Managing copied SDUMP data set access

When moving or copying fault entries with an associated tightly coupled SDUMP data set, Z Abend Investigator creates a copy of the original SDUMP data set and links the copied fault entry and copied SDUMP data set together.

Z Abend Investigator permits control of copied SDUMP data sets with an XFACILIT security profile.

If the process described in this topic is used to control copied SDUMP data sets, the actual copied SDUMP data set cannot be read or deleted by a normal end user, except through analysis or deletion of the fault entry it is linked to. For example, where the payroll application has its own history file that general users do not have READ access to, this XFACILIT process means that any copied SDUMP data sets for payroll are restricted from general users because they cannot access the fault entries.

To prevent the possibility of security exposures, use UACC(NONE) as the general data set profile access level for copied SDUMP data sets. An exposure would exist if ALTER access was granted to all users on the copied SDUMP data set profile to permit creation, instead of UACC(NONE) and the following XFACILIT setup. If, on a given system, all end users have similar access privileges, then the copied SDUMP data sets are still created if you choose to not set up the XFACILIT access, and instead give all users ALTER access to the copied SDUMP data set profile. This environment would probably have all users with equal access to the history files on that system. However, if some users do not have READ access to all history files, consider using the XFACILIT profile with UACC(NONE) on the data set profile to extend the protection to any copied SDUMP data sets linked to fault entries.

Using the XFACILIT resource class for copied SDUMP data sets

Set up an XFACILIT class profile with the name HFZSDUMP_HLQ.hlq.**. Replace hlq with one or more qualifiers of the data set name pattern specified using the SDUMPDSN option in the HFZOPTLM load module. (For details, see Specifying the copied SDUMP data set name pattern (SDUMPDSN).)

If the high-level qualifier includes a symbol name such as SDUMP&SYSCLONE., it might be necessary to set up more than one profile, depending on the expected symbol substitution values.

Having defined the XFACILIT profile (or profiles, if there is more than one due to symbol substitution), then provide the appropriate level (ALTER or NONE) for the users concerned. Users with ALTER access to the XFACILIT class implicitly have create capability through Z Abend Investigator to the copied SDUMP data set whose high-level qualifier, after any symbol substitution, matches the XFACILIT profile name hlq value.

General ALTER access to an XFACILIT profile does not override any normal data set profile protecting a copied SDUMP data set. It only permits the necessary access authorization to the copied SDUMP data set linked with a fault entry when performing actions through Z Abend Investigator such as:
  • Reading the data set during reanalysis
  • Deleting the data set when the associated fault entry is deleted

Z Abend Investigator tries to create and link a copied SDUMP to a fault entry when:

To create and link a copied SDUMP data set, the user must be granted ALTER access to either the appropriate XFACILIT HFZSDUMP_HLQ profile or the copied SDUMP data set profile.

Z Abend Investigator provides the equivalent access to the copied SDUMP data set, as to the fault entry that it is associated with, when you are doing problem analysis and have READ or DELETE access to the fault entry.

Deleting a fault entry implicitly causes any associated copied SDUMP data set that is linked with the fault entry to also be deleted.

XFACILIT example: copied SDUMP data sets

The following is an example of the recommended setup of the XFACILIT class for managing SDUMP data sets copied by Z Abend Investigator. You can modify or expand on this example as required.

This example assumes that the SDUMPDSN option in the HFZOPTLM configuration options module has been specified with the following value:
  1. Define an XFACILIT profile and grant universal access of ALTER to this profile:
  2. Define a generic data set profile for the same data sets with universal access of NONE: