z/OS Security Server RACF Security Administrator's Guide


Protecting existing data

SA23-2289-00

To protect data that already exists on your system before RACF® is installed, you must create RACF profiles. You can use either discrete or generic profiles. However, using generic profiles can reduce the administrative effort of this task, because one generic profile can protect many resources. For example,
  • You can protect existing data sets by using the ADDSD command. You should consider creating at least one profile for each high-level qualifier (user ID or group name) on your system. You can specify profile names with the format:
    'high-level-qualifier.*'
    If enhanced generic naming is in effect, use:
    'high-level-qualifier.**'

    You must determine the appropriate UACC, access lists, and other information (such as security classification, if used) for each profile.

    For resources that have unique security requirements, you must create discrete profiles.

  • You can also protect existing general resources (such as tape volumes or terminals) by using the RDEFINE command. If several resources in the same class have the same access requirements, you can use one profile to protect them. Not only does this save space, but it also saves administrative time.

    If the names of the resources contain some identical characters, you can usually create generic profiles whose names contain the *, **, or % character to protect the resources.

    For certain classes, such as terminals, DASD volumes, and others, you can create resource grouping profiles to protect resources whose names do not lend themselves to the use of the *, **, or % character.

    For any general resource class, you can define a "RACF variable" that can be used in the profile names in general resource classes. For more information about how to select the type of profile to protect a resource, see Choosing among generic profiles, resource group profiles, and RACFVARS profiles.

You must determine the appropriate UACC, access lists, and other information (such as security classification, if used) for each profile.

For resources that have unique security requirements, you must create discrete profiles.
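The profile types described above, shown as a sequence of RACF TSO commands. This is an added example, not taken from the IBM guide: the names PAYROLL, PAYGRP, AUDITOR, PAYTERMS and the terminal IDs are constructed, and the UACC and access levels are illustrative only. It assumes that enhanced generic naming is in effect, that generic profile checking is active for DATASET and TERMINAL, and that the TERMINAL class is active and RACLISTed.

```tso
/* Added example: all names and access levels below are constructed.  */

/* One generic profile for the high-level qualifier PAYROLL.          */
/* With enhanced generic naming off, the name would be 'PAYROLL.*'.   */
ADDSD 'PAYROLL.**' UACC(NONE) OWNER(PAYROLL)
PERMIT 'PAYROLL.**' ID(PAYGRP) ACCESS(UPDATE)
PERMIT 'PAYROLL.**' ID(AUDITOR) ACCESS(READ)

/* Discrete profile for one data set with unique requirements.        */
/* It is more specific than 'PAYROLL.**', so it is the profile used   */
/* for this data set, and PAYGRP gets READ here rather than UPDATE.   */
ADDSD 'PAYROLL.MASTER.FILE' UACC(NONE) OWNER(PAYROLL)
PERMIT 'PAYROLL.MASTER.FILE' ID(PAYGRP) ACCESS(READ)

/* Generic general resource profile: terminals sharing a name prefix. */
RDEFINE TERMINAL PAY* UACC(NONE)
PERMIT PAY* CLASS(TERMINAL) ID(PAYGRP) ACCESS(READ)

/* Resource grouping profile: terminals whose names have nothing in   */
/* common, so *, ** or % cannot cover them with one profile.          */
RDEFINE GTERMINL PAYTERMS ADDMEM(L02T0017 X9A40003) UACC(NONE)
PERMIT PAYTERMS CLASS(GTERMINL) ID(PAYGRP) ACCESS(READ)

/* Bring the in-storage copies of the changed profiles up to date.    */
SETROPTS GENERIC(DATASET) REFRESH
SETROPTS RACLIST(TERMINAL) REFRESH

/* Review the resulting profiles and their access lists.              */
LISTDSD DATASET('PAYROLL.**') AUTHUSER
LISTDSD DATASET('PAYROLL.MASTER.FILE') AUTHUSER
RLIST TERMINAL PAY* AUTHUSER
RLIST GTERMINL PAYTERMS AUTHUSER
```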





Copyright IBM Corporation 1990, 2014