A group is a number of users defined together because of their
common needs. For example, a group might be all the secretaries in
a particular department. A group shares common access requirements
to resources or has similar attributes within the system.
When you log on, RACF® connects
you to your default group. If you wish to log on to a group other
than your default group, you can specify the group name when you log
on. The group that you specify becomes your current connect group.
When you are connected to a group, RACF allows
you the privileges of the group.
You can receive this information about the groups to which you belong by using the following command:

LISTUSER your-userid

The information in the second part of the screen shown in Figure 1 describes the RACF group or groups to which you belong and what you can do as a member of that group.
This section is repeated once for each RACF group of which you are a member. RACF uses the following terms to describe the group to which you belong and your authorities as a member of the group.
- GROUP
- The name of a group of which you are a member.
- AUTH
- The group authorities you have because you are a member of this
group.
- USE
- Allows you to enter the system under the control of the specified
group. You can use any of the data sets the group can use.
- CREATE
- Allows you to RACF-protect group data sets and control who can
access them. It includes the privileges of the USE authority.
- CONNECT
- Allows you to connect RACF-defined users to the specified group
and assign these users the USE, CREATE, or CONNECT authority. It includes
the privileges of the CREATE authority.
- JOIN
- Allows you to define new users or groups to RACF and to assign group authorities. To define
new users, you must also have the user attribute, CLAUTH(USER). JOIN
authority includes all the privileges of the CONNECT authority.
- CONNECT-OWNER
- The owner of this group.
- CONNECT-DATE
- The date you were first connected to this group.
- CONNECTS
- The number of times you have been connected to this group.
- UACC
- The universal access authority for resources you create while connected to this group. If a user is not specifically listed in the access list describing a resource owned by the connect group, RACF looks at UACC and allows the user to use the resource in the manner specified in the UACC.
The UACC can have one of the following values:
- NONE
- Does not allow users to access the data set.
Attention: Anyone
who has READ, UPDATE, CONTROL, or ALTER authority to a protected data
set can create a copy of it. As owner of the copied data set, that
user has control of the security characteristics of the copied data
set, and can downgrade it. For this reason, you might want to initially
assign a UACC of NONE, and then selectively permit a small number
of users to access your data set, as their needs become known. (See Permitting an individual or a group to use a data set for information on how to permit
selected users or groups to access a data set.)
- READ
- Allows users to access the data set for reading only. (Note that
users who can read the data set can copy or print it.)
- UPDATE
- Allows users to read from, copy from, or write to the data set.
UPDATE does not, however, authorize a user to delete, rename, move,
or scratch the data set.
- CONTROL
- For VSAM data sets, CONTROL is equivalent to the VSAM CONTROL
password; that is, it allows users to perform control-interval access
(access to individual VSAM data blocks), and to retrieve, update,
insert, or delete records in the specified data set.
For non-VSAM
data sets, CONTROL is equivalent to UPDATE.
- ALTER
- ALTER allows users to read, update, delete, rename, move, or scratch
the data set.
When specified in a discrete profile, ALTER allows
users to read, alter, and delete the profile itself including the
access list. However, ALTER does not allow users to change the
owner of the profile.
When specified in a generic profile,
ALTER gives users no authority over the profile itself, but
allows users to create new data sets that are covered by that profile.
- EXECUTE
- For a private load library, EXECUTE allows users to load and execute,
but not read or copy, programs (load modules) in the library.
Note: In order to specify EXECUTE for a private load library, you must ask for assistance from your RACF security administrator.
- LAST-CONNECT
- The last time you logged on or submitted a batch job with either
the group as your default group or with the group explicitly specified.
If you were never previously connected to the group, UNKNOWN is
displayed.
- CONNECT-ATTRIBUTES
- The operating privileges and restrictions assigned to you when you are connected to this group. Connect attributes are also called group-level attributes. The connect (group-level) attributes are:
- NONE
- Allows no special operating privileges or restrictions. Users with the NONE attribute can still use RACF. In fact, most other attributes allow extraordinary privileges, and generally only a few users or groups have these attributes.
- SPECIAL
- Gives you full authorization to all profiles in the RACF database and lets you perform all RACF functions except those requiring the AUDITOR attribute.
- AUDITOR
- Lets you audit the use of system resources, control the logging of detected accesses to resources, and create security reports.
- OPERATIONS
- Gives you full authorization to all RACF-protected data sets and to general resources that meet certain conditions (described in z/OS Security Server RACF Security Administrator's Guide). OPERATIONS lets you perform any maintenance operations, such as copying and reorganizing a RACF-protected resource.
- GRPACC
- Makes the group data sets that you allocate automatically accessible to other users in the specified group.
- CLAUTH
- Lets you define profiles for any class specified in the class name.
- ADSP
- The automatic data set protection attribute. If you have the ADSP attribute, RACF creates a discrete profile for every permanent DASD or tape data set you create. If your installation is using automatic direction of application updates and you have the ADSP attribute, you might be notified of the results and output from these application updates. See Automatic direction of application updates for more information.
- REVOKE
- Prohibits a user from entering the system. (You should never be able to see this attribute when you list your own profile.)
- REVOKE DATE
- The date on which RACF prevents you from using the system when you try to connect to the group.
- RESUME DATE
- The date on which RACF allows you to use the system again when you are connected to the group.
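The following Python, added here as an illustration and not part of the RACF documentation, parses the group section of a LISTUSER listing into the fields described above and reports the two things this text singles out for attention: a UACC other than NONE, and a SPECIAL, OPERATIONS or AUDITOR connect attribute. The sample listing is constructed, and its column layout is an assumption that only approximates a real LISTUSER display.

```python
import re
# Constructed sample LISTUSER output (not captured from a real system); field
# names follow the documentation, the column layout is an assumption.
SAMPLE_LISTUSER = """\
USER=JSMITH  NAME=J. SMITH  OWNER=SECADM  CREATED=20.045
 ATTRIBUTES=NONE
  GROUP=DEPTA     AUTH=USE      CONNECT-OWNER=SECADM    CONNECT-DATE=20.045
    CONNECTS=  124  UACC=NONE     LAST-CONNECT=24.110/08:15:02
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE   RESUME DATE=NONE
  GROUP=PAYROLL   AUTH=CONNECT  CONNECT-OWNER=PAYADM    CONNECT-DATE=22.200
    CONNECTS=   07  UACC=UPDATE   LAST-CONNECT=24.098/17:40:11
    CONNECT ATTRIBUTES=OPERATIONS
    REVOKE DATE=NONE   RESUME DATE=NONE
"""
AUTH_ORDER = ["USE", "CREATE", "CONNECT", "JOIN"]  # each includes the one before it
PRIVILEGED_ATTRS = {"SPECIAL", "OPERATIONS", "AUDITOR"}  # "extraordinary privileges"
# KEY=VALUE pairs; a key may contain hyphens or one space (e.g. REVOKE DATE).
PAIR_RE = re.compile(r"([A-Z][A-Z-]*(?: [A-Z-]+)?)=\s*(\S*)")

def parse_group_connections(listing):
    """Return one dict per GROUP= block in the group section of a LISTUSER listing."""
    groups = []
    for line in listing.splitlines():
        stripped = line.strip()
        if stripped.startswith("GROUP="):
            groups.append({})
        if not groups:
            continue  # still in the user-level header, before the first group
        if stripped.startswith("CONNECT ATTRIBUTES="):
            groups[-1]["CONNECT ATTRIBUTES"] = stripped.split("=", 1)[1].split()
            continue
        for key, value in PAIR_RE.findall(stripped):
            groups[-1][key] = value
    return groups

def auth_includes(held, needed):
    """True when group authority `held` includes the privileges of `needed`."""
    return AUTH_ORDER.index(held) >= AUTH_ORDER.index(needed)

def review_connections(groups):
    """Findings for a UACC above NONE and for privileged connect attributes."""
    findings = []
    for g in groups:
        name, uacc = g.get("GROUP", "?"), g.get("UACC", "NONE")
        if uacc != "NONE":
            findings.append(f"{name}: UACC={uacc} applies to every user not on the access list")
        for attr in sorted(set(g.get("CONNECT ATTRIBUTES", [])) & PRIVILEGED_ATTRS):
            findings.append(f"{name}: privileged connect attribute {attr}")
    return findings
```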