Page 1 of 1

How to protect a dataset only on one lpar

PostPosted: Tue Feb 04, 2020 2:11 am
by arju
Hi
We have 5 lpars in a sysplex using the same racf database. We have a requirement to protect one product dataset only in one lpar but to make it available on other 4 lpars.
Any suggestions?
Thanks in advance
Arju

Re: How to protect a dataset only on one lpar

PostPosted: Tue Feb 04, 2020 6:27 am
by steve-myers
You have a confused notion about "protecting" data sets.

Since you are using one RACF data base for all systems, you "protect" the data set on all systems, possibly by using UACC(READ), which allows all users the ability to read, but not update the data set, possibly by defining a data set profile using the ADDSD command:

ADDSD 'data set' GENERIC UACC(READ)

You then determine the users that need to update the data set, and you add access permissions with the PERMIT command :

PERMIT 'dataset' GENRIC ACCESS(access-level) ID(user)

In the PERMIT command a user can be an actual user, or the group of users in which the user is defined. There is no way (nor, in my opinion, is it desirable) to restrict access by LPAR.

Re: How to protect a dataset only on one lpar

PostPosted: Tue Feb 04, 2020 1:02 pm
by willy jensen
The PERMIT command has a WHEN( SYSID( system-identifier ... ) ) parameter, perhaps that will do it?

Re: How to protect a dataset only on one lpar

PostPosted: Wed Feb 05, 2020 3:45 am
by Robert Sample
PERMIT WHEN(SYSID(…)) only applies to PROGRAM class resources.

As far as I know, as long as you have one RACF database for all five LPARs it is not possible to restrict dataset access by LPAR -- if the dataset is accessible in one LPAR, it has the same access in all the LPARs. If you segregate the one LPAR's RACF database so you can do the restriction, that introduces a number of other problems.