System Options under z/OS |
Controls whether SAS performs file authorization checking for
z/OS data sets or defers authorization checking to z/OS system services such
as OPEN.
Default: |
NOFILEAUTHDEFER
|
Valid in: |
configuration file, SAS invocation, OPTIONS
statement, OPTIONS window
|
Category: |
File Control: EXTFILES, File Control SASFILES
|
PROC OPTIONS GROUP= |
EXTFILES and SASFILES
|
z/OS specifics: |
all
|
FILEAUTHDEFER | NOFILEAUTHDEFER
|
- FILEAUTHDEFER
-
specifies that SAS will not attempt to perform file authorization
checking for z/OS data sets before invoking z/OS system services such as OPEN.
FILEAUTHDEFER enables the site's authorization system to record failed access
attempts in its audit log.
- NOFILEAUTHDEFER
-
specifies that SAS will not attempt to open a z/OS data
set without first verifying that the user is authorized to access the file
in the manner requested. NOFILEAUTHDEFER prevents security system messages
(such as ICH408I) and S913 abends from being issued.
If the user ID under which the session or server is running
is not authorized to access a z/OS data set in the manner requested (either
read or update), SAS, by default, produces an explanatory message in the SAS
log. SAS does not attempt to open the data set if the user ID does not have
the proper authorization. However, the auditing requirements for some installations
cause unauthorized access attempts to be sent to the log for that site's authorization
facility. An attempt to open the data set must actually occur before a message
is sent to the log of the authorization facility. Specify FILEAUTHDEFER for
unauthorized access attempts to be logged with the authorization facility
at your site.
The FILEAUTHDEFER option controls the checking of file authorization
for external files and SAS libraries. However, it only applies to files or
libraries that reside in z/OS data sets. FILEAUTHDEFER does not apply to the
processing of UFS files.
FILEAUTHDEFER does not control the authorization checking for z/OS data
sets that a SAS server accesses on behalf of a client. Such third-party authorization
checking is performed regardless of the FILEAUTHDEFER setting, and access
failures are intercepted by SAS rather than resulting in abends or system
errors. Nonetheless, FILEAUTHDEFER governs attempts by a SAS server to access
a data set in a manner not authorized for the ID under which the server is
running. However, the unauthorized access is logged as having been attempted
by the server ID, not the client ID.
Copyright © 2009 by SAS Institute Inc., Cary, NC, USA. All rights reserved.