z/OS TSO/E Customization


Limiting access to data sets

SA32-0976-00

You may want to control the access TSO/E users have to data sets. For example, you may want to allow users to allocate only data sets having a high-level qualifier of the user's user ID, giving you more control over the use of DASD.

You can use several functions to control access to data sets and DASD, including:
  • The MVS™ allocation input validation routine (IEFDB401). For example, you can restrict the data sets a user can allocate. For more information, see .
  • RACF®. You can use RACF to specify which users can access:
    • Non-VSAM and VSAM data sets
    • Generation data groups.

    You can RACF-protect one data set at a time, or many. For example, you can specify that all of the data sets beginning with the high-level qualifier ‘SYSTEM’ have the same protection.

    To RACF-protect a data set, use either RACF commands or ISPF RACF panels to build a profile for the data set. The profile contains information about the users who can access the data set.

    With RACF installed, security label checking can be activated. In this case, each data set and each user have security labels associated with them. The security label of the data set and the security label of the user's current session are checked. Access to the data set is determined by the result of that check.

For more information about using RACF to protect data sets, see .
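The generic-profile case described above (one profile covering every data set under the high-level qualifier SYSTEM), written as RACF commands entered from TSO. This is an added example, not part of the IBM text; it assumes generic profile checking and enhanced generic naming are already active for the DATASET class and that SYSTEM is already a RACF-defined group, and the group names SYSPROG and AUDITGRP are hypothetical.

```tso
/* Assumptions (constructed for this example):                      */
/*   - SETROPTS GENERIC(DATASET) and EGN are already in effect,     */
/*     so ** matches zero or more trailing qualifiers.              */
/*   - SYSTEM is a RACF-defined group; the high-level qualifier of  */
/*     a data set profile must be a defined user ID or group.       */
/*   - SYSPROG and AUDITGRP are hypothetical group names.           */

/* Build one generic profile for every SYSTEM.* data set.           */
/* UACC(NONE) means users not on the access list get no access.     */
ADDSD 'SYSTEM.**' OWNER(SYSTEM) UACC(NONE) AUDIT(FAILURES(READ))

/* Populate the access list: the profile now records which users    */
/* and groups can access the data sets, and at what level.          */
PERMIT 'SYSTEM.**' ID(SYSPROG)  ACCESS(ALTER)
PERMIT 'SYSTEM.**' ID(AUDITGRP) ACCESS(READ)

/* Refresh in-storage generic profiles so the change takes effect.  */
SETROPTS GENERIC(DATASET) REFRESH

/* Check the result: show the access list on the profile ...        */
LISTDSD DATASET('SYSTEM.**') AUTHUSER

/* ... and confirm which generic profile protects a given data set. */
/* A more specific profile (for example a discrete one created      */
/* earlier) would be listed here instead of SYSTEM.**.              */
LISTDSD DATASET('SYSTEM.PARMLIB') GENERIC
```

The final LISTDSD is the check to repeat after any profile change: RACF uses the most specific matching profile, so an older, narrower profile can leave a data set with different protection than the SYSTEM.** profile suggests.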

Users can password-protect their data sets by using the TSO/E PROTECT command. You may want to limit the use of the PROTECT command at your installation because it may be difficult to centrally manage data sets that are individually password-protected. For more information about using the PROTECT command, see .

With RACF installed, messages contained in individual user log data sets can be protected from the user's view while the user is logged on at an insufficient security label. For more information, see Customizing how users send and retrieve messages.





Copyright IBM Corporation 1990, 2014