I had written “Here’s another nice mess I’ve gotten into! My master catalog is full of junk”, which describes what I did once I found my master catalog was full of stuff which should not be there.
I’ve now got round to finding out how to stop people from putting rubbish there in the first place!
See “One minute mvs: catalogs and datasets” for an introduction to master and user catalogs.
The master catalog should have some system datasets, aliases, and not much else.
An alias says: for this high level qualifier (COLIN), go to the user catalog ('USER.COLIN.CATALOG').
A catalog is a dataset, and you can use a RACF profile to protect it, so only authorised people can update it. Typically, when you define a userid or a high level qualifier, you should also define an alias for that userid (or HLQ), pointing to a user catalog.
To keep user data out of the master catalog you need:
- one or more user catalogs. For example, you could give each user their own catalog, have one per department, or have one for all users. These catalogs are typically defined by storage administrators (or automation set up by storage administrators).
- an alias for each userid and the name of the catalog that userid should use. These aliases are set up by the people (or automation) who define userids.
- an alias for each dataset High Level Qualifier (HLQ) and the name of the catalog that the HLQ should use. These aliases are set up by the people (or automation) who define the high level qualifiers. An example HLQ is CEE, or DB2.
If you migrate to a system with a new master catalog (for example with zPDT or zD&T), you will need to import the user catalogs into the master catalog, and redefine the aliases.
Import a user catalog
When I tried to import a user catalog into the master catalog, I got
ICH408I USER(COLIN ) GROUP(TEST ) NAME(CCPAICE )
CATALOG.Z31B.MASTER CL(DATASET ) VOL(B3SYS1)
INSUFFICIENT ACCESS AUTHORITY
FROM CATALOG.Z31B.* (G)
ACCESS INTENT(UPDATE ) ACCESS ALLOWED(READ )
so any userid importing or exporting a catalog needs update access to the catalog.
Defining and deleting an alias
Having set up RACF profiles, and given my userid COLIN only READ access to the master catalog, I found my userid could still define and delete aliases. It took a couple of days to find out why.
- If a userid has ALTER access to CLASS(FACILITY) STGADMIN.IGG.DEFDEL.UALIAS the userid can define and delete ALIAS profiles. This overrides dataset access checks.
- If a userid does not have ALTER access to the profile, then normal dataset checks are made.
What I learned…
- My userid had “special”. As the documentation says, “The RACF SPECIAL attribute allows you to update any profile in the RACF database.” This meant I could display and update any profile.
- There is a profile class(facility) STGADMIN.IGG.DEFDEL.UALIAS which allows you to define and delete user aliases in the (master) catalog.
- If my userid had SPECIAL, or the userid was in group SYS1 I could issue the command
rlist facility STGADMIN.IGG.DEFDEL.UALIAS
and it gave
CLASS NAME
----- ----
FACILITY STGADMIN.IGG.* (G)
LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
----- -------- ---------------- ----------- -------
00 IBMUSER NONE ALTER NO
USER ACCESS
---- ------
SYS1 ALTER
IBMUSER ALTER
If my userid did not have special and was not in SYS1, I got
ICH13002I NOT AUTHORIZED TO LIST STGADMIN.IGG.*
When my userid was connected to the group SYS1, it got the ALTER access to the profile, and overrode the RACF profiles for the catalog data set.
Which is my master catalog?
At IPL, it reports
IEA370I MASTER CATALOG SELECTED IS CATALOG.Z31B.MASTER
You can use the operator command D IPLINFO
SYSTEM IPLED AT 07.26.58 ON 01/02/2026
RELEASE z/OS 03.01.00 LICENSE = z/OS
USED LOADCP IN SYS1.IPLPARM ON 00ADF
My load parm member, SYS1.IPLPARM(LOADCP) has
IODF 99 SYS1
INITSQA 0000M 0008M
SYSCAT B3SYS1113CCATALOG.Z31B.MASTER
SYSPARM CP
IEASYM (00,CP)
The catalog is called CATALOG.Z31B.MASTER and is on volume B3SYS1
Does a RACF profile exist?
See “What RACF profile is used for a data set?”
tso listdsd dataset('CATALOG.Z31B.MASTER')
tso listdsd dataset('CATALOG.Z31B.MASTER') generic
This showed there was no profile defined.
Create the profile
* DELDSD 'CATALOG.Z31B.*'
ADDSD 'CATALOG.Z31B.*' UACC(READ)
PERMIT 'CATALOG.Z31B.*' ID(IBMUSER ) ACCESS(CONTROL)
PERMIT 'CATALOG.Z31B.*' ID(COLIN ) ACCESS(READ )
When I tried to use the master catalog from a general userid the request failed.
DELETE TEST ALIAS
IDC3018I SECURITY VERIFICATION FAILED+
IDC3009I ** VSAM CATALOG RETURN CODE IS 56 - REASON CODE IS IGG0CLFT-6
IDC0551I ** ENTRY COLIN.TEST NOT DELETED
IDC0014I LASTCC=8
Hmm that’s strange
With userid COLIN, I could still issue commands, such as DELETE TEST ALIAS, even though I had given it only read access.
If I displayed the profile from userid COLIN it had
INFORMATION FOR DATASET CATALOG.Z31B.* (G)
LEVEL OWNER UNIVERSAL ACCESS WARNING ERASE
----- -------- ---------------- ------- -----
00 COLIN READ NO NO
YOUR ACCESS CREATION GROUP DATASET TYPE
----------- -------------- ------------
READ SYS1 NON-VSAM
This had me confused for several hours. That’s when I found out about the presence of the STGADMIN.IGG.DEFDEL.UALIAS profile.
Summary
You want user (non-system) datasets to be in a user catalog, rather than the master catalog. This makes migrating to a new master catalog much easier: you just have to import the catalogs and redefine the aliases.
You need to set up
- one (or more) user catalogs
- aliases to connect the userid (and High Level Qualifiers) to a catalog
- ALTER access to class(facility) STGADMIN.IGG.DEFDEL.UALIAS for authorised users, to allow them to maintain aliases.
- a RACF profile for the master catalog, with UACC(READ).
- update access to the master catalog dataset for those people who need to define, import or export catalogs.
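As an added example (not from the original post), here is a batch job for the new-master-catalog case described above: it reconnects an existing user catalog, redefines the alias, and uses a discrete FACILITY profile so that only a chosen group holds ALTER on STGADMIN.IGG.DEFDEL.UALIAS. The job card, volume USER01, device type 3390 and group ALIASADM are placeholders; the catalog and alias names are the ones used on this page.

```jcl
//NEWMCAT  JOB (ACCT),'CONNECT UCAT',CLASS=A,MSGCLASS=X
//* Added example. Placeholders: job card, volume USER01, device type
//* 3390, group ALIASADM. USER.COLIN.CATALOG and COLIN are the page's.
//* Submit from a userid with UPDATE to the master catalog data set
//* and with authority to define FACILITY profiles (e.g. SPECIAL).
//*
//* Step 1: reconnect the user catalog and redefine its alias.
//* Keep IDCAMS input indented: a /* in column 1 would end SYSIN.
//CONNECT  EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  IMPORT CONNECT -
         OBJECTS((USER.COLIN.CATALOG -
                  DEVICETYPE(3390) -
                  VOLUMES(USER01)))
  DEFINE ALIAS -
         (NAME(COLIN) -
          RELATE(USER.COLIN.CATALOG))
  LISTCAT ALIAS ENTRIES(COLIN) ALL
/*
//* Step 2: discrete FACILITY profile, so that only ALIASADM (and not
//* every ID permitted to the generic STGADMIN.IGG.*) bypasses the
//* data set check when defining or deleting aliases.
//* The SETROPTS refresh assumes the FACILITY class is RACLISTed.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY STGADMIN.IGG.DEFDEL.UALIAS UACC(NONE)
  PERMIT STGADMIN.IGG.DEFDEL.UALIAS CLASS(FACILITY) -
         ID(ALIASADM) ACCESS(ALTER)
  SETROPTS RACLIST(FACILITY) REFRESH
  RLIST FACILITY STGADMIN.IGG.DEFDEL.UALIAS AUTHUSER
/*
```

Check the access list in the final RLIST output: depending on the SETROPTS ADDCREATOR setting, the userid that ran RDEFINE may also be on it with ALTER.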