Users are deleting the alias from the master catalog without authority to the master catalog. How can this be controlled?

Article ID: 10970


Products

ACF2, ACF2 - z/OS, ACF2 - MISC, ACF2 - DB2 Option, ACF2 for zVM, PanApt, PanAudit

Issue/Introduction



The client protects the master catalog, but regular users are deleting user aliases from it. ACF2 documentation indicates that access to STGADMIN.IGG.DEFDEL.UALIAS allows this. The client checked the rules, and everyone is denied this access. When SECTRACE is run, there is a FACILITY call for STGADMIN.IGG.DEFDEL.UALIAS that gets a return code 8, denying the access. But the users are still deleting the alias. Why?

Environment

Component: ACF2MS

Resolution

If a user has ALLOCATE access to the alias name in the dataset rules, then they can delete the alias.

If a site has rules for all TSO users with a rule line of:

   - UID(-) READ(A) WRITE(A) ALLOC(A) EXEC(A).

Because the mask - also matches the high-level qualifier on its own, which is the alias name, this rule line allows anyone to delete the alias. To allow the users to create and delete datasets under the high-level qualifier, but prevent the alias from being deleted, change the generic rule line to:

   *-.- UID(-) READ(A) WRITE(A) ALLOC(A) EXEC(A).

With this mask, the dataset name must contain something besides the high-level qualifier, that is, at least a second-level qualifier, before the access is allowed.
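
The check below is an added example, not part of the original article or any vendor tooling: it scans rule sets written in the article's rule-line form and reports every $KEY and UID mask that holds ALLOC(A) on a dataset mask that also matches the bare high-level qualifier, that is, who could delete the alias. It assumes each mask is relative to its $KEY and that only a mask made up solely of "-" qualifiers matches zero further qualifiers; the sample rule sets and the UID string STGADM are constructed.

```python
import re

# Constructed sample rule sets, using the rule-line form shown in the article.
SAMPLE_RULES = """\
$KEY(USERA)
 - UID(-) READ(A) WRITE(A) ALLOC(A) EXEC(A)
$KEY(USERB)
 *-.- UID(-) READ(A) WRITE(A) ALLOC(A) EXEC(A)
$KEY(USERC)
 - UID(-) READ(A) EXEC(A)
 - UID(STGADM) READ(A) WRITE(A) ALLOC(A) EXEC(A)
"""

KEY_LINE = re.compile(r"^\$KEY\((?P<key>[^)]+)\)")
RULE_LINE = re.compile(r"^\s*(?P<mask>\S+)\s+UID\((?P<uid>[^)]*)\)(?P<perms>.*)$")
ALLOC_ALLOWED = re.compile(r"\bALLOC\(A\)")


def mask_matches_bare_hlq(mask):
    """Assumption: a lone "-" qualifier matches zero or more qualifiers, so a
    mask built only from "-" qualifiers also matches the high-level qualifier
    by itself (the alias name). Any other qualifier, such as "*-", requires
    at least one more level."""
    return all(qualifier == "-" for qualifier in mask.split("."))


def alias_delete_exposure(rule_text):
    """Return (key, uid_mask) pairs whose rule line grants ALLOC(A) on the
    bare high-level qualifier, which per the article allows alias deletion."""
    findings = []
    key = None
    for line in rule_text.splitlines():
        key_match = KEY_LINE.match(line.strip())
        if key_match:
            key = key_match.group("key")
            continue
        rule = RULE_LINE.match(line)
        if rule is None or key is None:
            continue  # not a rule line this check understands
        if mask_matches_bare_hlq(rule.group("mask")) and ALLOC_ALLOWED.search(rule.group("perms")):
            findings.append((key, rule.group("uid")))
    return findings


if __name__ == "__main__":
    for key, uid in alias_delete_exposure(SAMPLE_RULES):
        print(f"$KEY({key}): UID({uid}) has ALLOC on the bare qualifier, so the alias can be deleted")
```
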