocenter/zos/v1r11/index.jsp?topic=/com.ibm.zos.r11.ioea700/ioea7d0021001588.htm

Note:
The DFS user ID must have at least ALTER authority to all VSAM LDS that
contain zFS aggregates. A user ID other than DFS can be used to run the
zFS started task if it is defined with the same RACF characteristics as
shown for the DFS user ID. As an alternative to PERMIT ALTER authority
to all VSAM LDS that contain zFS aggregates, you can assign the zFS
started task the TRUSTED attribute or you can assign the user ID of the
zFS started task the OPERATIONS attribute. For details, see z/OS
Security Server RACF Security Administrator's Guide.

We chose to go the TRUSTED route.
--
Richard
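
The three alternatives from the quoted note, written as RACF TSO commands, preceded by the listing commands that show which one is in effect when two systems behave differently. This is an added example, not part of the original post or of IBM's documentation; the data set mask 'OMVS.ZFS.**' and the STARTED profile name ZFS.** are placeholder assumptions, and DFS is the user ID named in the note.

```tso
/* Step 0: compare both systems before changing anything.              */
/* 'OMVS.ZFS.**' is a placeholder for the profile covering the VSAM    */
/* LDS that hold zFS aggregates; ZFS.** is an assumed STARTED profile. */
LISTDSD DATASET('OMVS.ZFS.**') AUTHUSER   /* is DFS on the access list?       */
RLIST STARTED ZFS.** STDATA               /* user ID and TRUSTED setting      */
LISTUSER DFS                              /* attributes, including OPERATIONS */

/* Alternative 1: explicit ALTER for the started task's user ID        */
/* on the data set profile(s) covering the zFS aggregates.             */
PERMIT 'OMVS.ZFS.**' ID(DFS) ACCESS(ALTER)
SETROPTS GENERIC(DATASET) REFRESH

/* Alternative 2: mark the started task TRUSTED in its STARTED profile. */
/* The setting is picked up the next time the task is started.          */
RALTER STARTED ZFS.** STDATA(TRUSTED(YES))
SETROPTS RACLIST(STARTED) REFRESH

/* Alternative 3: give the started task's user ID OPERATIONS.           */
ALTUSER DFS OPERATIONS
```

Alternative 1 is the narrowest grant of the three: TRUSTED bypasses RACF authorization checking for the started task as a whole, and OPERATIONS follows the user ID wherever it is used.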