DFSMSdfp: Accommodate new authorization requirements for users of the IDCAMS DEFINE command

Description

IDCAMS APAR OA47269 introduces changes to the RACF authorization checking of data set aliases, VSAM cluster paths, and alternate indexes (AIXs). As a result of this change, users of the IDCAMS DEFINE command might require additional security authorizations for defining these objects.

In previous releases:
  • For a DEFINE ALIAS request, if the alias was for a generation data set or a non-VSAM data set, the generation data set name or the non-VSAM data set name was used for RACF authorization checking.
  • For a DEFINE ALTERNATEINDEX or DEFINE PATH request, the associated cluster name was used for RACF authorization checking.
With IDCAMS APAR OA47269 applied, the user of the IDCAMS DEFINE command requires SAF ALTER authority:
  • To the target data set when defining an alias for the data set. This requirement is added to the existing requirement that users have SAF UPDATE authority to the catalog that is to contain the alias, if the associated data set is non-SMS-managed. If the associated data set is SMS-managed, no SAF authority to the catalog is required.
  • To the VSAM cluster, when defining a VSAM path or alternate index name (AIX) for the cluster. This requirement is added to the existing requirement that users have SAF UPDATE authority to the catalog, if the related cluster is not SMS-managed.
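The following IDCAMS job is an added example, not part of the IBM migration text, that shows the three DEFINE requests this APAR affects and, in comments, which resource name is authorization-checked once OA47269 is applied. All data set names and the volume serial (PROD.APPL.DATA, PROD.VSAM.CLUSTER, VOL001 and so on) are constructed placeholders.

```jcl
//IDCDEF   JOB (ACCT),'DEFINE ALIAS/PATH/AIX',CLASS=A,MSGCLASS=X
//* Added example; data set names and VOL001 are constructed placeholders.
//STEP1    EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  /* DEFINE ALIAS: with OA47269 applied the issuer needs SAF ALTER    */
  /* authority to the target data set PROD.APPL.DATA, in addition to  */
  /* UPDATE authority to the catalog when PROD.APPL.DATA is not       */
  /* SMS-managed.                                                     */
  DEFINE ALIAS (NAME(PROD.APPL.ALIAS) -
                RELATE(PROD.APPL.DATA))
  /* DEFINE AIX: with OA47269 applied the issuer needs SAF ALTER      */
  /* authority to the base cluster PROD.VSAM.CLUSTER (Table 1 shows   */
  /* NONE was required on the cluster before the APAR).               */
  DEFINE AIX (NAME(PROD.VSAM.AIX) -
              RELATE(PROD.VSAM.CLUSTER) -
              KEYS(10 0) -
              RECORDS(1000 100) -
              VOLUMES(VOL001) -
              UPGRADE)
  /* DEFINE PATH over the AIX and its related base cluster: the same  */
  /* ALTER check against PROD.VSAM.CLUSTER applies.                   */
  DEFINE PATH (NAME(PROD.VSAM.PATH) -
               PATHENTRY(PROD.VSAM.AIX))
/*
```

If any of the three checks fails after the APAR is applied, the DEFINE ends with an authorization failure; the profile that must grant ALTER is the one protecting the name shown in the corresponding comment, not the alias, path, or AIX name being created.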
Table 1 summarizes the changes to authorization requirements for defining data set aliases, VSAM cluster paths, and alternate indexes.
Table 1. Required security authorization for data set aliases, VSAM cluster paths, and alternate indexes

Each entry lists the IDCAMS command, the function it performs, and the authorization that is required for the related data set or cluster without and with APAR OA47269 applied.

DEFINE ALIAS
  Function performed: Defines an alternate name for a non-VSAM data set or a user catalog.
  Without APAR OA47269 applied: NONE
  With APAR OA47269 applied: ALTER (see Note 1)

DEFINE PATH
  Function performed: Defines a path directly over a base cluster or over an alternate index and its related base cluster.
  Without APAR OA47269 applied: NONE
  With APAR OA47269 applied: ALTER (see Note 2)

DEFINE ALTERNATEINDEX
  Function performed: Defines an alternate index.
  Without APAR OA47269 applied: NONE
  With APAR OA47269 applied: ALTER (see Note 2)

Notes:
  1. The user requires ALTER authority to the alias name, unless the user has READ authority to resource name STGADMIN.IGG.CATALOG.SECURITY.CHANGE. If so, the user does not require authorization to the data set name.
  2. The user requires ALTER authority to the entry name, unless the user has READ authority to resource name STGADMIN.IGG.CATALOG.SECURITY.CHANGE. If so, the user requires ALTER authority to the cluster name.

Table 2 provides more details about this migration action. Use this information to plan your changes to the system.

Table 2. Information about this migration action
Element or feature: DFSMSdfp.
When change was introduced: z/OS V2R1 and z/OS V1R13, both with APAR OA47269 applied.
Applies to migration from: z/OS V2R1 and z/OS V1R13, both without APAR OA47269 applied.
Timing: Before the first IPL of z/OS V2R2.
Is the migration action required? Yes, if your installation has data sets with aliases, paths, or alternate indexes (AIXs) that are not covered by existing security profiles.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: If you do not define the required security profiles, authorization errors might occur because users lack sufficient authority.
Related IBM® Health Checker for z/OS® check: None.

Steps to take

Follow these steps:
  • Review the security profiles for data sets that use aliases, paths, and alternate indexes. For any alias, path, or alternate index (AIX) that is not covered by an existing security profile, add or change security profiles for alias, path, or AIX to grant the appropriate authority.

    Depending on your installation’s naming conventions, you might find that your existing security profiles do not require any changes. For example, if the data set high-level qualifier is the user’s own user ID, the user typically already holds the required authority.

  • If your installation cannot immediately tolerate the change in authorization checking, you can reinstate the previous method of authorization checking by doing the following:
    • Defining a FACILITY class profile with the resource name of STGADMIN.IGG.CATALOG.SECURITY.CHANGE
    • Ensuring that users have at least READ authority to the FACILITY class resource name.
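The two jobs below are an added example, not IBM's own procedure text, that carry out the steps above with RACF commands run under TSO in batch (IKJEFT01). The first job checks which generic profile currently protects a cluster and a data set and then grants the ALTER authority the APAR requires; the second job is the alternative for installations that need to reinstate the previous authorization checking. Profile names, the user ID, and the group names (PROD.VSAM.**, PROD.APPL.**, APPLGRP, CATADMIN) are constructed placeholders.

```jcl
//RACFAUTH JOB (ACCT),'ALIAS/PATH/AIX AUTH',CLASS=A,MSGCLASS=X
//* Added example; profile names and IDs are constructed placeholders.
//*
//* STEP1: show the generic DATASET profile (if any) that protects the
//* base cluster that will receive a PATH or AIX and the non-VSAM data
//* set that will receive an ALIAS. No profile listed means the name is
//* not covered and STEP2's ADDSD is needed.
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  LISTDSD DATASET('PROD.VSAM.CLUSTER') GENERIC
  LISTDSD DATASET('PROD.APPL.DATA') GENERIC
/*
//* STEP2: create the missing generic profile (omit ADDSD when STEP1
//* showed one exists, or the command fails as already defined) and
//* grant the group that issues DEFINE PATH/AIX and DEFINE ALIAS the
//* ALTER authority now required on the related cluster or data set.
//STEP2    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD 'PROD.VSAM.**' UACC(NONE)
  PERMIT 'PROD.VSAM.**' ID(APPLGRP) ACCESS(ALTER)
  PERMIT 'PROD.APPL.**' ID(APPLGRP) ACCESS(ALTER)
  SETROPTS GENERIC(DATASET) REFRESH
/*
//*
//* Alternative job: reinstate the previous method of authorization
//* checking by defining the FACILITY class profile named on this page
//* and giving the catalog administration group READ to it. Keep UACC
//* at NONE so that only the permitted IDs are exempted.
//RACFFALL JOB (ACCT),'TEMP FALLBACK',CLASS=A,MSGCLASS=X
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY STGADMIN.IGG.CATALOG.SECURITY.CHANGE UACC(NONE)
  PERMIT STGADMIN.IGG.CATALOG.SECURITY.CHANGE CLASS(FACILITY) +
    ID(CATADMIN) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
/*
```

The SETROPTS REFRESH commands matter: generic DATASET profiles and RACLISTed FACILITY profiles are cached in storage, so a new profile or PERMIT does not take effect for the IDCAMS checks until the refresh runs. The fallback job restricts the STGADMIN.IGG.CATALOG.SECURITY.CHANGE profile to one group rather than granting READ broadly, because every user permitted to it bypasses the new ALTER check on the related data set or cluster.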

Reference information

For more information about creating authorizations for IDCAMS commands, see z/OS DFSMS Access Method Services Commands.