TSS7299I For Volume when ACID has Dataset Access

Document ID : KB000126301
Last Modified Date : 06/02/2019
Show Technical Document Details
Question:
Validation of TSS7299I messages. 
The userid is permitted READ access to the dataset and the permit does not have NOTIFY. It appears the notify is coming from a volume rule because the dataset is located on that volume. 
Why does the volume record get involved since the userid has a permit to the data set allowing access? 

TSS7299I J=VINIT A=VRTCS TYPE=DATASET RES=SYS2.MAINV.V33.OPS3092O %Sendit MSN MSG.TSS7299I J=VINIT A=VRTCS TYPE=DATASET RES=SYS2.  
Answer:
Volume access is always checked first and if you do not have access to the volume you will fail. 
But here is the "catch".... Volumes are not passed that often so therefore there are minimal times Volume checking is done and consequently minimal messages seen referring to Volume access.
The bottom line is that if a volume is passed then access to that volume needs to be granted. If no volume is passed on the call then it will go to data set checking.
 The below link explains Dataset and Volume Level Access:
 https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/protecting-resources/data-set-and-volume-level-security 

Many sites do not deal with volume checking. They use data set permits to protect data sets. If a volume is passed and the allowed volume access is CREATE, then it will always defer to data set checking.
A common practice is for sites to put the following permit in the ALL Record: 
TSS PERMIT(ALL) VOLUME(*ALL*(G)) ACCESS(CREATE) 
The above permit will force data set checking and never allow access on volume access alone. You can still grant other volume access levels in acid records or profiles but the above permit will make sure if a call sends a volume the call will not fail if the acid has access to the data set.