DFSMSdfp: Define a security profile for VSAM exception exits
Description
VSAM users can
specify an exit to receive control for physical I/O errors that might
occur against a VSAM data set, through either of the following methods:
- EXCEPTIONEXIT keyword of the IDCAMS define function
- SYNAD= sub-parameter of the AMP= keyword of the DDNAME JCL statement.
As of APAR OA46090, the exit name that can be specified on these keywords is controlled through a FACILITY class profile. The FACILITY class profile is named IDA.VSAMEXIT.exitname where exitname identifies the exit to be invoked.
You must ensure that the exit name is protected through a FACILITY class profile, and that callers of the exit have at least READ authority.
Table 1 provides more details about this migration action. Use this information to plan your changes to the system.
Element or feature: | DFSMSdfp. |
---|---|
When change was introduced: | z/OS V2R1 and z/OS V1R13, both with APAR OA46090 applied. |
Applies to migration from: | z/OS V2R1 and z/OS V1R13, both without APAR OA46090 applied. |
Timing: | Before the first IPL of z/OS V2R2. |
Is the migration action required? | Yes, if your installation has VSAM exception exits that are specified through the AMP or EXCEPTIONEXIT parameters. |
Target system hardware requirements: | None. |
Target system software requirements: | None. |
Other system (coexistence or fallback) requirements: | None. |
Restrictions: | None. |
System impacts: | If you have programs that specify VSAM exception
exits in this manner and you do not take the necessary migration action,
the programs will encounter the following open errors:
|
Related IBM® Health Checker for z/OS® check: | None. |
Steps to take
Follow these steps:
- Define a FACILITY class profile with the resource name IDA.VSAMEXIT.exitname, where exitname is the EXCEPTIONEXIT or SYNAD parameter value.
- Ensure that callers of the exit have at least READ authority to the FACILITY class resource name.
Use caution if you choose to use a generic RACF profile to ensure that you do not allow unintended modules to be used as VSAM exception exits.
Note: This action must be taken even if the exits
do not actually exist, unless you choose to remove the EXCEPTIONEXIT
or SYNAD parameter.
Reference information
For more information, see z/OS DFSMS Using Data Sets .