How to protect a dataset only on one lpar



All about SAF, RACF, encryption, Firewall, Risk assessment and integrity concepts

How to protect a dataset only on one lpar

Postby arju » Tue Feb 04, 2020 2:11 am

Hi
We have 5 lpars in a sysplex using the same racf database. We have a requirement to protect one product dataset only in one lpar but to make it available on other 4 lpars.
Any suggestions?
Thanks in advance
Arju
arju
 
Posts: 1
Joined: Tue Sep 09, 2008 1:32 am
Has thanked: 0 time
Been thanked: 0 time

Re: How to protect a dataset only on one lpar

 

Re: How to protect a dataset only on one lpar

Postby steve-myers » Tue Feb 04, 2020 6:27 am

You have a confused notion about "protecting" data sets.

Since you are using one RACF data base for all systems, you "protect" the data set on all systems, possibly by using UACC(READ), which allows all users the ability to read, but not update the data set, possibly by defining a data set profile using the ADDSD command:

ADDSD 'data set' GENERIC UACC(READ)

You then determine the users that need to update the data set, and you add access permissions with the PERMIT command :

PERMIT 'dataset' GENRIC ACCESS(access-level) ID(user)

In the PERMIT command a user can be an actual user, or the group of users in which the user is defined. There is no way (nor, in my opinion, is it desirable) to restrict access by LPAR.
steve-myers
Global moderator
 
Posts: 2047
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 223 times

Re: How to protect a dataset only on one lpar

Postby willy jensen » Tue Feb 04, 2020 1:02 pm

The PERMIT command has a WHEN( SYSID( system-identifier ... ) ) parameter, perhaps that will do it?
willy jensen
 
Posts: 282
Joined: Thu Mar 10, 2016 5:03 pm
Has thanked: 0 time
Been thanked: 40 times

Re: How to protect a dataset only on one lpar

Postby Robert Sample » Wed Feb 05, 2020 3:45 am

PERMIT WHEN(SYSID(…)) only applies to PROGRAM class resources.

As far as I know, as long as you have one RACF database for all five LPARs it is not possible to restrict dataset access by LPAR -- if the dataset is accessible in one LPAR, it has the same access in all the LPARs. If you segregate the one LPAR's RACF database so you can do the restriction, that introduces a number of other problems.
Robert Sample
Global moderator
 
Posts: 3629
Joined: Sat Dec 19, 2009 8:32 pm
Location: Dubuque, Iowa, USA
Has thanked: 1 time
Been thanked: 267 times


Return to Mainframe Security

 


  • Related topics
    Replies
    Views
    Last post