I had written “Here’s another nice mess I’ve gotten into! My master catalog is full of junk”, which describes what I did once I found my master catalog was full of stuff which should not be there.
I’ve now got round to finding out how to stop people from putting rubbish there in the first place!
See One minute mvs: catalogs and datasets for an introduction to master and user catalogs.
The master catalog should have some system datasets, aliases, and not much else.
An alias says: for this high level qualifier (COLIN), go to the user catalog (‘USER.COLIN.CATALOG’).
A catalog is a dataset, and you can use a RACF profile to protect it, so only authorised people can update it. Typically, when you define a userid, you should also define an alias for that userid, pointing to a user catalog.
Which is my master catalog?
At IPL, it reports
IEA370I MASTER CATALOG SELECTED IS CATALOG.Z31B.MASTER
You can also use the operator command D IPLINFO, which shows
SYSTEM IPLED AT 07.26.58 ON 01/02/2026
RELEASE z/OS 03.01.00 LICENSE = z/OS
USED LOADCP IN SYS1.IPLPARM ON 00ADF
My load parm member, SYS1.IPLPARM(LOADCP) has
IODF 99 SYS1
INITSQA 0000M 0008M
SYSCAT B3SYS1113CCATALOG.Z31B.MASTER
SYSPARM CP
IEASYM (00,CP)
The catalog is called CATALOG.Z31B.MASTER
Does a RACF profile exist?
See What RACF profile is used for a data set?
tso listdsd dataset('CATALOG.Z31B.MASTER')
tso listdsd dataset('CATALOG.Z31B.MASTER') generic
Both showed that no profile was defined.
Create the profile
* DELDSD 'CATALOG.Z31B.*'
ADDSD 'CATALOG.Z31B.*' UACC(READ)
PERMIT 'CATALOG.Z31B.*' ID(IBMUSER ) ACCESS(CONTROL)
PERMIT 'CATALOG.Z31B.*' ID(COLIN ) ACCESS(READ )
When I tried to use the master catalog from a general userid, the request failed as expected.
DELETE TEST ALIAS
IDC3018I SECURITY VERIFICATION FAILED+
IDC3009I ** VSAM CATALOG RETURN CODE IS 56 - REASON CODE IS IGG0CLFT-6
IDC0551I ** ENTRY COLIN.TEST NOT DELETED
IDC0014I LASTCC=8
Hmm, that’s strange
With userid COLIN, I could still issue commands, such as DELETE TEST ALIAS, even though I had given it only read access.
If I displayed the profile from userid COLIN, it showed
INFORMATION FOR DATASET CATALOG.Z31B.* (G)
LEVEL OWNER UNIVERSAL ACCESS WARNING ERASE
----- -------- ---------------- ------- -----
00 COLIN READ NO NO
YOUR ACCESS CREATION GROUP DATASET TYPE
----------- -------------- ------------
READ SYS1 NON-VSAM
This had me confused for several hours.
If I removed userid COLIN from group SYS1 and removed “SPECIAL”, then I could not issue commands.
The documentation says
If you have the SPECIAL attribute and define a profile for a group data set while SETROPTS ADDCREATOR is in effect, your user ID is added to the access list for the data set with ALTER access authority, whether or not you specify the OWNER operand.
I have SETROPTS ADDCREATOR specified.
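As an added worked example (not from the original post), here is a REXX exec that defines the profile and then lists the whole access list with AUTHUSER, rather than just YOUR ACCESS, so that an entry added under ADDCREATOR with more access than intended shows up. It assumes the names used above (profile CATALOG.Z31B.*, userids IBMUSER and COLIN).

```rexx
/* REXX: define the master catalog profile and verify who can really use it */
/* Assumed names, taken from the post: CATALOG.Z31B.*, IBMUSER, COLIN         */
ADDRESS TSO

/* 1. Is ADDCREATOR in effect? Check the ADDCREATOR line in the output.       */
"SETROPTS LIST"

/* 2. Define the generic profile; general users get only READ.                */
"ADDSD 'CATALOG.Z31B.*' UACC(READ)"

/* 3. Grant explicit access to the userids that should maintain the catalog. */
"PERMIT 'CATALOG.Z31B.*' ID(IBMUSER) ACCESS(CONTROL)"
"PERMIT 'CATALOG.Z31B.*' ID(COLIN)   ACCESS(READ)"

/* 4. Show the full access list. AUTHUSER lists every userid and group entry,  */
/*    including one that ADDCREATOR added for the creating userid with ALTER. */
"LISTDSD DATASET('CATALOG.Z31B.*') GENERIC AUTHUSER"

/* 5. If an entry has more access than intended, remove it and look again.    */
/*    (Example: drop any creator entry for COLIN, then re-list.)              */
"PERMIT 'CATALOG.Z31B.*' ID(COLIN) DELETE"
"LISTDSD DATASET('CATALOG.Z31B.*') GENERIC AUTHUSER"

/* 6. Generic profiles are cached in storage; refresh so the change is used.  */
"SETROPTS GENERIC(DATASET) REFRESH"
```

Run the LISTDSD with AUTHUSER from a userid that does not have SPECIAL as well, since the access list rather than YOUR ACCESS is what tells you who is really allowed to update the catalog.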
Summary
You can set up a RACF profile for the master catalog data set to stop general users from updating the catalog. You’ll also need to create an alias for each userid, pointing to a user catalog. It does not feel 100% locked down, because my userids with special authority can still update the catalog, even though they appear to have only read access.