z/OS Security Server RACF Command Language Reference


ADDSD (Add data set profile)

SA23-2292-00

Purpose

Use the ADDSD command to add RACF® protection to data sets with either discrete or generic profiles.

Changes made to discrete profiles take effect after the ADDSD command is processed. Changes made to generic profiles do not take effect until one or more of the following steps is taken:
  • The user of the data set issues the LISTDSD command:
    LISTDSD DA(data-set-protected-by-the-profile) GENERIC
    Note: Use the data set name, not the profile name.
  • The security administrator issues the SETROPTS command:
    SETROPTS GENERIC(DATASET) REFRESH

    See SETROPTS command for authorization requirements.

  • The user of the data set logs off and logs on again.

For more information, refer to z/OS Security Server RACF Security Administrator's Guide.

Issuing options

The following table identifies the eligible options for issuing the ADDSD command:

As a RACF TSO command?                  Yes
As a RACF operator command?             Yes
With command direction?                 Yes
With automatic command direction?       Yes
From the RACF parameter library?        Yes

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

Note:
  1. You need not have the SPECIAL attribute to specify the OWNER operand.
  2. To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).
  3. To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.
The level of authority you need to use the ADDSD command and the types of profiles you can define are:
  • To protect a user data set with RACF, one of the following must be true:
    • The high-level qualifier of the data set name (or the qualifier supplied by the RACF naming conventions table or by a command installation exit) must match your user ID.
    • You must have the SPECIAL attribute.
    • The user ID for the data set profile must be within the scope of a group in which you have the group-SPECIAL attribute.
  • To protect a group data set with RACF, one of the following must be true:
    • You must have at least CREATE authority in the group.
    • You must have the SPECIAL attribute.
    • You must have the OPERATIONS attribute and not be connected to the group.
    • The data set profile must be within the scope of the group in which you have the group-SPECIAL attribute.
    • The data set profile must be within the scope of the group in which you have the group-OPERATIONS attribute, and you must not be connected to the group.
      • If you have the OPERATIONS or group-OPERATIONS attribute and are connected to a group, you must have at least CREATE authority in that group to protect a group data set.
      • When creating a group data set profile, the profile creator's user ID is placed on the access list with ALTER authority unless the creation was allowed due to OPERATIONS or group-OPERATIONS authority or unless the SETROPTS NOADDCREATOR option is in effect.
  • To define to RACF a data set that was brought from another system where it was RACF-indicated and RACF-protected with a discrete profile, one of the following must be true:
    • You must either have the SPECIAL attribute, or the data set's profile is within the scope of a group in which you have the group-SPECIAL attribute.
    • Your user ID must be the high-level qualifier of the data set name (or the qualifier supplied by the naming conventions routine or a command installation exit).
  • To assign a security category to a profile, you must have the SPECIAL attribute or have the category in your user profile.
  • To assign a security level to a profile, you must have the SPECIAL attribute or, in your own profile, a security level that is equal to or greater than the security level you are defining.
  • To assign a security label to a profile, you must have the SPECIAL attribute or READ authority to the security label profile. However, the security administrator can limit the ability to assign security labels to only users with the SPECIAL attribute.
  • To access the DFP or TME segment, field-level access checking is required.
  • When either a user or group uses modeling to protect a data set with a discrete profile, RACF copies the following fields from the model profile: the level number, audit flags, global audit flags, the universal access authority (UACC), the owner, the warning, the access list, installation data, security category names, the security level name, the user to be notified, the retention period for a tape data set, and the erase indicator.
  • To add a discrete profile for a VSAM data set already RACF-protected by a generic profile, you must have ALTER access authority to the catalog or to the data set through the generic profile.
Model profiles: To specify a model data set profile (using, as required, FROM, FCLASS, FGENERIC, and FVOLUME), you must have sufficient authority over the model profile (the from profile). RACF makes the following checks until one of the conditions is met:
  • You have the SPECIAL attribute.
  • The from profile is within the scope of a group in which you have the group-SPECIAL attribute.
  • You are the owner of the from profile.
  • The high-level qualifier of the profile name (or the qualifier supplied by the naming conventions routine or a command installation exit routine) is your user ID.
  • For a discrete profile, you are on the access list in the from profile with ALTER authority. (If you have any lower level of authority, you cannot use the profile as a model.)
  • For a discrete profile, your current connect group (or, if list-of-groups checking is active, any group to which you are connected) is on the access list in the from profile with ALTER authority.
  • For a discrete profile, the UACC is ALTER.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the ADDSD command is:

[subsystem-prefix]{ADDSD | AD}
  (profile-name-1 [/password] )
  [ ADDCATEGORY(category-name …) ]
  [ AT([node].userid …) | ONLYAT([node].userid …) ]
  [ AUDIT(access-attempt[(audit-access-level)] ) ]
  [ DATA('installation-defined-data') ]
  [ DFP(RESOWNER(userid or group-name) | NORESOWNER) ]
  [ ERASE ]
  [ FCLASS(profile-name-2-class) ]
  [ FGENERIC ]
  [ FILESEQ(number) ]
  [ FROM(profile-name-2) ]
  [ FVOLUME(profile-name-2-serial) ]
  [ {GENERIC | MODEL | TAPE} ]
  [ LEVEL(nn) ]
  [ {SET | SETONLY | NOSET} ]
  [ NOTIFY[(userid)] ]
  [ OWNER(userid or group-name) ]
  [ RETPD(nnnnn) ]
  [ SECLABEL(security-label) ]
  [ SECLEVEL(security-level) ]
  [ TME([ ROLES(role-access-specification …) ]) ]
  [ UACC(access-authority) ]
  [ UNIT(type) ]
  [ VOLUME(volume-serial …) ]
  [ WARNING ]

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

Parameters

subsystem-prefix
Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

profile-name-1
Specifies the name of the discrete or generic profile to be added to the RACF database. If you specify more than one name, the list of names must be enclosed in parentheses.

The format of the profile name should follow the TSO/E data set naming conventions, except that the high-level qualifier of the profile name (or the qualifier determined by the naming conventions table or by a command installation exit) must be a user ID or a group name. See z/OS Security Server RACF Security Administrator's Guide for more information about the TSO/E data set naming conventions.

To specify a user ID other than your own, you must have the SPECIAL attribute, or the data set profile must be within the scope of a group in which you have the group-SPECIAL attribute. To define a group data set, you must have at least CREATE authority in the specified group, or the SPECIAL attribute, or the data set must be within the scope of a group in which you have the group-SPECIAL attribute.

This operand is required and must be the first operand following ADDSD. Note that, because RACF uses the RACF database and not the system catalog, you cannot use alias data set names.

For additional information, see Profile names for data sets and the section describing rules for defining data set profiles in z/OS Security Server RACF Security Administrator's Guide.

Tape data set: If you are defining a discrete profile that protects a tape data set, you must specify TAPE. If you are defining more than one tape data set profile, the data sets must all reside on the same volume, and you must specify the profile names in an order that corresponds to the file sequence numbers of the data sets on the volume.

VSAM data set: All of the components of a VSAM data set are protected by the profile that protects the cluster name. It is not necessary to create profiles that protect the index and the data components of the cluster.

Data sets cataloged by an indirect VOLSER: When you catalog a data set using an indirect VOLSER - using asterisks (******) or a symbolic such as &SYSRS in place of the VOLSER - you can protect the data set with a generic profile (preferred method) or else with one or more discrete data set profiles that contain the real unit and volume for each data set covered by the catalog entry. The latter must be done while the data set is online.

/password
Specifies the data set password if you are protecting an existing password-protected data set. If you specify a generic or model profile, RACF ignores this operand.

For a non-VSAM password-protected data set, the WRITE level password must be specified.

For a VSAM data set that is not password-protected, you do not need the password or RACF access authority for the catalog.

A password is not required when you specify NOSET.

If the command is executing in the foreground and you omit the password for a password-protected data set, the logon password is used. You are prompted if the password you enter or the logon password is incorrect. (If it is a non-VSAM multivolume data set, you are prompted once for each volume on which the data set resides.)

If the command is executing in a batch job and you either omit the password for a password-protected data set or supply an incorrect password, the operator is prompted. (If it is a non-VSAM multivolume data set, the operator is prompted once for each volume on which the data set resides.)

ADDCATEGORY(category-name …)
Specifies one or more names of installation-defined security categories. The names you specify must be defined as members of the CATEGORY profile in SECDATA class. (For information on defining security categories, see z/OS Security Server RACF Security Administrator's Guide.)

When the SECDATA class is active and you specify ADDCATEGORY, RACF performs security category checking in addition to its other authorization checking. If a user requests access to a data set, RACF compares the list of security categories in the user's profile with the list of security categories in the data set profile. If RACF finds any security category in the data set profile that is not in the user's profile, RACF denies access to the data set. If the user's profile contains all the required security categories, RACF continues with other authorization checking.

Note: RACF does not perform security category checking for a started task or user that has the RACF privileged or trusted attribute. The RACF privileged or trusted attribute can be assigned to a started task through the RACF started procedures table or STARTED class, or to other users by installation-supplied RACF exits.
AT | ONLYAT
The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
AT([node].userid …)
Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed to the local node.

ONLYAT([node].userid …)
Specifies that the command is to be directed only to the node specified by node where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed only to the local node.

AUDIT(access-attempt[(audit-access-level)])
Specifies which access attempts and access levels you want logged to the SMF data set.
access-attempt
Specifies which access attempts you want logged to the SMF data set. The following options are available:
ALL
Specifies that you want to log both authorized accesses and detected unauthorized access attempts.
FAILURES
Specifies that you want to log detected unauthorized attempts. FAILURES is the default value if you omit access-attempt.
NONE
Specifies that you do not want any logging to be done.
SUCCESS
Specifies that you want to log authorized accesses.
audit-access-level
Specifies which access levels you want logged to the SMF data set. The levels you can specify are:
ALTER
Logs ALTER access-level attempts only.
CONTROL
Logs access attempts at the CONTROL and ALTER levels.
READ
Logs access attempts at any level. READ is the default value if you omit audit-access-level.
UPDATE
Logs access attempts at the UPDATE, CONTROL, and ALTER levels.

FAILURES(READ) is the default value if you omit the AUDIT operand. You cannot audit access attempts at the EXECUTE level.
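The following Python model is an added example, not code from the RACF reference or from IBM: it parses the AUDIT operand with the defaults described above (FAILURES when the operand is omitted, READ when the audit-access-level is omitted) and decides, for a set of constructed access attempts, which ones a profile with that setting would log to SMF. The user IDs and attempts are constructed; the ranking of access authorities follows the RACF authority hierarchy, and EXECUTE-level attempts are never logged, as the text states.

```python
# Added example (not part of the RACF reference): a model of how
# AUDIT(access-attempt[(audit-access-level)]) selects what is logged to SMF.

# RACF access authorities in ascending order of privilege.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

ACCESS_ATTEMPTS = {"ALL", "FAILURES", "NONE", "SUCCESS"}
AUDIT_LEVELS = {"READ", "UPDATE", "CONTROL", "ALTER"}


def parse_audit(operand=None):
    """Parse the text inside AUDIT(...) into (access_attempt, audit_level).

    Omitting the operand gives FAILURES(READ); omitting the level gives READ.
    """
    if operand is None or not operand.strip():
        return "FAILURES", "READ"
    text = operand.strip().upper()
    attempt, level = text, "READ"
    if "(" in text:
        if not text.endswith(")"):
            raise ValueError(f"unbalanced parentheses in AUDIT({operand})")
        attempt, level = text[:-1].split("(", 1)
        level = level.strip()
    attempt = attempt.strip() or "FAILURES"
    if attempt not in ACCESS_ATTEMPTS:
        raise ValueError(f"invalid access-attempt {attempt!r}")
    if level not in AUDIT_LEVELS:
        raise ValueError(f"invalid audit-access-level {level!r}")
    return attempt, level


def is_logged(audit, attempted_access, succeeded):
    """True if an attempt at attempted_access with the given outcome is logged."""
    attempt, level = audit
    if attempt == "NONE":
        return False
    if attempted_access == "EXECUTE":
        # Access attempts at the EXECUTE level cannot be audited.
        return False
    if ACCESS_RANK[attempted_access] < ACCESS_RANK[level]:
        # Below the audit-access-level threshold: READ logs any level,
        # UPDATE logs UPDATE/CONTROL/ALTER, and so on.
        return False
    if attempt == "ALL":
        return True
    if attempt == "SUCCESS":
        return succeeded
    return not succeeded  # FAILURES


# Constructed sample attempts: (user ID, access requested, access granted?)
SAMPLE_ATTEMPTS = [
    ("USER01", "READ", True),
    ("USER02", "UPDATE", False),
    ("USER03", "ALTER", True),
    ("USER04", "EXECUTE", False),
]


def logged_attempts(operand=None, attempts=SAMPLE_ATTEMPTS):
    """Return the user IDs whose attempts a profile with AUDIT(operand) would log."""
    audit = parse_audit(operand)
    return [user for user, access, ok in attempts if is_logged(audit, access, ok)]


if __name__ == "__main__":
    for operand in (None, "ALL", "SUCCESS(UPDATE)", "FAILURES(ALTER)", "NONE"):
        print(f"AUDIT({operand or ''}) -> {logged_attempts(operand)}")
```

Running the block shows that the default FAILURES(READ) logs only USER02's failed UPDATE, SUCCESS(UPDATE) logs only USER03's successful ALTER, and USER04's EXECUTE attempt is never logged under any setting.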

DATA('installation-defined-data')
Specifies up to 255 characters of installation-defined data to be stored in the data set profile and must be enclosed in single quotation marks. It might also contain double-byte character set (DBCS) data.

Use the LISTDSD command to list this information.

DFP
Specifies that for an SMS-managed data set, you can enter the following information:
RESOWNER(userid or group-name) | NORESOWNER
Specifies the user ID or group of the actual owner of the data sets protected by the profile specified in profile-name-1. This name must be that of a RACF-defined user or group. (The data set resource owner, specified with RESOWNER, is distinguished from the owner specified with OWNER, which represents the user or group that owns the data set profile).

If NORESOWNER is specified, the user or group represented by the high level qualifier of the data set profile is assigned as the owner of data sets protected by the profile when SMS needs to determine the RESOWNER.

ERASE
Specifies that when SETROPTS ERASE is active, data management is to physically erase the contents of deleted data sets and scratched or released DASD extents. Erasing the data set means overwriting its contents with binary zeroes so that it cannot be read.
Restrictions: The ERASE operand is ignored when any of the following conditions exist:
FCLASS(profile-name-2-class)
Specifies the name of the class to which profile-name-2 belongs. The valid class names are DATASET and those classes defined in the class descriptor table. If you omit this operand, RACF assumes the DATASET class. This operand is valid only when you also specify the FROM operand; otherwise, RACF ignores it.
FGENERIC
Specifies that RACF is to treat profile-name-2 as a generic name, even if it is fully qualified (meaning that it does not contain any generic characters). This operand is only needed when profile-name-2 is a DATASET profile.
FILESEQ(number)
Specifies the file sequence number for a tape data set. The number can range from 1 through 65535.

If you specify more than one profile name, RACF assigns the file sequence number that you specify to the first profile name, then increments the number by one for each additional name. Thus, be sure to specify profile names in the order of their file sequence numbers.

If you omit FILESEQ, the default is FILESEQ(1). If you omit VOLUME, RACF retrieves the volume serial number from the catalog.

If you omit TAPE, RACF ignores FILESEQ.

FROM(profile-name-2)
Specifies the name of an existing discrete or generic profile that RACF is to use as a model for the new profile. The model profile name you specify on the FROM operand overrides any model name specified in your user or group profile. If you specify FROM and omit FCLASS, RACF assumes that profile-name-2 is the name of a profile in the DATASET class.

To specify FROM, you must have sufficient authority to both profile-name-1 and profile-name-2, as described in Authorization required.

Naming conventions processing affects profile-name-2 in the same way that it affects profile-name-1.

Mixed-case profile names are accepted and preserved when FCLASS refers to a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS).

If the profile being added is for a group data set and the user has the GRPACC attribute for that group, RACF places the group on the access list with UPDATE access authority. Otherwise, if the group is already on the access list, RACF changes the group's access authority to UPDATE.

Possible Changes to Copied Profiles When Modeling Occurs: When a profile is copied during profile modeling, the new profile could differ from the model in the following ways:
  • Certain conditional access list conditions are valid only for specific classes. For example, WHEN(SYSID) is valid only for the PROGRAM class and WHEN(CRITERIA) is valid only for general resource classes (not data sets). When copying the conditional access list from profile-name-2 to profile-name-1, the profile might differ if the condition is not valid for the data set class. For example, if profile-name-2 is a PROGRAM profile with SYSID or CRITERIA entries in the conditional access list, those entries are not copied to the new data set profile (profile-name-1).
  • RACF places the user on the access list with ALTER access authority or, if the user is already on the access list, changes the user's access authority to ALTER. This does not occur if the NOADDCREATOR option is in effect.

    If the profile being added is for a group data set and the user has the GRPACC attribute for that group, RACF places the group on the access list with UPDATE access authority. If the group is already on the access list, RACF changes the group's access authority to UPDATE. These access list changes do not occur if the data set profile is created only because the user has the OPERATIONS attribute.

  • The security label, if specified in the model profile, is not copied. Instead, the user's current security label is used.
  • Information in the non-RACF segments (for example, the DFP segment) is not copied.
FVOLUME(profile-name-2-serial)
Specifies the volume RACF is to use to locate the model profile (profile-name-2).

If you specify FVOLUME and RACF does not find profile-name-2 associated with that volume, the command fails. If you omit this operand and the data set name appears more than once in the RACF database, the command fails.

FVOLUME is valid only when FCLASS either specifies or defaults to DATASET and when profile-name-2 specifies a discrete profile. Otherwise, RACF ignores FVOLUME.

GENERIC | MODEL | TAPE
GENERIC
Specifies that RACF is to treat profile-name-1 as a fully qualified generic name, even if it does not contain any generic characters.
MODEL
Specifies that you are defining a model profile to be used when new data sets are created. The SETROPTS command (specifying MODEL operand with either GROUP or USER) controls whether this profile is used for data sets with group names or user ID names.

When you specify MODEL, you can omit UNIT and VOLUME.

When you specify MODEL, the SET, GENERIC, and TAPE operands are ignored, and NOSET is used as the default.

MODEL and GENERIC operands are mutually exclusive. You cannot specify a generic profile for automatic profile modelling through the MODEL operand of ADDUSER, ALTUSER, ADDGROUP, or ALTGROUP. However, you can explicitly use a generic profile as a model with the FROM operand, and if needed, the FGENERIC operand of the ADDSD command.

For information about automatic profile modeling, refer to z/OS Security Server RACF Security Administrator's Guide.

TAPE
Specifies that the data set profile is to protect a tape data set. If tape data set protection is not active, RACF treats TAPE as an invalid operand and issues an appropriate error message. If profile-name-1 is a generic profile name, RACF ignores this operand. (RACF processes a tape data set protected by a generic profile in the same way as it processes a DASD data set protected by a generic profile.)
LEVEL(nn)
Specifies a level indicator, where nn is an integer from 0 through 99. The default is 0.

Your installation assigns the meaning of the value.

RACF includes it in all records that log data set accesses and in the LISTDSD command display.

SET | SETONLY | NOSET
If you do not specify SET, SETONLY, or NOSET, the default value is SET.
SET
Specifies that the data set is to be RACF-indicated. SET is the default value when you are RACF-protecting a data set. If the indicator is already on, the command fails. If you specify a generic profile name or the GENERIC operand, RACF ignores this operand.
SETONLY
Specifies that for a tape data set, RACF is to create only an entry in the TVTOC; it is not to create a discrete data set profile. Specifying SETONLY allows you to protect a tape data set with a TVTOC and a generic profile.

Thus, you would normally specify SETONLY with TAPE, and, when you do, RACF ignores the OWNER, UACC, AUDIT, DATA, WARNING, LEVEL, and RETPD operands. If you specify SETONLY without TAPE, RACF treats SETONLY as SET.

NOSET
Specifies that the data set is not to be RACF-indicated.

For a DASD data set, use NOSET when you are defining a data set to RACF that has been brought from another system where it was RACF-protected. (The data set is already RACF-indicated.)

For a tape data set, use NOSET when, because of a previous error, the TVTOC indicates that the data set is RACF-indicated, but the discrete profile is missing.

If you specify NOSET, for a discrete profile, when the data set is not already RACF-indicated, RACF access control to that data set is not enforced.

If you specify NOSET, the volumes on which the data set or catalog resides need not be online, and the password in the first operand of this command is not required.

To use NOSET, one of the following must be true:
  • You must have the SPECIAL attribute.
  • The profile must fall within the scope of a group in which you have the group-SPECIAL attribute.
  • The high-level qualifier of the data set name (or the qualifier supplied by a command installation exit routine) must be your user ID.

If you specify a generic profile name, RACF ignores this operand.

Note: If you specify a profile name that exists as a generation data group (GDG) data set base name with NOSET - but do not specify a unit and volume, RACF creates a model profile for the data set instead of a discrete profile. In this situation, the model profile provides the same protection as a discrete profile.
NOTIFY[(userid)]
Specifies the user ID of a RACF-defined user to be notified whenever RACF uses this profile to deny access to a data set. If you specify NOTIFY without userid, RACF takes your user ID as the default; you are notified whenever the profile denies access to a data set.

A user who is to receive NOTIFY messages should log on frequently, both to take action in response to the unauthorized access attempts the messages describe and to clear the messages from the SYS1.BRODCAST data set. (When the profile also includes WARNING, RACF might have granted access to the data set to the user identified in the message.)

Note: The user ID specified on the NOTIFY operand is not notified when the profile disallows creation or deletion of a data set. NOTIFY is used only for resource access checking, not for resource creation or deletion.
OWNER(userid or group-name)
Specifies a RACF-defined user or group to be assigned as the owner of the data set profile. When you define a group data set, the user you designate as owner must have at least USE authority in the group specified by the high-level qualifier of the data set name (or the qualifier determined by the naming conventions routine or by a command installation exit routine).

If you omit this operand, you are defined as the owner of the data set profile. However, if the high-level qualifier is a user ID that is different from your user ID, the OWNER of the profile is the user ID specified in the high-level qualifier. In addition, if you are using naming convention processing, either through the naming convention table or an exit, the owner of the profile is determined by the naming convention processing. If you have the SPECIAL attribute and define a profile for a group data set while SETROPTS ADDCREATOR is in effect, your user ID is added to the access list for the data set with ALTER access authority, whether or not you specify the OWNER operand. If you have the SPECIAL attribute and define a profile for a user data set, your user ID is not added to the access list for the data set.

If you specify OWNER(userid), the user you specify as the owner does not automatically have access to the data set. Use the PERMIT command to add the owner to the access list as desired. If you specify OWNER(group-name), RACF treats any users who have the group-SPECIAL attribute in the group as owners of the data set profile.

RETPD(nnnnn)
Specifies the RACF security retention period for a tape data set. The security retention period is the number of days that must elapse before a tape data set profile expires. (Note that, even though the data set profile expires, RACF-protection for data sets protected by the profile is still in effect. For more information, see z/OS Security Server RACF Security Administrator's Guide.)

The number you specify, nnnnn, must be one to five digits in the range of 0 through 65533. To indicate a data set that never expires, specify nnnnn as 99999. When 99999 is used, the SETROPTS command stores it internally as 65534.

The RACF security retention period is the same as the data set retention period specified by the EXPDT/RETPD parameters on the JCL DD statement only when the data set profile is discrete and you do not modify the RACF security retention period.

When the TAPEVOL class is active, RACF checks the RACF security retention period before it allows a data set to be overwritten. RACF adds the number of days in the retention period to the creation date for the data set. If the result is less than the current date, RACF continues to protect the data set.

When the TAPEVOL class is not active, RACF ignores the RETPD operand.

If you omit RETPD and your installation has established a default security retention period (through the RETPD operand on the SETROPTS command), RACF uses the default. If you omit RETPD and your installation has not established a default, RACF uses 0 as a default.

Specifying this operand for a DASD data set does not cause an error, but it has no meaning because RACF ignores the operand during authorization checking.

SECLABEL(security-label)
Specifies the name of an installation-defined security label representing an association between a particular security level and a set of zero or more categories.

A security label corresponds to a particular security level (such as CONFIDENTIAL) with a set of zero or more security categories (such as PAYROLL or PERSONNEL).

RACF stores the name of the security label you specify in the data set profile if you are authorized to use that label.

If you are not authorized to use the security label or if the name you had specified is not defined as a SECLABEL profile in the SECLABEL class, the data set profile is not created.

SECLEVEL(security-level)
Specifies the name of an installation-defined security level. This name corresponds to the number that is the minimum security level a user must have to access the data set. security-level must be a member of the SECLEVEL profile in the SECDATA class.

When you specify SECLEVEL and the SECDATA class is active, RACF adds security level access checking to its other authorization checking. If global access checking does not grant access, RACF compares the security level allowed in the user profile with the security level required in the data set profile. If the security level in the user profile is less than the security level in the data set profile, RACF denies the access. If the security level in the user profile is equal to or greater than the security level in the data set profile, RACF continues with other authorization checking.

Note: RACF does not perform security level checking for a started task or user that has the RACF privileged or trusted attribute. The RACF privileged or trusted attribute can be assigned to a started task through the RACF started procedures table or STARTED class, or to other users by installation-supplied RACF exits.

If the SECDATA class is not active, RACF still stores the security-level you specified in the data set profile, but cannot perform security level checking until you have activated the SECDATA class. If the name you specify is not defined as a SECLEVEL profile and the SECDATA class is active, you are prompted to provide a valid name for security-level.
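The Python model below is an added example, not code from the RACF reference or from IBM. It covers both the security category checking that ADDCATEGORY enables and the security level checking that SECLEVEL enables, as described above: every category in the data set profile must also be in the user's profile, the user's level must be equal to or greater than the data set's level, both checks are skipped when the SECDATA class is inactive or the user is privileged or trusted, and a pass only means RACF goes on to its other authorization checking. The user IDs, data set name, SECLEVEL names and their numeric values are constructed, and treating a profile with no SECLEVEL as the lowest level is an assumption of the model.

```python
# Added example (not part of the RACF reference): a model of RACF security
# category and security level checking for a data set profile.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Members of the SECLEVEL profile in the SECDATA class map names to numbers.
# These names and numbers are constructed for the example.
SECLEVEL_TABLE = {"UNCLASSIFIED": 10, "CONFIDENTIAL": 50, "SECRET": 90}


@dataclass(frozen=True)
class UserProfile:
    userid: str
    seclevel: Optional[str] = None
    categories: FrozenSet[str] = frozenset()
    privileged_or_trusted: bool = False  # started task or user with the attribute


@dataclass(frozen=True)
class DatasetProfile:
    name: str
    seclevel: Optional[str] = None          # from SECLEVEL(...)
    categories: FrozenSet[str] = frozenset()  # from ADDCATEGORY(...)


def level_number(name: Optional[str]) -> int:
    # Assumption of this model: no SECLEVEL in a profile behaves as the lowest level.
    if name is None:
        return 0
    return SECLEVEL_TABLE[name]


def secdata_checks(user: UserProfile, dataset: DatasetProfile,
                   secdata_active: bool = True) -> Tuple[bool, str]:
    """Return (continue, reason).

    True means the category and level checks passed and RACF continues with
    its other authorization checking (access list, UACC, ...); it is not a
    final access decision. False means RACF denies the access here.
    """
    if not secdata_active:
        return True, "SECDATA class inactive: values stored but not checked"
    if user.privileged_or_trusted:
        return True, "privileged or trusted: category and level checking skipped"
    missing = dataset.categories - user.categories
    if missing:
        return False, "category missing from user profile: " + ", ".join(sorted(missing))
    if level_number(user.seclevel) < level_number(dataset.seclevel):
        return False, f"user level {user.seclevel} is below required {dataset.seclevel}"
    return True, "category and level checks passed; other checking continues"


# Constructed sample profiles.
PAYROLL_DS = DatasetProfile("SALES.PAYROLL.DATA", "CONFIDENTIAL",
                            frozenset({"PAYROLL", "PERSONNEL"}))
SAMPLE_USERS = [
    UserProfile("USER01", "CONFIDENTIAL", frozenset({"PAYROLL"})),
    UserProfile("USER02", "SECRET", frozenset({"PAYROLL", "PERSONNEL"})),
    UserProfile("USER03", "UNCLASSIFIED", frozenset({"PAYROLL", "PERSONNEL"})),
    UserProfile("STCTASK", None, frozenset(), privileged_or_trusted=True),
]


def evaluate_all(dataset=PAYROLL_DS, users=SAMPLE_USERS, secdata_active=True):
    """Map each user ID to whether the SECDATA checks let RACF continue."""
    return {u.userid: secdata_checks(u, dataset, secdata_active)[0] for u in users}


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        ok, reason = secdata_checks(u, PAYROLL_DS)
        print(f"{u.userid}: {'continue' if ok else 'deny'} ({reason})")
```

With these samples USER01 is denied because PERSONNEL is missing from the user's categories, USER03 is denied because UNCLASSIFIED is below CONFIDENTIAL, USER02 and the trusted started task pass, and with the SECDATA class inactive every user passes these particular checks.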

TME
Specifies that information for the Tivoli® Security Management Application is to be added.
Note: The TME segment fields are intended to be updated only by the Tivoli Security Management application, which manages updates, permissions, and cross references. A security administrator should only directly update TME fields on an exception basis.
ROLES(role-access-specification …)
Specifies a list of roles and associated access levels related to this profile.
One or more role-access-specification values can be specified, each separated by blanks. Each value should contain no imbedded blanks and should have the following format:
role-name:authority[:conditional-class:conditional-profile]
where role-name is a discrete general resource profile defined in the ROLE class. The authority is the access authority (NONE, EXECUTE, READ, UPDATE, CONTROL, or ALTER) with which groups in the role definition should be permitted to the resource.

The conditional-class is a class name (APPCPORT, CONSOLE, JESINPUT, PROGRAM, TERMINAL, or SYSID) for conditional access permission, and is followed by the conditional-profile value, a resource profile defined in the conditional class.
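As an added example (not code from the RACF reference or from the Tivoli Security Management application), the parser below validates role-access-specification values in the format just described, role-name:authority[:conditional-class:conditional-profile], checking the authority against the listed access authorities and the conditional class against the listed class names. The sample ROLES strings are constructed.

```python
# Added example (not part of the RACF reference): parse and validate the
# role-access-specification values given to TME(ROLES(...)).
from typing import List, NamedTuple, Optional

AUTHORITIES = ("NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER")
CONDITIONAL_CLASSES = ("APPCPORT", "CONSOLE", "JESINPUT", "PROGRAM", "TERMINAL", "SYSID")


class RoleAccess(NamedTuple):
    role: str                          # discrete profile in the ROLE class
    authority: str                     # access authority for the role's groups
    conditional_class: Optional[str] = None
    conditional_profile: Optional[str] = None


def parse_role_access_spec(spec: str) -> RoleAccess:
    """Parse one role-name:authority[:conditional-class:conditional-profile] value."""
    if not spec or any(ch.isspace() for ch in spec):
        raise ValueError(f"specification must not be empty or contain blanks: {spec!r}")
    parts = spec.split(":")
    if len(parts) not in (2, 4):
        raise ValueError(f"expected 2 or 4 colon-separated fields, got {len(parts)}: {spec!r}")
    role, authority = parts[0], parts[1].upper()
    if not role:
        raise ValueError(f"missing role-name in {spec!r}")
    if authority not in AUTHORITIES:
        raise ValueError(f"invalid authority {parts[1]!r}; expected one of {AUTHORITIES}")
    if len(parts) == 2:
        return RoleAccess(role, authority)
    cond_class, cond_profile = parts[2].upper(), parts[3]
    if cond_class not in CONDITIONAL_CLASSES:
        raise ValueError(f"invalid conditional-class {parts[2]!r}; expected one of {CONDITIONAL_CLASSES}")
    if not cond_profile:
        raise ValueError(f"missing conditional-profile in {spec!r}")
    return RoleAccess(role, authority, cond_class, cond_profile)


def parse_roles_operand(text: str) -> List[RoleAccess]:
    """Parse the blank-separated list that appears inside ROLES( ... )."""
    return [parse_role_access_spec(token) for token in text.split()]


# Constructed sample operand text.
SAMPLE_ROLES = "PAYCLERK:READ PAYADMIN:UPDATE:TERMINAL:TERM0001 BATCHJOB:ALTER:PROGRAM:PAYBATCH"

if __name__ == "__main__":
    for entry in parse_roles_operand(SAMPLE_ROLES):
        print(entry)
```

Because the list is split on blanks before each value is parsed, a value that contained an embedded blank would be seen as two malformed values and rejected, which matches the rule that each value contains no embedded blanks.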

UACC(access-authority)
Specifies the universal access authority to be associated with the data sets. The universal access authorities are ALTER, CONTROL, UPDATE, READ, EXECUTE, and NONE. If you omit UACC or specify UACC with no access authority, RACF uses the default value in your current connect group. If you specify CONTROL for a tape data set or a non-VSAM DASD data set, RACF treats the access authority as UPDATE. If you specify EXECUTE for a tape data set, or a DASD data set not used as a program library, RACF treats the access authority as NONE.

If a user accessing a data set has the RESTRICTED attribute, RACF treats the universal access authority (UACC) as NONE for that access attempt.
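As an added example, not IBM's own code, the Python below models the UACC rules just stated (omitted value, CONTROL on tape or non-VSAM DASD, EXECUTE outside a program library, and the RESTRICTED attribute); the data set kind labels, the program_library flag and the function names are this example's own way of naming the cases the text distinguishes.

```python
# Added example (not IBM's code): model how RACF treats the UACC operand of ADDSD
# according to the rules in the text above. DATA_SET_KINDS and program_library are
# this example's own labels for the cases the reference distinguishes.
from typing import Optional

ACCESS_LEVELS = ("NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER")
DATA_SET_KINDS = ("TAPE", "DASD_NONVSAM", "DASD_VSAM")


def treated_uacc(specified: Optional[str], kind: str, *,
                 program_library: bool = False,
                 connect_group_default: str = "NONE") -> str:
    """Return the universal access authority RACF treats the profile as having.

    specified=None or "" models omitting UACC (or UACC with no value): the default
    UACC of the issuer's current connect group is used instead.
    """
    if kind not in DATA_SET_KINDS:
        raise ValueError(f"unknown data set kind {kind!r}")
    uacc = (specified or connect_group_default).upper()
    if uacc not in ACCESS_LEVELS:
        raise ValueError(f"invalid access authority {uacc!r}")
    # CONTROL on a tape data set or a non-VSAM DASD data set is treated as UPDATE.
    if uacc == "CONTROL" and kind in ("TAPE", "DASD_NONVSAM"):
        return "UPDATE"
    # EXECUTE is honoured only for a DASD data set used as a program library
    # (program libraries are non-VSAM); for tape, or any other DASD data set,
    # it is treated as NONE.
    if uacc == "EXECUTE" and not (kind == "DASD_NONVSAM" and program_library):
        return "NONE"
    return uacc


def effective_uacc(treated: str, *, restricted_user: bool) -> str:
    """UACC as applied to one access attempt: a RESTRICTED user gets no benefit from UACC."""
    return "NONE" if restricted_user else treated


if __name__ == "__main__":
    # Constructed cases: CONTROL on tape, EXECUTE on a load library, RESTRICTED user.
    print(treated_uacc("CONTROL", "TAPE"))                                          # UPDATE
    print(treated_uacc("EXECUTE", "DASD_NONVSAM", program_library=True))           # EXECUTE
    print(effective_uacc(treated_uacc("READ", "DASD_VSAM"), restricted_user=True)) # NONE
```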

UNIT(type)
Specifies the unit type on which a tape data set or a non-VSAM DASD data set resides. You can specify an installation-defined unit name, a generic device type, or a specific device address. If you specify UNIT and VOLUME for a DASD data set, RACF assumes that the data set is a non-VSAM data set; therefore, do not use UNIT and VOLUME for a VSAM data set.

If the data set is not cataloged, UNIT and VOLUME are required. You must specify UNIT and VOLUME for data sets cataloged with an esoteric name (such as an installation-defined unit name).

If you specify a generic or model profile name, RACF ignores this operand.

VOLUME(volume-serial …)
Specifies the volumes on which a tape data set or a non-VSAM DASD data set resides. If you specify UNIT and VOLUME for a DASD data set, RACF assumes that the data set is a non-VSAM data set; therefore, do not use UNIT and VOLUME for a VSAM data set.

If the data set is not cataloged, UNIT and VOLUME are required. You must specify UNIT and VOLUME for data sets cataloged with an esoteric name (such as an installation-defined unit name).

If you specify a tape data set profile name, you can specify only one volume.

If you specify a generic or model profile name, RACF ignores this operand.

WARNING
Specifies that even if access authority is insufficient, RACF is to issue a warning message and allow access to the resource. RACF also records the access attempt in the SMF record if logging is specified in the profile.

When SETROPTS MLACTIVE(FAILURES) is in effect: A user or task can access a data set that is in WARNING mode and has no security label even when MLACTIVE(FAILURES) is in effect and the class requires security labels. The user or task receives a warning message and gains access.

Examples

Example 1
Operation: User ADM1 wants to create a generic profile to protect all data sets having the high-level qualifier SALES. Only users with a security level of CONFIDENTIAL or higher are to be able to access the data sets.
Known: User ADM1 has the SPECIAL attribute and the installation has defined CONFIDENTIAL as a valid security level name. User ADM1 wants to issue the command as a RACF TSO command.
Command: ADDSD 'SALES.*' UACC(READ) AUDIT(ALL(READ)) SECLEVEL(CONFIDENTIAL)
Defaults: OWNER(ADM1) LEVEL(0)

Example 2
Operation: User AEH0 wants to protect the data set AEH0.DEPT1.DATA with a discrete RACF profile.
Known: User AEH0 is RACF-defined. AEH0.DEPT1.DATA is not cataloged. It resides on volume USER03, which is a 3330 volume. User AEH0 wants to issue the command as a RACF TSO command.
Command: ADDSD 'AEH0.DEPT1.DATA' UNIT(3330) VOLUME(USER03)
Defaults: OWNER(AEH0) UACC(UACC of user AEH0 in current connect group) AUDIT(FAILURES(READ)) LEVEL(0) SET

Example 3
Operation: User ADM1 wants to RACF-define the DASD data set SYS1.ICH02.DATA, which was brought from another system where it was protected by a discrete RACF profile and was RACF-indicated. On the new system, only users with a security category of DEPT1 are to be allowed to access the data set.
Known: User ADM1 has the SPECIAL attribute. SYS1.ICH02.DATA is cataloged. User ADM1 has create authority in group SYS1 and is connected to group SYS1 with the group-SPECIAL attribute. The installation has defined DEPT1 as a valid security category. User ADM1 wants to issue the command as a RACF TSO command.
Command: ADDSD 'SYS1.ICH02.DATA' OWNER(SYS1) UACC(NONE) AUDIT(ALL) NOSET CATEGORY(DEPT1)
Defaults: LEVEL(0)

Example 4
Operation: User AEHO wants to create a model profile for group RSC and place an installation-defined description in the profile.
Known: User AEHO has at least CREATE authority in group RSC. User AEHO wants to issue the command as a RACF TSO command.
Command: ADDSD 'RSC.ACCESS.PROFILE' MODEL DATA('PROFILE THAT CONTAINS MODELING INFORMATION')
Defaults: OWNER(AEHO) UACC(the UACC of user AEHO in current group) AUDIT(FAILURES(READ)) LEVEL(0)

Example 5
Operation: User AEH1 wants to protect the tape data set named AEH1.TAPE.RESULTS with a discrete RACF profile.
Known: User AEH1 is a RACF-defined user. Data set AEH1.TAPE.RESULTS is cataloged, and tape data set protection is active. User AEH1 wants to issue the command as a RACF TSO command.
Command: ADDSD 'AEH1.TAPE.RESULTS' UACC(NONE) AUDIT(ALL(READ)) TAPE NOTIFY FILESEQ(1) RETPD(100)
Defaults: LEVEL(0)

Example 6
Operation: User AEH1 wants to protect the tape data set named AEH1.TAPE.FUTURES with a discrete RACF profile, which is so much like the profile created for AEH1.TAPE.RESULTS (Example 5) that AEH1 can use the existing profile as a model for the new profile.
Known: User AEH1 is a RACF-defined user. Data set AEH1.TAPE.FUTURES is cataloged, and tape data set protection is active. User AEH1 wants to issue the command as a RACF TSO command.
Command: ADDSD 'AEH1.TAPE.FUTURES' FROM('AEH1.TAPE.RESULTS') FILESEQ(2)
Defaults: LEVEL(0)

Example 7
Operation: User ADM1 wants to create a generic profile to protect all data sets having the high-level qualifier PROJECTA. The data sets protected by the profile will be managed by DFP. Group TEST4 will be assigned as the actual owner of the data sets protected by the profile. The profile will have a universal access authority of READ.
User ADM1 wants to direct the command to run at the local node under the authority of user DAP02 and prohibit the command from being automatically directed to other nodes.
Known: Users ADM1 and DAP02 have the SPECIAL attribute. TEST4 is a RACF-defined group. Users ADM1 and DAP02 have an already established user ID association. User ADM1 wants to issue the command as a RACF TSO command.
Command: ADDSD 'PROJECTA.*' UACC(READ) DFP(RESOWNER(TEST4)) ONLYAT(.DAP02)
Defaults: OWNER(ADM1) LEVEL(0) AUDIT(FAILURES(READ))
Results: The command is processed only on the local node and is not automatically directed to any other nodes in the RRSF configuration.

Example 8
Operation: User TSO7 wants to create a generic profile to protect all data sets having the high-level qualifier PROJECTB with a security label of CONF. User TSO7 is authorized to the security label. User TSO7 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @.
Known: User TSO7 is a RACF-defined user.
Command: @ADDSD 'PROJECTB.*' SECLABEL(CONF)
Defaults: None.

Copyright IBM Corporation 1990, 2014