z/OS Security Server RACF Command Language Reference


Permitting profiles for GENERICOWNER classes

SA23-2292-00

GENERICOWNER lets an installation restrict CLAUTH users from creating profiles in a class. To do this, define a top-level ** profile. This profile is owned by the system administrator and blocks all non-SPECIAL users from creating profiles. A permitting profile must then be defined for each CLAUTH user; each permitting profile defines the subset of resources in the class that the user is allowed to create.

When a CLAUTH user attempts to define a resource, a search is made for a less-specific (permitting) profile that covers the profile being defined. This less-specific profile is a profile that matches the more specific profile name, character for character, up to the ending * or ** or ending contiguous % characters in the less-specific name.

This definition might appear simple, but is not exactly what you might expect in comparison to the preceding section.

Table 1. Permitting profile names containing asterisks (*)

Profile name | AA.* | AA.** | AA* | A.*.B.**
covered | AA.BB, AA.B.C, AA.%% | AA.*, AA, AA.BB, AA.B.C, AA.% | AA.*, AA, AA.BB, AA.B.C, AAC.BB, AA%.%% | A.*.B.CC, A.*.B.%%.%%
not covered | AA.**, AA, ABC.BB, A%.AA | AAC.BB, ABC.BB, %A.% | ABC.BB, A%A | A.A.B.CC, A.%.B.%%.%%

Table 2. Permitting profile names containing percent signs (%)

Profile name | AA.% | AA.%% | AA% | A.*.B.%%
covered | AA.B | AA.BB, AA.%B | AAC | A.*.B.CC
not covered | AA.**, A%.A, AA.CC | AA.B | AA.B, A%A | A.A.B.CC, A.%.B.%%
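
The following Python sketch is an added example, not IBM or RACF code: it models the permitting-profile test as inferred from the prose rule and the entries of Tables 1 and 2, so that an administrator can check which requested profile names a set of permitting profiles would allow. The function names (split_ending, covers, audit) are hypothetical, and the treatment of a requested name that itself ends in ".**" is an assumption chosen to agree with the AA.** entries in the tables.

```python
"""Model of the GENERICOWNER permitting-profile test, inferred from Tables 1 and 2.
Added illustration only: this is not RACF code."""


def split_ending(permit):
    """Split a permitting name into (literal stem, generic ending)."""
    if permit.endswith("**"):
        return permit[:-2], "**"
    if permit.endswith("*"):
        return permit[:-1], "*"
    stem = permit.rstrip("%")          # ending contiguous % characters
    return stem, permit[len(stem):]


def covers(permit, name):
    """True if `permit` is a less-specific profile covering `name`."""
    stem, ending = split_ending(permit)
    if not ending or permit == name:
        return False                   # assumption: discrete names and self never permit
    # Assumption (chosen to agree with the AA.** entries): a requested name that
    # itself ends in ".**" is compared by the name in front of that ending.
    probe = name[:-3] if name.endswith(".**") else name
    if ending == "**":
        # "AA.**" covers "AA" itself as well as anything starting "AA."
        return probe.startswith(stem) or probe + "." == stem
    if ending == "*":
        # Literal prefix match; a "*" inside the stem is NOT a wildcard here.
        return probe.startswith(stem)
    # Trailing %: literal stem, then exactly one character per % sign.
    return probe.startswith(stem) and len(probe) - len(stem) == len(ending)


def audit(permits, requested):
    """Map each requested profile name to the permitting profiles covering it."""
    return {name: [p for p in permits if covers(p, name)] for name in requested}


if __name__ == "__main__":
    # Constructed sample: permitting profiles held by one CLAUTH user.
    report = audit(["AA.*", "A.*.B.**"], ["AA.BB", "AA", "A.A.B.CC", "A.*.B.CC"])
    for name, by in report.items():
        print(f"{name:10} {'allowed by ' + ', '.join(by) if by else 'blocked'}")
```
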





Copyright IBM Corporation 1990, 2014