One PROCLIB is protected and allowed for READ access for all users. However, this PROCLIB contains members that need to be updated by some users.
To enable PDS Level Member Protection set PDSPROT CA Top Secret control options to ON. Example:
The following permission was given to a PROFILE:
TSS ADD(DeptOwner) PDSMEM1(ABC,D)
TSS PERMIT(ProfileName) PDSMEM1(ABC,D) ACCESS(UPDATE)
which means all members starting with either ABC or D are protected PDS members.
When trying to testing the implementation:
An acid belonging to that PROFILE (ProfileName) tries to update member DEFGHI (Staring with letter " D") will fail with a S913 abend.
TSSUTIL report claims DRC66, which means access not granted to dataset. This is correct, because the profile only has READ access to that PROCLIB, SYS1.SYSZ.PROCLIB.
If UPDATE access is allowed for these acids, they will be able to update any member in the PROCLIB and not necessarily the ones allowed.
This behavior may confuse administrators wondering why any member can be updated.
Release: Top Secret r16.0
The behavior reported here is correct. It is due to the PDSMEMx resource classes NOT being protected by default. In other words the DEFPROT attribute is NOT set on the resource class.
If an acid has UPDATE access to a PROCLIB, it will be able to update any member (belonging to that PROCLIB) which has not been defined to TSS (Not owned).
All defined members will be protected accordingly.
To avoid such behavior, you have to add the DEFPROT attribute to the PDSMEM1 class:
TSS REP(RDT) RESCLASS(PDSMEM1) ATTR(DEFPROT)
The class will be displayed as follows:
ACCESSORID = *RDT* NAME = RESOURCE DEFINITIONS
RESOURCE CLASS = PDSMEM1
RESOURCE CODE = X'043'
ATTRIBUTE = NOMASK,MAXOWN(08),MAXPERMIT(008),ACCESS,PRIVPGM,DEFPROT
ACCESS = NONE(0000),UPDATE(6000),READ(4000),ALL(FFFF)
DEFACC = READ
TSS0300I LIST FUNCTION SUCCESSFUL
All members will be protected as soon as a PROCLIB is added to the PDSMEMx resource class.
You will have to authorize the member at the required access level:
TSS ADD(DeptOwner) PDSMEM1(member) ==> If not already owned.
TSS PERMIT(acid or ProfileName) PDSMEM1(member) ACCESS(access)
Adding the DEFPROT ATTRIBUTE is NOT a requirement. Please refer to your site security standards to determine how you want to implement PDS Member Level Protection.