I have a development system that multiple developers are working on. The current configuration allows any request for a new dataset to be catalogued in the Master catalog. To protect the master catalog from writes apart from authorized system personnel, it appears that SAF is the suggested and best option. My security manager is RACF.
In looking through the IBM manuals there is a lot of academic information but no practical solution that describes all of the elements required to implement the solution.
One of the manuals I've been referencing is z/OS Security Server for RACF.
Here is the summary from this section:
RDEFINE GLOBAL DATASET
RALTER GLOBAL DATASET ADDMEM('CATALOG.MASTER'/READ)
ADDGROUP CATALOG # Defines the hlq of the dataset
ADDSD 'CATALOG.MASTER' UACC(READ)
This approach does not yield any positive results and the system continues to allow anyone to catalog new datasets in the Master catalog.
My plan was to lock and unlock the default access since this is a test system but perhaps I need to create a separate User for catalog administration.
I expect that there are a variety of required elements from DFSMS, RACF, and perhaps other areas that need to be configured to make this work. Unfortunately the IBM manuals, although quite detailed, yield little in the way of practical / complete examples.
A cheap way to do it is by using a prior-to-SAF method: set a password on the master catalog. Anyone creating a data set with a high-level qualifier not matching an alias entry will generate a WTOR asking for the password. It wouldn’t pass auditor muster, but in a development ADCD/ADLT environment I’ve found this very effective.
Below is from manual: z/OS Security Server RACF Security Administrator's Guide
Suggest getting with your RACF administrator and setting something like this up.
You can look up the z/OS-supplied resources in the RACF language reference manual. You can also see the ADDSD and ADDUSER commands in the same document.