When both volume and data set level access checking are being done, CA Top Secret always performs volume level first. In some cases a request to access a data set is granted or failed strictly on the basis of the ACID's volume access authorizations without checking whether he has specific authorization to access that particular data set.
Volumes checking is only done when the volume is passed. If the volume is not passed on the call then only dataset checking is done and no volume checking occurs.
The following table shows how volume access authorizations affect an ACID's request to access a data set on that volume:
Authorized Volume Data Set Data Set Data Set Data Set
Access: Read: Update: Create: Scratch:
NONE FAIL FAIL FAIL FAIL
ALL OKAY OKAY OKAY OKAY
CREATE DSNAME DSNAME DSNAME DSNAME
READ OKAY DSNAME FAIL DSNAME
Be aware of VSAM datasets where the VOLUME passed is the volume where the catalog resides and NOT where the dataset resides.
If you always want the Data Set access to be checked then you can issue the following commands:
TSS ADD(msca) VOL(*ALL*(G))
TSS PERMIT(ALL) VOL(*ALL*(G)) ACCESS(CREATE)
The above will give users access to all volumes and continue to do Data Set checking. The data set rule will have the final say as to whether to grant access or not.