Previous Page | Next Page

System Options under z/OS

FILEAUTHDEFER System Option: z/OS



Controls whether SAS performs file authorization checking for z/OS data sets or defers authorization checking to z/OS system services such as OPEN.
Default: NOFILEAUTHDEFER
Valid in: configuration file, SAS invocation, OPTIONS statement, OPTIONS window
Category: File Control: EXTFILES, File Control SASFILES
PROC OPTIONS GROUP= EXTFILES and SASFILES
z/OS specifics: all

Syntax
Details

Syntax

FILEAUTHDEFER | NOFILEAUTHDEFER

FILEAUTHDEFER

specifies that SAS will not attempt to perform file authorization checking for z/OS data sets before invoking z/OS system services such as OPEN. FILEAUTHDEFER enables the site's authorization system to record failed access attempts in its audit log.

NOFILEAUTHDEFER

specifies that SAS will not attempt to open a z/OS data set without first verifying that the user is authorized to access the file in the manner requested. NOFILEAUTHDEFER prevents security system messages (such as ICH408I) and S913 abends from being issued.


Details

If the user ID under which the session or server is running is not authorized to access a z/OS data set in the manner requested (either read or update), SAS, by default, produces an explanatory message in the SAS log. SAS does not attempt to open the data set if the user ID does not have the proper authorization. However, the auditing requirements for some installations cause unauthorized access attempts to be sent to the log for that site's authorization facility. An attempt to open the data set must actually occur before a message is sent to the log of the authorization facility. Specify FILEAUTHDEFER for unauthorized access attempts to be logged with the authorization facility at your site.

The FILEAUTHDEFER option controls the checking of file authorization for external files and SAS libraries. However, it only applies to files or libraries that reside in z/OS data sets. FILEAUTHDEFER does not apply to the processing of UFS files.

FILEAUTHDEFER does not control the authorization checking for z/OS data sets that a SAS server accesses on behalf of a client. Such third-party authorization checking is performed regardless of the FILEAUTHDEFER setting, and access failures are intercepted by SAS rather than resulting in abends or system errors. Nonetheless, FILEAUTHDEFER governs attempts by a SAS server to access a data set in a manner not authorized for the ID under which the server is running. However, the unauthorized access is logged as having been attempted by the server ID, not the client ID.

Previous Page | Next Page | Top of Page