z/OS Security Server RACF Security Administrator's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Security for system data sets

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

This topic contains some guidelines for defining UACC values for system data sets.

Table 1 lists the UACC values that should be assigned to many of the system data sets. Note that your security policy might require a UACC of NONE for some data sets. For example, you can specify UACC(NONE) for macro libraries if you give READ access to programmers who need to assemble or compile programs that use those libraries. For a discussion of system data sets, see Protecting DASD system data sets.

For guidelines about the security labels to assign system data sets on a multilevel-secure system, see z/OS Planning for Multilevel Security and the Common Criteria.

You should consider creating a generic profile to protect system data sets, as follows: 
ADDSD 'SYS1.*' UACC(NONE) SECLABEL(SYSHIGH)

Specifying a UACC of NONE for the SYS1.* profile protects any system data sets that are added to the system by new products. If new system data sets need a UACC higher than NONE or a SECLABEL of SYSLOW, you can create more specific profiles for them.

You should also create specific profiles for particular data sets (or groups of data sets, such as SYS1.DUMPxx data sets), using the information in Table 1.

For any data set that is listed with a UACC of READ or higher, you should consider creating an entry in the global access checking table. For more information, see Setting up the global access checking table.

For system data sets that are listed in the table with a UACC higher than NONE, you might prefer to specify UACC(NONE) and create an access list entry of ID(*) ACCESS(access-authority). This entry prevents restricted users and users who are not defined to RACF® from accessing the data sets.

Restricted users enter the system with a user ID that is defined with the RESTRICTED attribute, and might be shared by many users. Restricted users are prevented from gaining access to protected resources through the global access checking table, UACC, or the ID(*) entry on the access list. User IDs defined with the RESTRICTED attribute must be specifically authorized with sufficient authority on the access list of any protected resource they must access. Therefore, to allow restricted users to access any data set listed with UACC of READ or higher in Table 1, each user ID with the RESTRICTED attribute must be specifically authorized at the level of access indicated by the UACC value.

Table 1. UACC values for system data sets
Data set UACC Comments
APF libraries NONE Authorized program facility libraries.
Checkpoint data sets NONE  
Distribution library data sets NONE  
ISPF panel libraries READ Panel definitions, skeletons, CLISTs, and so forth. Specify UACC(NONE) if access must be restricted.
JES2 offload data sets NONE  
Load libraries READ  
Master catalog READ  
Page data sets NONE Includes PLPA, common, and local page data sets. See z/OS MVS Initialization and Tuning Guide.
PSF secure font data sets NONE  
PSF secure overlay data sets NONE  
PSF secure page segment data sets NONE  
RMF™ data sets NONE VSAM data sets.
Security definitions data sets NONE  
SMP data sets NONE  
Swap data sets NONE  
SYS1.AMACLIB READ  
SYS1.AMODGEN READ  
SYS1.ASAMPLIB READ  
SYS1.BRODCAST READ  
SYS1.CMDLIB READ  
SYS1.DAE NONE  
SYS1.DUMPxx NONE See z/OS MVS Initialization and Tuning Reference.
SYS1.HELP READ TSO online help.
SYS1.IMAGELIB NONE  
SYS1.JESPARM NONE  
SYS1.JES3LIB READ  
SYS1.LINKLIB READ  
SYS1.LOGREC NONE  
SYS1.LPALIB READ UACC can be NONE or READ depending on your installation's security policy.
SYS1.MACLIB READ  
SYS1.MANx NONE SMF data sets. See z/OS MVS Initialization and Tuning Reference.
SYS1.MIGLIB READ  
SYS1.MODGEN READ  
SYS1.NUCLEUS READ  
SYS1.OVERLIB READ  
SYS1.PARMLIB READ UACC should be NONE if any members contain passwords, or other sensitive information, such as the ACBPW password in the TSOKEYxx member.
SYS1.PROCLIB READ  
SYS1.RACF NONE Includes data sets that comprise the active and backup RACF databases, split data sets created with the IRRUT400 utility, and archival copies. Your installation might use other data set names.
SYS1.SAMPLIB READ  
SYS1.SAXREXEC READ System REXX library, or any libraries defined in the REXXLIB concatenation. UACC can be NONE or READ depending on your installation's security policy.
SYS1.STGINDEX NONE  
SYS1.SVCLIB NONE  
SYS1.TELCMLIB READ  
SYS1.UADS NONE  
SYS1.VTOCIX… NONE  
SYS1.VVDS… NONE  
SYS1.VTAMLIB READ  
SYS1.VTAMLST NONE  
Trace data sets NONE  
User catalogs UPDATE  
User dump data sets NONE  

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014