SirSafe support for read-only files under MVS
SirSafe can be configured to support read-only files under MVS, which can be useful for Sarbanes-Oxley auditing. By default this support is deactivated. To take advantage of read-only files, the system manager must explicitly activate MVSRO mode with the AUTHCTL command.
When SirSafe is active in MVSRO mode, additional checks are performed whenever a Model 204 database file is physically opened. For each data set comprising the Model 204 database file, the current security interface is used to determine whether the Model 204 job is running under a profile that allows WRITE access. If so, the data set is opened for output; otherwise an attempt is made to open the data set for input.
If any of the data sets for a Model 204 database file are opened just for input, the Model 204 database file is forced into read-only mode: whatever privileges would have been granted to the opening user are logically ANDed with X'8763', and the Model 204 message M204.0620 is produced.
If the first (or only) data set for a Model 204 database file is opened just for input, the Model 204 message M204.0590 is produced and shared DASD enqueueing is deactivated.
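The open-time decision just described, written out as a small model so the rules can be tried against different access combinations. This is an added illustration, not SirSafe or Model 204 code: the security-interface profile lookup is replaced by a constructed access table, the data set names M204.TEST.FILEA.DS1 and M204.TEST.FILEA.DS2 are made up, and the privilege words X'BFFF' and X'8763' are the values quoted on this page.

```python
# Added model of the SirSafe MVSRO open-time decision. Not SirSafe code: the
# security-interface check is a constructed dict, data set names are made up.

READ_ONLY_PRIV_MASK = 0x8763   # bits that survive when a file is forced read-only


def mvsro_open(datasets, access_table, granted_privs):
    """Model how SirSafe in MVSRO mode would open a Model 204 database file.

    datasets      - names of the data sets comprising the file, first data set first
    access_table  - data set name -> "UPDATE", "READ" or "NONE"; a stand-in for the
                    security-interface check of the job's profile for WRITE access
    granted_privs - privilege word the opening user would otherwise receive
    Returns a dict with the outcome, the resulting privilege word, whether shared
    DASD enqueueing stays active, and the Model 204 messages the page associates
    with each situation.
    """
    opened_for_input = []
    for ds in datasets:
        access = access_table.get(ds, "NONE")
        if access == "UPDATE":
            continue                      # WRITE allowed: data set opened for output
        # No WRITE authority: SirSafe only checks for update access, so an open for
        # input is attempted whether or not READ is actually permitted.
        if access == "NONE":
            # The input open fails under MVS (913 abend, IEC150I) and Model 204
            # rejects the OPEN with M204.0454 / M204.0630.
            return {"opened": False, "messages": ["M204.0454", "M204.0630"]}
        opened_for_input.append(ds)

    result = {
        "opened": True,
        "privs": granted_privs,
        "shared_dasd_enq": True,
        "messages": [],
    }
    if opened_for_input:
        # Any data set opened just for input forces the whole file read-only.
        result["privs"] = granted_privs & READ_ONLY_PRIV_MASK
        result["messages"].append("M204.0620")
        if opened_for_input[0] == datasets[0]:
            # First (or only) data set read-only: shared DASD enqueueing is dropped.
            result["shared_dasd_enq"] = False
            result["messages"].append("M204.0590")
    return result


if __name__ == "__main__":
    # Constructed two-data-set file; only the first data set lacks WRITE access.
    table = {"M204.TEST.FILEA.DS1": "READ", "M204.TEST.FILEA.DS2": "UPDATE"}
    print(mvsro_open(["M204.TEST.FILEA.DS1", "M204.TEST.FILEA.DS2"], table, 0xBFFF))
```

Running the model with a WRITE-privileged logon (X'BFFF') against a file whose first data set allows only READ reproduces the situation in the example later on this page: the privilege word collapses to X'8763' and both M204.0620 and M204.0590 are produced. Swap the access levels of the two data sets and only M204.0620 results, because the first data set still opens for output.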
Activating read-only mode
In order to activate read-only file support, the System Manager must use the AUTHCTL command.
If SirSafe is already active, the AUTHCTL LIST command displays the current SirSafe configuration:
authctl list sirsafe
AUTHCTL A SIRSAFE REQUIRED MVSRW RACF=M204*
The keyword MVSRW indicates that read-only support is not active. Because SirSafe is running in REQUIRED mode, visible password entries may exist in CCASTAT. Continuing this example, read-only processing is enabled with the following command:
AUTHCTL C SIRSAFE REQUIRED MVSRO RACF=M204*
The keyword MVSRO indicates that read-only support is active.
For most jobs, the overhead of read-only support should be insignificant, because most commonly used Model 204 database files tend to remain physically open for the life of a job. However, certain kinds of unusual jobs could experience degradation. An example is an IFAM host language job that performs many IFOPEN and IFCLOSE calls.
If Model 204 attempts to open a database file without SirSafe MVSRO active, and the job has only read access to one or more of the data sets comprising the file, an IEC150I message is produced, indicating that a 913 abend occurred. Model 204 intercepts the open, and the open is rejected with an M204.0454 error message.
Note: As shown below, an IEC150I message can still occur when SirSafe MVSRO is active, because MVSRO processing only checks for update access to each data set of a Model 204 database file. An open for input is always attempted, even if the Model 204 job has no access at all to a data set.
AUTHCTL TEST ON
OPEN PROCFIL2
*** 2 M204.0454: UNABLE TO OPEN FILE DATASET PROCFIL2
*** 3 M204.0630: FILE OPEN COMMAND REJECTED
VIEW ERRORS
13.39.55 1 3: MSIR.0598: SirSafe: R/W access denied
13.39.55 1 3: MSIR.0597: SirSafe: (TOM,SYS1) checking R/W to M204.GARY.PROCFIL2 on MVS204
The corresponding messages in the job log:
JOB05308 ICH408I USER(TOM ) GROUP(SYS1 ) NAME(TOM SWIFT ) 961
961 M204.GARY.PROCFIL2 CL(DATASET ) VOL(MVS204)
961 INSUFFICIENT ACCESS AUTHORITY
961 FROM M204.GARY.PROCFIL2 (G)
961 ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
JOB05308 IEC150I 913-38,IFG0194E,ONLINE,TEST,PROCFIL2,0705,MVS204,M204.GARY.PROCFIL2
Monitoring and debugging
The AUTHCTL TEST ON command activates the display of debugging information for SirSafe. This lasts only for the current job, and it can be cancelled with an AUTHCTL TEST OFF command.
When AUTHCTL TEST is activated, two additional messages track the SirSafe data set access checking for read-only support:
MSIR.0597 identifies the data set being checked and the user ID and group under which the access is checked.
MSIR.0598 indicates whether the check succeeded or failed.
The following example shows SirSafe MVSRO processing forcing a file to open in read-only mode. (Remember that VIEW ERRORS output displays in reverse chronological order, and note that timestamps are removed from the example to save space.)
LOGFILE PROCFIL2
>PROCFIL2 A WRITE X'BFFF' 0, 0, 0, 0, 0, ALL
AUTHCTL TEST ON
O PROCFIL2
*** M204.0347: PASSWORD
*** M204.0590: SHARE-DASD ENQUEUEING INACTIVATED, FPL OF FILE PROCFIL2 MVS204.M204.GARY.PROCFIL2 IS ON A READ-ONLY DEVICE
*** M204.0620: FILE PROCFIL2 OPENED -- NO UPDATES ALLOWED
V CURPRIV,ERRORS
CURPRIV X'8763' PRIVS FOR CURRENT FILE/GROUP
MSIR.0557: SirSafe approved password access
MSIR.0553: GARY (M204USR,M204GRP) read to M204RACF.FILE.PROCFIL2.INDEXA tried by
MSIR.0598: SirSafe: R/W access denied
MSIR.0597: SirSafe: (GARY,SYS1) checking R/W to M204.GARY.PROCFIL2 on MVS204
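Because VIEW ERRORS lists messages newest first, reading the MSIR.0597/MSIR.0598 pairs by eye gets awkward once several files or users are involved. The following added script (not part of SirSafe or this page's original material) restores chronological order, attributes each MSIR.0598 outcome to the MSIR.0597 check that preceded it, and picks out files that M204.0620 reports as forced read-only. The sample input is constructed from the message formats shown on this page; the timestamps and the order of the two checks are made up, and only the "denied" wording of MSIR.0598 is known from the page, so the outcome text is captured verbatim rather than interpreted.

```python
import re

# Constructed sample of VIEW ERRORS output (newest line first, as Model 204
# displays it). Message formats follow this page; timestamps are made up.
SAMPLE_VIEW_ERRORS = """\
13.40.02 1 3: M204.0620: FILE PROCFIL2 OPENED -- NO UPDATES ALLOWED
13.40.02 1 3: MSIR.0598: SirSafe: R/W access denied
13.40.02 1 3: MSIR.0597: SirSafe: (GARY,SYS1) checking R/W to M204.GARY.PROCFIL2 on MVS204
13.39.55 1 3: MSIR.0598: SirSafe: R/W access denied
13.39.55 1 3: MSIR.0597: SirSafe: (TOM,SYS1) checking R/W to M204.GARY.PROCFIL2 on MVS204
"""

# MSIR.0597: who is being checked (user ID, group) against which data set/volume.
CHECK_RE = re.compile(
    r"MSIR\.0597: SirSafe: \((?P<user>[^,]+),(?P<group>[^)]+)\) checking R/W to "
    r"(?P<dataset>\S+) on (?P<volume>\S+)"
)
# MSIR.0598: outcome of the preceding check. Only "denied" is shown on the page,
# so the trailing text is kept as-is instead of being mapped to a fixed set.
RESULT_RE = re.compile(r"MSIR\.0598: SirSafe: R/W access (?P<result>.+?)\s*$")
# M204.0620: the file was forced into read-only mode.
FORCED_RO_RE = re.compile(r"M204\.0620: FILE (?P<file>\S+) OPENED")


def parse_view_errors(text):
    """Return the SirSafe R/W checks in chronological order, each with its outcome.

    The lines are reversed to undo VIEW ERRORS' newest-first display; each
    MSIR.0598 is then attributed to the most recent MSIR.0597 that has no
    outcome yet. A stray MSIR.0598 with no preceding check is ignored.
    """
    checks = []
    pending = None
    for line in reversed(text.splitlines()):
        m = CHECK_RE.search(line)
        if m:
            pending = m.groupdict()
            pending["result"] = None
            checks.append(pending)
            continue
        m = RESULT_RE.search(line)
        if m and pending is not None and pending["result"] is None:
            pending["result"] = m.group("result")
            pending = None
    return checks


def denied_checks(checks):
    """Checks whose outcome text is exactly 'denied', the wording shown on this page."""
    return [c for c in checks if c["result"] == "denied"]


def forced_read_only_files(text):
    """Files reported by M204.0620 as opened with no updates allowed."""
    return [m.group("file") for m in (FORCED_RO_RE.search(l) for l in text.splitlines()) if m]


if __name__ == "__main__":
    for c in parse_view_errors(SAMPLE_VIEW_ERRORS):
        print(f"{c['user']}/{c['group']} R/W to {c['dataset']} on {c['volume']}: {c['result']}")
    print("forced read-only:", forced_read_only_files(SAMPLE_VIEW_ERRORS))
```

Feeding the script a whole job's VIEW ERRORS output gives a per-user, per-data-set record of which R/W checks were refused, which is the evidence an auditor asking about read-only enforcement actually wants, and it surfaces any MSIR.0598 that cannot be matched to a check (a sign the output was truncated or interleaved from several users).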