z/OS Security Server RACF Security Administrator's Guide


Protecting GDG data sets

SA23-2289-00

You can RACF-protect GDG (generation data group) data sets in one of the following ways:
  • You can define a generic profile to protect all members of a GDG. This is the preferred method, and it is the same method used to protect non-GDG data sets with a generic profile. For example, a profile of the form GDG.basename* protects all members of a GDG and the base entry for the GDG in the catalog.

    Note that, if enhanced generic naming is in effect, a profile of the form GDG.basename.** provides the same protection.

    Table 1 shows examples of generic profiles that you can define to protect GDG data sets.
    Table 1. Protecting GDG data sets using generic profiles

    Generic profile name   EGN   Protected GDG names
    --------------------   ---   ---------------------
    GDG.BASENAME*          Off   GDG.BASENAME
                                 GDG.BASENAME.G0123V00
    GDG.BASENAME.**        On    GDG.BASENAME
                                 GDG.BASENAME.G0123V00

    Note: For GDG profiles, with enhanced generic naming active, you can no longer define a profile name such as GDG.ABCDEFGH* whose last qualifier contains an asterisk as the ninth character. Externally, an existing profile name of this format is shown as GDG.ABCDEFGH.**. Internally, no conversion is required because the two names are equivalent. However, you should examine existing CLISTs that generate commands to ensure that any profile names that appear in those commands are in the correct format.
  • You can define discrete profiles to protect GDG data sets in the same way that you define discrete profiles to protect non-GDG data sets.
    Note: Catalog management also checks authority to the GDG base name. You should create a discrete profile for the GDG base with the unit and volume of the catalog on which the GDG base resides. This protects the GDG for catalog and uncatalog functions.
  • You can use the MODEL(GDG) operand on the SETROPTS command to specify that each member of a GDG can use a common profile identified by the GDG base name. The owner of the GDG data set can establish a base (index) name profile containing an access list that is accessible by all related users and groups. When MODEL(GDG) is in effect and REQUEST=AUTH processes a RACF-indicated GDG data set, RACF® first looks for a profile with the base name, and, if one exists, uses this common profile.

    If you want individual access lists, do not create the profile for the base name. If the GDG base name is not defined in the RACF database, RACF uses the profile for the individual GDG name (which is the same as the RACF processing for non-GDG data sets).

    Note:
    1. To use GDG modeling, each generation must be RACF-indicated.
    2. Catalog management also checks authority to the GDG base name. You should create a discrete profile for the GDG base with the unit and volume of the catalog on which the GDG base resides. This protects the GDG for catalog and uncatalog functions.
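
The note on enhanced generic naming recommends examining existing CLISTs for profile names in the old format. The following Python script is an added example, not part of the IBM guide: it scans CLIST text for names whose last qualifier has an asterisk as the ninth character and reports the GDG.ABCDEFGH.** style equivalent. The function names, the token-based scan, and the sample CLIST are assumptions made for illustration.

```python
import re

# Characters that can appear in a data set profile name inside a CLIST:
# name characters, the generic characters % and *, periods, and & for CLIST variables.
TOKEN_RE = re.compile(r"[A-Za-z0-9@#$&%*.-]+")

def egn_equivalent(name):
    """Return the enhanced-generic-naming spelling of `name` if its last
    qualifier has an asterisk as the ninth character, otherwise None."""
    qualifiers = name.upper().split(".")
    last = qualifiers[-1]
    if len(qualifiers) < 2 or len(last) != 9 or not last.endswith("*"):
        return None
    if "*" in last[:8]:
        return None  # a run of asterisks, not the form the note describes
    return ".".join(qualifiers[:-1] + [last[:8], "**"])

def scan_clist(text):
    """Return (line number, name as written, EGN form) for each affected name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("/*"):
            continue  # skip whole-line CLIST comments
        for token in TOKEN_RE.findall(line):
            replacement = egn_equivalent(token)
            if replacement:
                findings.append((lineno, token, replacement))
    return findings

# Constructed sample CLIST (hypothetical, not taken from any real system).
SAMPLE_CLIST = """\
PROC 1 GROUP
/* grant access to GDG.ABCDEFGH* generations */
ADDSD 'GDG.ABCDEFGH*' UACC(NONE)
PERMIT 'GDG.ABCDEFGH*' ID(&GROUP) ACCESS(READ)
ADDSD 'GDG.BASENAME.**' UACC(NONE)
ADDSD 'GDG.SHORT*' UACC(NONE)
ALTDSD '&GROUP..PAYROLLX*' UACC(NONE)
"""

if __name__ == "__main__":
    for lineno, found, fixed in scan_clist(SAMPLE_CLIST):
        print(f"line {lineno}: {found} -> {fixed}")
```

Each reported line is a candidate for manual review; the scan looks at every token, so it can also flag a matching name that is not a RACF profile operand.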





Copyright IBM Corporation 1990, 2014