I want to make the dataset 'FULTONM.MY.FILE' read-only to everyone including me.
I issue:
addsd 'FULTONM.MY.FILE' GEN UACC(NONE)
I then issue:
listdsd dataset('FULTONM.MY.FILE')
which prints out:
INFORMATION FOR DATASET FULTONM.MY.FILE (G)

LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
00     FULTONM   NONE              NO       NO

AUDITING
--------
FAILURES(READ)

NOTIFY
--------
NO USER TO BE NOTIFIED

YOUR ACCESS  CREATION GROUP  DATASET TYPE
-----------  --------------  ------------
ALTER        CDEV            NON-VSAM

NO INSTALLATION DATA
Now I want to restrict everyone's access (including me: FULTONM) to just READ. I issued:
tsocmd "permit 'FULTONM.MY.FILE' ID(*) ACCESS(READ) GENERIC"
tsocmd "listdsd da('FULTONM.MY.FILE') GENERIC"
But I can still update the file, and I see no change in the LISTDSD output?
If I issue:
tsocmd "listdsd da('FULTONM.MY.FILE') GENERIC all"
I do see:
ID        ACCESS
--------  -------
*         READ
but I am still able to update the dataset.
You cannot limit access to your own data sets, i.e. data sets of which the high-level qualifier (HLQ) matches your userid.
From the RACF manual z/OS Security Server RACF - Security Administrator's Guide -> "Debugging problems in the RACF database" -> "Authorizing access to RACF-protected resources":
If users attempt to access their own resources, RACF grants the request. For example:
o For tape and DASD data sets, if the user ID of the requesting user is the high-level qualifier of the data set name, RACF grants the request.
Note that this describes standard behaviour assuming no RACF exit is doing special things.