IDCAMS delete of VSAM Dataset ACF2 validation differences between z/OS 2.3 and 2.4 using the XFACILIT class

Article ID: 231901

Updated On:

Products

ACF2 - z/OS, ACF2, ACF2 - MISC

Issue/Introduction

What are the differences between the validations to delete a VSAM cluster using IDCAMS on z/OS 2.3 and 2.4? What are the permissions needed in ACF2?

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

z/OS 2.3 - validations to delete a VSAM cluster:
READ and ALLOCATE access to the catalog
ALLOCATE access to the dataset (not required when the above access to the catalog is granted)

z/OS 2.4 - validations to delete a VSAM cluster:
READ access to XFACILIT resource STGADMIN.IGG.DELAUDIT.catalogname
ALLOCATE access to the dataset (not required when the above XFACILIT access is granted for the catalog)

The XFACILIT validation is new with z/OS 2.4. Here is a description of the new validation process from IBM:

STGADMIN.IGG.DELAUDIT.catalogname

Allows users with read access to this resource the ability to delete a data set cataloged in the specified catalog. 
catalogname is the name of the specified catalog appended to the resource prefix of STGADMIN.IGG.DELAUDIT.
When this authority is exercised and the class is defined with the AUDIT(ALL(READ)) parameter, an SMF type 80 record is written to document this event.
If the user does not have read access to the resource, the user needs ALTER authority to the data set to delete it.
If the resource is not defined, users need either ALTER authority to the data set or catalog for deletion.
This is the behavior before the introduction of this new class.
This resource class applies to all data set types including SMS, non-SMS, VSAM, and non-VSAM.

Here is an example of what this call looks like in an ACF2 SECTRACE:

 JOBNAME= JOB00007   ASID= 012E          PGM= IDCAMS         CURR RB= SVC026
  SFR/RFR= 8/8:0      MODE= TASK          APF= AUTHORIZED     LOCKS= NONE
  SAFDEF= GENAUTH  INTERNAL MODE= GLOBAL

  RACROUTE REQUEST=AUTH,CLASS='XFACILIT',RELEASE=1.9,STATUS=NONE,
           ATTR=READ,DSTYPE=N,
           ENTITY=('STGADMIN.IGG.DELAUDIT.SYSA.CATNAME'),FILESEQ=0,
           GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,TAPELBL=STD,WORKA=

It was also noted that the dataset validations were all performed against the volume that the catalog is on, not the volume that the dataset is on.
This is not a change in z/OS 2.4; it is documented in the IBM documentation for the VOLSER parameter of RACROUTE REQUEST=AUTH.

Additional Information

A SECTRACE for REQUEST=AUTH for this process on the two different z/OS system levels will show the changes IBM made between z/OS 2.3 and z/OS 2.4.
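
To compare traces from the two z/OS levels, the RACROUTE calls can be extracted from SECTRACE output and filtered for the new STGADMIN.IGG.DELAUDIT check. The following Python is an added example, not part of the original article or of ACF2; the function names, the second trace entry and its dataset name are constructed for illustration, and entries are assumed to follow the layout of the trace shown above.

```python
import re

PREFIX = "STGADMIN.IGG.DELAUDIT."

# First entry: the SECTRACE from the article, copied as shown (WORKA= is cut
# off on the page). Second entry: constructed for contrast, layout assumed.
SAMPLE_TRACE = """\
 JOBNAME= JOB00007   ASID= 012E          PGM= IDCAMS         CURR RB= SVC026
  SFR/RFR= 8/8:0      MODE= TASK          APF= AUTHORIZED     LOCKS= NONE
  SAFDEF= GENAUTH  INTERNAL MODE= GLOBAL

  RACROUTE REQUEST=AUTH,CLASS='XFACILIT',RELEASE=1.9,STATUS=NONE,
           ATTR=READ,DSTYPE=N,
           ENTITY=('STGADMIN.IGG.DELAUDIT.SYSA.CATNAME'),FILESEQ=0,
           GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,TAPELBL=STD,WORKA=

 JOBNAME= JOB00008   ASID= 012F          PGM= IDCAMS         CURR RB= SVC026
  RACROUTE REQUEST=AUTH,CLASS='DATASET',ATTR=ALTER,
           ENTITY=('PAYROLL.TEST.KSDS')
"""

FIELDS = {
    "jobname": r"JOBNAME=\s*(\S+)",
    "pgm": r"PGM=\s*(\S+)",
    "request": r"REQUEST=(\w+)",
    "class": r"CLASS='([^']*)'",
    "attr": r"ATTR=(\w+)",
    "entity": r"ENTITY=\('([^']*)'\)",
}

def parse_sectrace(text):
    """Split a trace into entries (each starts at a JOBNAME= line) and extract fields."""
    entries = []
    for chunk in re.split(r"(?m)^(?=[ \t]*JOBNAME=)", text):
        if "RACROUTE" in chunk:
            found = {k: re.search(p, chunk) for k, p in FIELDS.items()}
            entries.append({k: m.group(1) if m else None for k, m in found.items()})
    return entries

def delaudit_checks(entries):
    """Return REQUEST=AUTH calls against the XFACILIT delete resource, with the catalog name."""
    return [{**e, "catalog": e["entity"][len(PREFIX):]} for e in entries
            if e["request"] == "AUTH" and e["class"] == "XFACILIT"
            and (e["entity"] or "").startswith(PREFIX)]

if __name__ == "__main__":
    for hit in delaudit_checks(parse_sectrace(SAMPLE_TRACE)):
        print(hit["jobname"], hit["pgm"], hit["attr"], "->", hit["catalog"])
```

A trace taken on z/OS 2.3 for the same IDCAMS delete should yield no hits from `delaudit_checks`, since the XFACILIT validation is new with z/OS 2.4.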

See "Storage Administration (STGADMIN) Profiles in the FACILITY Class or XFACILIT Class" in the IBM documentation for z/OS 2.4 for additional information regarding STGADMIN resources.