z/OS Security Server RACF Callable Services


RACF authorization

SA23-2293-00

  1. A process is the owner of the file if the process's effective OS/390® UNIX user identifier (UID) is equal to the file's owner UID.
  2. If the caller is neither a superuser nor the owner, and the audit function code is listed in Table 1, an authorization check is performed on the corresponding resource name in the UNIXPRIV class. If the authorization check is successful, the caller is treated as a superuser.
    Table 1. UNIXPRIV class resource names used in ck_owner_two_files

    | Audit function code | Resource name | Access required |
    |---|---|---|
    | RENAME, RMDIR, UNLINK | SUPERUSER.FILESYS | CONTROL |
  3. If the SECLABEL class is active and the file or directory has a security label, then either the current security label of the process must be greater than or equal to the security label of the resource, or the security label of the resource must be greater than or equal to the process's current security label; that is, the security labels must not be disjoint. If MLFSOBJ is active, the check fails if the resource does not have a security label. Security label checking is bypassed if the ACEE indicates trusted or privileged authority or if the service is passed a system CRED.
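
The three rules above can be modelled as separate predicates. The following Python sketch is an added example, not IBM code and not the ck_owner_two_files interface: the `Caller` and `SecLabel` types, the function names and the sample values are hypothetical. It assumes that a security label is a level plus a set of categories, that UID 0 is the superuser, and that a process without a label fails the comparison.

```python
from dataclasses import dataclass

# RACF access levels in increasing order of authority.
ACCESS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
# Table 1: audit function code -> (UNIXPRIV resource name, access required).
UNIXPRIV_TABLE = {code: ("SUPERUSER.FILESYS", "CONTROL")
                  for code in ("RENAME", "RMDIR", "UNLINK")}

@dataclass(frozen=True)
class SecLabel:                      # hypothetical model of a security label
    level: int                       # hierarchical security level
    categories: frozenset = frozenset()

    def dominates(self, other):
        # "Greater than or equal": level at least as high, categories a superset.
        return self.level >= other.level and self.categories >= other.categories

@dataclass
class Caller:                        # hypothetical stand-in for the ACEE/CRED inputs
    euid: int
    unixpriv: dict                   # UNIXPRIV resource name -> access level held
    seclabel: SecLabel = None
    trusted_or_privileged: bool = False
    system_cred: bool = False

def is_owner(caller, file_owner_uid):                          # rule 1
    return caller.euid == file_owner_uid

def treated_as_superuser(caller, file_owner_uid, audit_code):  # rule 2
    if caller.euid == 0:             # already a superuser
        return True
    if is_owner(caller, file_owner_uid) or audit_code not in UNIXPRIV_TABLE:
        return False                 # no UNIXPRIV check is performed
    resource, needed = UNIXPRIV_TABLE[audit_code]
    held = caller.unixpriv.get(resource, "NONE")
    return ACCESS.index(held) >= ACCESS.index(needed)

def seclabel_ok(caller, file_label, seclabel_active, mlfsobj_active):  # rule 3
    if caller.trusted_or_privileged or caller.system_cred:
        return True                  # security label checking is bypassed
    if file_label is None:
        return not mlfsobj_active    # unlabeled resource fails only under MLFSOBJ
    if not seclabel_active:
        return True
    if caller.seclabel is None:
        return False                 # assumption: an unlabeled process cannot pass
    # Pass unless the labels are disjoint (neither dominates the other).
    return (caller.seclabel.dominates(file_label)
            or file_label.dominates(caller.seclabel))
```

Because the comparison accepts dominance in either direction, a process label below the file's label passes as well; only labels where neither dominates the other are rejected.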





Copyright IBM Corporation 1990, 2014