Purpose
Use the ADDSD command to add RACF® protection to data sets with
either discrete or generic profiles.
Changes made to discrete profiles take effect after the ADDSD command is processed. Changes made to generic profiles do not take effect until one or more of the following steps is taken:
- The user of the data set issues the LISTDSD command:
  LISTDSD DA(data-set-protected-by-the-profile) GENERIC
  Note: Use the data set name, not the profile name.
- The security administrator issues the SETROPTS command:
  SETROPTS GENERIC(DATASET) REFRESH
  See SETROPTS command for authorization requirements.
- The user of the data set logs off and logs on again.
For more information, refer to z/OS Security Server RACF Security Administrator's Guide.
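The following sequence is an added example and is not part of the original page: it defines a generic profile, refreshes the in-storage generic profile list so the new profile takes effect, and verifies which profile now covers a data set. The profile name PAYROLL.**, the data set PAYROLL.MASTER.DATA and the user IDs PAYADM and PAYBATCH are assumed for illustration, and it assumes SETROPTS GENERIC(DATASET) is active so that the ** generic character is honored. The commands are written as they would appear in a CLIST, with CLIST /* */ comments.

```tso
/* Added example; assumed names: PAYROLL.**, PAYROLL.MASTER.DATA, PAYADM, PAYBATCH */

/* 1. Define the generic profile. UACC(NONE) denies any user not on the
      access list; AUDIT(ALL(READ)) logs successes and failures at READ
      and above; NOTIFY sends the owner a message on every denial.        */
ADDSD 'PAYROLL.**' UACC(NONE) OWNER(PAYADM) AUDIT(ALL(READ)) NOTIFY(PAYADM)

/* 2. Grant only the access that is actually needed.                      */
PERMIT 'PAYROLL.**' ID(PAYADM) ACCESS(ALTER)
PERMIT 'PAYROLL.**' ID(PAYBATCH) ACCESS(READ)

/* 3. A new or changed generic profile is not used until the in-storage
      generic list is refreshed. The administrator refreshes it for the
      whole system with SETROPTS.                                          */
SETROPTS GENERIC(DATASET) REFRESH

/* 4. Name the data set (not the profile) with GENERIC to confirm which
      generic profile now protects it; ALL also shows the access list.
      Issued by an individual user, this same command refreshes the
      generic list for that user's session without SETROPTS.              */
LISTDSD DA('PAYROLL.MASTER.DATA') GENERIC ALL
```

Until step 3 (or the per-user LISTDSD in step 4) has run, an access check against PAYROLL.MASTER.DATA is still resolved with whatever generic profile was in storage before the ADDSD, so a profile that was tightened but not refreshed is a common cause of "the new rule is not being enforced" reports.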
Issuing options
The following identifies the eligible options for issuing the ADDSD command:
- As a RACF TSO command? Yes
- As a RACF operator command? Yes
- With command direction? Yes
- With automatic command direction? Yes
- From the RACF parameter library? Yes
For information on
issuing this command as a RACF TSO
command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
You
must be logged on to the console to issue this command as a RACF operator command.
Authorization required
When issuing this command as a RACF operator
command, you might require sufficient authority to the proper resource
in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.
Note: - You need not have the SPECIAL attribute to specify the OWNER operand.
- To specify the AT keyword, you must have READ authority to the
DIRECT.node resource in the RRSFDATA class and a user ID association
must be established between the specified node.userid pair(s).
- To specify the ONLYAT keyword you must have the SPECIAL attribute,
the userid specified on the ONLYAT keyword
must have the SPECIAL attribute, and a user ID association must be
established between the specified node.userid pair(s)
if the user IDs are not identical.
The level of authority you need to use the ADDSD
command and the types of profiles you can define are:
- To protect a user data set with RACF, one of the following must be true:
- The high-level qualifier of the data set name (or the qualifier
supplied by the RACF naming
conventions table or by a command installation exit) must match your
user ID.
- You must have the SPECIAL attribute.
- The user ID for the data set profile must be within the scope
of a group in which you have the group-SPECIAL attribute.
- To protect a group data set with RACF,
one of the following must be true:
- You must have at least CREATE authority in the group.
- You must have the SPECIAL attribute.
- You must have the OPERATIONS attribute and not be connected to
the group.
- The data set profile must be within the scope of the group in
which you have the group-SPECIAL attribute.
- The data set profile must be within the scope of the group in
which you have the group-OPERATIONS attribute, and you must not be
connected to the group.
- If you have the OPERATIONS or group-OPERATIONS attribute and are
connected to a group, you must have at least CREATE authority in that
group to protect a group data set.
- When creating a group data set profile, the profile creator's
user ID is placed on the access list with ALTER authority unless the
creation was allowed due to OPERATIONS or group-OPERATIONS authority
or unless the SETROPTS NOADDCREATOR option is in effect.
- To define to RACF a data
set that was brought from another system where it was RACF-indicated
and RACF-protected with a discrete profile, one of the following must
be true:
- You must either have the SPECIAL attribute, or the data set's
profile is within the scope of a group in which you have the group-SPECIAL
attribute
- Your user ID must be the high-level qualifier of the data set
name (or the qualifier supplied by the naming conventions routine
or a command installation exit).
- To assign a security category to a profile, you must have the
SPECIAL attribute or have the category in your user profile.
- To assign a security level to a profile, you must have the SPECIAL
attribute or, in your own profile, a security level that is equal
to or greater than the security level you are defining.
- To assign a security label to a profile, you must have the SPECIAL
attribute or READ authority to the security label profile. However,
the security administrator can limit the ability to assign security
labels to only users with the SPECIAL attribute.
- To access the DFP or TME segment, field-level access checking
is required.
- When either a user or group uses modeling to protect a data set
with a discrete profile, RACF copies
the following fields from the model profile: the level
number, audit flags, global audit flags, the universal access authority
(UACC), the owner, the warning, the access list, installation data,
security category names, the security level name, the user to be notified,
the retention period for a tape data set, and the erase indicator.
- To add a discrete profile for a VSAM data set already RACF-protected
by a generic profile, you must have ALTER access authority to the
catalog or to the data set through the generic profile.
Model profiles: To specify a model data
set profile (using, as required, FROM, FCLASS, FGENERIC, and FVOLUME),
you must have sufficient authority over the model profile (the from profile). RACF makes the following checks
until one of the conditions is met:
- You have the SPECIAL attribute.
- The from profile is within the scope of a group in which
you have the group-SPECIAL attribute.
- You are the owner of the from profile.
- The high-level qualifier of the profile name (or the qualifier
supplied by the naming conventions routine or a command installation
exit routine) is your user ID.
- For a discrete profile, you are on the access list in the from profile
with ALTER authority. (If you have any lower level of authority, you
cannot use the profile as a model.)
- For a discrete profile, your current connect group (or, if list-of-groups
checking is active, any group to which you are connected) is on the
access list in the from profile with ALTER authority.
- For a discrete profile, the UACC is ALTER.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the ADDSD
command is:

    [subsystem-prefix]{ADDSD | AD}
        (profile-name-1 [/password] …)
        [ ADDCATEGORY(category-name …) ]
        [ AT([node].userid …) | ONLYAT([node].userid …) ]
        [ AUDIT(access-attempt[(audit-access-level)] …) ]
        [ DATA('installation-defined-data') ]
        [ DFP(RESOWNER(userid or group-name) | NORESOWNER) ]
        [ ERASE ]
        [ FCLASS(profile-name-2-class) ]
        [ FGENERIC ]
        [ FILESEQ(number) ]
        [ FROM(profile-name-2) ]
        [ FVOLUME(profile-name-2-serial) ]
        [ {GENERIC | MODEL | TAPE} ]
        [ LEVEL(nn) ]
        [ {SET | SETONLY | NOSET} ]
        [ NOTIFY[(userid)] ]
        [ OWNER(userid or group-name) ]
        [ RETPD(nnnnn) ]
        [ SECLABEL(security-label) ]
        [ SECLEVEL(security-level) ]
        [ TME([ ROLES(role-access-specification …) ]) ]
        [ UACC(access-authority) ]
        [ UNIT(type) ]
        [ VOLUME(volume-serial …) ]
        [ WARNING ]
For information on issuing this command
as a RACF TSO command, refer
to RACF TSO commands.
For
information on issuing this command as a RACF operator command, refer to RACF operator commands.
Parameters
- subsystem-prefix
- Specifies that the RACF subsystem
is the processing environment of the command. The subsystem
prefix can be either the installation-defined prefix for RACF (1 - 8 characters)
or, if no prefix has been defined, the RACF subsystem
name followed by a blank. If the command prefix was registered with
CPF, you can use the MVS command D OPDATA to display it or you can
contact your RACF security
administrator.
Only specify the subsystem prefix when issuing
this command as a RACF operator
command. The subsystem prefix is required when issuing RACF operator commands.
- profile-name-1
- Specifies the name of the discrete
or generic profile to be added to the RACF database.
If you specify more than one name, the list of names must be enclosed
in parentheses.
The format of the profile name should follow the
TSO/E data set naming conventions, except that the high-level qualifier
of the profile name (or the qualifier determined by the naming conventions
table or by a command installation exit) must be a user ID or a group
name. See z/OS Security Server RACF Security Administrator's Guide for
more information about the TSO/E data set naming conventions.
To
specify a user ID other than your own, you must have the SPECIAL attribute,
or the data set profile must be within the scope of a group in which
you have the group-SPECIAL attribute. To define a group data set, you
must have at least CREATE authority in the specified group, or the
SPECIAL attribute, or the data set must be within the scope of a group
in which you have the group-SPECIAL attribute.
This operand
is required and must be the first operand following ADDSD. Note that,
because RACF uses the RACF database and not the system
catalog, you cannot use alias data set names.
For additional
information, see Profile names for data sets and the
section describing rules for defining data set profiles in z/OS Security Server RACF Security Administrator's Guide.
Tape
data set: If you are defining a discrete profile that protects
a tape data set, you must specify TAPE. If you are defining more than
one tape data set profile, the data sets must all reside on the same
volume, and you must specify the profile names in an order that corresponds
to the file sequence numbers of the data sets on the volume.
VSAM
data set: All of the components of a VSAM data set are protected
by the profile that protects the cluster name. It is not necessary
to create profiles that protect the index and the data components
of the cluster.
Data
sets cataloged by an indirect VOLSER: When you catalog a data
set using an indirect VOLSER - using
asterisks (******) or a symbolic such as &SYSRS in
place of the VOLSER - you can
protect the data set with a generic profile (preferred method) or
else with one or more discrete data set profiles that contain the
real unit and volume for each data set covered by the catalog entry.
The latter must be done while the data set is online.
- /password
- Specifies
the data set password if you are protecting an existing password-protected
data set. If you specify a generic or model profile, RACF ignores this operand.
For a non-VSAM
password-protected data set, the WRITE level password must be specified.
For
a VSAM data set that is not password-protected, you do not need the
password or RACF access authority
for the catalog.
A password is not required when you specify
NOSET.
If the command is executing in the foreground and you
omit the password for a password-protected data set, the logon password
is used. You are prompted if the password you enter or the logon password
is incorrect. (If it is a non-VSAM multivolume data set, you are prompted
once for each volume on which the data set resides.)
If the
command is executing in a batch job and you either omit the password
for a password-protected data set or supply an incorrect password,
the operator is prompted. (If it is a non-VSAM multivolume data set,
the operator is prompted once for each volume on which the data set
resides.)
- ADDCATEGORY(category-name
…)
- Specifies
one or more names of installation-defined security categories. The
names you specify must be defined as members of the CATEGORY profile
in SECDATA class. (For information on defining security categories,
see z/OS Security Server RACF Security Administrator's Guide.)
When
the SECDATA class is active and you specify ADDCATEGORY, RACF performs security category checking in
addition to its other authorization checking. If a user requests access
to a data set, RACF compares
the list of security categories in the user's profile with the list
of security categories in the data set profile. If RACF finds any security category in the data
set profile that is not in the user's profile, RACF denies access to the data set. If the user's
profile contains all the required security categories, RACF continues with other authorization checking.
Note: RACF does not perform security
category checking for a started task or user that has the RACF privileged or trusted attribute.
The RACF privileged or trusted
attribute can be assigned to a started task through the RACF started procedures table or STARTED class,
or to other users by installation-supplied RACF exits.
- AT
| ONLYAT
- The AT and ONLYAT keywords are only valid when the command is
issued as a RACF TSO command.
- AT([node].userid
…)
- Specifies
that the command is to be directed to the node specified by node,
where it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the
command is directed to the local node.
- ONLYAT([node].userid
…)
- Specifies
that the command is to be directed only to the node specified by node where
it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the
command is directed only to the local node.
- AUDIT(access-attempt[(audit-access-level)]…)
- Specifies
which access attempts and access levels you want logged to the SMF
data set.
- access-attempt
- Specifies which access attempts you want logged to the SMF data
set. The following options are available:
- ALL
- Specifies that you want to log both authorized accesses and detected
unauthorized access attempts.
- FAILURES
- Specifies that you want to log detected unauthorized attempts.
FAILURES is the default value if you omit access-attempt.
- NONE
- Specifies that you do not want any logging to be done.
- SUCCESS
- Specifies that you want to log authorized accesses.
- audit-access-level
- Specifies which access levels you want
logged to the SMF data set. The levels you can specify are:
- ALTER
- Logs ALTER access-level attempts only.
- CONTROL
- Logs access attempts at the CONTROL and ALTER levels.
- READ
- Logs access attempts at any level. READ is the default value if
you omit audit-access-level.
- UPDATE
- Logs access attempts at the UPDATE, CONTROL, and ALTER levels.
FAILURES(READ) is the default value if you omit
the AUDIT operand. You cannot audit access attempts at the EXECUTE
level.
- DATA('installation-defined-data')
- Specifies
up to 255 characters of installation-defined data to be stored in
the data set profile and must be enclosed in single quotation marks.
It might also contain double-byte character set (DBCS) data.
Use
the LISTDSD command to list this information.
- DFP
- Specifies
that for an SMS-managed data set, you can enter the following information:
- RESOWNER(userid or group-name) | NORESOWNER
- Specifies
the user ID or group of the actual owner of the data sets protected
by the profile specified in profile-name-1. This name must
be that of a RACF-defined user or group. (The data set resource owner,
specified with RESOWNER, is distinguished from the owner specified
with OWNER, which represents the user or group that owns the data
set profile).
If NORESOWNER is specified, the user or group represented
by the high level qualifier of the data set profile is assigned as
the owner of data sets protected by the profile when SMS needs to
determine the RESOWNER.
- ERASE
- Specifies
that when SETROPTS ERASE is active, data management is to physically
erase the contents of deleted data sets and scratched or released
DASD extents. Erasing the data set means overwriting its contents
with binary zeroes so that it cannot be read.
Restrictions: The
ERASE operand is ignored when any of the following conditions exist:
- FCLASS(profile-name-2-class)
- Specifies
the name of the class to which profile-name-2 belongs.
The valid class names are DATASET and those classes defined in the
class descriptor table. If you omit this operand, RACF assumes the DATASET class. This operand
is valid only when you also specify the FROM operand; otherwise, RACF ignores it.
- FGENERIC
- Specifies
that RACF is to treat profile-name-2 as
a generic name, even if it is fully qualified (meaning that it does
not contain any generic characters). This operand is only needed when profile-name-2 is
a DATASET profile.
- FILESEQ(number)
- Specifies
the file sequence number for a tape data set. The number can range
from 1 through 65535.
If you specify more than one profile
name, RACF assigns
the file sequence number that you specify to the first profile name,
then increments the number by one for each additional name. Thus,
be sure to specify profile names in the order of their file sequence
numbers.
If you omit FILESEQ, the default is FILESEQ(1). If
you omit VOLUME, RACF retrieves
the volume serial number from the catalog.
If you omit TAPE, RACF ignores FILESEQ.
- FROM(profile-name-2)
- Specifies the name of
an existing discrete or generic profile that RACF is to use as a model for the new profile.
The model profile name you specify on the FROM operand overrides any
model name specified in your user or group profile. If you specify
FROM and omit FCLASS, RACF assumes
that profile-name-2 is the name of a profile
in the DATASET class.
To specify FROM, you must have sufficient
authority to both profile-name-1 and profile-name-2,
as described in Authorization required.
Naming
conventions processing affects profile-name-2 in
the same way that it affects profile-name-1.
Mixed-case
profile names are accepted and preserved when FCLASS refers to a class
defined in the static class descriptor table with CASE=ASIS or in
the dynamic class descriptor table with CASE(ASIS).
If the
profile being added is for a group data set and the user has the GRPACC
attribute for that group, RACF places
the group on the access list with UPDATE access authority. Otherwise,
if the group is already on the access list, RACF changes the group's access authority to
UPDATE.
Possible Changes to Copied Profiles When Modeling
Occurs: When a profile is copied during profile modeling, the
new profile could differ from the model in the following ways:
- Certain conditional access list conditions are valid only for
specific classes. For example, WHEN(SYSID) is valid only for the PROGRAM
class and WHEN(CRITERIA) is valid only for general resource
classes (not data sets). When copying the conditional access list
from profile-name-2 to profile-name-1,
the profile might differ if the condition is not valid for the data
set class. For example, if profile-name-2 is
a PROGRAM profile with SYSID or CRITERIA entries in the conditional
access list, those entries are not copied to the new data set profile
(profile-name-1).
- RACF places the user on
the access list with ALTER access authority or, if the user is already
on the access list, changes the user's access authority to ALTER.
This does not occur if the NOADDCREATOR option is in effect.
If
the profile being added is for a group data set and the user has the
GRPACC attribute for that group, RACF places
the group on the access list with UPDATE access authority. If the
group is already on the access list, RACF changes
the group's access authority to UPDATE. These access list changes
do not occur if the data set profile is created only because the user
has the OPERATIONS attribute.
- The security label, if specified in the model profile, is not
copied. Instead, the user's current security label is used.
- Information in the non-RACF segments (for example, the DFP segment)
is not copied.
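The commands below are an added example, not part of the original page, showing the three ways of naming a model profile described under Model profiles and under FROM, FGENERIC and FVOLUME. The profile names PAYROLL.OLD.**, PAYROLL.NEW.**, PAYROLL.REPORTS, PAYROLL.NEW.REPORTS, PAYROLL.OLD.DATA and PAYROLL.NEW.DATA, the volumes VOL001 and VOL002, and the issuing user PAYADM are assumed; the issuer is assumed to satisfy the authority checks for both the new and the from profile.

```tso
/* Added example; assumed names: PAYROLL.OLD.**, PAYROLL.NEW.**, PAYROLL.REPORTS,
   PAYROLL.NEW.REPORTS, PAYROLL.OLD.DATA, PAYROLL.NEW.DATA, VOL001, VOL002, PAYADM */

/* Generic modeled on a generic. FCLASS defaults to DATASET. The access list,
   UACC, AUDIT settings, owner, WARNING, LEVEL, installation data, categories
   and security level are copied; a SECLABEL and the DFP segment are not.   */
ADDSD 'PAYROLL.NEW.**' FROM('PAYROLL.OLD.**')

/* The model is a fully qualified generic profile (no generic characters in
   its name), so FGENERIC is required; without it RACF would look for a
   discrete profile named PAYROLL.REPORTS. GENERIC does the same for the
   new profile's name.                                                       */
ADDSD 'PAYROLL.NEW.REPORTS' GENERIC FROM('PAYROLL.REPORTS') FGENERIC

/* Discrete modeled on a discrete. FVOLUME selects the model when the same
   data set name exists on more than one volume (otherwise the command would
   fail); UNIT and VOLUME describe the new data set.                         */
ADDSD 'PAYROLL.NEW.DATA' UNIT(3390) VOLUME(VOL002) FROM('PAYROLL.OLD.DATA') FVOLUME(VOL001)

/* Make the generic profiles current and inspect what was actually copied.
   Expect PAYADM on the access list with ALTER unless SETROPTS NOADDCREATOR
   is in effect, and, for a group data set where PAYADM has GRPACC, the
   group with UPDATE.                                                        */
SETROPTS GENERIC(DATASET) REFRESH
LISTDSD DA('PAYROLL.NEW.**') ALL
LISTDSD DA('PAYROLL.NEW.DATA') ALL
```

Review the LISTDSD output rather than trusting the model: the creator's ALTER entry and any GRPACC entry are added on top of the copied access list, so a model that was deliberately restrictive can end up granting more than intended.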
- FVOLUME(profile-name-2-serial)
- Specifies
the volume RACF is to use to
locate the model profile (profile-name-2).
If you specify FVOLUME and RACF does
not find profile-name-2 associated with
that volume, the command fails. If you omit this operand and the data
set name appears more than once in the RACF database,
the command fails.
FVOLUME is valid only when FCLASS either
specifies or defaults to DATASET and when profile-name-2 specifies
a discrete profile. Otherwise, RACF ignores
FVOLUME.
- GENERIC | MODEL | TAPE
- GENERIC
- Specifies
that RACF is to treat profile-name-1 as
a fully qualified generic name, even if it does not contain any generic
characters.
- MODEL
- Specifies
that you are defining a model profile to be used when new data sets
are created. The SETROPTS command (specifying MODEL operand with either
GROUP or USER) controls whether this profile is used for data sets
with group names or user ID names.
When you specify MODEL, you
can omit UNIT and VOLUME.
When you specify MODEL, the SET,
GENERIC, and TAPE operands are ignored, and NOSET is used as the default.
MODEL
and GENERIC operands are mutually exclusive. You cannot specify a
generic profile for automatic profile modeling through the MODEL
operand of ADDUSER, ALTUSER, ADDGROUP, or ALTGROUP. However, you can
explicitly use a generic profile as a model with the FROM operand,
and if needed, the FGENERIC operand of the ADDSD command.
For
information about automatic profile modeling, refer to z/OS Security Server RACF Security Administrator's Guide.
- TAPE
- Specifies
that the data set profile is to protect a tape data set. If tape data
set protection is not active, RACF treats
TAPE as an invalid operand and issues an appropriate error message.
If profile-name-1 is a generic profile name, RACF ignores this operand. (RACF processes a tape data set
protected by a generic profile in the same way as it processes a DASD
data set protected by a generic profile.)
- LEVEL(nn)
- Specifies
a level indicator, where nn is an integer
from 0 through 99. The default is 0.
Your installation assigns the
meaning of the value.
RACF includes
it in all records that log data set accesses and in the LISTDSD command
display.
- SET |
SETONLY | NOSET
- If you do not specify SET, SETONLY, or NOSET, the default
value is SET.
- SET
- Specifies
that the data set is to be RACF-indicated. SET is the default value
when you are RACF-protecting a data set. If the indicator is already
on, the command fails. If you specify a generic profile name or the
GENERIC operand, RACF ignores
this operand.
- SETONLY
- Specifies
that for a tape data set, RACF is
to create only an entry in the TVTOC; it is not to create a discrete
data set profile. Specifying SETONLY allows you to protect a tape
data set with a TVTOC and a generic profile.
Thus, you would normally specify
SETONLY with TAPE, and, when you do, RACF ignores
the OWNER, UACC, AUDIT, DATA, WARNING, LEVEL, and RETPD operands.
If you specify SETONLY without TAPE, RACF treats
SETONLY as SET.
- NOSET
- Specifies
that the data set is not to be RACF-indicated.
For a DASD data
set, use NOSET when you are defining a data set to RACF that has been brought from another system
where it was RACF-protected. (The data set is already RACF-indicated.)
For
a tape data set, use NOSET when, because of a previous error, the
TVTOC indicates that the data set is RACF-indicated, but the discrete
profile is missing.
If you specify NOSET, for a discrete profile,
when the data set is not already RACF-indicated, RACF access control to that data set is not
enforced.
If you specify NOSET, the volumes on which the data
set or catalog resides need not be online, and the password in the
first operand of this command is not required.
To use NOSET, one of the following must be true:
- You must have the SPECIAL attribute
- The profile must fall within the scope of a group in which you
have the group-SPECIAL attribute
- The high-level qualifier of the data set name (or the qualifier
supplied by a command installation exit routine) must be your user
ID.
If you specify a generic profile name, RACF ignores this operand.
Note: If you
specify a profile name that exists as a generation data group (GDG)
data set base name with NOSET - but do
not specify a unit and volume, RACF creates
a model profile for the data set instead of a discrete profile. In
this situation, the model profile provides the same protection as
a discrete profile.
- NOTIFY[(userid)]
- Specifies
the user ID of a RACF-defined user to be notified whenever RACF uses this profile to deny
access to a data set. If you specify NOTIFY without userid, RACF takes your user ID as the
default; you are notified whenever the profile denies access to a
data set.
A user who is to receive NOTIFY messages should log
on frequently, both to take action in response to the unauthorized
access attempts the messages describe and to clear the messages from
the SYS1.BRODCAST data set. (When the profile also includes WARNING, RACF might have granted access
to the data set to the user identified in the message.)
Note: The
user ID specified on the NOTIFY operand is not notified when the profile
disallows creation or deletion of a data set. NOTIFY is used only
for resource access checking, not for resource creation or deletion.
- OWNER(userid
or group-name)
- Specifies
a RACF-defined user or group to be assigned as the owner of the data
set profile. When you define a group data set, the user you designate
as owner must have at least USE authority in the group specified by
the high-level qualifier of the data set name (or the qualifier determined
by the naming conventions routine or by a command installation exit
routine).
If you omit this operand, you are defined as the owner
of the data set profile. However, if the high-level qualifier is a
user ID that is different from your user ID, the OWNER of the profile
is the user ID specified in the high-level qualifier. In addition,
if you are using naming convention processing, either through the
naming convention table or an exit, the owner of the profile is determined
by the naming convention processing. If you have the SPECIAL attribute
and define a profile for a group data set while SETROPTS ADDCREATOR
is in effect, your user ID is added to the access list for the data
set with ALTER access authority, whether or not you specify the OWNER
operand. If you have the SPECIAL attribute and define a profile for
a user data set, your user ID is not added to the access list for
the data set.
If you specify OWNER(userid), the user
you specify as the owner does not automatically have access to the
data set. Use the PERMIT command to add the owner to the access list
as desired. If you specify OWNER(group-name), RACF treats any users who have the group-SPECIAL
attribute in the group as owners of the data set profile.
- RETPD(nnnnn)
- Specifies
the RACF security retention
period for a tape data set. The security retention period is the number
of days that must elapse before a tape data set profile expires. (Note
that, even though the data set profile expires, RACF-protection for
data sets protected by the profile is still in effect. For more information,
see z/OS Security Server RACF Security Administrator's Guide.)
The
number you specify, nnnnn, must be one to
five digits in the range of 0 through 65533. To indicate a data set
that never expires, specify nnnnn as 99999.
When 99999 is used, RACF stores it internally as 65534.
The RACF security retention period
is the same as the data set retention period specified by the EXPDT/RETPD
parameters on the JCL DD statement only when the data set profile
is discrete and you do not modify the RACF security
retention period.
When the TAPEVOL class is active, RACF checks the RACF security retention period before it allows
a data set to be overwritten. RACF adds
the number of days in the retention period to the creation date for
the data set. If the resulting date is still later than the current date, the retention
period has not yet elapsed and RACF continues to protect the data
set from being overwritten.
When the TAPEVOL class is not active, RACF ignores the RETPD operand.
If you
omit RETPD and your installation has established a default security
retention period (through the RETPD operand on the SETROPTS command), RACF uses the default. If you omit
RETPD and your installation has not established a default, RACF uses 0 as a default.
Specifying
this operand for a DASD data set does not cause an error, but it has
no meaning because RACF ignores
the operand during authorization checking.
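The commands below are an added example, not part of the original page, covering the tape data set points made under profile-name-1, FILESEQ, TAPE, SETONLY and RETPD together. The data set names BACKUP.DAILY.F1 through F3, BACKUP.DAILY.**, BACKUP.ARCHIVE.YEAREND, the volumes TAP001 and TAP002 and the owner BKPADM are assumed; it also assumes tape data set protection (SETROPTS TAPEDSN) and the TAPEVOL class are active, and that the data sets are cataloged so UNIT can be omitted.

```tso
/* Added example; assumed names: BACKUP.DAILY.F1/F2/F3, BACKUP.DAILY.**,
   BACKUP.ARCHIVE.YEAREND, TAP001, TAP002, BKPADM. Assumes SETROPTS TAPEDSN
   and the TAPEVOL class are active.                                          */

/* Three discrete tape profiles on one volume. FILESEQ(1) is assigned to the
   first name and incremented for each following name, so the names must be
   listed in file-sequence order. RETPD(90): RACF refuses to let these files
   be overwritten for 90 days after creation, regardless of the JCL EXPDT.   */
ADDSD ('BACKUP.DAILY.F1' 'BACKUP.DAILY.F2' 'BACKUP.DAILY.F3') TAPE VOLUME(TAP001) FILESEQ(1) RETPD(90) UACC(NONE) OWNER(BKPADM)

/* Alternative: one generic profile for the whole series, plus a TVTOC entry
   per file created with SETONLY. With SETONLY, OWNER, UACC, AUDIT, DATA,
   WARNING, LEVEL and RETPD are ignored on this command; the generic profile
   governs access.                                                           */
ADDSD 'BACKUP.DAILY.**' UACC(NONE) OWNER(BKPADM) AUDIT(ALL(READ))
SETROPTS GENERIC(DATASET) REFRESH
ADDSD 'BACKUP.DAILY.F1' TAPE SETONLY VOLUME(TAP001) FILESEQ(1)

/* A permanent archive: 99999 means the profile never expires.              */
ADDSD 'BACKUP.ARCHIVE.YEAREND' TAPE VOLUME(TAP002) FILESEQ(1) RETPD(99999) UACC(NONE) OWNER(BKPADM)

/* Confirm the sequence numbers and retention period landed on the right
   profiles before relying on them.                                          */
LISTDSD DA('BACKUP.DAILY.F2') VOLUME(TAP001) ALL
```

If the TAPEVOL class is later deactivated, RETPD is ignored and the retention period no longer prevents overwrites, so the tape retention in the JCL or tape management system must not be relied on to be in sync with the RACF value.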
- SECLABEL(security-label)
- Specifies
the name of an installation-defined security label representing an
association between a particular security level and a set of zero
or more categories.
A security label corresponds to a particular
security level (such as CONFIDENTIAL) with a set of zero or more security
categories (such as PAYROLL or PERSONNEL).
RACF stores the name of the security label you
specify in the data set profile if you are authorized to use that
label.
If you are not authorized to use the security label
or if the name you had specified is not defined as a SECLABEL profile
in the SECLABEL class, the data set profile is not created.
- SECLEVEL(security-level)
- Specifies
the name of an installation-defined security level. This name corresponds
to the number that is the minimum security level a user must have
to access the data set. security-level must
be a member of the SECLEVEL profile in the SECDATA class.
When
you specify SECLEVEL and the SECDATA class is active, RACF adds security level access checking to
its other authorization checking. If global access checking does not
grant access, RACF compares
the security level allowed in the user profile with the security level
required in the data set profile. If the security level in the user
profile is less than the security level in the data set profile, RACF denies the access. If the
security level in the user profile is equal to or greater than the
security level in the data set profile, RACF continues
with other authorization checking.
Note: RACF does not perform security level checking
for a started task or user that has the RACF privileged
or trusted attribute. The RACF privileged
or trusted attribute can be assigned to a started task through the RACF started procedures table or
STARTED class, or to other users by installation-supplied RACF exits.
If the SECDATA
class is not active, RACF still
stores the security-level you specified
in the data set profile, but cannot perform security level checking
until you have activated the SECDATA class. If the name you specify
is not defined as a SECLEVEL profile and the SECDATA class is active,
you are prompted to provide a valid name for security-level.
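The commands below are an added example, not part of the original page, illustrating the ADDCATEGORY and SECLEVEL checks described above end to end. The level names CONF and SECRET, the categories PAYROLL and PERSONNEL, the profile HR.SALARY.** and the user IDs HRADM (assumed to have SPECIAL) and JOEUSER are assumed for illustration.

```tso
/* Added example; assumed names: CONF, SECRET, PAYROLL, PERSONNEL,
   HR.SALARY.**, HRADM (SPECIAL), JOEUSER.                                   */

/* One-time setup by the security administrator: security levels are
   members of the SECLEVEL profile (name/number) and categories are members
   of the CATEGORY profile, both in the SECDATA class, which must be active
   for either check to be enforced.                                           */
RDEFINE SECDATA SECLEVEL ADDMEM(CONF/50 SECRET/100)
RDEFINE SECDATA CATEGORY ADDMEM(PAYROLL PERSONNEL)
SETROPTS CLASSACT(SECDATA)

/* Classify the data set profile. The issuer needs SPECIAL, or each named
   category in their own profile and a security level of at least CONF.      */
ADDSD 'HR.SALARY.**' UACC(NONE) OWNER(HRADM) SECLEVEL(CONF) ADDCATEGORY(PAYROLL PERSONNEL) AUDIT(ALL(READ))
PERMIT 'HR.SALARY.**' ID(JOEUSER) ACCESS(READ)
SETROPTS GENERIC(DATASET) REFRESH

/* JOEUSER has the required level but only one of the two categories.
   Despite READ on the access list, RACF denies access: every category in
   the data set profile must also be present in the user's profile, and this
   check runs before the access list is consulted.                            */
ALTUSER JOEUSER SECLEVEL(CONF) ADDCATEGORY(PAYROLL)

/* Granting the missing category lets RACF proceed to the access-list check,
   where the PERMIT above now takes effect. A user with SECLEVEL(SECRET) and
   both categories would pass the same way; a user with no SECLEVEL fails
   the level check regardless of categories.                                  */
ALTUSER JOEUSER ADDCATEGORY(PERSONNEL)
LISTDSD DA('HR.SALARY.**') ALL
```

Note the exceptions stated above: started tasks and users with the privileged or trusted attribute bypass both checks, so classification alone does not constrain them.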
- TME
- Specifies
that information for the Tivoli® Security
Management Application is to be added.
Note: The TME segment fields
are intended to be updated only by the Tivoli Security Management application, which
manages updates, permissions, and cross references. A security administrator
should only directly update TME fields on an exception basis.
- ROLES(role-access-specification …)
- Specifies
a list of roles and associated access levels related to this profile.
One or more role-access-specification values
can be specified, each separated by blanks. Each value should contain
no embedded blanks and should have the following format: role-name:authority[:conditional-class:conditional-profile]
where role-name is
a discrete general resource profile defined in the ROLE class. The authority is
the access authority (NONE, EXECUTE, READ, UPDATE, CONTROL, or ALTER)
with which groups in the role definition should be permitted to the
resource.
The conditional-class is
a class name (APPCPORT, CONSOLE, JESINPUT, PROGRAM, TERMINAL, or SYSID)
for conditional access permission, and is followed by the conditional-profile value,
a resource profile defined in the conditional class.
- UACC(access-authority)
- Specifies the universal
access authority to be associated with the data sets. The universal
access authorities are ALTER, CONTROL, UPDATE, READ, EXECUTE, and
NONE. If you omit UACC or specify UACC with no access authority, RACF uses the default value in
your current connect group. If you specify CONTROL for a tape data
set or a non-VSAM DASD data set, RACF treats
the access authority as UPDATE. If you specify EXECUTE for a tape
data set, or a DASD data set not used as a program library, RACF treats the access authority
as NONE.
If a user accessing a data set has the RESTRICTED attribute, RACF treats the universal access
authority (UACC) as NONE for that access attempt.
- UNIT(type)
- Specifies the
unit type on which a tape data set or a non-VSAM DASD data set resides.
You can specify an installation-defined unit name, a generic device
type, or a specific device address. If you specify UNIT and VOLUME
for a DASD data set, RACF assumes
that the data set is a non-VSAM data set; therefore, do not use UNIT
and VOLUME for a VSAM data set.
If the data set is not cataloged,
UNIT and VOLUME are required. You must specify UNIT and VOLUME for
data sets cataloged with an esoteric name (such as an installation-defined
unit name).
If you specify a generic or model profile name, RACF ignores this operand.
- VOLUME(volume-serial
…)
- Specifies
the volumes on which a tape data set or a non-VSAM DASD data set resides.
If you specify UNIT and VOLUME for a DASD data set, RACF assumes that the data set is a non-VSAM
data set; therefore, do not use UNIT and VOLUME for a VSAM data set.
If the data set is not cataloged, UNIT and VOLUME are required.
You must specify UNIT and VOLUME for data sets cataloged with an esoteric
name (such as an installation-defined unit name).
If you specify
a tape data set profile name, you can specify only one volume.
If
you specify a generic or model profile name, RACF ignores this operand.
- WARNING
- Specifies
that even if access authority is insufficient, RACF is to issue a warning message and allow
access to the resource. RACF also
records the access attempt in the SMF record if logging is specified
in the profile.
When SETROPTS MLACTIVE(FAILURES) is in effect and the class requires
security labels, a user or task can still access a data set that is in
WARNING mode and has no security label. The user or task receives a warning
message and gains access.
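The UACC and WARNING descriptions above together determine what happens when a request is not covered by an access-list entry. The model below is an added example, not RACF code, and applies only the rules those two descriptions state: UACC(CONTROL) is treated as UPDATE for a tape or non-VSAM DASD data set, UACC(EXECUTE) is treated as NONE for a tape data set or a DASD data set that is not a program library, UACC is treated as NONE for a user with the RESTRICTED attribute, and a profile in WARNING mode grants insufficient access with a warning message and an SMF record when the profile logs failures. The access list is a plain dictionary standing in for PERMIT entries (a user's own entry wins, otherwise the best group entry, an assumed simplification of RACF's list processing); conditional access, SECLEVEL/CATEGORY/SECLABEL checking, global access checking, success auditing and the OPERATIONS attribute are not modelled. The profile names and user IDs in the sample are constructed.

```python
"""Model of the access decision described by the UACC and WARNING operands.

Added example for this page, not RACF code. Only the rules stated in the
UACC and WARNING operand descriptions are implemented; the rest of the
RACF authorization check is out of scope.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Authority(IntEnum):
    """Data set access authorities in increasing order of power."""
    NONE = 0
    EXECUTE = 1
    READ = 2
    UPDATE = 3
    CONTROL = 4
    ALTER = 5


@dataclass
class DataSetProfile:
    name: str
    uacc: Authority
    warning: bool = False            # WARNING operand
    is_tape: bool = False            # TAPE operand
    is_vsam: bool = False            # VSAM DASD data set
    is_program_library: bool = False
    log_failures: bool = True        # stands in for AUDIT(FAILURES(...)), the default
    # Stand-in for the access list: user ID or group name -> authority.
    access_list: dict[str, Authority] = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    warning_issued: bool
    logged: bool
    basis: str


def effective_uacc(profile: DataSetProfile) -> Authority:
    """UACC as RACF treats it for this kind of data set, per the UACC operand text."""
    if profile.uacc == Authority.CONTROL and (profile.is_tape or not profile.is_vsam):
        return Authority.UPDATE      # CONTROL only means something for VSAM
    if profile.uacc == Authority.EXECUTE and (profile.is_tape or not profile.is_program_library):
        return Authority.NONE        # EXECUTE only means something for a program library
    return profile.uacc


def check_access(
    profile: DataSetProfile,
    user: str,
    groups: tuple[str, ...],
    requested: Authority,
    restricted: bool = False,
) -> Decision:
    """Decide a request the way the UACC and WARNING descriptions say RACF does."""
    if user in profile.access_list:
        # Assumed simplification: the user's own entry is used when present.
        granted, basis = profile.access_list[user], "access list (user entry)"
    else:
        group_hits = [profile.access_list[g] for g in groups if g in profile.access_list]
        if group_hits:
            granted, basis = max(group_hits), "access list (group entry)"
        elif restricted:
            # A RESTRICTED user gets no benefit from UACC at all.
            granted, basis = Authority.NONE, "UACC treated as NONE (RESTRICTED)"
        else:
            granted = effective_uacc(profile)
            basis = f"UACC treated as {granted.name}"

    if granted >= requested:
        # Success auditing (AUDIT(SUCCESS)) is not modelled, so logged is False here.
        return Decision(True, False, False, basis)
    if profile.warning:
        # WARNING mode: access is granted anyway, the user is warned, and the
        # attempt goes to SMF if the profile logs failures.
        return Decision(True, True, profile.log_failures, f"WARNING mode ({basis} insufficient)")
    return Decision(False, False, profile.log_failures, f"{basis} insufficient")


if __name__ == "__main__":
    # Constructed scenario: UACC(READ) on a non-VSAM DASD generic profile.
    sales = DataSetProfile("SALES.*", Authority.READ)
    print(check_access(sales, "USER1", (), Authority.READ))
    print(check_access(sales, "USER1", (), Authority.READ, restricted=True))
    print(check_access(DataSetProfile("TEST.*", Authority.NONE, warning=True), "USER1", (), Authority.UPDATE))
```

The RESTRICTED case is the one worth noticing: the same UACC(READ) profile that lets an ordinary user read the data set fails a RESTRICTED user who has no access-list entry, while a RESTRICTED user with an explicit entry is unaffected. WARNING mode converts every such failure into a granted access, which is why it is a migration aid rather than a permanent setting.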
Examples

Example 1
- Operation: User ADM1 wants to create a generic profile to protect all data sets having the high-level qualifier SALES. Only users with a security level of CONFIDENTIAL or higher are to be able to access the data sets.
- Known: User ADM1 has the SPECIAL attribute and the installation has defined CONFIDENTIAL as a valid security level name. User ADM1 wants to issue the command as a RACF TSO command.
- Command: ADDSD 'SALES.*' UACC(READ) AUDIT(ALL(READ)) SECLEVEL(CONFIDENTIAL)
- Defaults: OWNER(ADM1) LEVEL(0)

Example 2
- Operation: User AEH0 wants to protect the data set AEH0.DEPT1.DATA with a discrete RACF profile.
- Known: User AEH0 is RACF-defined. AEH0.DEPT1.DATA is not cataloged. It resides on volume USER03, which is a 3330 volume. User AEH0 wants to issue the command as a RACF TSO command.
- Command: ADDSD 'AEH0.DEPT1.DATA' UNIT(3330) VOLUME(USER03)
- Defaults: OWNER(AEH0) UACC(UACC of user AEH0 in current connect group) AUDIT(FAILURES(READ)) LEVEL(0) SET

Example 3
- Operation: User ADM1 wants to RACF-define the DASD data set SYS1.ICH02.DATA, which was brought from another system where it was protected by a discrete RACF profile and was RACF-indicated. On the new system, only users with a security category of DEPT1 are to be allowed to access the data set.
- Known: User ADM1 has the SPECIAL attribute. SYS1.ICH02.DATA is cataloged. User ADM1 has create authority in group SYS1 and is connected to group SYS1 with the group-SPECIAL attribute. The installation has defined DEPT1 as a valid security category. User ADM1 wants to issue the command as a RACF TSO command.
- Command: ADDSD 'SYS1.ICH02.DATA' OWNER(SYS1) UACC(NONE) AUDIT(ALL) NOSET CATEGORY(DEPT1)
- Defaults: LEVEL(0)

Example 4
- Operation: User AEHO wants to create a model profile for group RSC and place an installation-defined description in the profile.
- Known: User AEHO has at least CREATE authority in group RSC. User AEHO wants to issue the command as a RACF TSO command.
- Command: ADDSD 'RSC.ACCESS.PROFILE' MODEL DATA('PROFILE THAT CONTAINS MODELING INFORMATION')
- Defaults: OWNER(AEHO) UACC(the UACC of user AEHO in current group) AUDIT(FAILURES(READ)) LEVEL(0)

Example 5
- Operation: User AEH1 wants to protect the tape data set named AEH1.TAPE.RESULTS with a discrete RACF profile.
- Known: User AEH1 is a RACF-defined user. Data set AEH1.TAPE.RESULTS is cataloged, and tape data set protection is active. User AEH1 wants to issue the command as a RACF TSO command.
- Command: ADDSD 'AEH1.TAPE.RESULTS' UACC(NONE) AUDIT(ALL(READ)) TAPE NOTIFY FILESEQ(1) RETPD(100)
- Defaults: LEVEL(0)

Example 6
- Operation: User AEH1 wants to protect the tape data set named AEH1.TAPE.FUTURES with a discrete RACF profile, which is so much like the profile created for AEH1.TAPE.RESULTS (Example 5) that AEH1 can use the existing profile as a model for the new profile.
- Known: User AEH1 is a RACF-defined user. Data set AEH1.TAPE.FUTURES is cataloged, and tape data set protection is active. User AEH1 wants to issue the command as a RACF TSO command.
- Command: ADDSD 'AEH1.TAPE.FUTURES' FROM('AEH1.TAPE.RESULTS') FILESEQ(2)
- Defaults: LEVEL(0)

Example 7
- Operation: User ADM1 wants to create a generic profile to protect all data sets having the high-level qualifier PROJECTA. The data sets protected by the profile will be managed by DFP. Group TEST4 will be assigned as the actual owner of the data sets protected by the profile. The profile will have a universal access authority of READ. User ADM1 wants to direct the command to run at the local node under the authority of user DAP02 and prohibit the command from being automatically directed to other nodes.
- Known: Users ADM1 and DAP02 have the SPECIAL attribute. TEST4 is a RACF-defined group. Users ADM1 and DAP02 have an already established user ID association. User ADM1 wants to issue the command as a RACF TSO command.
- Command: ADDSD 'PROJECTA.*' UACC(READ) DFP(RESOWNER(TEST4)) ONLYAT(.DAP02)
- Defaults: OWNER(ADM1) LEVEL(0) AUDIT(FAILURES(READ))
- Results: The command is only processed on the local node and not automatically directed to any other nodes in the RRSF configuration.

Example 8
- Operation: User TSO7 wants to create a generic profile to protect all data sets having the high-level qualifier PROJECTB with a security label of CONF. User TSO7 is authorized to the security label. User TSO7 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @.
- Known: User TSO7 is a RACF-defined user.
- Command: @ADDSD 'PROJECTB.*' SECLABEL(CONF)
- Defaults: None.