Does TSS ADD(dept) VOL(*ALL*(G)) automatically protect all volumes?
Owning VOL(*ALL*(G)) does not automatically define/protect all volumes. It allows VOL(*ALL*(G)) to be permitted.
Sites that do not want volume checking issue:
TSS PERMIT(ALL) VOL(*ALL*(G)) ACC(CREATE)
With this permit in place, security defers to dataset checking regardless of the access the user is requesting to the dataset.
- Only the MSCA can own VOL(*ALL*(G)).
- For sites that want all volumes protected even if they are not owned, set the DEFPROT attribute on the VOLUME resource class via:
TSS REPLACE(RDT) RESCLASS(VOLUME) ATTR(DEFPROT)
CAUTION: Be very careful about setting DEFPROT on the VOLUME resource class, because there may be undefined volumes to which access is currently allowed, and that access will fail once DEFPROT is set.
Please see chapter 12 of the CA Top Secret User Guide, 'Protecting Resources', section titled 'Volume Protection', for more information on volume security.
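A pre-change check for the CAUTION above, as an added example that is not part of the original article or of CA Top Secret: it lists volumes that are in use but not defined by any ownership entry, which are the candidates to review before setting DEFPROT. The input lists, volsers and ACIDs are constructed, and treating a (G) operand as a volser prefix is an assumption of this sketch.

```python
from collections import defaultdict

# Constructed sample data, not output from any real system.
OWNED_VOLUMES = ["*ALL*(G)", "PAY(G)", "SYS001"]  # VOL() operands that are owned
OBSERVED_ACCESS = [                                # (volser, ACID) pairs seen in use
    ("PAY001", "USER01"), ("SYS001", "USER02"),
    ("WRK123", "USER01"), ("WRK123", "USER03"), ("TST900", "USER04"),
]

def parse_owned(entries):
    """Split ownership operands into exact volsers and generic prefixes."""
    exact, prefixes = set(), []
    for entry in entries:
        entry = entry.strip().upper()
        if entry == "*ALL*(G)":
            # Per the article: owning *ALL*(G) only allows it to be permitted;
            # it does not define or protect any volume.
            continue
        if entry.endswith("(G)") and len(entry) > 3:
            prefixes.append(entry[:-3])  # assumption: (G) marks a volser prefix
        elif entry:
            exact.add(entry)
    return exact, prefixes

def is_defined(volser, exact, prefixes):
    """True if an exact or generic ownership entry covers this volser."""
    return volser in exact or any(volser.startswith(p) for p in prefixes)

def defprot_impact(owned, observed):
    """Map each undefined volume that is in use to the ACIDs using it."""
    exact, prefixes = parse_owned(owned)
    impact = defaultdict(set)
    for volser, acid in observed:
        volser = volser.strip().upper()
        if not is_defined(volser, exact, prefixes):
            impact[volser].add(acid)
    return {vol: sorted(acids) for vol, acids in sorted(impact.items())}

if __name__ == "__main__":
    for volser, acids in defprot_impact(OWNED_VOLUMES, OBSERVED_ACCESS).items():
        print(f"{volser}: undefined, used by {', '.join(acids)}")
```

Each volume reported needs an ownership and permit decision before the attribute is changed.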