
I have a development system that multiple developers are working on. The current configuration allows any request for a new dataset to be catalogued in the Master catalog. To protect the master catalog from writes apart from authorized system personnel it appears that SAF is the suggested and best option. My security manager is RACF.

In looking through the IBM manuals there is a lot of academic information but no practical solution that describes all of the elements required to implement the solution.

One of the manuals I've been referencing is z/OS Security Server for RACF.

Here is the summary from this section:

RDEFINE GLOBAL DATASET
RALTER GLOBAL DATASET ADDMEM('CATALOG.MASTER'/READ)
ADDGROUP CATALOG          /* Defines the hlq of the dataset */
ADDSD  'CATALOG.MASTER' UACC(READ)

This approach does not yield any positive results and the system continues to allow anyone to catalog new datasets in the Master catalog.

My plan was to lock and unlock the default access since this is a test system but perhaps I need to create a separate User for catalog administration.

I expect that there are a variety of required elements from DFSMS, RACF, and perhaps other areas that need to be configured to make this work. Unfortunately the IBM manuals, although quite detailed, yield little in the way of practical / complete examples.

Hogstrom

3 Answers


Below is from manual: z/OS Security Server RACF Security Administrator's Guide

With the exception of a very select group, users should only be allowed to READ the master catalog. To allow this, enter:

RALTER GLOBAL DATASET ADDMEM('CATALOG.MASTER.**'/READ)
ADDSD  'CATALOG.MASTER.**' UACC(READ)

PERMIT 'CATALOG.MASTER.**' ID(SYSGROUP) ACCESS(CONTROL)

Suggest getting with your RACF administrator and setting something like this up.

user1686
Bill
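As an added illustration (not IBM's code and not from any answer here), a simplified Python model of how the profile in the answer above is resolved: the generic profile CATALOG.MASTER.** with UACC(READ) plus the PERMIT giving SYSGROUP CONTROL, which is why an ordinary user gets READ but not UPDATE while a SYSGROUP member is allowed, and why the generic name also covers names under CATALOG.MASTER where a discrete profile would not. User IDs DEV01 and SYSPRG1 and group DEVGRP are made up, and the most-specific-profile and access-list rules are simplified relative to real RACF.

```python
import re

# Simplified RACF DATASET-class access check (added illustration, not IBM code).
# Assumed generic-name rules: '**' = zero or more qualifiers, '*' alone = one
# qualifier, '*' inside a qualifier = any trailing characters, '%' = one char.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

def _qual_matches(pattern, qualifier):
    rx = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, qualifier) is not None

def _match(pat, quals):
    if not pat:
        return not quals
    if pat[0] == "**":  # try swallowing zero, one, two ... qualifiers
        return any(_match(pat[1:], quals[i:]) for i in range(len(quals) + 1))
    return (bool(quals) and _qual_matches(pat[0], quals[0])
            and _match(pat[1:], quals[1:]))

def profile_matches(profile, dsname):
    """True if the discrete or generic DATASET profile covers dsname."""
    return _match(profile.split("."), dsname.split("."))

def access_for(profile, user, groups):
    """Access list beats UACC: a user entry first, else the highest group entry."""
    acl = profile["acl"]
    if user in acl:
        return acl[user]
    group_levels = [acl[g] for g in groups if g in acl]
    if group_levels:
        return max(group_levels, key=ACCESS_ORDER.index)
    return profile["uacc"]

def check(profiles, dsname, user, groups, requested):
    """Return (effective access, allowed). Simplifications: fewest wildcards
    (then longest name) counts as most specific; with no covering profile
    RACF permits access unless SETROPTS PROTECTALL is active."""
    covering = [p for p in profiles if profile_matches(p["name"], dsname)]
    if not covering:
        return ("NOPROFILE", True)
    best = min(covering, key=lambda p: (sum(p["name"].count(c) for c in "*%"),
                                        -len(p["name"])))
    level = access_for(best, user, groups)
    return (level, ACCESS_ORDER.index(level) >= ACCESS_ORDER.index(requested))

# The profile the ADDSD / PERMIT commands above create (constructed sample data;
# SYSGROUP is the group named in the answer).
PROFILES = [{"name": "CATALOG.MASTER.**", "uacc": "READ",
             "acl": {"SYSGROUP": "CONTROL"}}]
```

The NOPROFILE result is the situation the question describes: with no covering profile (and PROTECTALL off) RACF does not stop anyone from writing to the catalog.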

You can take a look at the z/OS-supplied resources in the RACF Language Reference manual. You can also see the ADDSD and ADDUSER commands in the same document.


A cheap way to do it is by using a prior-to-SAF method: set a password on the master catalog. Anyone creating a data set with a high level qualifier not matching an alias entry will generate a WTOR asking for the password. It wouldn’t pass auditor muster, but in a development ADCD/ADLT environment I’ve found this very effective.

zarchasmpgmr
  • Interesting .. my reading indicated that passwords are not supported anymore. ... still studying – Hogstrom Dec 09 '19 at 02:43
  • Catalogs are weird. IDCAMS will still allow you to set a password, especially if your security administrator mucks the SAF database. – zarchasmpgmr Dec 09 '19 at 02:45