Why can user run FILECOPY without READ access to the Data Sets
search cancel

Why can user run FILECOPY without READ access to the Data Sets


Article ID: 139944


Updated On:


CA 1 Flexible Storage CA 1 Tape Management - Copycat Utility CA 1 Tape Management - Add-On Options


A User without OPERATIONS attribute was able to run Copycat FILECOPY successfully, although the Tape DSN had a RACF DSN Profile whose access list did not have this user. Why did the job not fail with a security violation and end successfully?




Release : 14.0

Component : CA 1 Tape Management


The user was able to run FILECOPY successfully, since he had READ ACCESS to CLASS=CA@APE and ENTITY=COPYCAT.
This resource check was introduced with PTF SO01325, which adds Copycat to CA 1 and TLMS.
Following the details from the CA 1 documentation about this new Resource:

When using the Copycat Utility to copy files, because standard OPEN processing is performed, the user submitting the job must have ALTER/CREATE authority to the file name(s) being created or copied. However, users can bypass this security validation if they have access to a security resource called COPYCAT defined in the CATAPE (CA@APE or CAT) class. This special COPYCAT resource allows the Copycat utility to bypass external security IF the PREFIX and PREFIX2 control statements were NOT included (see below) and this is a FILECOPY operation.