A RACF® always-call environment
exists when all data accesses on behalf of non-DFSMShsm-authorized
users result in the invocation of RACF for
authorization checking, regardless of the setting of the RACF indicator in the VTOC entry
or catalog record. Always-call is a system-wide convention for protection
that is available to data sets that are allocated on DASD. With always-call
support, resource managers in the operating system call RACF, regardless of the setting
of the RACF indicator in the
data set’s DSCB. Some of the resource managers of the operating
system are:

- OPEN/CLOSE/EOF
- DADSM ALLOCATE/EXTEND/RENAME/SCRATCH
- IEHMOVE

For details on the security facilities in your system, see your
Security Administrator.

Without an always-call environment, generic profiles do not necessarily
provide protection for the data sets they cover, because an unauthorized
user might be able to access the data sets if the RACF indicator is not on. In this environment, use
only discrete profiles. When the RACFIND parameter of the SETSYS command
is in effect, DFSMShsm turns on the VTOC entry RACF indicator to prohibit access to the backup
versions and migration copies of RACF-indicated data sets.
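
The effect of always-call on generic profiles can be shown with a small model. This Python code is an added example, not IBM code and not a RACF interface: the data set names, profile names, user IDs and the simplified access list are constructed, and it assumes every data set has a covering profile.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DataSet:
    name: str
    racf_indicator: bool   # RACF indicator in the VTOC entry (DSCB)
    profile: str           # covering profile name (constructed)
    generic: bool          # True if the covering profile is generic
    permitted: frozenset   # simplified access list: permitted user IDs


def racf_invoked(ds, always_call):
    """With always-call, RACF is called regardless of the indicator.
    Without it, the call depends on the indicator being on."""
    return always_call or ds.racf_indicator


def access_granted(user, ds, always_call):
    """Model of the outcome of one access request."""
    if not racf_invoked(ds, always_call):
        return True  # no authorization check is made at all
    return user in ds.permitted


def unprotected_by_generic(inventory, always_call):
    """Audit check: data sets whose generic profile is never consulted."""
    return [ds.name for ds in inventory
            if ds.generic and not racf_invoked(ds, always_call)]


# Constructed inventory: one discrete profile, two data sets under one generic.
INVENTORY = [
    DataSet("PAY.MASTER.DATA", True, "PAY.MASTER.DATA", False,
            frozenset({"PAYADM"})),
    DataSet("PAY.HIST.Y2023", False, "PAY.HIST.*", True,
            frozenset({"PAYADM"})),
    DataSet("PAY.HIST.Y2024", True, "PAY.HIST.*", True,
            frozenset({"PAYADM"})),
]

if __name__ == "__main__":
    for mode in (False, True):
        print("always-call" if mode else "no always-call",
              "->", unprotected_by_generic(INVENTORY, mode))
```

In the model, PAY.HIST.Y2023 is the only data set reported when always-call is off, which is the case the text describes: a generic profile covers it, but the indicator is off, so the profile is never checked.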