You can RACF-protect GDG (generation data group) data sets in one of the following
ways:
- You can define a generic profile to protect all members of a GDG.
This is the preferred method and it is the same method for protecting
non-GDG data sets with a generic profile. For example, a profile of
the form GDG.basename* protects all members
of a GDG and the base entry for the GDG in the catalog.
Note that, if enhanced generic naming is in effect, a profile of the form GDG.basename.** provides the same protection.
Table 1 shows examples of generic profiles that you can define to protect GDG data sets.
Table 1. Protecting GDG data sets using generic profiles

| Generic profile name | EGN | Protected GDG names |
|---|---|---|
| GDG.BASENAME* | Off | GDG.BASENAME, GDG.BASENAME.G0123V00 |
| GDG.BASENAME.** | On | GDG.BASENAME, GDG.BASENAME.G0123V00 |

Note: For GDG profiles, with enhanced generic naming active, you
can no longer define a profile name such as GDG.ABCDEFGH* whose
last qualifier contains an asterisk as the ninth character. Externally,
an existing profile name of this format is shown as GDG.ABCDEFGH.**.
Internally, no conversion is required because the two names are equivalent.
However, you should examine existing CLISTs that generate commands
to ensure that any profile names that appear in those commands are
in the correct format.
- You can define discrete profiles to protect GDG data sets in
the same way that you define discrete profiles to protect non-GDG
data sets.
Note: Catalog management also checks authority to the GDG
base name. You should create a discrete profile for the GDG base with
the unit and volume of the catalog on which the GDG base resides.
This protects the GDG for catalog and uncatalog functions.
- You can use the MODEL(GDG) operand on the SETROPTS command to
specify that each member of a GDG can use a common profile identified
by the GDG base name. The owner of the GDG data set can establish
a base (index) name profile containing an access list that is accessible
by all related users and groups. When MODEL(GDG) is in effect and
REQUEST=AUTH processes a RACF-indicated GDG data set, RACF® first looks for a profile with the base
name, and, if one exists, uses this common profile.
If you want individual access lists, do not create the profile for the base name.
If the GDG base name is not defined in the RACF database, RACF uses
the profile for the individual GDG name (which is the same as the
RACF-processing for non-GDG data sets).
Note:
  - To use GDG modeling, each generation must be RACF-indicated.
  - Catalog management also checks authority to the GDG base name.
    You should create a discrete profile for the GDG base with the unit
    and volume of the catalog on which the GDG base resides. This protects
    the GDG for catalog and uncatalog functions.
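
The CLIST review recommended in the note under the first method can be scripted. The following Python sketch is an added example, not IBM code: it scans command text for data set profile names whose last qualifier is eight characters followed by an asterisk as the ninth character, and reports the .** form that such a name takes when enhanced generic naming is active. The sample CLIST lines and the function name are constructed for illustration, and names built from CLIST variables are not resolved.

```python
import re

# One data set name qualifier: 1-8 characters, the first alphabetic or
# national (@ # $), the rest alphanumeric, national or hyphen.
QUAL = r"[A-Z@#$][A-Z0-9@#$-]{0,7}"
# Characters that can appear inside a (generic) data set profile name.
NAME_CHARS = r"[A-Z0-9@#$.*%-]"
# At least one leading qualifier, then a last qualifier of exactly eight
# characters with '*' as the ninth character (for example GDG.ABCDEFGH*).
NINTH_CHAR_ASTERISK = re.compile(
    rf"(?<!{NAME_CHARS})(?:{QUAL}\.)+[A-Z@#$][A-Z0-9@#$-]{{7}}\*(?!{NAME_CHARS})",
    re.IGNORECASE,
)

def find_ninth_char_asterisk(clist_text):
    """Return (line number, name as written, EGN form) for each affected name."""
    hits = []
    for lineno, line in enumerate(clist_text.splitlines(), start=1):
        for match in NINTH_CHAR_ASTERISK.finditer(line):
            old = match.group(0).upper()
            # Replace the trailing '*' with '.**', the EGN form of the name.
            hits.append((lineno, old, old[:-1] + ".**"))
    return hits

# Constructed sample input: commands a CLIST might generate.
SAMPLE_CLIST = """\
PROC 0
ADDSD 'GDG.ABCDEFGH*' UACC(NONE)
PERMIT 'GDG.ABCDEFGH*' ID(PAYGRP) ACCESS(READ) GENERIC
ADDSD 'GDG.BASENAME.**' UACC(NONE)
ADDSD 'GDG.SHORT*' UACC(NONE)
ADDSD 'gdg.basename*' UACC(NONE)
"""

if __name__ == "__main__":
    for lineno, old, new in find_ninth_char_asterisk(SAMPLE_CLIST):
        print(f"line {lineno}: {old} -> {new}")
```

Names such as GDG.SHORT*, where the asterisk is not the ninth character of the last qualifier, are left alone, as are names already written in the .** form.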