Hi Bob,
If you issue:
TSS WHOOWNS DSN(SYS1.ENDEVOR.PRODSRCE)
TSS WHOOWNS DSN(*****)
does the same acid own both of these?
The WHOHAS command does the equivalent of a WHOOWNS command, and then, for each ownership found, does the equivalent of the original WHOHAS command. When a TSS WHOHAS command is issued, TSS does not search every owned mask. However, if the mask is owned by the same acid as the dataset requested (i.e., SYS1.ENDEVOR.PRODSRCE), then the masked entry will show up in the output. In other words, if the acid that owned SYS1.ENDEVOR.PRODSRCE also owned *****, then the DSN(*****) permit would show up in the TSS WHOHAS output.
I suspect the acid that owns DSN(SYS1.ENDEVOR.PRODSRCE) is not the same as the acid that owns DSN(*****), in which case this is not an error condition.
I did not see this in the documentation.
If the auditor needs to know every acid that has access to DSN(SYS1.ENDEVOR.PRODSRCE), you will need to find acids that have NODSNCHK, SYS1.ENDEVOR.PRODSRCE permits, and all dataset permits with masking characters that match. Also, if a volume is passed on the dataset call for the SYS1.ENDEVOR.PRODSRCE dataset, you will need to find all acids that have volume access (either to the specific volume or a generic volume permit such as VOLUME(*ALL*(G)) or VOLUME(***), where '***' is a volume prefix for the volume where the dataset resides). When a dataset is accessed, if a volume is passed on the security call, TSS checks the volume access first and, based on the volume access, it allows the access, denies it, or goes to dataset checking. For example, if an acid has UPDATE access to the volume where SYS1.ENDEVOR.PRODSRCE resides and the volume is passed on the security call, the acid can READ or UPDATE SYS1.ENDEVOR.PRODSRCE regardless of what access the acid has to DSN(SYS1.ENDEVOR.PRODSRCE).
If you need assistance with how to find these, please let me know.
Best regards,
Bob Boerum
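
The audit checklist in the reply above, as an added example that is not part of the original post and is not TSS or vendor code: it walks a permit extract and lists every acid that needs review for one dataset, with the reason. The record layout, acid names and volume serials are constructed, and mask matching is approximated with shell-style `*` rather than TSS's own masking rules.

```python
from fnmatch import fnmatchcase

# Constructed sample data, not real TSS output; the record layout is hypothetical.
NODSNCHK_ACIDS = ["SYSPROG1"]
PERMITS = [
    {"acid": "ENDVADM", "type": "DSN", "res": "SYS1.ENDEVOR.PRODSRCE"},
    {"acid": "DEVGRP1", "type": "DSN", "res": "SYS1.ENDEVOR.*"},
    {"acid": "TESTER1", "type": "DSN", "res": "TEST.*"},
    {"acid": "STGADM", "type": "VOL", "res": "*ALL*", "generic": True},
    {"acid": "DASDOPS", "type": "VOL", "res": "PRD", "generic": True},
    {"acid": "TSTOPS", "type": "VOL", "res": "TST001", "generic": False},
]

def acids_to_review(dsn, volser, permits, nodsnchk_acids):
    """Return {acid: [reasons]} for every acid an auditor must look at.

    volser is None when no volume is passed on the security call, in which
    case volume permits are not considered.
    """
    found = {}

    def note(acid, reason):
        found.setdefault(acid, []).append(reason)

    for acid in nodsnchk_acids:
        note(acid, "NODSNCHK")
    for p in permits:
        acid, res = p["acid"], p["res"]
        if p["type"] == "DSN":
            if res == dsn:
                note(acid, "DSN permit")
            # Assumption: masks approximated with shell-style '*' matching.
            elif "*" in res and fnmatchcase(dsn, res):
                note(acid, "masked DSN permit " + res)
        elif p["type"] == "VOL" and volser is not None:
            if p["generic"]:
                # Generic permit: *ALL* or a prefix of the volume serial.
                if res == "*ALL*" or volser.startswith(res):
                    note(acid, "generic volume permit " + res)
            elif res == volser:
                note(acid, "volume permit " + res)
    return found

if __name__ == "__main__":
    for acid, why in acids_to_review("SYS1.ENDEVOR.PRODSRCE", "PRD001",
                                     PERMITS, NODSNCHK_ACIDS).items():
        print(acid, why)
```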