Why am I allowed to catalog/uncatalog a data set when I have no access or only READ access.

Document ID : KB000020575
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

With OCEOV set to YES, what security checks are made as you create a tape data set and then catalog or uncatalog it?

Solution:

Using the following DD in a job: //XXXXXX DD DSN=SYS3.PROD.ACCT(+1),DISP=(NEW,CATLG,CATLG)........

The user submitting the job does not have UPDATE or ALTER access to SYS3.PROD.ACCT

If you have OCEOV set to YES then the following security calls will be made.

At open, CA 1 will check your CREATE option to see if it is set to UPDATE, or ALTER and then make a security call for the data set name and the access specified in the CREATE option.

If you don't have the access the job is failed with a security error.

At end of job, the system sees the DISP of (NEW,CATLG,CATLG) so even though the tape was not created it will attempt to catalog the DSN.

At this point CA 1 will check to see if you have ALTER access to the catalog where the data set will reside. If you do have ALTER access to the catalog the tape data set will be cataloged even though you did not have ALTER access to the DSN.

If you don't have ALTER access to the catalog, CA 1 will check to see if you have ALTER access to the DSN. If you don't have the required access then the data set is not cataloged.