z/OS UNIX System Services Planning


Steps for setting up field-level access

GA32-0884-00

Before you begin: You need to know which users need to have field-level access.

Perform the following steps to set up field-level access for the OMVS segment of a user profile.

  1. Define a profile for each of the OMVS fields with a RACF® RDEFINE command. For example:
    RDEFINE FIELD USER.OMVS.UID       UACC(NONE)
    RDEFINE FIELD USER.OMVS.HOME      UACC(NONE)
    RDEFINE FIELD USER.OMVS.PROGRAM   UACC(NONE)
    RDEFINE FIELD USER.OMVS.CPUTIME   UACC(NONE)
    RDEFINE FIELD USER.OMVS.ASSIZE    UACC(NONE)
    RDEFINE FIELD USER.OMVS.FILEPROC  UACC(NONE)
    RDEFINE FIELD USER.OMVS.PROCUSER  UACC(NONE)
    RDEFINE FIELD USER.OMVS.THREADS   UACC(NONE)
    RDEFINE FIELD USER.OMVS.MMAPAREA  UACC(NONE)
    RDEFINE FIELD USER.OMVS.MEMLIMIT  UACC(NONE)
    RDEFINE FIELD USER.OMVS.SHMEMMAX  UACC(NONE)

    _______________________________________________________________

  2. Permit users to access the fields with RACF PERMIT commands.
    Example: The following example shows commands for the three fields.
    • &RACUID allows all users to look at their own fields.
    • READ access allows users to read the UID field.
    • UPDATE access allows users to change their home directory in the HOME field or the program invoked for a TSO/E OMVS command in the PROGRAM field.
    Give only selected users UPDATE access to the UID field and the user limits fields. A user with UPDATE access to the UID field can become a superuser by changing the UID to 0.
    PERMIT USER.OMVS.UID     CLASS(FIELD) ID(&RACUID) ACCESS(READ)
    PERMIT USER.OMVS.HOME    CLASS(FIELD) ID(&RACUID) ACCESS(UPDATE)
    PERMIT USER.OMVS.PROGRAM CLASS(FIELD) ID(&RACUID) ACCESS(UPDATE)

    _______________________________________________________________

  3. Activate the FIELD class with the RACF SETROPTS command. For example:
    SETROPTS CLASSACT(FIELD) RACLIST(FIELD)

    _______________________________________________________________

When you are done, you have set up field-level access.

For the other parameters on the RDEFINE, PERMIT, and SETROPTS commands, see z/OS Security Server RACF Command Language Reference.
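
An added example, not part of the IBM documentation: a Python review pass over a planned command set for the three steps above. It flags profiles not defined with UACC(NONE), UPDATE or higher on the UID and user limits fields granted to &RACUID or *, and a command set that never activates the FIELD class. The names `operand`, `review` and `SAMPLE` are hypothetical, and the sample commands are constructed.

```python
import re

# Fields the page says only selected users may update: UID and the user limits.
SENSITIVE = {"UID", "CPUTIME", "ASSIZE", "FILEPROC", "PROCUSER",
             "THREADS", "MMAPAREA", "MEMLIMIT", "SHMEMMAX"}
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # ascending authority
BROAD_IDS = {"&RACUID", "*"}  # each user on their own profile / every user

def operand(cmd, name):
    """Return the upper-cased value inside NAME(...), or None if absent."""
    m = re.search(rf"\b{name}\(([^)]*)\)", cmd, re.I)
    return m.group(1).strip().upper() if m else None

def review(commands):
    """Return a list of findings for RDEFINE / PERMIT / SETROPTS command strings."""
    findings, activated = [], False
    for cmd in commands:
        verb = (cmd.split() or [""])[0].upper()
        if verb == "SETROPTS":
            classes = re.split(r"[ ,]+", operand(cmd, "CLASSACT") or "")
            activated = activated or "FIELD" in classes
            continue
        m = re.search(r"\bUSER\.OMVS\.(\w+)", cmd, re.I)
        if not m:
            continue
        field = m.group(1).upper()
        if verb == "RDEFINE" and operand(cmd, "UACC") != "NONE":
            findings.append(f"{field}: profile not defined with UACC(NONE)")
        elif verb == "PERMIT" and field in SENSITIVE:
            # PERMIT defaults to READ when ACCESS is omitted.
            access = operand(cmd, "ACCESS") or "READ"
            if access not in LEVELS:
                findings.append(f"{field}: unrecognized ACCESS({access})")
            elif LEVELS.index(access) >= LEVELS.index("UPDATE"):
                ids = set(re.split(r"[ ,]+", operand(cmd, "ID") or ""))
                for who in sorted(ids & BROAD_IDS):
                    findings.append(f"{field}: {access} granted to {who}")
    if not activated:
        findings.append("FIELD class is not activated by this command set")
    return findings

# Constructed input: commands in the page's form plus two deliberate mistakes.
SAMPLE = [
    "RDEFINE FIELD USER.OMVS.UID      UACC(NONE)",
    "RDEFINE FIELD USER.OMVS.ASSIZE   UACC(NONE",  # unbalanced parenthesis
    "PERMIT USER.OMVS.UID  CLASS(FIELD) ID(&RACUID) ACCESS(READ)",
    "PERMIT USER.OMVS.HOME CLASS(FIELD) ID(&RACUID) ACCESS(UPDATE)",
    "PERMIT USER.OMVS.UID  CLASS(FIELD) ID(&RACUID) ACCESS(UPDATE)",  # too broad
    "SETROPTS CLASSACT(FIELD) RACLIST(FIELD)",
]
```

Calling `review(SAMPLE)` returns one finding for the malformed ASSIZE definition and one for the UPDATE grant on UID to &RACUID; the HOME grant passes because the page allows users to update their own home directory.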





Copyright IBM Corporation 1990, 2014