The client protects the master catalog, yet regular users are deleting user aliases from it. ACF2 documentation indicates that access to STGADMIN.IGG.DEFDEL.UALIAS allows this. The client checked the rules, and everyone is denied this access. When SECTRACE is run, there is a FACILITY call for STGADMIN.IGG.DEFDEL.UALIAS that gets a return code 8, denying the access. But the users are still deleting the alias. Why?
If a user has ALLOCATE access to the alias name in the dataset rules, then they can delete the alias.
Suppose a site has rules for all TSO users with a rule line of:
- UID(-) READ(A) WRITE(A) ALLOC(A) EXEC(A).
This will allow anyone to delete the alias. To allow the users to create/delete datasets under the high-level qualifier, but prevent the alias from being deleted, change the generic rule line to:
*-.- UID(-) READ(A) WRITE(A) ALLOC(A) EXEC(A).
This means the dataset name must contain something beyond the high-level qualifier, that is, at least a second-level qualifier, before the access is allowed.
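One way to audit for this, as an added example that is not part of the original article or of ACF2: the script scans decompiled dataset rule text and reports entries that grant ALLOC on the bare high-level qualifier, which is the alias name. The PAYROLL rule set, the UID strings, the function names and the one-entry-per-line layout are constructed assumptions; ALLOC(L) is treated like ALLOC(A) because logging still lets the request through.

```python
import re

# Constructed sample: decompiled rule lines for one high-level qualifier.
# Assumed layout: "$KEY(hlq)" followed by one rule entry per line, mask first.
SAMPLE_RULES = """\
$KEY(PAYROLL)
 - UID(-) READ(A) WRITE(A) ALLOC(A) EXEC(A)
 *-.- UID(PAYADM-) READ(A) WRITE(A) ALLOC(A) EXEC(A)
 TEST.- UID(-) READ(A) ALLOC(L)
 - UID(AUDIT-) READ(A)
"""

KEY = re.compile(r"^\s*\$KEY\((?P<key>[^)]+)\)")
ENTRY = re.compile(r"^\s*(?:(?P<mask>\S+)\s+)?UID\((?P<uid>[^)]*)\)(?P<rest>.*)$")
ALLOC = re.compile(r"\bALLOC\((?P<perm>[A-Z])\)")


def mask_matches_bare_hlq(mask):
    """True if the mask can match a name with nothing after the HLQ.

    Only a qualifier that is exactly "-" can stand for zero qualifiers;
    any other qualifier (such as "*-") needs a real second-level qualifier.
    """
    return all(qualifier == "-" for qualifier in mask.split("."))


def find_alias_delete_lines(rule_text):
    """Return (key, mask, uid) for entries that allow ALLOC on the alias name."""
    findings, key = [], None
    for line in rule_text.splitlines():
        m = KEY.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        mask = m.group("mask") or "-"  # assumption: an omitted mask acts like "-"
        alloc = ALLOC.search(m.group("rest"))
        # A = allow, L = allow and log; an absent ALLOC is not an allow.
        if alloc and alloc.group("perm") in "AL" and mask_matches_bare_hlq(mask):
            findings.append((key, mask, m.group("uid")))
    return findings


if __name__ == "__main__":
    for key, mask, uid in find_alias_delete_lines(SAMPLE_RULES):
        print(f"{key}: mask '{mask}' UID({uid}) allows ALLOC on the alias itself")
```

Only the first entry in the sample is reported; the `*-.-` and `TEST.-` entries require a second-level qualifier, and the last entry grants no ALLOC.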