z/OS DFSMS Implementing System-Managed Storage


Restricting Access to Fields in the RACF Profile

SC23-6849-00

You can use the RACF® FIELD resource class with SMS to control the users' ability to specify or update the following fields in a RACF profile:
  • Resource owner (RESOWNER) for data set profiles
  • Application identifier (DATAAPPL) in user or group profiles
  • Default SMS DATACLAS, STORCLAS, and MGMTCLAS values in user or group profiles

You can define default data, storage, and management class names, and an application identifier in RACF user or group profiles. SMS retrieves these defaults and supplies them as input variables to the ACS routines. You can use the application identifier to associate data sets that have different highest-level qualifiers and different resource owners.

To use default SMS classes for a data set, define a resource owner or data set owner in the RACF profile for that data set. RACF uses the resource owner to determine the user or group profiles that contain the default SMS classes.

Having a particular default STORCLAS or MGMTCLAS specified in the user or group profile does not imply that a given user is authorized to use the corresponding class. See Restricting Access to Classes and Groups for information on authorizing the use of individual management and storage classes.

Be careful when assigning RACF defaults because it is unlikely that a given SMS class is applicable to all data sets created by a user or group. However, RACF defaults can be effectively used to supplement your ACS routine logic and handle class assignments for data sets that are difficult to identify using other ACS READ/ONLY variables.

Figure 1 shows how you can use the RACF default to control the management class assigned to a data set.

Figure 1. Controlling Management Class Assignments
PROC MGMTCLAS
⋮
   IF (&ACCT_JOB = 'P' | &ACCT_JOB = 'F' | &ACCT_JOB = 'A')
      THEN SELECT
                     WHEN (&ACCT_JOB = 'P' && &STORCLAS = &DEF_STORCLAS)
                          SET &MGMTCLAS = 'PAYROLL'

                     WHEN (&ACCT_JOB = 'F' && &STORCLAS = &DEF_STORCLAS)
                          SET &MGMTCLAS = 'FINANCE'

                     WHEN (&ACCT_JOB = 'A' && &STORCLAS = &DEF_STORCLAS)
                          SET &MGMTCLAS = 'ADMIN'

                     OTHERWISE SET &MGMTCLAS = &DEF_MGMTCLAS

           END   /* END OF SELECT */
⋮
END   /* END OF PROC */

Figure 2 shows an example of a command sequence you can use to define the SMS-related FIELD resource class profiles. The example enables storage administrators to update the resource owner field, and enables the user to update the set of SMS default classes.

Figure 2. Defining Resource Class Profiles
SETROPTS CLASSACT(FIELD) RACLIST(FIELD)

RDEFINE FIELD DATASET.DFP.RESOWNER UACC(READ)

PERMIT DATASET.DFP.RESOWNER CLASS(FIELD) -
       ID(STGADMIN) ACCESS(UPDATE)

SETROPTS REFRESH RACLIST(FIELD)

SETROPTS CLASSACT(FIELD) RACLIST(FIELD)

RDEFINE FIELD USER.DFP.* UACC(READ)

RDEFINE FIELD GROUP.DFP.* UACC(READ)

PERMIT USER.DFP.* CLASS(FIELD) -
       ID(&RACUID) ACCESS(UPDATE)

PERMIT GROUP.DFP.* CLASS(FIELD) -
       ID(&RACUID) ACCESS(UPDATE)

SETROPTS REFRESH RACLIST(FIELD)
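
To review a FIELD command sequence such as Figure 2 before issuing it, the following added example (not part of the IBM publication) parses the commands and reports the access a requester would get to a given field. It is a simplified model: the function names, the matching rule (discrete profile first, then the longest generic profile ending in *), and the handling of &RACUID as "own user profile" are assumptions, and the SPECIAL attribute is ignored.

```python
import re

# Constructed input: the Figure 2 commands with continuation lines joined.
FIGURE_2 = """
RDEFINE FIELD DATASET.DFP.RESOWNER UACC(READ)
PERMIT DATASET.DFP.RESOWNER CLASS(FIELD) ID(STGADMIN) ACCESS(UPDATE)
RDEFINE FIELD USER.DFP.* UACC(READ)
RDEFINE FIELD GROUP.DFP.* UACC(READ)
PERMIT USER.DFP.* CLASS(FIELD) ID(&RACUID) ACCESS(UPDATE)
PERMIT GROUP.DFP.* CLASS(FIELD) ID(&RACUID) ACCESS(UPDATE)
"""
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2}


def parse_field_profiles(commands):
    """Return {profile: {"uacc": level, "acl": {id: level}}} for class FIELD."""
    profiles = {}
    for line in commands.splitlines():
        words = line.split()
        if words[:2] == ["RDEFINE", "FIELD"]:
            uacc = re.search(r"UACC\((\w+)\)", line)
            profiles[words[2]] = {"uacc": uacc.group(1) if uacc else "NONE",
                                  "acl": {}}
        elif words[:1] == ["PERMIT"] and "CLASS(FIELD)" in words:
            ids = re.search(r"ID\(([^)]+)\)", line).group(1).split()
            level = re.search(r"ACCESS\((\w+)\)", line).group(1)
            for ident in ids:
                profiles[words[1]]["acl"][ident] = level
    return profiles


def field_access(profiles, field, requester_ids, own_profile):
    """Hypothetical model of the access a requester gets to class.segment.field.

    requester_ids: the user ID plus its connect groups.
    own_profile:   True when the requester is changing their own user profile,
                   which is the case an &RACUID entry covers.
    """
    profile = profiles.get(field)
    if profile is None:  # no discrete profile: longest generic ending in '*'
        generics = [p for p in profiles
                    if p.endswith("*") and field.startswith(p[:-1])]
        if not generics:
            return "NONE"  # field not covered by any profile in the input
        profile = profiles[max(generics, key=len)]
    granted = [level for ident, level in profile["acl"].items()
               if ident in requester_ids or (ident == "&RACUID" and own_profile)]
    return max(granted, key=LEVELS.get) if granted else profile["uacc"]
```

With the Figure 2 input, the generic USER.DFP.* profile covers DATAAPPL as well as the three default class fields, so the model reports UPDATE for a user changing the application identifier in their own profile.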





Copyright IBM Corporation 1990, 2014