Data set protection

This section discusses some of the questions and answers regarding data set protection, real-time auditing of changes in critical system libraries, automatic backup of changed members, documenting changes introduced and other related functions.

How do I protect a resource?

There are two ways to protect data sets:
  1. Using explicit data set names
  2. Using data set patterns

How do I protect multiple explicit data sets?

The following statements protect 3 data sets while specifying LOCK=NO. The EXPLICIT commands build the list of data sets in memory. The PROTECT command protects all data sets in the LIST.
//CYGIN DD *
 LOGCOMMENT='PROTECT A LIST OF EXPLICIT DSN - CICS GROUP'
*
 EXPLICIT=CICS.PROCLIB
 EXPLICIT=CICS.PARMLIB
 EXPLICIT=CICS.LOADLIB
*
 SHOW=LIST
*
 PROTECT=(LIST,
 LOCK=NO,
 INITIAL=NO,
 COPIES=20)
//*

Refer to the sample job CYGA1PRO in the Sample jobs.

How do I protect a pattern of data sets?

The following statements protect a pattern of data sets. The PATTERN commands resolve data sets from the catalog. The EXCLUDE commands exclude the data sets from the resolved list. The SHOW=LIST command shows the list of data sets to be protected. Finally, the PROTECT command operates on all data sets in the LIST.
//CYGIN DD *
 LOGCOMMENT='PROTECT A PATTERN OF DATA SETS'
*
 PATTERN=SYS1.*
 PATTERN=SYS2.*
 EXCLUDE=SYS1.DUMP*
 EXCLUDE=SYS1.BRODCAST
*
 SHOW=LIST
*
 PROTECT=(LIST,
 LOCK=NO,
 INITIAL=NO,
 COPIES=20)
//*

Refer to the sample job CYGA1PRO in the Sample jobs.

What is the difference between LOCK=YES and LOCK=NO?

Protecting a data set with LOCK=NO provides a freehand mode operation. All members of the resource can be updated by any user observing the rules of RACF. z/OS Change Tracker monitors member-level activities of such a resource, records the changes, and automatically backs up the changed members to its repository.

LOCK=YES prevents users from updating members of a protected resource until a checkout is performed. This member-level update prevention is performed by the z/OS Change Tracker started task.

How does NOTIFY=Y work for documenting changes during an EDIT session?

When a data set is protected with NOTIFY=Y, the user is reminded to use the CSAVE command when the edit of the member is finished. This feature is important for critical libraries such as SYS1.PARMLIB and SYS1.PROCLIB, where everyone is supposed to use the CSAVE command. To implement this feature, refer to Configuration and implementation.

PROTECT=(DSN=SYS1.PARMLIB,
 NOTIFY=Y,
 CSAVE=Y,
 LOCK=NO,
 INITIAL=NO,
 COPIES=20)

NOTIFY=Y will not work for a PDSE when enforced CSAVE or LOCK=Y is set. If either is specified with NOTIFY=Y, NOTIFY=Y will be ignored.
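
A pre-submission check for the restriction above, as an added example that is not part of the product or its sample library: it scans a CYGIN deck for PROTECT statements where NOTIFY=Y is combined with CSAVE=Y or LOCK=Y/YES on a data set you have identified as a PDSE. It assumes CSAVE=Y is the enforced-CSAVE setting; the deck is constructed, and parse_protects, lint_notify and the PDSE name set are hypothetical names.

```python
import re

# Constructed sample deck for illustration (not from the samples library).
SAMPLE_DECK = """\
//CYGIN DD *
 LOGCOMMENT='CONSTRUCTED SAMPLE'
*
 PROTECT=(DSN=SYS1.PARMLIB,
 NOTIFY=Y,
 CSAVE=Y,
 LOCK=NO,
 INITIAL=NO,
 COPIES=20)
 PROTECT=(DSN=SYS1.PROCLIB,NOTIFY=Y,LOCK=NO)
 PROTECT=(DSN=CICS.LOADLIB,NOTIFY=Y,LOCK=YES)
//*
"""

def parse_protects(deck):
    """Return one {keyword: value} dict per PROTECT=(...) statement."""
    # Drop JCL lines (//) and comment lines (*), then join continuation lines.
    lines = (l.strip() for l in deck.splitlines())
    body = " ".join(l for l in lines if l and not l.startswith(("//", "*")))
    found = []
    # The lookbehind keeps REPROTECT=( and UNPROTECT=( from matching.
    for m in re.finditer(r"(?<![A-Z])PROTECT=\(([^()]*)\)", body):
        pairs = (p.split("=", 1) for p in m.group(1).split(",") if "=" in p)
        found.append({k.strip().upper(): v.strip().upper() for k, v in pairs})
    return found

def lint_notify(deck, pdse_names):
    """List (dsn, reasons) where NOTIFY=Y would be ignored on a PDSE.

    pdse_names is supplied by the caller: the deck does not say whether a
    data set is a PDS or a PDSE (assumption of this example).
    """
    findings = []
    for p in parse_protects(deck):
        dsn = p.get("DSN", "LIST")
        if p.get("NOTIFY") not in ("Y", "YES") or dsn not in pdse_names:
            continue
        reasons = [f"{k}={p[k]}" for k in ("CSAVE", "LOCK")
                   if p.get(k) in ("Y", "YES")]
        if reasons:
            findings.append((dsn, reasons))
    return findings

if __name__ == "__main__":
    for dsn, why in lint_notify(SAMPLE_DECK, {"SYS1.PARMLIB", "CICS.LOADLIB"}):
        print(f"{dsn}: NOTIFY=Y ignored because of {', '.join(why)}")
```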

How do I generate a report of change activities in a protected resource?

The following statements report all change activities in SYS1.PARMLIB and SYS1.PROCLIB protected resources.

//CYGIN DD *
 SHOW=ACTIONS=(DSN=SYS1.PARMLIB,MEM=*)
 SHOW=ACTIONS=(DSN=SYS1.PROCLIB,MEM=*)
//*

How do I generate a report of DELETE activities in any of the protected data sets?

In the following statements, the SHOW=PROTECTIONS command first generates a list of all protected resources in memory. The SHOW=ACTIONS=LIST command then examines all data sets in the list to report the change activities. The change activities are filtered to show only the DELETE activities because OPTIONS=DEL is specified.
//CYGIN DD *
 OPTIONS=DEL (other options are: ADD, UPD, REN, ALL)
*
 SHOW=PROTECTIONS
 SHOW=ACTIONS=LIST
//*

Can I generate a report of all changes that occurred yesterday?

Yes. Using the DATE command, you can request the change activities of a specific day in the past.

//CYGIN DD *
 DATE=TODAY-1
*
 SHOW=PROTECTIONS
 SHOW=ACTIONS=LIST
//*

Can I generate a report of all changes that occurred in the past 7 days?

Yes. Using the SINCE command, you can request the change activities since N days ago.

//CYGIN DD *
 SINCE=TODAY-7
*
 SHOW=PROTECTIONS
 SHOW=ACTIONS=LIST
//* 

Can I generate a report of all changes that occurred within a date range?

Yes. You can use BEGINDATE and ENDDATE commands. In the following example all change activities from midnight of January 1, 2022 until midnight of May 10, 2022 will be reported.

//CYGIN DD *
 BEGINDATE=2022/01/01_00:00
 ENDDATE=2022/05/10_23:59
 SHOW=PROTECTIONS
 SHOW=ACTIONS=LIST
//*

Can I back up a specific member of a data set with my own documentation?

Yes. Once a data set has become a protected resource by z/OS Change Tracker, the started task automatically backs up any changed members immediately after they have been saved. Users can also initiate their own member backups with appropriate documentation for the backed-up member.

//CYGIN DD *
 MEMBERBACKUP=(DSN=SYS1.PARMLIB,VOL=RES001,
 MEM=MEM1,
 COMMENT='Backup created by John before vacation')
//*

Refer to the sample job CYGA2BKP in the samples library.

How can I recover a previous version of a member?

To recover a version in batch, run the following statements:

...
//DD1 DD DISP=SHR,DSN=IBMU11.RECOVERY.PDS01
//CYGIN DD *
 MEMBERRECOVER=(DSN=SYS1.PARMLIB,VOL=RES001,
 MEM=MEM1,
 VER=-1, RECOVERS THE PREVIOUS VERSION
 OUTDD=DD1)

Refer to the sample job CYGA3REC in the samples library.

Can I recover all previous versions of a member?

Yes. To recover all versions of a specific member, run the following statements:

...
//DD1 DD DISP=SHR,DSN=IBMU11.RECOVERY.PDS01
//CYGIN DD *
 MEMBERRECOVER=(DSN=SYS1.PARMLIB,VOL=RES001,
 MEM=MEM1,
 VER=*, RECOVERS ALL VERSIONS
 OUTDD=DD1)

Refer to the sample job CYGA3REC in the samples library.

Can I recover a specific version of a member backup using ISPF?

Yes. Use option 3 Recover from the z/OS Change Tracker ISPF main menu to list all versions of a specific member. You can then select one version for recovery or view the contents online without recovering it. Pairs of versions can be selected to report the individual lines of difference. For load modules, the differences between versions are reported on a byte level.

Can I generate a list of all available backups for all members?

Yes. To obtain a list of all versions available in the z/OS Change Tracker repository, the following sample job may be run:

//CYGIN DD *
 SHOW=BACKUPS=(DSN=SYS1.PARMLIB,
 MEM=*)
//*

Refer to the sample job CYGA4DEL in the samples library.

How do I remove a data set from the z/OS Change Tracker protection list?

To remove a data set from being protected by z/OS Change Tracker, use the following statements:

//CYGIN DD *
 UNPROTECT=(DSN=SYS1.PARMLIB,VOL=RES001)
//* 

In this example the VOL parameter has been specified to refer to an uncataloged protected resource. Refer to the sample job CYGA5REM in the samples library.

How do I update a member in a locked (LOCK=YES) data set?

A member of a locked data set must be checked out to a user or group before it can be updated. It can then be updated only by that user or members of that group. The started task will prevent any update attempt by other users. The CHECKOUT command performs this function and may only be run by the administrator.

//CYGIN DD *
 CHECKOUT=(DSN=SYS1.PROCLIB,
 MEMBER=IPCS,
 COMMENT=('CHECKOUT TO IBMU11'),
 USERID=IBMU11)
 ENDCHECK
//*

Refer to the sample job CYGA6CKO in the samples library.

Can I check out a member to a RACF group?

Yes. The administrator can use the following statements to check out a member to a predefined RACF group. Multiple users in the RACF group will have update access to the checked out member.

//CYGIN DD *
 CHECKOUT=(DSN=SYS1.PROCLIB,
 MEMBER=IPCS,
 COMMENT=('CHECKOUT to multiple users in a RACF group'),
 RACFGROUP=CICSTEAM)
*
 ENDCHECK
 SHOW=UNIVERSE
//*

How do I relinquish ownership of a member?

When you no longer need the member for your exclusive control, an Administrator can check in that member using the following statements:

//CYGIN DD *
 CHECKIN=(DSN=SYS1.PROCLIB,
 MEM=IPCS,
 COMMENT='MODIFY WAS APPROVED BY CICS TEAM LEADER')
*
 ENDCHECK
//*

Refer to the sample job CYGA7CKI in the samples library.

Can I see which members have already been checked out from a library?

Yes. To view which members have been checked out from a specific resource, use the Check In option from the Administration ISPF menu. In batch, you can use the SHOW=CHECKOUT command to list all checked out members in all protected libraries.

//CYGIN DD *
 SHOW=CHECKOUT
//*

Can I change the LOCK status of a resource which has already been protected?

Yes. Using the following job, an Administrator can change the lock status of a resource. If it has already been protected with LOCK=NO, this job will change it to LOCK=YES. Keep in mind that by setting the LOCK status to YES, none of the members in the library can be updated by any user unless a checkout is performed by an Administrator.

//CYGIN DD *
 REPROTECT=(DSN=SYS1.PROCLIB,
 LOCK=YES)
//*

Refer to the sample job CYGA8REP in the samples library.

What would happen if the started task is stopped? Will introduced changes be lost if the started task is not active?

No, the Surveillance feature will capture changes that occur while the started task is inactive. The next time the task restarts all changes introduced will be picked up and the changed members are backed up. Such recorded changes collected by the SURV function are identified in the change report as being collected by the CYGMAIN program. The z/OSMF supplied started task job and procedure have a Surveillance step which runs before the started task is started. It is recommended that they not be modified.

//STEPSURV
//CYGIN DD *
 SHOW=PROTECTIONS
 SURV=(LIST,CHG=YES)
//*
//STEPREP
//CYGIN DD *
 SHOW=PROTECTIONS
 SHOW=ACTIONS=LIST
//*

Refer to the sample job CYGA9SRV in the samples library.

Can I generate a list of protected data sets being controlled by z/OS Change Tracker?

Yes. Using the statements below, an Administrator can generate a list of currently protected resources.

//CYGIN DD *
 SHOW=PROTECTIONS
//*

What needs to be done if an already protected resource is moved to a different DASD volume?

If a cataloged data set is already protected by z/OS Change Tracker, and it is moved to a DASD volume other than the one already known by the started task, either the task must be recycled, or the TRIGGERREFRESH command must be run by an Administrator to trigger a protection list refresh.

//CYGIN DD *
 TRIGGERREFRESH
//*