IBM Mainframe Forum

hi,

I have a few issues grasping some of the concepts behind protecting data sets.
For example, if for a group, say 'shop', i want all the data to be protected, I would say ADDSD SHOP.** UACC(NONE)
But then I want a group of users to be able to access/modify a part of the dataset. So I would do PERMIT SHOP.TEAMS.DEV.** ID(DEV) ACCESS(UPDATE)
now what i don't understand:
a) to be able to issue the second command I also need to do ADDSD SHOP.TEAMS.DEV.** UACC(NONE). Why is this since I already assigned UACC(NONE) to the SHOP?
b) is there an easy way to see who is on the PERMIT access list?

thanks

Before you can insert an access list for a profile (using PERMIT) you have to create the profile using ADDSD. SHOP.** is a separate profile. It would cover the data sets covered by SHOP.TEAMS.DEV.** if the profile didn't exist, but since it does exist it's as though SHOP.** no longer exists.

You can list the profile with the LISTSDS command:

LISTDSD DATASET('SHOP.TEAMS.DEV.**') AUTHUSER GENERIC

Since the profile contains a wild card character you don't have to specify the GENERIC keyword, which you would have to specify if it were a complete data set name:

LISTDSD DATASET('SHOP.TEAMS.DEV.SOURCE') AUTHUSER

would not work because there is no profile for SHOP.TEAMS.DEV.SOURCE, but if you specified GENERIC in the command it would list the SHOP.TEAMS.DEV.** profile.

Hope this helps,

Hi,

Thanks, that helped a lot!

One more issue:

I am trying to give a user (supposed to be an admin) the permission to change passwords, revoke and resume user ids. If I get this right, group-special attribute should do it (and for revoking the only way I know). However, this would give him other rights that he shouldn't have. So I was thinking about using IRR.PASSWORD.RESET for this user, however I get the error 'not authorized to use IRR.PASSWORD.RESET' (or something like that). I cannot find anywhere in the manual what attributes you need to have to be able to use this (I have group-special).

Thanks again!

Well, I did find a manual. My first thought when I read its description is IRR.PASSWORD.RESET gives too much authority, but after some thought I realized that you probably have to be able to "resume" a user when you change their password since the user was probably revoked when they need help.

The problem isn't too much authority, it's the authority is too wide. IRR.PASSWORD.RESET appears to allow any user to reset any other user.

Your immediate problem is you can't authorize its use. I think your problem is group-special can't PERMIT it, but the problem may also be that the profile was never established. You might also check if alternates might be more useful, though I think system-special might be required for any of them. See this topic.

Hi,

In the end (and largely due to time constraints) I decided to give that user group-special and I will limit his data set access with a Permit command. I think this should be fine.

Thanks!

I agree that group-special is probably your better choice. That user can do password resets and resume only the users in the group.

Hi,

I believe the user should be granted access over facility class profile IRR.PAASWORD.RESET

FACILITY/IRR.PASSWORD.RESET is a useful tool for help desk people to reset passwords. That's its intended use! However, it has nothing to do with protecting datasets.

You can control the scope of the IRR.PASSWORD.RESET facility profiles to certain groups so it's not system-wide.

If link doesnt work google the full URI and they have a cached copy...

ftp://ftp.software.ibm.com/eserver/zser ... larity.pdf