Explanation and considerations of the ENCOPTBL RACF_TEMPDSN_OPTION

z/OS
Endevor
RACF

1 - What is the purpose of the RACF_TEMPDSN_OPTION in Endevor option table (ENCOPTBL)?

The RACF_TEMPDSN_OPTION was created for RACF users who are using the TEMPDSN class to protect temporary data sets.
Temporary data sets are in normal situations protected against access from anyone but the job or session that created them, but after system failures temporary data sets can become accessible to all users unless the RACF TEMDSN class option is in use.
When activating the RACF TEMPDSN class, temporary datasets are also protected after system failures.

When running processor steps under the Endevor alternate User id (ALTID, RACFUID) context, all temporary data sets defined in the processor will be created by the alternate ID.
If they are not deleted in the processor itself, the temporary data sets will be deleted by the user's ID at the Endevor step termination.

If the TEMPDSN class is activated this will lead to the following symptom: "ICH408I with ACCESS INTENT(ALTER ) ACCESS ALLOWED(NONE )".

To prevent this problem from happening the RACF_TEMPDSN_OPTION can be activated together with a MODHLI value in C1DEFLTS.

2 - What are the consequences of these settings?

If the RACF_TEMPDSN_OPTION is activated, the MODHLI prefix will not only be used for temporary data sets used with DISP=MOD, but for all temporary data sets.
As a result all temporary dataset allocated in processor will be treated as cataloged data sets. Those files will be cataloged and deleted with the alternate-ID.
This will ensure that the ICH408I error no longer occurs.

3 - Limitations.

• The RACF_TEMPDSN_OPTION and MODHLI setting only apply to data sets defined in processor.
• Temporary data sets that are dynamically allocated by processor programs must be unallocated and deleted by these processor programs as RACF requires them to be created and deleted by the same user-id.
• If a processor program is identified that does not clean-up its dynamically allocated data set files (a flaw in the processor program) then the problem can be circumvented by pre-allocating the data set in the processor or by coding ALTID=N on the processor step.

4 - ACF2 and Top Secret:

In ACF2 and Top Secret similar options exist;

• TSS control option TEMPDS(YES).
• ACF2 global system option TEMPDSN

However, no potential conflict, like with the RACF TEMPDSN as outlined above exists and the activation of RACF_TEMPDSN_OPTION is not necessary.

For further details regarding MODHLI, and the resulting naming of the datasets, see the chapter "Defaults Table C1DEFLTS" from Endevor Administrating Guide.
For further details regarding RACF_TEMPDSN_OPTION, see the chapter "Optional Feature Table ENCOPTBL - RACF_TEMPDSN_OPTION" from Endevor Administrating Guide.