Data security and authorization checking

This section describes the data security protection and access authorization checks done by DFSMSdss. The DFSMSdss functions available to a user depend on the access authorizations as defined by:

User and group profiles: Define the authorized users of a RACF-protected system. The user or group identifier (ID) used for access-authority checking must be defined to RACF®.
Data set and general resource profiles: Protect the resources in a RACF-protected system and identify the access levels that users have to those resources.

DFSMSdss supports data-security protection and access-authorization checking through the system authorization facility (SAF), Resource Access Control Facility (RACF), and system services such as catalog management services and allocation. The phrase "RACF-protected" implies that SAF and RACF (or equivalent) are installed and active.

DFSMSdss uses the SAF interface and checks to ensure that RACF at the 1.8.1 level or later is installed and active. If an equivalent to RACF is used, either it must set the same level information that DFSMSdss checks, or your installation must use the DFSMSdss installation options exit to tell DFSMSdss that SAF with a RACF equivalent is installed. The proper level of RACF must be installed for the data-security features to work as described. The primary features and their levels of RACF are listed below:

Feature	Required Level of RACF
Generic profile handling:	RACF 1.5 or later
DASDVOL access authority:	RACF 1.6 or later
FACILITY class authority:	RACF 1.7 or later
Erase-on-scratch:	RACF 1.7 or later
Group data set creation:	RACF 1.8.1 or later
Storage class and management class:	RACF 1.8.1 or later

Related reading: For information about the installation options exit, see z/OS DFSMS Installation Exits. For information about data security and RACF, see z/OS Security Server RACF Security Administrator's Guide.