Commands to define dataset access with PDSPROT(ON)
Release : 16.0
Component : Top Secret for z/OS
Here is a sample setup for PDS member level security:
TSS MODI PDSPROT(ON)
TSS MODI PDSPROT(DSN(data.set.name),VOL(volser),CLASS(PDSMEM1))
(The VOL(volser) is optional and identifies the disk volume serial (volser)
of the PDS data set named on the same statement. The VOL() operand may be
omitted and is only recommended when needed to distinguish between
identically named PDS data sets. If coded, specify a complete six-character
volser without masking.)
To make these changes permanent, you will need to put the following
in the TSS parmfile:
PDSPROT(ON)
PDSPROT(DSN(data.set.name),VOL(volser),CLASS(PDSMEM1))
There are 5 different classes you can use. These are PDSMEM1, PDSMEM2,
PDSMEM3, PDSMEM4, and PDSMEM5. You can code an additional PDSPROT statement
for each PDS that needs member level protection.
The above will turn on PDS member level protection for 'data.set.name'.
To set up the PDSMEM1 permits to accomplish what you want:
1) allow READ access to a select few members for everyone
TSS REPLACE(RDT) RESCLASS(PDSMEM1) ATTR(DEFPROT)
DEFPROT in the RDT for the PDSMEM1 resource class will protect all the
members in the PDSMEM1 resource class. This way you don't have to add every
member that is in the PDS or could be in the PDS at some future point.
TSS ADD(dept) PDSMEM1(mem1,mem2,etc) ACC(READ)
This is for the few members you want to allow READ access for everyone. Up
to 5 member prefixes can be specified per TSS ADD command. For example, for
all members starting with ABC, use: TSS ADD(dept) PDSMEM1(ABC)
TSS PER(ALL) PDSMEM1(mem1,mem2,etc) ACC(READ)
Up to 5 member prefixes can be specified per TSS PER command.
All users will need at least READ access to the PDS dataset.
2) READ access to all members to a select group of users
TSS ADD(dept) PDSMEM1(*ALL*)
TSS PER(acid) PDSMEM1(*ALL*) ACC(READ)
where 'acid' is the user's acid or an attached profile.
These users will need at least READ access to the PDS dataset.
3) and ALL access to all members to a select few users.
TSS PER(acid) PDSMEM1(*ALL*) ACC(ALL)
where 'acid' is the user's acid or an attached profile.
These users will need at least UPDATE access to the PDS dataset.
(READ and UPDATE are the only 2 access levels (besides ALL and NONE) for
PDSMEMn resource classes. In order to READ a protected member, the
user needs at least READ access at the dataset level in addition to
READ access to the PDSMEMn resource. The same is true for UPDATE.
To UPDATE a protected member, the user needs at least UPDATE access
at the dataset level in addition to UPDATE access to the PDSMEMn resource.)
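
As an added example (not part of the original article and not Top Secret code), the Python helper below generates the PDSPROT statement and the step 1 TSS ADD / TSS PER commands from a list of member prefixes, splitting the list into batches of five to respect the per-command limit. The names DEPT1, PROD.PARMLIB and VOL001 are constructed sample values, and the volser character set it checks is an assumption.

```python
import re

# Added example: only builds the command text shown on this page; it runs nothing.
CLASSES = {f"PDSMEM{n}" for n in range(1, 6)}   # the five classes the page lists
MAX_PREFIXES = 5                                # limit per TSS ADD / TSS PER command
# z/OS member names: 1-8 characters, first one alphabetic or national (#, @, $).
MEMBER_RE = re.compile(r"^[A-Z#@$][A-Z0-9#@$]{0,7}$")
# Assumption: a complete, unmasked volser is six characters from this set.
VOLSER_RE = re.compile(r"^[A-Z0-9#@$-]{6}$")


def pdsprot_statement(dsn, resclass, volser=None):
    """Return the PDSPROT operand used with TSS MODI and in the parmfile."""
    if resclass not in CLASSES:
        raise ValueError(f"{resclass}: class must be PDSMEM1 through PDSMEM5")
    if volser is not None and not VOLSER_RE.match(volser):
        raise ValueError(f"{volser}: volser must be six characters, no masking")
    vol = f",VOL({volser})" if volser else ""   # VOL() is optional
    return f"PDSPROT(DSN({dsn}){vol},CLASS({resclass}))"


def member_commands(owner, resclass, prefixes, permit_to="ALL", access="READ"):
    """Return TSS ADD then TSS PER commands, at most five prefixes per command."""
    if resclass not in CLASSES:
        raise ValueError(f"{resclass}: class must be PDSMEM1 through PDSMEM5")
    if access not in ("READ", "UPDATE", "ALL", "NONE"):
        raise ValueError(f"{access}: not a PDSMEMn access level")
    names = list(dict.fromkeys(p.upper() for p in prefixes))  # dedupe, keep order
    bad = [n for n in names if not MEMBER_RE.match(n)]
    if bad:
        raise ValueError(f"invalid member name or prefix: {bad}")
    adds, permits = [], []
    for i in range(0, len(names), MAX_PREFIXES):
        batch = ",".join(names[i:i + MAX_PREFIXES])
        adds.append(f"TSS ADD({owner}) {resclass}({batch})")
        permits.append(f"TSS PER({permit_to}) {resclass}({batch}) ACC({access})")
    return adds + permits   # ADDs first, in the order the page gives them


if __name__ == "__main__":
    print("TSS MODI " + pdsprot_statement("PROD.PARMLIB", "PDSMEM1", "VOL001"))
    for cmd in member_commands("DEPT1", "PDSMEM1", ["ABC", "PAY01", "PAY02", "X1", "X2", "X3"]):
        print(cmd)
```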