I have a development system that multiple developers are working on. The current configuration allows any request for a new dataset to be catalogued in the Master catalog. To protect the master catalog from writes apart from authorized system personnel it appears that SAF is the suggested and best option. My security manager is RACF.
In looking through the IBM manuals there is a lot of academic information but no practical solution that describes all of the elements required to implement the solution.
One of the manuals I've been referencing is z/OS Security Server for RACF
Here is the summary from this section:
RDEFINE GLOBAL DATASET
RALTER GLOBAL DATASET ADDMEM('CATALOG.MASTER'/READ)
ADDGROUP CATALOG # Defines the hlq of the dataset
ADDSD 'CATALOG.MASTER' UACC(READ)
This approach does not yield any positive results and the system continues to allow anyone to catalog new datasets in the Master catalog.
My plan was to lock and unlock the default access since this is a test system but perhaps I need to create a separate User for catalog administration.
I expect that there are a variety of required elements from DFSMS, RACF, and perhaps other areas that need to be configured to make this work. Unfortunately the IBM manuals, although quite detailed, yield little in the way of practical / complete examples.