Some ACIDs have NODSNCHK in order to do their jobs. An audit is mandating that these ACIDs do not have access to production datasets, which primarily begin with PAxx – PZxx, and tape DSNs beginning with PAxxT – PZxxT. Is there a way to override NODSNCHK for these production datasets to satisfy the audit requirement?
Release: 16.0
Component: CA Top Secret for z/OS
There is no way to exclude the production datasets from NODSNCHK. The following can be done:
1. Issue TSS WHOO DSN(**) to confirm that DSN(**) is owned. (If it is not already owned, ownership can be assigned via TSS ADD(msca) DSN(**).)
2. TSS PER(acid) DSN(**) ACCESS(ALL) ACTION(AUDIT) for the ACIDs that have NODSNCHK.
3. For each production dataset prefix: TSS PER(acid) DSN(PAxx) ACCESS(NONE)
4. TSS REM(acid) NODSNCHK for the ACIDs that have NODSNCHK.
If there is a profile common to the ACIDs with NODSNCHK, the permits in steps 2 and 3 can be made to that profile instead of to each ACID.
If AUTH(OVERRIDE,ALLOVER) is set, make sure there aren’t any dataset permits on any of the user records or attached profiles that are ahead of this profile that could limit the dataset access.
If AUTH(MERGE,ALLMERGE) is set, make sure there aren’t any other dataset permits in profiles, the ALL record, and the user record. When multiple matching permits are found, the longest one is used. If it is longer than DSN(**) and is not for ALL access, the user's access will be limited.
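
The longest-match rule in the MERGE case, as an added example that is not CA Top Secret code or output: a simplified Python model in which a permit is a plain prefix and DSN(**) is the least specific mask (both are assumptions of the model). The PAXX, PAXXT and PZXX prefixes stand in for PAxx – PZxx, and the SYS1.PARMLIB permit and the dataset names are constructed.

```python
from typing import NamedTuple, Optional

class Permit(NamedTuple):
    dsn: str          # mask as written in TSS PER(acid) DSN(...)
    access: str       # ALL, NONE, READ, ...
    action: str = ""  # e.g. AUDIT

def matches(permit: Permit, dataset: str) -> bool:
    # Model assumption: DSN(**) matches everything, anything else is a prefix.
    return permit.dsn == "**" or dataset.upper().startswith(permit.dsn.upper())

def specificity(permit: Permit) -> int:
    # Model assumption: DSN(**) is the least specific mask.
    return 0 if permit.dsn == "**" else len(permit.dsn)

def effective_permit(permits: list, dataset: str) -> Optional[Permit]:
    # "When multiple matching permits are found, the longest one is used."
    hits = [p for p in permits if matches(p, dataset)]
    return max(hits, key=specificity) if hits else None

def access_report(permits: list, datasets: list) -> dict:
    report = {}
    for name in datasets:
        hit = effective_permit(permits, name)
        report[name] = hit.access if hit else "NO MATCHING PERMIT"
    return report

# Constructed profile holding the permits from steps 2 and 3.
REPLACEMENT_PROFILE = [
    Permit("**", "ALL", "AUDIT"),
    Permit("PAXX", "NONE"),
    Permit("PAXXT", "NONE"),
    Permit("PZXX", "NONE"),
]
# Constructed permit from some other profile that gets merged in.
STRAY_PERMIT = Permit("SYS1.PARMLIB", "READ")
# Constructed dataset names.
SAMPLE_DATASETS = ["PAXX.PAYROLL.MASTER", "PAXXT.BACKUP.G0001",
                   "TEST.WORK.DATA", "SYS1.PARMLIB"]

if __name__ == "__main__":
    for label, permits in (("steps 2-3 only", REPLACEMENT_PROFILE),
                           ("with stray permit", REPLACEMENT_PROFILE + [STRAY_PERMIT])):
        print(label)
        for name, access in access_report(permits, SAMPLE_DATASETS).items():
            print(f"  {name:24} {access}")
```

Running the same report over the real permit list of an ACID before removing NODSNCHK shows which datasets would lose ALL access because of a longer permit elsewhere.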