How to protect a dataset only on one lpar

All about SAF, RACF, encryption, Firewall, Risk assessment and integrity concepts

How to protect a dataset only on one lpar

Postby arju » Tue Feb 04, 2020 2:11 am

We have 5 lpars in a sysplex using the same racf database. We have a requirement to protect one product dataset only in one lpar but to make it available on other 4 lpars.
Any suggestions?
Thanks in advance
Posts: 1
Joined: Tue Sep 09, 2008 1:32 am
Has thanked: 0 time
Been thanked: 0 time

Re: How to protect a dataset only on one lpar

Postby steve-myers » Tue Feb 04, 2020 6:27 am

You have a confused notion about "protecting" data sets.

Since you are using one RACF data base for all systems, you "protect" the data set on all systems, possibly by using UACC(READ), which allows all users the ability to read, but not update the data set, possibly by defining a data set profile using the ADDSD command:


You then determine the users that need to update the data set, and you add access permissions with the PERMIT command :

PERMIT 'dataset' GENRIC ACCESS(access-level) ID(user)

In the PERMIT command a user can be an actual user, or the group of users in which the user is defined. There is no way (nor, in my opinion, is it desirable) to restrict access by LPAR.
Global moderator
Posts: 2105
Joined: Thu Jun 03, 2010 6:21 pm
Has thanked: 4 times
Been thanked: 243 times

Re: How to protect a dataset only on one lpar

Postby willy jensen » Tue Feb 04, 2020 1:02 pm

The PERMIT command has a WHEN( SYSID( system-identifier ... ) ) parameter, perhaps that will do it?
willy jensen
Posts: 455
Joined: Thu Mar 10, 2016 5:03 pm
Has thanked: 0 time
Been thanked: 69 times

Re: How to protect a dataset only on one lpar

Postby Robert Sample » Wed Feb 05, 2020 3:45 am

PERMIT WHEN(SYSID(…)) only applies to PROGRAM class resources.

As far as I know, as long as you have one RACF database for all five LPARs it is not possible to restrict dataset access by LPAR -- if the dataset is accessible in one LPAR, it has the same access in all the LPARs. If you segregate the one LPAR's RACF database so you can do the restriction, that introduces a number of other problems.
Robert Sample
Global moderator
Posts: 3719
Joined: Sat Dec 19, 2009 8:32 pm
Location: Dubuque, Iowa, USA
Has thanked: 1 time
Been thanked: 279 times

Return to Mainframe Security


  • Related topics
    Last post