Security and VLS Libraries

Document ID : KB000027955
Last Modified Date : 14/02/2018

Question:

What access should we give the users when accessing ADRLIB, ADRPNL and ADROUT?

Environment:

z/OS, z/VSE

Answer:

VLSUTIL and the VLS service routines used by other products always open the libraries for UPDATE. This is because member and library access is date/time stamped in the index of the library. Sites using a security package to control access, who want to restrict who can update a VLS library, will not want to grant UPDATE access at the library level. Top Secret allows a restricted form of UPDATE that will be useful for these situations:

TSS PERMIT(acids) DSN(vlsfile.dsname) -
PRIVPGM(IDBATCH IDUTSTRN IDUTOTRN IDUTILTY VLSUTIL) -
LIB(ideal.loadlib.dsname) ACCESS(UPDATE)

This restricts update access to the VLS file to access performed through the programs named in PRIVPGM. Any attempt to overwrite a VLS library with IEBGENER, for example, would be prevented.

The ACF2 equivalent is quite similar:

$KEY(hlq)
  rest.of.dsn UID(user UID string) PGM(IDBATCH) LIB(ideal.loadlib.dsname) W(A) R(A)
  rest.of.dsn UID(user UID string) PGM(IDUTSTRN) LIB(ideal.loadlib.dsname) W(A) R(A)
  rest.of.dsn UID(user UID string) PGM(IDUTOTRN) LIB(ideal.loadlib.dsname) W(A) R(A)
  rest.of.dsn UID(user UID string) PGM(IDUTILTY) LIB(ideal.loadlib.dsname) W(A) R(A)
  rest.of.dsn UID(user UID string) PGM(VLSUTIL) LIB(ideal.loadlib.dsname) W(A) R(A)