z/OS DFSMS Access Method Services Commands


Required RACF Authorization Tables

SC23-6846-01

Table 1. Required Security Authorization for Catalogs

| Function Performed | Required RACF® for User Catalog | Required RACF for Master Catalog | Comments |
|---|---|---|---|
| Alter UCAT | Alter | Alter | Either UCAT or MCAT authorization is sufficient, see note 1. |
| Define Alias of UCAT | None | Update | MCAT update authority is not checked if the user has authority for the FACILITY class STGADMIN.IGG.DEFDEL.UALIAS. READ access to STGADMIN.IGG.DEFDEL.ALIAS is all that is required to perform this operation. |
| Define UCAT/MCAT | Alter | Update | |
| Delete Alias of UCAT | Alter | Alter | UCAT/MCAT update authority is not checked if the user has authority for the FACILITY class STGADMIN.IGG.DEFDEL.UALIAS. Either UCAT or MCAT authorization is sufficient, see note 1. READ access to STGADMIN.IGG.DEFDEL.ALIAS is all that is required to perform this operation. |
| Delete UCAT | Alter | None | |
| Export Disconnect of UCAT | Alter | None | |
| Import Connect Alias of UCAT | Alter | Update | |
| Import Connect of UCAT | Alter | Update | |
| PRINT | Alter | Alter | |

Notes:
  1. Alter is an "OR" function. Either alter to the user catalog or alter to the master catalog is required, but not both.
Note: If not indicated in the comments, the same authorization applies to both non-SMS and SMS.

Table 2. Required Security Authorization for VSAM Data Sets

| Function Performed | Required RACF for Data Set | Required RACF for Catalog | Comments |
|---|---|---|---|
| Alter Cluster | Alter | None | The same authorization applies to both non-SMS and SMS. See note 1. |
| Alter Cluster Component | Alter | None | The same authorization applies to both non-SMS and SMS. See notes 1 and 2. |
| Alter Cluster Newname | Alter | None | Alter is required to the new name. See note 1. |
| Alter Component Newname | Alter | None | Alter is required to the current cluster name but no authority is required to the new name. See notes 1 and 2. |
| Alter Pagespace | Alter | None | The same authorization applies to both non-SMS and SMS. See notes 1 and 2. |
| Define alternate index | Alter | Update | See notes 2 and 3. |
| Define Cluster | Alter | Update | See note 3. |
| Define Cluster Model | Alter | Update | See note 3. |
| Define Pagespace | Alter | Update | See notes 2 and 3. |
| Define Path | Alter | Update | See notes 2 and 3. |
| Define Recatalog VSAM | Alter | Update | See notes 2, 3, 5 and 6. |
| Delete alternate index | Alter | Alter | See notes 2 and 4. |
| Delete Cluster | Alter | Alter | See note 4. |
| Delete Cluster Noscratch | Alter | Alter | See note 4. |
| Delete NVR/VVR | None | Alter | |
| Delete Pagespace | Alter | Alter | See notes 2 and 4. |
| Delete Path | Alter | Alter | See notes 2 and 4. |
| Diagnose Catalog | Alter | None | The data set is the user catalog. |
| Diagnose VVDS | | Alter | |
| Examine Catalog | Alter | None | The data set is the user catalog. |
| Examine Data Set | Control | None | |
| Export Cluster | Alter | Alter | Alter authority to either the data set or the catalog is sufficient. |
| Export UCAT | Alter | None | The data set is the user catalog. |
| Import Into Empty | Read | Alter | The data set is the user catalog. |
| Verify | Alter | Not applicable | The subject data set is opened for output processing. |

Notes:
  1. Alter is an "OR" function. Either alter to the data set or alter to the catalog is required, but not both.
  2. Authorization is always to the cluster name for VSAM components cataloged with the integrated catalog facility. Integrated catalog facility does not check for individual component names such as data, index, path, or alternate index.
  3. No authority is required to the catalog for the define of SMS-managed data sets unless the catalog is the master catalog. Update authority is required if the catalog is a master catalog.
  4. Delete is an “OR” function for both non-SMS- and SMS-managed data sets. Either alter authority to the data set or alter authority to the catalog is required to delete the data set, but not both.
  5. If the catalog is a master catalog and the dataset is a SYS1 dataset that was previously in a different catalog, ALTER access is required to the master catalog that the entry is being added to.
  6. If the facility class, STGADMIN.IGG.DEFINE.RECAT, is defined and the user has at least READ authority to the facility class, the RACF authority for data sets for this function is not required.
Notes:
  • SMS-managed VSAM data sets associated with a DATACLAS with a non-zero DYNVOL parameter require ALTER access granted to users in order to extend the data set to another volume.
  • If no profile exists for a data set, then the user is considered authorized. The catalog profile is not checked, even if it exists.

Table 3. Required Security Authorization for Non-VSAM Data Sets

| Function Performed | Required RACF for Data Set | Required RACF for Catalog | Comments |
|---|---|---|---|
| Alter Non-VSAM | Alter | None | The same authorization applies to both non-SMS and SMS. See note 1. |
| Define Alias of a Non-VSAM | None | Update | |
| Define Alias of a SMS Non-VSAM | None | None | |
| Define GDG | Alter | Update | Although a GDG is not SMS, these authorities still apply if the catalog is SMS. See notes 5 and 8. |
| Define GDS | Alter | Update | See notes 2 and 5. |
| Define GDS SMS | Alter | None | See notes 2 and 5. |
| Define Non-VSAM Non-SMS | Alter | Update | See notes 3 and 5. |
| Define Non-VSAM Recatalog Non-SMS | Alter | Update | See note 7. |
| Define Non-VSAM SMS | Alter | None | Master catalog requires update authority. See note 5. |
| Define Non-VSAM Recatalog SMS | Alter | Update | See note 7. |
| Delete Alias of a Non-VSAM | Alter | Alter | See note 4. |
| Delete GDG | Alter | Alter | Alter authorization either to the data set or to the catalog is sufficient. |
| Delete Non-VSAM Scratch non-SMS | Alter | None | |
| Delete Non-VSAM Noscratch Non-SMS | Alter | None | Alter authorization either to the data set or to the catalog is sufficient. |
| Delete Non-VSAM SMS | Alter | Alter | See notes 4 and 5. |

Notes:
  1. Alter is an "OR" function. Either alter to the data set or alter to the catalog is required, but not both.
  2. To define a GDS, you must either have update authority to the GDG, or alter to the catalog.
  3. If this is a data set that resides on tape, SETROPTS TAPEDSN must be entered for RACF. If NOTAPEDSN (the default) is in effect, then update authority to the catalog is required to define or delete the data set.
  4. Delete is an “OR” function for both non-SMS- and SMS-managed data sets. Either alter authority to the data set or alter authority to the catalog is required to delete the data set, but not both.
  5. If the data set is cataloged in the master catalog you must have Update authority to the master catalog and Alter authority to the data set.
  6. If the data set does not have a RACF profile we will require UPDATE authority to its catalog.
  7. If the facility class, STGADMIN.IGG.DEFINE.RECAT, is defined and the user has at least READ authority to the facility class, the current RACF authority for data sets for this function is not required.
  8. A generic, not a discrete, data set profile is needed to protect a GDG, since a GDG is not a data set per se.

Table 4. Required Security Authorization for LISTCAT

| Function Performed | Required RACF for Data Set | Required RACF for Catalog | Comments |
|---|---|---|---|
| LISTCAT ALL | Read | None | Allows listing entries you have data set authority to. Passwords are not displayed. |
| LISTCAT ALL | None | Read | Allows listing all entries. Passwords are not displayed. |
| LISTCAT ALL | None | Alter | Allows listing all entries. Passwords are displayed. |
| LISTCAT Entry | Read | Read | Read is an "OR" function. Either read access to the data set or read access to the catalog is required, but not both. |

Table 5. Required Security Authorization for Data Set Operations

| Function Performed | Required RACF for Input Data Set | Required RACF for Output Data Set | Comments |
|---|---|---|---|
| BLDINDEX | n/a | Update | Authority is to the base cluster. |
| DCOLLECT | n/a | Update | |
| Export Data Set | Alter | Update | |
| REPRO | Read | Update | |

Table 6. Required Security Authorization for VOLCAT Operations

| Function Performed | Required RACF for LIB/VOL | Required RACF for VOLCAT Operations | Comments |
|---|---|---|---|
| Alter LIBENT | none | Alter | |
| Alter VOLENT | none | Alter | |
| Create LIBENT | none | Update | |
| Create VOLENT | none | Update | |
| Delete LIBENT | none | Alter | |
| Delete VOLENT | none | Alter | |
| Listc LIBENT | none | none | |
| Listc VOLENT | none | none | |

Table 7. RACF FACILITY Class Authorization for IDCAMS Commands

| IDCAMS Command | Required RACF FACILITY Class Authorization | Function Authorized |
|---|---|---|
| ALTER | STGADMIN.IGG.DIRCAT | Define a data set into a particular catalog that is not the one chosen according to a regular search for SMS-managed data sets. |
| ALTER LIBRARYENTRY | STGADMIN.IGG.LIBRARY | Alter a tape library entry. |
| ALTER VOLUMEENTRY | STGADMIN.IGG.LIBRARY | Alter a tape volume entry. |
| BUILD INDEX | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
| CREATE LIBRARYENTRY | STGADMIN.IGG.LIBRARY | Create a tape library entry. |
| CREATE VOLUMEENTRY | STGADMIN.IGG.LIBRARY | Create a tape volume entry. |
| DCOLLECT | STGADMIN.IDC.DCOLLECT | Access the DCOLLECT function. |
| DEFINE ALIAS | STGADMIN.IGG.DEFDEL.UALIAS | Define an alias for a user catalog. |
| DEFINE ALTERNATEINDEX | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
| DEFINE CLUSTER | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
| DEFINE NONVSAM | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
| DEFINE PAGESPACE | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
| DELETE | STGADMIN.IGG.DEFDEL.UALIAS | Delete an alias for a user catalog. |
| DELETE GDG | STGADMIN.IGG.DELGDG.FORCE | Delete a GDG using the FORCE option. |
| DELETE GDG | STGADMIN.IGG.DELGDG.RECOVERY | DELETE a GDG using the RECOVERY option. |
| DELETE | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
| DELETE LIBRARYENTRY | STGADMIN.IGG.LIBRARY | Delete a tape library entry or a tape volume entry. |
| DIAGNOSE | STGADMIN.IDC.DIAGNOSE.CATALOG | Open a catalog without performing normal catalog security processing. |
| DIAGNOSE | STGADMIN.IDC.DIAGNOSE.VVDS | Open a catalog without performing normal catalog security processing. |
| EXAMINE | STGADMIN.IDC.EXAMINE.DATASET | Open a catalog without performing usual catalog security processing. |
| EXPORT | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
| EXPORT DISCONNECT | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
| IMPORT | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
| IMPORT CONNECT | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
| REPRO MERGECAT | STGADMIN.IGG.DELETE.NOSCRTCH | Delete NOSCRATCH data sets that are being merged from the source catalog. |
| | STGADMIN.IGG.DEFINE.RECAT | Define Recatalog data sets that are being merged to the target catalog. Note: Access to this profile allows the user to DEFINE ALIAS, GDG and PATH entries without any other authorization. Creation of NONVSAM catalog entries during disposition processing may also occur although access to the data set is denied (IEC150I 913-6C). Make sure you grant authority to this profile only for people who need to perform REPRO MERGECAT operations. |

Note: All STGADMIN profiles listed in Table 7 require READ access only for users to perform any of the listed operations.
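
Since the Table 7 profiles take effect at READ and STGADMIN.IGG.DEFINE.RECAT waives other authorization, the RACF TSO commands below show one way to restrict and audit that profile. This is an added example, not part of the IBM text; the group CATMERGE and owner SECADMIN are hypothetical placeholders, and it assumes the FACILITY class is active and RACLISTed.

```racf
/* 1. Find what covers the resource today. GENERIC shows the       */
/*    best-fit generic profile; a broad one such as STGADMIN.**    */
/*    with READ already grants the recatalog bypass.               */
RLIST FACILITY STGADMIN.IGG.DEFINE.RECAT GENERIC AUTHUSER

/* 2. Define a discrete profile so the broad generic no longer     */
/*    applies: no default access, and every READ check logged.     */
/*    If the profile already exists, use RALTER with the same      */
/*    UACC and AUDIT operands instead.                             */
RDEFINE FACILITY STGADMIN.IGG.DEFINE.RECAT UACC(NONE) OWNER(SECADMIN) AUDIT(ALL(READ))

/* 3. Permit only the group that runs REPRO MERGECAT.              */
/*    READ is the level at which the profile takes effect.         */
PERMIT STGADMIN.IGG.DEFINE.RECAT CLASS(FACILITY) ID(CATMERGE) ACCESS(READ)

/* 4. Refresh the in-storage FACILITY profiles so the change       */
/*    takes effect.                                                */
SETROPTS RACLIST(FACILITY) REFRESH

/* 5. Verify: UACC should be NONE and the access list should       */
/*    contain only the intended group.                             */
RLIST FACILITY STGADMIN.IGG.DEFINE.RECAT AUTHUSER
```

The same review applies to the other STGADMIN.IGG.* and STGADMIN.IDC.* resources in Table 7 wherever step 1 shows a generic profile granting READ more widely than intended.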

Table 8. Required Authorization for SHCDS Subcommands

| SHCDS Parameter | Required Authority |
|---|---|
| CFREPAIR | Alter authority to the catalog and update authority to STGADMIN.IGWSHCDS.REPAIR. |
| CFREPAIRDS | Update authority to STGADMIN.IGWSHCDS.REPAIR and to the specified data sets. |
| CFRESET | Alter authority to the catalog and update authority to STGADMIN.IGWSHCDS.REPAIR. |
| CFRESETDS | Update authority to STGADMIN.IGWSHCDS.REPAIR and to the specified data sets. |
| DENYNONRLSUPDATE | Update authority to STGADMIN.IGWSHCDS.REPAIR and the base cluster. |
| FRSETRR | Update authority to STGADMIN.IGWSHCDS.REPAIR and the base cluster. |
| FRUNBIND | Update authority to STGADMIN.IGWSHCDS.REPAIR and the base cluster. |
| FRBIND | Update authority to STGADMIN.IGWSHCDS.REPAIR and the base cluster. |
| FRRESETRR | Update authority to STGADMIN.IGWSHCDS.REPAIR and the base cluster. |
| FRDELETEUNBOUNDLOCKS | Update authority to STGADMIN.IGWSHCDS.REPAIR and the base cluster. |
| LISTDS | Read authority to STGADMIN.IGWSHCDS.REPAIR |
| LISTSHUNTED | Update authority to the specified data set and read authority to STGADMIN.IGWSHCDS.REPAIR |
| LISTSUBSYS | Read authority to STGADMIN.IGWSHCDS.REPAIR |
| LISTSUBSYSDS | Read authority to STGADMIN.IGWSHCDS.REPAIR |
| LISTRECOVERY | Read authority to STGADMIN.IGWSHCDS.REPAIR |
| LISTALL | Read authority to STGADMIN.IGWSHCDS.REPAIR |
| PERMITNONRLSUPDATE | Update authority to STGADMIN.IGWSHCDS.REPAIR and the base cluster. |
| PURGE | Update authority to the specified data set and update authority to STGADMIN.IGWSHCDS.REPAIR. |
| REMOVESUBSYS | Update authority to STGADMIN.IGWSHCDS.REPAIR and the SUBSYSNM class. |
| RETRY | Update authority to the specified data set and update authority to STGADMIN.IGWSHCDS.REPAIR. |





Copyright IBM Corporation 1990, 2014