A user without the OPERATIONS attribute was able to run a Copycat FILECOPY successfully, even though the tape DSN was covered by a RACF DSN profile whose access list did not include this user. Why did the job end successfully instead of failing with a security violation?
Release : 14.0
Component : CA 1 Tape Management
The user was able to run FILECOPY successfully because he had READ access to CLASS=CA@APE, ENTITY=COPYCAT.
This resource check was introduced with PTF SO01325, which adds Copycat to CA 1 and TLMS.
The CA 1 documentation describes this new resource as follows:
When using the Copycat Utility to copy files, because standard OPEN processing is performed, the user submitting the job must have ALTER/CREATE authority to the file name(s) being created or copied. However, users can bypass this security validation if they have access to a security resource called COPYCAT defined in the CATAPE (CA@APE or CAT) class. This special COPYCAT resource allows the Copycat utility to bypass external security IF the PREFIX and PREFIX2 control statements were NOT included (see below) and this is a FILECOPY operation.
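An added example, not taken from the CA 1 documentation or the product: a small Python model of the decision described above, run over constructed access lists and jobs, that flags copies which succeed only because of the COPYCAT resource. The data layout, job names, user IDs, the `OTHER` operation placeholder, treating READ or higher as sufficient COPYCAT access, and mapping "ALTER/CREATE authority" to RACF ALTER are assumptions.

```python
# Added example: models the check described above on constructed data.
# Users are assumed not to have the OPERATIONS attribute, as in this case.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF order

def has_access(acl, user, needed):
    """True if the user's level in an access list meets the needed level."""
    return LEVELS.index(acl.get(user, "NONE")) >= LEVELS.index(needed)

def bypass_applies(job, copycat_acl):
    """Conditions from the documentation text: COPYCAT access, a FILECOPY
    operation, and neither PREFIX nor PREFIX2 among the control statements."""
    return (has_access(copycat_acl, job["user"], "READ")  # assumption: READ or higher
            and job["operation"] == "FILECOPY"
            and not {"PREFIX", "PREFIX2"} & set(job["statements"]))

def audit(jobs, copycat_acl, dsn_acls):
    """Classify each job: does the dataset profile allow it, and if not,
    does the COPYCAT resource let it through anyway?"""
    findings = []
    for job in jobs:
        acl = dsn_acls.get(job["dsn"], {})
        # Assumption: "ALTER/CREATE authority" is modelled as RACF ALTER.
        if has_access(acl, job["user"], "ALTER"):
            verdict = "allowed-by-dataset-profile"
        elif bypass_applies(job, copycat_acl):
            verdict = "allowed-by-COPYCAT-bypass"   # the case on this page
        else:
            verdict = "denied"                      # standard OPEN check fails
        findings.append((job["name"], job["user"], job["dsn"], verdict))
    return findings

# Constructed sample data (not from a real system).
COPYCAT_ACL = {"USERA": "READ", "USERB": "READ"}        # CA@APE / COPYCAT
DSN_ACLS = {"PROD.TAPE.BACKUP": {"TAPEADM": "ALTER"}}   # covering profile per DSN
JOBS = [
    {"name": "JOB1", "user": "USERA", "operation": "FILECOPY", "statements": [], "dsn": "PROD.TAPE.BACKUP"},
    {"name": "JOB2", "user": "USERB", "operation": "FILECOPY", "statements": ["PREFIX"], "dsn": "PROD.TAPE.BACKUP"},
    {"name": "JOB3", "user": "TAPEADM", "operation": "FILECOPY", "statements": [], "dsn": "PROD.TAPE.BACKUP"},
    {"name": "JOB4", "user": "USERC", "operation": "FILECOPY", "statements": [], "dsn": "PROD.TAPE.BACKUP"},
    {"name": "JOB5", "user": "USERA", "operation": "OTHER", "statements": [], "dsn": "PROD.TAPE.BACKUP"},
]

if __name__ == "__main__":
    for row in audit(JOBS, COPYCAT_ACL, DSN_ACLS):
        print(*row)
```

Jobs reported as `allowed-by-COPYCAT-bypass` are the ones to review: the submitter is not on the dataset profile's access list, so the access list of the COPYCAT resource is what actually controls the copy.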