https://m204wiki.rocketsoftware.com/index.php?action=history&feed=atom&title=SirSafe_support_for_read-only_files_under_MVSSirSafe support for read-only files under MVS - Revision history2026-05-14T01:15:46ZRevision history for this page on the wikiMediaWiki 1.43.1https://m204wiki.rocketsoftware.com/index.php?title=SirSafe_support_for_read-only_files_under_MVS&diff=94743&oldid=prevAdmin: 1 revision: SirSafe pages2016-11-30T21:32:41Z<p>1 revision: SirSafe pages</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<tr class="diff-title" lang="en">
<td colspan="1" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="1" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 21:32, 30 November 2016</td>
</tr><tr><td colspan="2" class="diff-notice" lang="en"><div class="mw-diff-empty">(No difference)</div>
</td></tr></table>Adminhttps://m204wiki.rocketsoftware.com/index.php?title=SirSafe_support_for_read-only_files_under_MVS&diff=94742&oldid=prevJAL: link repair2016-11-30T21:08:37Z<p>link repair</p>
<p><b>New page</b></p><div><var class="product">SirSafe</var> can be configured to provide support for read-only files under<br />
MVS environments &mdash; which can be quite useful for Sarbanes/Oxley auditing.<br />
By default this support is deactivated.<br />
In order to take advantage of read-only files, the system manager<br />
must explicitly activate <var>MVSRO</var> mode with the <var>[[SirSafe command and function reference#AUTHCTL|AUTHCTL]]</var> command.<br />
<br />
When <var class="product">SirSafe</var> is active in <var>MVSRO</var> mode, additional checks are<br />
performed whenever a <var class="product">Model&nbsp;204</var> database file is <b>physically</b> opened.<br />
For each data set comprising the <var class="product">Model&nbsp;204</var> database file, the current security<br />
interface is used to determine if the <var class="product">Model&nbsp;204</var> <i>job</i> is running under a profile that allows WRITE access.<br />
If so, the data set is opened for output, else an attempt is made to open the data set for input.<br />
<br />
If any of the data sets for a <var class="product">Model&nbsp;204</var> database file are opened just<br />
for input, then the <var class="product">Model&nbsp;204</var> database file is forced into read-only mode.<br />
Whatever privileges would have been granted to the opening user are logically And'ed with <code>X'8763'</code>, and the <var class="product">Model&nbsp;204</var> message <code>M204.0620</code> is produced.<br />
If the first (or only) data set for a <var class="product">Model&nbsp;204</var> database file is opened<br />
just for input, the <var class="product">Model&nbsp;204</var> message <code>M204.0590</code> is produced and shared DASD enqueueing is deactivated.<br />
<br />
==Activating read-only mode==<br />
In order to activate read-only file support, the System Manager must use the <var>AUTHCTL</var> command.<br />
If <var class="product">SirSafe</var> is already active, the <code>AUTHCTL LIST</code> command displays the current <var class="product">SirSafe</var> configuration:<br />
<p class="code"><b>authctl list sirsafe</b><br />
AUTHCTL A SIRSAFE REQUIRED MVSRW RACF=M204*<br />
</p><br />
<br />
The keyword <var>MVSRW</var> indicates that read-only support is <b>not</b> active.<br />
Because <var class="product">SirSafe</var> is running in <var>REQUIRED</var> mode, visible password entries may exist in CCASTAT.<br />
Continuing this example, read-only processing is enabled with the following command:<br />
<p class="code">AUTHCTL C SIRSAFE REQUIRED MVSRO RACF=M204*<br />
</p><br />
The keyword <var>MVSRO</var> indicates that read-only support is active.<br />
<br />
For most jobs, the overhead of read-only support should be insignificant,<br />
because most commonly used <var class="product">Model&nbsp;204</var> database files tend to remain<br />
physically open for the life of a job.<br />
However, certain kinds of unusual jobs could experience degradation.<br />
An example is an IFAM host language job that performs many <var>IFOPEN</var> and <var>IFCLOSE</var> calls.<br />
<br />
If <var class="product">Model&nbsp;204</var> attempts to open a database file without <var class="product">SirSafe</var> <var>MVSRO</var><br />
active, and the job has only read access to one or more of the data sets<br />
comprising the file, an IEC150I message is produced, indicating that a 913 abend occurred.<br />
<var class="product">Model&nbsp;204</var> intercepts the open, and the open is rejected with an <code>M204.0454</code> error message.<br />
<br />
<blockquote class="note"><br />
<p><b>Note:</b> As shown below, it is still possible to receive an IEC150I message when <var class="product">SirSafe</var> <var>MVSRO</var><br />
is active, because <var class="product">SirSafe</var> <var>MVSRO</var> processing just checks for <i>update</i> access to each data set of a <var class="product">Model&nbsp;204</var> database file.<br />
An open in read-only mode is always attempted, even if a <var class="product">Model&nbsp;204</var> job has <i>no</i> access to a data set.<br />
</p><br />
<p class="code"><b>AUTHCTL TEST ON<br />
OPEN PROCFIL2</b><br />
<nowiki>*** 2 M204.0454: UNABLE TO OPEN FILE DATASET PROCFIL2<br />
*** 3 M204.0630: FILE OPEN COMMAND REJECTED</nowiki><br />
<br />
<b>VIEW ERRORS</b><br />
13.39.55 1 3: MSIR.0598: SirSafe: R/W access denied<br />
13.39.55 1 3: MSIR.0597: SirSafe: (TOM,SYS1) checking R/W to M204.GARY.PROCFIL2 on MVS204<br />
<br />
JOB05308 ICH408I USER(TOM ) GROUP(SYS1 ) NAME(TOM SWIFT ) 961<br />
961 M204.GARY.PROCFIL2 CL(DATASET ) VOL(MVS204)<br />
961 INSUFFICIENT ACCESS AUTHORITY<br />
961 FROM M204.GARY.PROCFIL2 (G)<br />
961 ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )<br />
JOB05308 IEC150I 913-38,IFG0194E,ONLINE,TEST,PROCFIL2,0705,MVS204,M204.GARY.PROCFIL2<br />
</p></blockquote><br />
<br />
==<b id="monro"></b>Monitoring and debugging==<br />
The <code>AUTHCTL TEST ON</code> command can be used to activate the display<br />
of debugging information for SirSafe.<br />
This lasts just for the current job, and it can be cancelled with an<br />
<code>AUTHCTL TEST OFF</code> command.<br />
<br />
When <var>AUTHCTL TEST</var> is activated, two new messages track the <var class="product">SirSafe</var><br />
data set access checking for read-only support:<br />
Message <code>MSIR.0597</code> indicates the data set being checked and the user ID and group for the access.<br />
<code>MSIR.0598</code> indicates the failure or success of the check.<br />
<br />
The following example shows SirSafe <var>MVSRO</var> processing forcing a file to open in read-only mode.<br />
(Remember that <code>VIEW&nbsp;ERRORS</code> output<br />
displays in reverse chronological order, and note that<br />
timestamps are removed from the example to save space.)<br />
<p class="code"><b>LOGFILE PROCFIL2</b><br />
>PROCFIL2 A WRITE X'BFFF' 0, 0, 0, 0, 0, ALL<br />
<b>AUTHCTL TEST ON<br />
O PROCFIL2</b><br />
<nowiki>*** M204.0347: PASSWORD<br />
*** M204.0590: SHARE-DASD ENQUEUEING INACTIVATED, FPL OF FILE PROCFIL2<br />
MVS204.M204.GARY.PROCFIL2 IS ON A READ-ONLY DEVICE<br />
*** M204.0620: FILE PROCFIL2 OPENED -- NO UPDATES ALLOWED </nowiki><br />
<b>V CURPRIV,ERRORS</b><br />
CURPRIV X'8763' PRIVS FOR CURRENT FILE/GROUP<br />
MSIR.0557: SirSafe approved password access<br />
MSIR.0553: GARY (M204USR,M204GRP) read to M204RACF.FILE.PROCFIL2.INDEXA tried by<br />
MSIR.0598: SirSafe: R/W access denied<br />
MSIR.0597: SirSafe: (GARY,SYS1) checking R/W to M204.GARY.PROCFIL2 on MVS204<br />
</p><br />
<br />
==See also==<br />
{{Template:SirSafe topic list}}<br />
<br />
[[Category:SirSafe]]</div>JAL