z/OS Security Server RACF Security Administrator's Guide


Generic profile checking of general resources

SA23-2289-00

The rules for access-authorization checking of generic profiles for general resources are similar to those for the DATASET class.
  • Generic profiles are not checked unless generic profile checking is in effect for the class. To do this, issue the following command.
    SETROPTS GENERIC(classname)

    Guideline: After you activate generic profile checking for a class and define generic profiles in it, avoid deactivating generics with the NOGENERIC operand. RACF® does not use your previously defined generic profiles for authorization checking while NOGENERIC is in effect.

  • If the class is not active, RACF does not check for profiles. RACF returns the default return code of the class to the resource manager. For a complete description, see Authorization checking for RACF-protected resources.
  • If more than one profile covers a particular resource, RACF searches for profiles in the following order:
    • Discrete profile
    • Matching generic profiles (see Table 1)
Table 1. Sample general resource profile names in order from most specific to least specific

Resources being accessed: (1) COPY, (2) COPY.PAPER, (3) COPY.PAPER.TEST, (4) COPY.WEB.FINAL. An X marks each resource the profile covers.

Profile name        Profile type   (1)  (2)  (3)  (4)
COPY.A              Discrete       -    -    -    -
COPY.WEB.FINAL      Discrete       -    -    -    X
COPY.WEB.*          Generic        -    -    -    X
COPY.PAPER          Discrete       -    X    -    -
COPY.PAPER.TEST     Discrete       -    -    X    -
COPY.PAPER.%        Generic        -    -    -    -
COPY.PAPER.*        Generic        -    -    X    -
COPY.PAPER.**       Generic        -    X    X    -
COPY.PAPER%         Generic        -    -    -    -
COPY.PAPER*         Generic        -    X    X    -
COPY.PAPE%          Generic        -    X    -    -
COPY.PAP*           Generic        -    X    X    -
COPY.PRINT.*        Generic        -    -    -    -
COPY.&X             Generic        -    X    -    -
COPY.&Y             Generic        -    -    -    X
COPY.%APER          Generic        -    X    -    -
COPY.*.FINAL        Generic        -    -    -    X
COPY.*.FINAL*       Generic        -    -    -    X
COPY.**.FINAL       Generic        -    -    -    X
COPY.**.PAPER       Generic        -    X    -    -
COPY.*              Generic        -    X    X    X
COPY.**             Generic        X    X    X    X
COPY*.**            Generic        X    X    X    X
*.*                 Generic        -    X    X    X
*.**                Generic        X    X    X    X
*                   Generic        X    X    X    X
**                  Generic        X    X    X    X

Where: &X = PAPER and &Y = WEB.FINAL are defined in RACFVARS profiles.

To determine which profiles have the potential to protect any particular resource, use the FILTER or MASK operands on the SEARCH command to generate a list of profiles that might match the resource. For example, you might specify the user's user ID on the FILTER operand to limit the list of profiles displayed:
SEARCH CLASS(JESSPOOL) FILTER(**.userid.**)
In general, the SEARCH command lists profiles in the order in which RACF searches for a matching profile. To review the list:
  1. Find all profiles that match the resource name.
  2. If no profile names match, check for profile names that include an ampersand (&) (RACF variables). You must list the RACFVARS profile to determine the value of a RACF variable:
    RLIST RACFVARS variable-name
    Also, the SEARCH command does not list grouping profiles (such as GTERMINL) that protect the resource. To find them, use the RESGROUP operand on the RLIST command:
    RLIST member-class resource-name RESGROUP
    See Which profiles protect a particular resource?

    If these methods do not find a profile, the resource is not protected.

  3. If only one profile matches, it protects the resource.
  4. Otherwise, find two profiles that both match the resource name. Then, compare them character by character. Where they first differ, if one has a discrete character and the other has a generic character, the one with the discrete character wins. If both have a generic character where they differ and:
    • If one has an & and the other has a %, *, or **, the & wins.
    • If one has a % and the other has an * or **, the one with % wins.
    • If one has an * and the other has a **, the one with * wins.
Notes:
  • There are exceptions to these guidelines. For example, the guidelines suggest that COPY.* is more specific than COPY.**.PAPER, because the * wins over the **. But, the opposite is true (see Table 1). The SEARCH command shows these resource names in the correct order.
  • The following guideline is generally true:

    Given two generic profiles that match a resource, the one whose first generic character is farther from the beginning of the name is used.

If two profile names match except for one character position, RACF examines them in the following order:
blank
.
$ (X'5B')
# (X'7B')
@ (X'7C')
A—Z
0—9
& (X'50')
%
*
For example, the following profile names all match in the first three character positions (A.B), and are shown in the order RACF examines them:
A.B
A.B.B
A.BA
A.BZ
A.B0
A.B9
A.B&X
A.B%
A.B*

When in doubt about the search order, create sample profiles and check the order of profile names shown by the SEARCH command.





Copyright IBM Corporation 1990, 2014