Author: steve-myers
Posted: Mon Sep 26, 2016 8:49 am (GMT 5.5)
RACF 101
A RACF "resource" is a named something. A data set, for example, can be a RACF resource.
Generically, there are two types of resources: data sets and "general" resources, which can be almost anything else. "General" resources can be a pain in the neck since documentation is scattered, especially for installation defined resources.
A "profile" defines access to a resource.
Now let's examine this access -
Code:
```
listdsd da('sys1.linklib') generic authuser
INFORMATION FOR DATASET SYS1.** (G)

LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    SYS1      READ              NO       NO

AUDITING
--------
FAILURES(ALTER)

NOTIFY
--------
NO USER TO BE NOTIFIED

YOUR ACCESS  CREATION GROUP  DATASET TYPE
-----------  --------------  ------------
READ         SYSPROG         NON-VSAM

NO INSTALLATION DATA

SECURITY LEVEL
------------------------------------------
NO SECURITY LEVEL

CATEGORIES
----------
NO CATEGORIES

SECLABEL
--------
NO SECLABEL

ID        ACCESS
--------  -------
SYSPROG   ALTER
SYSPROC   ALTER

ID        ACCESS   CLASS     ENTITY NAME
--------  -------  --------  ----------------------------------------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST
READY
```
You use the RACF LISTDSD command to list accesses to either a data set profile or a data set resource. The LISTDSD command in the example specifies a resource.
There are two types of data set profiles.
- Discrete - A "discrete" profile specifies access to a unique data set.
- Generic - A "generic" profile specifies access to a data set resource regardless of where it is located unless it is also protected by a discrete profile.
INFORMATION FOR DATASET SYS1.** (G)
SYS1.** is the actual profile, and (G) indicates it is a generic profile.
Code:
```
UNIVERSAL ACCESS
----------------
READ
```
"Universal access," also known as UACC, specifies the data set access authorized when the user's access cannot be determined by using the access list.
Code:
```
ID        ACCESS
--------  -------
SYSPROG   ALTER
SYSPROC   ALTER
```
This is the access list. The ID is a RACF group or an actual user id. "Access" is a code, but it does not mean what is commonly accepted by the term, especially for general resources.
- ALTER - The user can allocate and delete resources identified by the profile.
- CONTROL - This is used with VSAM; the user has "control interval" access to the resource.
- UPDATE - The user can update the contents of the resource.
- READ - The user can read the resource.
- NONE - The user cannot use the resource.
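Added example, not part of the original post: a Python sketch that parses LISTDSD output like the listing above and works out which access a given user ends up with, falling back to UACC when the access list has no entry for them. The function names are hypothetical, and the ordering used (the user's own entry first, then the highest entry among the user's groups) is a simplified model that ignores the conditional access list, the profile owner and user attributes, and knows only the five access codes listed above.

```python
import re

# Access codes as listed in the post, lowest to highest authority.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed sample: the LISTDSD output from the post, trimmed to the parts parsed here.
SAMPLE = """\
INFORMATION FOR DATASET SYS1.** (G)

LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    SYS1      READ              NO       NO

ID        ACCESS
--------  -------
SYSPROG   ALTER
SYSPROC   ALTER

ID        ACCESS   CLASS     ENTITY NAME
--------  -------  --------  -----------
NO ENTRIES IN CONDITIONAL ACCESS LIST
"""

def parse_listdsd(text):
    """Extract profile name, generic flag, UACC and the standard access list."""
    lines = text.splitlines()
    m = re.search(r"INFORMATION FOR DATASET (\S+)( \(G\))?", text)
    prof = {"profile": m.group(1), "generic": bool(m.group(2)), "acl": {}}
    for i, line in enumerate(lines):
        cols = line.split()
        if cols[:2] == ["LEVEL", "OWNER"]:
            # Data row is two lines below the header: LEVEL OWNER UACC WARNING ERASE
            prof["uacc"] = lines[i + 2].split()[2]
        elif cols == ["ID", "ACCESS"]:
            # Standard access list: rows follow the dashed rule.
            for row in lines[i + 2:]:
                parts = row.split()
                if len(parts) != 2 or parts[1] not in LEVELS:
                    break  # blank line or a "NO ENTRIES ..." message ends the list
                prof["acl"][parts[0]] = parts[1]
    return prof

def effective_access(prof, user, groups=()):
    """Simplified check: the user's own entry, else best group entry, else UACC."""
    acl = prof["acl"]
    if user in acl:
        return acl[user]
    held = [acl[g] for g in groups if g in acl]
    return max(held, key=LEVELS.index) if held else prof["uacc"]
```

Running `effective_access` for a user who appears nowhere in the access list shows what UACC grants by default, which for the SYS1.** profile above is READ.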