What are the differences between the validations to delete a VSAM cluster using IDCAMS on z/OS 2.3 and 2.4? What are the permissions needed in ACF2?
Release : 16.0
Component : ACF2 for z/OS
z/OS 2.3 - validations to delete a VSAM cluster
READ and ALLOCATE access to the catalog
ALLOCATE access to dataset (not required when above access is granted to the catalog)
z/OS 2.4 - validations to delete a VSAM cluster
READ access to XFACILIT resource STGADMIN.IGG.DELAUDIT.catalogname
ALLOCATE access to dataset (not required when XFACILIT access is granted to the catalog)
The XFACILIT validation is new with z/OS 2.4. Here is a description of the new validation process from IBM:
STGADMIN.IGG.DELAUDIT.catalogname
Allows users with read access to this resource the ability to delete a data set cataloged in the specified catalog.
catalogname is the name of the specified catalog appended to the resource prefix of STGADMIN.IGG.DELAUDIT.
When this authority is exercised and the class is defined with the AUDIT(ALL(READ)) parameter, an SMF type 80 record
is written to document this event.
If the user does not have read access to the resource, the user needs ALTER authority to the data set to delete it.
If the resource is not defined, users need either ALTER authority to the data set or catalog for deletion.
This is behavior before the introduction of this new class.
This resource class applies to all data set types including SMS, non-SMS, VSAM, and non-VSAM.
Here is an example of what this call looks like in an ACF2 SECTRACE:
JOBNAME= JOB00007 ASID= 012E PGM= IDCAMS CURR RB= SVC026
SFR/RFR= 8/8:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE
SAFDEF= GENAUTH INTERNAL MODE= GLOBAL
RACROUTE REQUEST=AUTH,CLASS='XFACILIT',RELEASE=1.9,STATUS=NONE,
ATTR=READ,DSTYPE=N,
ENTITY=('STGADMIN.IGG.DELAUDIT.SYSA.CATNAME'),FILESEQ=0,
GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,TAPELBL=STD,WORKA=
It was also noted that the validations for the datasets were all performed against the volume that the catalog was on, not the volume the dataset was on.
This is not a change in z/OS 2.4; it is documented in the IBM documentation for the RACROUTE REQUEST=AUTH VOLSER parameter.
A SECTRACE for REQUEST=AUTH for this process on the two different z/OS system levels will show the changes IBM made between z/OS 2.3 and z/OS 2.4.
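The following Python example, added here and not taken from Broadcom or IBM, parses SECTRACE text in the layout shown above and lists each catalog for which the XFACILIT STGADMIN.IGG.DELAUDIT check was issued, so traces from the two z/OS levels can be compared. It assumes every trace record begins with a JOBNAME= line; the function and field names are illustrative.

```python
import re

DELAUDIT_PREFIX = "STGADMIN.IGG.DELAUDIT."
# SECTRACE record as shown in the article (WORKA= is cut off in the source).
SAMPLE_TRACE = """\
JOBNAME= JOB00007 ASID= 012E PGM= IDCAMS CURR RB= SVC026
SFR/RFR= 8/8:0 MODE= TASK APF= AUTHORIZED LOCKS= NONE
SAFDEF= GENAUTH INTERNAL MODE= GLOBAL
RACROUTE REQUEST=AUTH,CLASS='XFACILIT',RELEASE=1.9,STATUS=NONE,
ATTR=READ,DSTYPE=N,
ENTITY=('STGADMIN.IGG.DELAUDIT.SYSA.CATNAME'),FILESEQ=0,
GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,TAPELBL=STD,WORKA=
"""
# Patterns for the fields needed to recognise a DELAUDIT authorization call.
FIELDS = {
    "job": r"JOBNAME=\s*(\S+)", "pgm": r"PGM=\s*(\S+)",
    "request": r"REQUEST=(\w+)", "class": r"CLASS='([^']*)'",
    "attr": r"ATTR=(\w+)", "entity": r"ENTITY=\('([^']*)'\)",
}

def split_records(text):
    """Split trace text into records (assumption: each starts at JOBNAME=)."""
    records, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("JOBNAME=") and current:
            records.append("\n".join(current))
            current = []
        if line:
            current.append(line)
    if current:
        records.append("\n".join(current))
    return records

def parse_record(record):
    """Return the FIELDS found in one record; missing fields are None."""
    found = {k: re.search(p, record) for k, p in FIELDS.items()}
    return {k: m.group(1) if m else None for k, m in found.items()}

def delaudit_checks(text):
    """Return (job, pgm, catalogname, attr) per XFACILIT DELAUDIT AUTH call."""
    hits = []
    for rec in map(parse_record, split_records(text)):
        entity = rec["entity"] or ""
        if (rec["request"] == "AUTH" and rec["class"] == "XFACILIT"
                and entity.startswith(DELAUDIT_PREFIX)):
            hits.append((rec["job"], rec["pgm"],
                         entity[len(DELAUDIT_PREFIX):], rec["attr"]))
    return hits
```

Run against a z/OS 2.3 trace of the same delete, delaudit_checks returns an empty list, since the XFACILIT call is new with z/OS 2.4.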
See Storage Administration (STGADMIN) Profiles in the FACILITY Class or XFACILIT Class in the IBM documentation for z/OS 2.4 for additional information regarding STGADMIN resources.