Top Secret Volume vs Dataset Checking
search cancel

Top Secret Volume vs Dataset Checking

book

Article ID: 9618

calendar_today

Updated On:

Products

Top Secret Top Secret - LDAP

Issue/Introduction

In an environment when both volumes and datasets are secured, when is the dataset check bypassed and when is it not?



Environment

Release: Top Secret 16.0

Cause

When both volume and data set level access checking are done, Top Secret always performs volume level first. In some cases a request to access a data set is granted or failed strictly on the basis of the ACID's volume access authorizations without checking whether the user is authorized to access that particular data set.

If the ACID is authorized for any volume level access other than CREATE and the request does not exceed this access level, Top Secret allows access to the volume and the data set without checking for DSNAME authorizations. If the ACID owns the volume, access is allowed without any data set validation.


Resolution

The following table shows how volume access authorizations affect an ACID's request to access a data set on that volume:

Ac

Access Permitted/Access Attempt  Read Update Create Scratch
NONE FAIL FAIL FAIL FAIL
ALL OKAY OKAY OKAY OKAY
CREATE DSNAME CHECK DSNAME CHECK DSNAME CHECK DSNAME CHECK
READ OKAY DSNAME CHECK FAIL  DSNAME CHECK

Note: VSAM datasets where the VOLUME check passed is the volume where the catalog resides and NOT where the dataset resides.

To make sure that the dataset check is always done, ACCESS(CREATE) should be permitted to the volumes:
   TSS ADD(msca) VOL(*ALL*(G)) 
   TSS PERMIT(ALL) VOL(*ALL*(G)) ACCESS(CREATE)
The above will give access to all volumes and continue with dataset checking. The data set rule will have the final say as to whether access is granted not.

Additional Information

Powered by Wolken Software