Top Secret Volume vs Data Set Checking

Article ID: 9618

Products

Top Secret, Top Secret - LDAP

Issue/Introduction

When both volume and data set level access checking are done, Top Secret always performs volume level first. In some cases a request to access a data set is granted or failed strictly on the basis of the ACID's volume access authorizations without checking whether the user is authorized to access that particular data set.

Volume checking is only done when the volume is passed. If the volume is not passed on the call, then only data set checking is done and no volume checking occurs.



Environment

Release: TOPSEC00200-16-Top Secret-Security

Resolution

The following table shows how volume access authorizations affect an ACID's request to access a data set on that volume:

AUTHORIZED    |         ATTEMPTED DATA SET ACCESS
VOLUME ACCESS |  Read      Update    Create    Scratch
--------------+---------------------------------------
NONE          |  FAIL      FAIL      FAIL      FAIL
ALL           |  OKAY      OKAY      OKAY      OKAY
CREATE        |  DSNAME    DSNAME    DSNAME    DSNAME
READ          |  OKAY      DSNAME    FAIL      DSNAME

Be aware that for VSAM data sets, the VOLUME passed is the volume where the catalog resides and NOT the volume where the data set resides.

If you always want the Data Set access to be checked, issue the following commands:
   TSS ADD(msca) VOL(*ALL*(G)) 
   TSS PERMIT(ALL) VOL(*ALL*(G)) ACCESS(CREATE)
The above will give users access to all volumes and continue with Data Set checking. The data set rule will have the final say as to whether access is granted or not.
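The table and the volume-not-passed rule above can be modelled to show which requests are settled on volume authorization alone. This Python sketch is an added example, not Top Secret code; it assumes DSNAME in the table means the decision is deferred to the data set rule, and the ACIDs, data set names and request records are constructed.

```python
FAIL, OKAY, DSNAME = "FAIL", "OKAY", "DSNAME"

# Rows: authorized volume access. Columns: attempted data set access.
VOLUME_TABLE = {
    "NONE":   {"READ": FAIL,   "UPDATE": FAIL,   "CREATE": FAIL,   "SCRATCH": FAIL},
    "ALL":    {"READ": OKAY,   "UPDATE": OKAY,   "CREATE": OKAY,   "SCRATCH": OKAY},
    "CREATE": {"READ": DSNAME, "UPDATE": DSNAME, "CREATE": DSNAME, "SCRATCH": DSNAME},
    "READ":   {"READ": OKAY,   "UPDATE": DSNAME, "CREATE": FAIL,   "SCRATCH": DSNAME},
}

def decide(attempt, dsname_allows, volume_access=None):
    """Return (granted, decided_by). volume_access=None: no volume passed on the call."""
    if volume_access is None:
        return dsname_allows, "dsname"      # only data set checking is done
    outcome = VOLUME_TABLE[volume_access][attempt]
    if outcome == DSNAME:
        return dsname_allows, "dsname"      # data set rule has the final say
    return outcome == OKAY, "volume"        # data set rule is never consulted

def volume_only_decisions(volume_access):
    """Attempted accesses this volume authorization settles without the data set rule."""
    row = VOLUME_TABLE[volume_access]
    return sorted(a for a, outcome in row.items() if outcome != DSNAME)

def audit(requests):
    """List requests where the volume result differs from what the data set rule says."""
    findings = []
    for r in requests:
        granted, by = decide(r["attempt"], r["dsname_allows"], r.get("volume_access"))
        if by == "volume" and granted != r["dsname_allows"]:
            findings.append((r["acid"], r["dsn"], r["attempt"],
                             "granted" if granted else "failed"))
    return findings

# Constructed sample requests (hypothetical ACIDs and data set names).
SAMPLE_REQUESTS = [
    {"acid": "USERA", "dsn": "PAY.MASTER", "attempt": "READ",
     "volume_access": "READ", "dsname_allows": False},
    {"acid": "USERB", "dsn": "TEST.DATA", "attempt": "CREATE",
     "volume_access": "READ", "dsname_allows": True},
    {"acid": "USERC", "dsn": "PAY.MASTER", "attempt": "UPDATE",
     "volume_access": "CREATE", "dsname_allows": False},
    {"acid": "USERD", "dsn": "PAY.MASTER", "attempt": "READ",
     "dsname_allows": False},               # no volume passed on the call
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS):
        print(finding)
```

With volume access CREATE, as set by the PERMIT command above, `volume_only_decisions("CREATE")` is empty, so every request reaches the data set rule.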