
Scheduler Job Deleted Production Dataset With Only READ Access In Top Secret

Article ID: 212654

Products

Top Secret

Issue/Introduction

A job submitted through CA Scheduler deleted a production data set even though the CA Scheduler ACID held only READ access to it. The DELETE step succeeded, but the following step, which redefines the VSAM cluster, failed because the CA Scheduler ACID did not have the authority to create the production data set.

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

The security trace on the ACID shows a check for XFACILIT(STGADMIN.IGG.DELAUDIT.catalogname). That check passes because one of the profiles attached to the ACID has NORESCHK, which bypasses resource checking, so the ACID is treated as having READ access to the DELAUDIT resource for that catalog and the delete is allowed even though the ACID holds only READ access to the data set itself. The following IBM link:

https://www.ibm.com/docs/en/zos/2.4.0?topic=class-command-keyword-related-profiles

documents this check:

**
STGADMIN.IGG.DELAUDIT.catalogname
allows users with read access to this resource the ability to delete a data set cataloged in the specified catalog. catalogname is the name of the specified catalog appended to the resource prefix of STGADMIN.IGG.DELAUDIT. When this authority is exercised and the class is defined with the AUDIT(ALL(READ)) parameter, an SMF type 80 record is written to document this event. If the user does not have read access to the resource, the user will need ALTER authority to the data set in order to delete it. If the resource is not defined, users will need either ALTER authority to the data set or catalog for deletion. This is behavior prior to the introduction of this new class. This resource class applies to all data set types including SMS, non-SMS, VSAM and non-VSAM.

If a user issues the ‘DELETE USERCATALOG FORCE’ command to delete a catalog and the resource is defined for the catalog being deleted, the deletion rules described apply to the data sets within the catalog. The command will delete the catalog, however data sets to which the user does not have authority will remain and will not be accessible until they are recataloged.
**
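To make the decision path concrete, the following Python model of the quoted delete-authorization rule is an added example, not code from the article, from IBM or from Broadcom. It is not z/OS or Top Secret code: the ACID names, the data set and catalog names, and the NORESCHK flag are constructed here to reproduce the article's scenario (READ-only to the data set, DELAUDIT resource defined for the catalog, NORESCHK on an attached profile) alongside the other branches of the rule (ALTER to the data set, ALTER to the catalog with the resource undefined).

```python
"""Decision model of the z/OS 2.4 delete-authorization rule for
STGADMIN.IGG.DELAUDIT.catalogname as quoted from the IBM documentation.

Illustrative model only: not z/OS or Top Secret code. ACIDs, permits,
data set and catalog names below are constructed for the example.
"""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Access levels in increasing order; a held level satisfies any lower request.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Acid:
    name: str
    dataset_access: Dict[str, str] = field(default_factory=dict)   # dsn -> level
    catalog_access: Dict[str, str] = field(default_factory=dict)   # catalog -> level
    xfacilit_access: Dict[str, str] = field(default_factory=dict)  # resource -> level
    # Top Secret NORESCHK attribute: the ACID bypasses resource checking, so an
    # XFACILIT check is treated as permitted without any explicit permit.
    noreschk: bool = False


def satisfies(held: Optional[str], required: str) -> bool:
    return ACCESS_RANK.get(held or "NONE", 0) >= ACCESS_RANK[required]


def check_xfacilit(acid: Acid, resource: str, required: str) -> Tuple[bool, str]:
    """Resource check with the NORESCHK bypass applied before the permits."""
    if acid.noreschk:
        return True, "NORESCHK bypass (no permit needed)"
    held = acid.xfacilit_access.get(resource)
    if satisfies(held, required):
        return True, f"explicit permit ACCESS({held})"
    return False, f"no {required} permit (held {held or 'NONE'})"


def may_delete(acid: Acid, dsn: str, catalog: str,
               defined_xfacilit: Set[str]) -> Tuple[bool, str]:
    """Apply the quoted rule; returns (allowed, reason)."""
    resource = f"STGADMIN.IGG.DELAUDIT.{catalog}"
    if resource in defined_xfacilit:
        ok, why = check_xfacilit(acid, resource, "READ")
        if ok:
            return True, f"READ to XFACILIT({resource}): {why}"
        # Without READ to the resource, only ALTER to the data set itself counts.
        if satisfies(acid.dataset_access.get(dsn), "ALTER"):
            return True, "ALTER to the data set"
        return False, f"{why}; no ALTER to the data set"
    # Resource not defined: behaviour prior to z/OS 2.4 applies.
    if satisfies(acid.dataset_access.get(dsn), "ALTER"):
        return True, "ALTER to the data set (resource undefined)"
    if satisfies(acid.catalog_access.get(catalog), "ALTER"):
        return True, "ALTER to the catalog (resource undefined)"
    return False, "resource undefined and no ALTER to data set or catalog"


# Constructed scenario mirroring the article (names are hypothetical).
DSN = "PROD.CUSTOMER.KSDS"
CATALOG = "CATALOG.PROD"
DEFINED = {f"STGADMIN.IGG.DELAUDIT.{CATALOG}"}

SCHEDULER = Acid("SCHEDACD", dataset_access={DSN: "READ"}, noreschk=True)
SCHEDULER_NO_BYPASS = Acid("SCHEDACD", dataset_access={DSN: "READ"}, noreschk=False)
CATALOG_ALTER = Acid("STGADMN1", catalog_access={CATALOG: "ALTER"})


def article_scenario() -> Dict[str, Tuple[bool, str]]:
    return {
        "noreschk": may_delete(SCHEDULER, DSN, CATALOG, DEFINED),
        "no_noreschk": may_delete(SCHEDULER_NO_BYPASS, DSN, CATALOG, DEFINED),
        "catalog_alter_defined": may_delete(CATALOG_ALTER, DSN, CATALOG, DEFINED),
        "catalog_alter_undefined": may_delete(CATALOG_ALTER, DSN, CATALOG, set()),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in article_scenario().items():
        print(f"{case:24} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The first case reproduces the article: READ-only to the data set is irrelevant once the DELAUDIT resource is defined and the resource check passes via NORESCHK. The second case shows the same ACID without the bypass being denied, and the last two show that ALTER to the catalog is only sufficient while the resource is undefined, which is the pre-2.4 behaviour the IBM text describes.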

This check is new in z/OS 2.4. The Summary of changes for z/OS® Version 2 Release 4 (V2R4) contains an item in the ‘Prior to June 2020 refresh’ section which states:

The new STGADMIN.IGG.DELAUDIT.catalogname profile has been added to Command and keyword related profiles. Storage administration (STGADMIN) profiles in the FACILITY class or XFACILIT class have been updated.