And once you have all protections in place, remember that someone has to have the key to master catalog. Whoever that is--including you--may occasionally get caught by a missing alias. At every shop I've worked in, userids are defined and managed by a non-sysprog department. If they set up a new user, especially a new sysprog, a missing alias may be caught only after many data sets have gone to master catalog. So it pays to check now and again even with all recommended protections set up.
.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Elardus Engelbrecht
Sent: Tuesday, December 13, 2016 11:46 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Prevent allocation of unknown-HLQ data sets?

Way, Richard wrote:

>Realize this is a pretty basic question, but my Google-fu isn't working out
>today.... Can someone tell me the most common / easiest way to prevent
>allocating a data set that doesn't have a catalog alias defined yet? We're
>hitting situations where someone creates a data set by the HLQ of "TEST", for
>example, and because no one created an ALIAS for TEST to a USERCAT, the
>catalog entries for those data sets go straight into the MASTERCAT.

>I'm almost certain there's a way to do this, but I am struggling whether it's
>usually done by RACF or if there's a better / easier way...

You need to do several things. You got answers about ONE thing - MCAT, but that is not enough!

0. Establish naming standards. Do that properly to start with.
1. MCAT - UACC=READ. UPDATE to storage admin and lucky few who will listen to you. READ for RESTRICTED ids.
2. Usercat - UACC=UPDATE. UPDATE to restricted ids for ucats as needed.
3. Use PROTECTALL(FAIL)
4. Fix your RACF profiles.

Optional - If you have a sandbox Sysplex and Prod Sysplex - have separate MCATs and perhaps a few shared UCATs. You then need to decide on WHAT ucat you may allow ALTER to certain HLQ on what Sysplex. So for example, you allow ALTER on HLQ ABC on sandbox, but UPDATE on Prod and so on.

Talk with your RACF admin.

HTH!
Groete / Greetings
Elardus Engelbrecht
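
Added example, not part of the original thread: the periodic check recommended at the top of this thread, sketched in Python. It assumes the master catalog has been listed with IDCAMS LISTCAT and saved as text, that aliases are single-level, and that the site supplies the set of HLQs that belong in the master catalog; the sample listing and all names in it except TEST are constructed.

```python
import re
from collections import defaultdict

# Entry-header lines as LISTCAT prints them: optional carriage-control
# character, entry type, a run of dashes, then the entry name.
ENTRY = re.compile(
    r"^[01]?\s*(ALIAS|USERCATALOG|NONVSAM|CLUSTER|GDG BASE)\s-+\s(\S+)")

def unaliased_hlqs(listcat_text, expected=frozenset({"SYS1"})):
    """Return {HLQ: [entry names]} for master-catalog entries whose HLQ has
    no ALIAS and is not in `expected` (HLQs meant to live in the MCAT)."""
    aliases, entries = set(), []
    for line in listcat_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # IN-CAT lines, DATA/INDEX components, attributes
        kind, name = m.group(1), m.group(2).upper()
        if kind == "ALIAS":
            aliases.add(name)
        elif kind != "USERCATALOG":  # usercat connectors belong in the MCAT
            entries.append(name)
    strays = defaultdict(list)
    for name in entries:
        hlq = name.split(".", 1)[0]
        if hlq not in aliases and hlq not in expected:
            strays[hlq].append(name)
    return dict(strays)

# Constructed sample of a master catalog listing (not real output).
SAMPLE = """\
0ALIAS --------- PAYROLL
      IN-CAT --- CATALOG.MASTER
0USERCATALOG --- UCAT.PAYROLL
      IN-CAT --- CATALOG.MASTER
0NONVSAM ------- SYS1.LINKLIB
      IN-CAT --- CATALOG.MASTER
0NONVSAM ------- TEST.JCL.CNTL
      IN-CAT --- CATALOG.MASTER
0CLUSTER ------- TEST.VSAM.KSDS
      IN-CAT --- CATALOG.MASTER
0   DATA ------- TEST.VSAM.KSDS.DATA
0NONVSAM ------- NEWSYSP.ISPF.ISPPROF
      IN-CAT --- CATALOG.MASTER
"""

if __name__ == "__main__":
    for hlq, names in sorted(unaliased_hlqs(SAMPLE).items()):
        print(f"{hlq}: no alias, {len(names)} entr{'y' if len(names) == 1 else 'ies'} in master catalog")
        for n in names:
            print(f"    {n}")
```

Every HLQ it reports needs either an alias pointing to a user catalog plus a move of the listed entries, or an explicit addition to the expected set.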