Hi, Eileen; Bob Bridges again, just using the ARC ID. First, I apologize: I see that in my first post I botched the fourth rule, the one I added late. Apparently I cut-and-pasted it and then forgot to modify it properly, which confused the issue considerably. I'll go back and edit the first post. The below four rules are what I was using, and what I think should work. About your questions:
1) "PRIVATE" is just part of the DSN; it has no special meaning except to make the example clearer, and in fact it's not the actual DSN used by my client.
2) You say "The first permit should allow read access to HLQ.USERA.PRIVATE", but I'm pretty sure you're mistaken; the first permit in the original, uncorrected post isn't the one that TSS would use, since the others are more specific, ie better matches. It seems to me that TSS should use the first one below (ARC.%.PRIVATE) and grant ACCESS(ALL), but in fact it's using ARC.*.PRIVATE and granting ACCESS(NONE).
3) Yes, I used TSSSIM to verify what's happening. Here's the combined rule set, listed (as I understand it) from most specific to least:
PER(profile) DATASET(HLQ.%.PRIVATE) ACC(ALL)
PER(profile) DATASET(HLQ.*.PRIVATE) ACC(NONE)
PER(profile) DATASET(HLQ.%.) ACC(ALL)
PER(profile) DATASET(HLQ.) ACC(READ)
At least, that's what ~I~ think should be the order. When I have USERA try to access HLQ.USERA.PRIVATE, I think TSS should use the first rule and grant ACCESS(ALL); but TSSSIM says that the second rule mandates ACCESS(NONE).
I thought maybe someone here would explain what I was missing, but I'll go open a case.