Top Secret DSN Permit With '-' Not Matching Dataset With '-' In Name
search cancel

Top Secret DSN Permit With '-' Not Matching Dataset With '-' In Name

book

Article ID: 264140

calendar_today

Updated On:

Products

Top Secret

Issue/Introduction

AUTH(MERGE) is set. There’s a profile that gives hundreds of users READ access to the volumes that the TSS datasets reside on. 

 

Profile prof1 has:
XA VOLUME  = vvv(G)

   ACCESS  = READ 

 

The user's ACID has:

XA DATASET = xxxx.xx.xx-2.xxxxx

   ACCESS  = NONE               

 

Profile prof2 has:

XA DATASET = xxxx.xx.**.xxxxx

   ACCESS  = ALL              

When running TSSSIM testing access to the Top Secret security file, it says access is allowed to update it despite these facts: 


$DATASET('xxxx.xx.xx-2.xxxxx') ACCESS(UPDATE) TRACE                 

TSS8380I SIMULATED RESOURCE ACCESS GRANTED.                     

                                                                 

TSS8390I RESOURCE = (00C4)  xxxx.xx.xx-2.xxxxx

TSS8391I TSS SVC=82    RC=00   DRC=00   VDRC=77   XSW=00   ALG=80

TSS8392I REQUESTED ACCESS = UPDATE                               

TSS8392I ALLOWED ACCESS   = ALL                                 

TSS8392I VOLUME ACCESS    = READ                                

TSS8393I OVERRIDES  = <NONE>                                    

TSS8394I RES ORIGIN = PERMITTED  -  PROFILE=prof2

TSS8397I ---------------- SECURITY PERMISSION ---------------   

TSS8397I DSNAME    = xxxx.xx.**.xxxxx

TSS8397I  ACCESS   = ALL                                        

TSS8397I ----------------------------------------------------   

TSS8394I VOL ORIGIN = PERMITTED  -  PROFILE=prof1             

TSS8395I VOL RULE # =     2                                     

TSS8397I ---------------- SECURITY PERMISSION ---------------   

TSS8397I VOLUME    = xxx  (G)                                    

TSS8397I  ACCESS   = READ                                       

 

Shouldn’t it result in access denied because of the more specific permit with ACCESS(NONE) on the user's ACID overriding the profile permission giving ACCESS(ALL) ?

Environment

Release : 16.0

Resolution

The permit for DSN(SYS2.SS.VF-2.SECFILE) needs to be in single quotes:

TSS REV(acid) DSN(xxxx.xx.xx-2.xxxxx)
TSS PER(acid) DSN('xxxx.xx.VF-2.xxxxx') ACCESS(NONE)

When the permit is in quotes, it will match in TSSSIM and when accessing the dataset.