z/OS UNIX System Services Planning


Restricting access to z/OS UNIX file systems

GA32-0884-00

There are several ways to restrict user and group access to z/OS® UNIX file systems.
  • A z/OS UNIX administrator can control access to file systems at their mount points by using the setfacl command to create, modify, and delete ACLs for specific users and groups.
  • At a higher level, the security administrator can restrict access to the z/OS UNIX file system for all authorization checks that involve mount point traversal. The check is performed at every mount point crossover to determine whether the user or group has authority to access the file system. Only users and groups that have been permitted to the covering RACF® resource profile are eligible for access. Access to objects within the file system remains subject to the superuser, owner, permission bit, ACL, and UNIXPRIV rules. Users designated as RACF auditors are exempt from this restriction. This optional check uses the RACF FSACCESS class profile to validate the authority of users or groups who access the z/OS UNIX file system, as described in Using the FSACCESS class profile to restrict access.
Restrictions:
  • This additional access check using the FSACCESS class profile is supported only on zFS file systems.
  • For z/OS UNIX, zFS file systems that are mounted with the NOSECURITY option are not subject to this access control check.
  • The root file system is excluded from this access restriction.
  • A given zFS file system can be protected from the whole NFS network by not permitting the NFS Server's MVS™ user ID to the FSACCESS class profile for that specific zFS file system. Note that when the NFS Server is configured with Security(SAF) or Security(SAFEXP), the NFS Client remote MVS user ID might also need to be permitted to the FSACCESS class profile to avoid unexpected failures.
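The following REXX exec, run under TSO, is an added example of the FSACCESS setup described above; it is not taken from this IBM publication. The profile name OMVS.PAYROLL.ZFS, the group PAYADM and the NFS server user ID NFSSRV are placeholders. The profile is named after the zFS data set name used on the MOUNT, and UPDATE is the access level the mount-point check requires.

```rexx
/* REXX: protect one zFS file system with an FSACCESS profile.        */
/* Added example, not from the IBM publication. Placeholder names:    */
/*   OMVS.PAYROLL.ZFS - zFS data set name as given on the MOUNT       */
/*   PAYADM           - RACF group allowed to traverse the mount point*/
/*   NFSSRV           - the NFS server's MVS user ID                  */
address TSO

/* 1. Activate the class once. FSACCESS profiles are RACLISTed, and  */
/*    GENERIC lets one profile cover several data set names.         */
"SETROPTS CLASSACT(FSACCESS) RACLIST(FSACCESS) GENERIC(FSACCESS)"

/* 2. Define the profile. UACC(NONE) means nobody crosses the mount  */
/*    point unless explicitly permitted. Auditing failures gives SMF  */
/*    evidence when an unauthorized traversal is attempted.          */
"RDEFINE FSACCESS OMVS.PAYROLL.ZFS UACC(NONE) AUDIT(FAILURES(READ))"

/* 3. Grant the one group that needs the file system. Permission bits,*/
/*    ACLs and UNIXPRIV still apply to objects inside it afterwards.  */
"PERMIT OMVS.PAYROLL.ZFS CLASS(FSACCESS) ID(PAYADM) ACCESS(UPDATE)"

/* 4. NFSSRV is deliberately NOT permitted, which keeps the file      */
/*    system off the NFS network. With Security(SAF) or               */
/*    Security(SAFEXP) the remote client MVS user IDs would need the  */
/*    same permit, or their requests fail unexpectedly.              */
/* "PERMIT OMVS.PAYROLL.ZFS CLASS(FSACCESS) ID(NFSSRV) ACCESS(UPDATE)" */

/* 5. Make the new profile and its access list take effect.           */
"SETROPTS RACLIST(FSACCESS) REFRESH"

/* 6. Verify: show UACC, the access list and the audit setting.       */
"RLIST FSACCESS OMVS.PAYROLL.ZFS AUTHUSER"
```

Two caveats from the restrictions above are worth checking against the output: the profile has no effect on the root file system, and it has no effect on a zFS that was mounted with NOSECURITY, so confirm the mount options of OMVS.PAYROLL.ZFS before relying on the check.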





Copyright IBM Corporation 1990, 2014