CA Top Secret

CL RESTART Violations. 

Sep 25, 2015 09:36 AM

Normally, when RESTART=<stepname> is used in Jobcards, Steps before <stepname> are skipped and execution begins with Step <stepname>.  But, security failures occur on skipped steps and the Userid, running the Job, is suspended due to excess violations.

 

This situation can occur if a Programmer copies production JCL, and updates just the Steps they intend to rerun, using RESTART=<stepname> to skip to those steps.  So, the question here is: Is there an option to check security only on the Steps that are actually being run?

 

The answer to this question is:

==========================================================================================================

For an SMS Dataset, SMS attempts to PRE-VALIDATE security access to create a Dataset before a Job Step runs, even in the case where a

Step is not actually run due to 'RESTART=******' in the Jobcard.  Top Secret has no control over it, or the option to bypass security checking

for Steps that are not actually run, i.e. working as designed.

==========================================================================================================

 

Now for further details, into resolving this Case, from the Joblog:

===================================================

1 //SS010BCT JOB (0,0,0,0,0,PRODUCTION),ICOMS, JOB05134

// MSGCLASS=R,NOTIFY=SS010BC,

// class="A",RESTART=STEP040

 

18 //STEP020 EXEC PGM=STMR620,COND=(0,NE)

 

26 //ITEMEXT DD DSN=PICSQ.ICMR625.STEP020.EXTRACT,

// DISP=(NEW,CATLG,DELETE),

// RECFM=FB,LRECL=1200,

// SPACE=(TRK,(600,150),RLSE),

// UNIT=SYSWRK

 

27 //STEP030 EXEC SORTD,COND=(0,NE)

 

37 //SORTOUT DD DSN=PICSQ.ICMR625.STEP030.EXTRACT.SORTED,

// DISP=(NEW,CATLG,DELETE),

// RECFM=FB,LRECL=1200,

// SPACE=(TRK,(600,150),RLSE),

// UNIT=SYSWRK

 

39 //STEP040 EXEC PGM=STMR625,COND=(0,NE)

...

 

TSS7227E CREATE Access Not Granted to Dataset

PICSQ.ICMR625.STEP020.EXTRACT

 

TSS7227E CREATE Access Not Granted to Dataset

PICSQ.ICMR625.STEP030.EXTRACT.SORTED

 

26 IGD308I DATA SET ALLOCATION REQUEST FAILED -

RACF FUNCTION: RACDEF FOR

DATA SET: PICSQ.ICMR625.STEP020.EXTRACT WITH

RETURN CODE 08 REASON CODE 00

 

37 IGD308I DATA SET ALLOCATION REQUEST FAILED -

RACF FUNCTION: RACDEF FOR

DATA SET: PICSQ.ICMR625.STEP030.EXTRACT.SORTED WITH

RETURN CODE 08 REASON CODE 00

===================================================

 

With RACF, instead of the TSS7227E message, you would get:

=========================================

** ICH408I USER(ADCDA ) GROUP(TEST ) NAME(ADCDA )

** ADCDB.BR14 CL(DATASET ) VOL(*BLANK)

** DEFINE - INSUFFICIENT AUTHORITY

=========================================

...and the Job would fail the same way.

 

SMS will get involved for any DD Cards that shows 'DISP=NEW' or 'DISP=MOD', even if they are not going to be used, as documented in IBM APAR OY44270:

=======================================================

COMMENTS:

IT IS THE CURRENT DESIGN OF DFSMS THAT AUTHORIZATION CHECKING

IS DONE DURING CONVERTER/INTERPRETER TIME. ALL THE STEPS IN A

JOB WILL BE EXAMINED. THE RESTART KEYWORD HAS NO MEANING AT

THIS TIME. SOME USERS IN FACT UTILIZE THIS DESIGN

SPECIFICATION TO 'PRE-SCAN' THEIR JCL FOR AUTHORIZATION ERRORS

WHILE NOT ACTUALLY RUNNING THE STEPS. THIS APAR IS BEING

CLOSED SUG SO THAT SOME ACCOMMODATION OF THESE TWO USER GROUPS

MAY BE CONSIDERED FOR INCLUSION IN A FUTURE RELEASE OF THE

PRODUCT.

=======================================================

 

If required, you can replace the 'DISP=NEW' or 'DISP=MOD' with 'DISP=OLD' in the earlier Steps.  This should allow the Job to execute from the RESTART Step.

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Related Entries and Links

No Related Resource entered.