Required RACF Authorization Tables
Function Performed | Required RACF® for User Catalog | Required RACF for Master Catalog | Comments |
---|---|---|---|
Alter UCAT | Alter | Alter | Either UCAT or MCAT authorization is sufficient, see note 1. |
Define Alias of UCAT | None | Update | MCAT update authority is not checked if the user has authority for the FACILITY class STGADMIN.IGG.DEFDEL.UALIAS. READ access to STGADMIN.IGG.DEFDEL.ALIAS is all that is required to perform this operation. |
Define UCAT/MCAT | Alter | Update | |
Delete Alias of UCAT | Alter | Alter | UCAT/MCAT update authority is not checked if the user has authority for the FACILITY class STGADMIN.IGG.DEFDEL.UALIAS. Either UCAT or MCAT authorization is sufficient, see note 1. READ access to STGADMIN.IGG.DEFDEL.ALIAS is all that is required to perform this operation. |
Delete UCAT | Alter | None | |
Export Disconnect of UCAT | Alter | None | |
Import Connect Alias of UCAT | Alter | Update | |
Import Connect of UCAT | Alter | Update | |
Alter | Alter | ||

Notes:

Note: If not indicated in the comments, the same authorization applies to both non-SMS and SMS.

Function Performed | Required RACF for Data Set | Required RACF for Catalog | Comments |
---|---|---|---|
Alter Cluster | Alter | None | |
Alter Cluster Component | Alter | None | |
Alter Cluster Newname | Alter | None | |
Alter Component Newname | Alter | None | |
Alter Pagespace | Alter | None | |
Define alternate index | Alter | Update | See notes 2 and 3. |
Define Cluster | Alter | Update | See note 3. |
Define Cluster Model | Alter | Update | See note 3. |
Define Pagespace | Alter | Update | See notes 2 and 3. |
Define Path | Alter | Update | See notes 2 and 3. |
Define Recatalog VSAM | Alter | Update | See notes 2, 3, 5 and 6. |
Delete alternate index | Alter | Alter | See notes 2 and 4. |
Delete Cluster | Alter | Alter | See note 4. |
Delete Cluster Noscratch | Alter | Alter | See note 4. |
Delete NVR/VVR | None | Alter | |
Delete Pagespace | Alter | Alter | See notes 2 and 4. |
Delete Path | Alter | Alter | See notes 2 and 4. |
Diagnose Catalog | Alter | None | The data set is the user catalog. |
Diagnose VVDS | Alter | | |
Examine Catalog | Alter | None | The data set is the user catalog. |
Examine Data Set | Control | None | |
Export Cluster | Alter | Alter | Alter authority to either the data set or the catalog is sufficient. |
Export UCAT | Alter | None | The data set is the user catalog. |
Import Into Empty | Read | Alter | The data set is the user catalog. |
Verify | Alter | Not applicable | The subject data set is opened for output processing. |

Notes:

Note: If no profile exists for a data set, then the user is considered authorized. The catalog profile is not checked, even if it exists.

Function Performed | Required RACF for Data Set | Required RACF for Catalog | Comments |
---|---|---|---|
Alter Non-VSAM | Alter | None | |
Define Alias of a Non-VSAM | None | Update | |
Define Alias of a SMS Non-VSAM | None | None | |
Define GDG | Alter | Update | Although a GDG is not SMS, these authorities still apply if the catalog is SMS. See notes 5 and 8. |
Define GDS | Alter | Update | See notes 2 and 5. |
Define GDS SMS | Alter | None | See notes 2 and 5. |
Define Non-VSAM Non-SMS | Alter | Update | See notes 3 and 5. |
Define Non-VSAM Recatalog Non-SMS | Alter | Update | See note 7. |
Define Non-VSAM SMS | Alter | None | Master catalog requires update authority. See note 5. |
Define Non-VSAM Recatalog SMS | Alter | Update | See note 7. |
Delete Alias of a Non-VSAM | Alter | Alter | See note 4. |
Delete GDG | Alter | Alter | Alter authorization either to the data set or to the catalog is sufficient. |
Delete Non-VSAM Scratch non-SMS | Alter | None | |
Delete Non-VSAM Noscratch Non-SMS | Alter | None | Alter authorization either to the data set or to the catalog is sufficient. |
Delete Non-VSAM SMS | Alter | Alter | See notes 4 and 5. |

Notes:

Function Performed | Required RACF for Data Set | Required RACF for Catalog | Comments |
---|---|---|---|
LISTCAT ALL | Read | None | Allows listing entries you have data set authority to. Passwords are not displayed. |
LISTCAT ALL | None | Read | Allows listing all entries. Passwords are not displayed. |
LISTCAT ALL | None | Alter | Allows listing all entries. Passwords are displayed. |
LISTCAT Entry | Read | Read | Read is an "OR" function. Either read access to the data set or read access to the catalog is required, but not both. |

Function Performed | Required RACF for Input Data Set | Required RACF for Output Data Set | Comments |
---|---|---|---|
BLDINDEX | n/a | Update | Authority is to the base cluster. |
DCOLLECT | n/a | Update | |
Export Data Set | Alter | Update | |
REPRO | Read | Update | |

Function Performed | Required RACF for LIB/VOL | Required RACF for VOLCAT Operations | Comments |
---|---|---|---|
Alter LIBENT | none | Alter | |
Alter VOLENT | none | Alter | |
Create LIBENT | none | Update | |
Create VOLENT | none | Update | |
Delete LIBENT | none | Alter | |
Delete VOLENT | none | Alter | |
Listc LIBENT | none | none | |
Listc VOLENT | none | none | |

IDCAMS Command | Required RACF FACILITY Class Authorization | Function Authorized |
---|---|---|
ALTER | STGADMIN.IGG.DIRCAT | Define a data set into a particular catalog that is not the one chosen according to a regular search for SMS-managed data sets. |
ALTER LIBRARYENTRY | STGADMIN.IGG.LIBRARY | Alter a tape library entry. |
ALTER VOLUMEENTRY | STGADMIN.IGG.LIBRARY | Alter a tape volume entry. |
BUILD INDEX | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
CREATE LIBRARYENTRY | STGADMIN.IGG.LIBRARY | Create a tape library entry. |
CREATE VOLUMEENTRY | STGADMIN.IGG.LIBRARY | Create a tape volume entry. |
DCOLLECT | STGADMIN.IDC.DCOLLECT | Access the DCOLLECT function. |
DEFINE ALIAS | STGADMIN.IGG.DEFDEL.UALIAS | Define an alias for a user catalog. |
DEFINE ALTERNATEINDEX | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
DEFINE CLUSTER | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
DEFINE NONVSAM | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
DEFINE PAGESPACE | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
DELETE | STGADMIN.IGG.DEFDEL.UALIAS | Delete an alias for a user catalog. |
DELETE GDG | STGADMIN.IGG.DELGDG.FORCE | Delete a GDG using the FORCE option. |
DELETE GDG | STGADMIN.IGG.DELGDG.RECOVERY | DELETE a GDG using the RECOVERY option. |
DELETE | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
DELETE LIBRARYENTRY | STGADMIN.IGG.LIBRARY | Delete a tape library entry or a tape volume entry. |
DIAGNOSE | STGADMIN.IDC.DIAGNOSE.CATALOG | Open a catalog without performing normal catalog security processing. |
DIAGNOSE | STGADMIN.IDC.DIAGNOSE.VVDS | Open a catalog without performing normal catalog security processing. |
EXAMINE | STGADMIN.IDC.EXAMINE.DATASET | Open a catalog without performing usual catalog security processing. |
EXPORT | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
EXPORT DISCONNECT | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
IMPORT | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
IMPORT CONNECT | STGADMIN.IGG.DIRCAT | Specify catalog names for SMS-managed data sets. |
REPRO MERGECAT | STGADMIN.IGG.DELETE.NOSCRTCH | Delete NOSCRATCH data sets that are being merged from the source catalog. |
REPRO MERGECAT | STGADMIN.IGG.DEFINE.RECAT | Define Recatalog data sets that are being merged to the target catalog. Note: Access to this profile allows the user to DEFINE ALIAS, GDG and PATH entries without any other authorization. Creation of NONVSAM catalog entries during disposition processing may also occur although access to the data set is denied (IEC150I 913-6C). Make sure you grant authority to this profile only for people who need to perform REPRO MERGECAT operations. |

Note: All STGADMIN profiles listed in Table 7 require READ access only for users to perform any of the listed operations.

SHCDS Parameter | Required Authority |
---|---|
CFREPAIR | Alter authority to the catalog and update authority to STGADMIN.IGWSHCDS.REPAIR. |
CFREPAIRDS | Update authority to STGADMIN.IGWSHCDS.REPAIR and to the specified data sets. |
CFRESET | Alter authority to the catalog and update authority to STGADMIN.IGWSHCDS.REPAIR. |
CFRESETDS | Update authority to STGADMIN.IGWSHCDS.REPAIR and to the specified data sets. |
DENYNONRLSUPDATE | Update authority to STGADMIN.IGWSHCDS.REPAIR and the base cluster. |
FRSETRR | Update authority to STGADMIN.IGWSHCDS.REPAIR and the base cluster. |
FRUNBIND | Update authority to STGADMIN.IGWSHCDS.REPAIR and the base cluster. |
FRBIND | Update authority to STGADMIN.IGWSHCDS.REPAIR and the base cluster. |
FRRESETRR | Update authority to STGADMIN.IGWSHCDS.REPAIR and the base cluster. |
FRDELETEUNBOUNDLOCKS | Update authority to STGADMIN.IGWSHCDS.REPAIR and the base cluster. |
LISTDS | Read authority to STGADMIN.IGWSHCDS.REPAIR. |
LISTSHUNTED | Update authority to the specified data set and read authority to STGADMIN.IGWSHCDS.REPAIR. |
LISTSUBSYS | Read authority to STGADMIN.IGWSHCDS.REPAIR. |
LISTSUBSYSDS | Read authority to STGADMIN.IGWSHCDS.REPAIR. |
LISTRECOVERY | Read authority to STGADMIN.IGWSHCDS.REPAIR. |
LISTALL | Read authority to STGADMIN.IGWSHCDS.REPAIR. |
PERMITNONRLSUPDATE | Update authority to STGADMIN.IGWSHCDS.REPAIR and the base cluster. |
PURGE | Update authority to the specified data set and update authority to STGADMIN.IGWSHCDS.REPAIR. |
REMOVESUBSYS | Update authority to STGADMIN.IGWSHCDS.REPAIR and the SUBSYSNM class. |
RETRY | Update authority to the specified data set and update authority to STGADMIN.IGWSHCDS.REPAIR. |