z/OS Security Server RACF Security Administrator's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Planning for profiles in the FACILITY class

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

The FACILITY class can be used for a wide variety of purposes depending on the products installed on your system. If the FACILITY class is active, users might need access to particular resources to perform specific tasks. Therefore, they must have access based on the profiles protecting those resources. For example:
  • READ access to IEAVECTOR allows users to use the vector facility.
  • READ access to ICHBLP allows tape users to bypass label processing.
  • READ access to IEC.TAPERING allows tape users to write to tape data sets without removing the write-enable ring.
  • There are many other resources that can be protected using RACF® profiles in the FACILITY class for use with many different subsystems and products.

You should activate the FACILITY class for the first such profile that is required on your system. You can create FACILITY profiles as needed to control who can use a number of processes on your system.

Guideline: Activate SETROPTS RACLIST processing for the FACILITY general resource class. When you activate this function, you improve performance because I/O to the RACF database is reduced. For a complete description of this function, see SETROPTS RACLIST processing. 
SETROPTS RACLIST(FACILITY)
If you activate SETROPTS RACLIST processing for the FACILITY class, any time you make a change to a FACILITY profile, you must also refresh SETROPTS RACLIST processing for the FACILITY class for the change to take effect.
SETROPTS RACLIST(FACILITY) REFRESH
Parent topic: Protecting general resources

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014