IBM Mainframe Forum

by **arju** » Tue Feb 04, 2020 2:11 am

Hi
We have 5 lpars in a sysplex using the same racf database. We have a requirement to protect one product dataset only in one lpar but to make it available on other 4 lpars.
Any suggestions?
Thanks in advance
Arju

by **steve-myers** » Tue Feb 04, 2020 6:27 am

You have a confused notion about "protecting" data sets.

Since you are using one RACF data base for all systems, you "protect" the data set on all systems, possibly by using UACC(READ), which allows all users the ability to read, but not update the data set, possibly by defining a data set profile using the ADDSD command:

ADDSD 'data set' GENERIC UACC(READ)

You then determine the users that need to update the data set, and you add access permissions with the PERMIT command :

PERMIT 'dataset' GENRIC ACCESS(access-level) ID(user)

In the PERMIT command a user can be an actual user, or the group of users in which the user is defined. There is no way (nor, in my opinion, is it desirable) to restrict access by LPAR.

by **willy jensen** » Tue Feb 04, 2020 1:02 pm

The PERMIT command has a WHEN( SYSID( system-identifier ... ) ) parameter, perhaps that will do it?

by **Robert Sample** » Wed Feb 05, 2020 3:45 am

PERMIT WHEN(SYSID(…)) only applies to PROGRAM class resources.

As far as I know, as long as you have one RACF database for all five LPARs it is not possible to restrict dataset access by LPAR -- if the dataset is accessible in one LPAR, it has the same access in all the LPARs. If you segregate the one LPAR's RACF database so you can do the restriction, that introduces a number of other problems.

IBM Mainframe Forum

How to protect a dataset only on one lpar

How to protect a dataset only on one lpar

Re: How to protect a dataset only on one lpar

Re: How to protect a dataset only on one lpar

Re: How to protect a dataset only on one lpar