AUTH(MERGE) is set. There’s a profile that gives hundreds of users READ access to the volumes that the TSS datasets reside on.
Profile prof1 has:
XA VOLUME = vvv(G)
ACCESS = READ
The user's ACID has:
XA DATASET = xxxx.xx.xx-2.xxxxx
ACCESS = NONE
Profile prof2 has:
XA DATASET = xxxx.xx.**.xxxxx
ACCESS = ALL
When TSSSIM is run to test access to the Top Secret security file, it reports that UPDATE access is allowed despite the permissions above:
$DATASET('xxxx.xx.xx-2.
TSS8380I SIMULATED RESOURCE ACCESS GRANTED.
TSS8390I RESOURCE = (00C4) xxxx.xx.xx-2.xxxxx
TSS8391I TSS SVC=82 RC=00 DRC=00 VDRC=77 XSW=00 ALG=80
TSS8392I REQUESTED ACCESS = UPDATE
TSS8392I ALLOWED ACCESS = ALL
TSS8392I VOLUME ACCESS = READ
TSS8393I OVERRIDES = <NONE>
TSS8394I RES ORIGIN = PERMITTED - PROFILE=prof2
TSS8397I ---------------- SECURITY PERMISSION ---------------
TSS8397I DSNAME = xxxx.xx.**.xxxxx
TSS8397I ACCESS = ALL
TSS8397I ------------------------------
TSS8394I VOL ORIGIN = PERMITTED - PROFILE=prof1
TSS8395I VOL RULE # = 2
TSS8397I ---------------- SECURITY PERMISSION ---------------
TSS8397I VOLUME = xxx (G)
TSS8397I ACCESS = READ
Shouldn’t the result be access denied, because the more specific permit with ACCESS(NONE) on the user's ACID overrides the profile permission giving ACCESS(ALL)?
Release: 16.0
The dataset name in the permit for DSN(SYS2.SS.VF-2.SECFILE) needs to be in single quotes. Revoke the existing permit and re-issue it with the name quoted:
TSS REV(acid) DSN(xxxx.xx.xx-2.xxxxx)
TSS PER(acid) DSN('xxxx.xx.VF-2.xxxxx') ACCESS(NONE)
When the dataset name in the permit is in quotes, the permit matches both in TSSSIM and on actual access to the dataset.