Getting Top Secret TSS7299I messages. The userid is permitted READ access to the dataset and the permit does not have NOTIFY. It appears the notify is coming from a volume rule because the dataset is located on that volume. 

Why does the volume record get involved since the userid has a permit to the data set allowing access? 

TSS7299I J=VINIT A=VRTCS TYPE=DATASET RES=SYS2.MAINV.V33.OPS3092O %Sendit MSN MSG.TSS7299I J=VINIT A=VRTCS TYPE=DATASET RES=SYS2.  

Release:
Component: TSSMVS

Volume access is always checked first and if access to the volume is not allowed the access will fail. But here is the "catch".... Volumes are not passed that often so therefore there are minimal times Volume checking is done and consequently minimal messages seen referring to Volume access.

The bottom line is that if a volume is passed then access to that volume needs to be granted. If no volume is passed on the call then it will go to data set checking.

Details regarding Dataset and Volume Level Access can be found in section "Data Set and Volume Level Security".

Many sites do not deal with volume checking. They use data set permits to protect data sets. If a volume is passed and the allowed volume access is CREATE, then it will always defer to data set checking.

A common practice is for sites to put the following permit in the ALL Record: 

TSS PERMIT(ALL) VOLUME(*ALL*(G)) ACCESS(CREATE) 

The above permit will force data set checking and never allow access on volume access alone. Other volume access levels can be granted in acid records or profiles but the above permit will make sure if a call sends a volume the call will not fail if the acid has access to the data set.