Access authority for data sets

Data sets can have one of the following access authorities:

NONE

Does not allow users to access the data set.

EXECUTE

For a private load library, EXECUTE allows users to load and execute, but not to read or copy, programs (load modules) in the library.

In order to specify EXECUTE for a private load library, you must ask for assistance from your RACF® security administrator.

Important: Anyone who has READ, UPDATE, CONTROL, or ALTER authority to a protected data set can create a copy of it. As owner of the copied data set, that user has control of the security characteristics of the copied data set, and can change them. For this reason, you should assign a UACC of NONE, and then selectively permit a small number of users to access your data set, as their needs become known.

READ

Allows users to access the data set for reading only. (Note that users who can read the data set can copy or print it.)

UPDATE

Allows users to read from, copy from, or write to the data set. UPDATE does not authorize a user to delete, rename, move, or scratch the data set.

Allows users to perform normal VSAM I/O (not improved control interval processing) to VSAM data sets.

CONTROL

For VSAM data sets, CONTROL is equivalent to the VSAM CONTROL password; that is, it allows users to perform improved control interval processing - CONTROL is control-interval access (access to individual VSAM data blocks), and the ability to retrieve, update, insert, or delete records in the specified data set.

For non-VSAM data sets, CONTROL is equivalent to UPDATE.

ALTER

ALTER allows users to read, update, delete, rename, move, or scratch the data set.

When specified in a discrete profile, ALTER allows users to read, alter, and delete the profile itself including the access list.

ALTER does not allow users to change the owner of the profile using the ALTDSD command. However, if a user with ALTER access authority to a discrete data set profile renames the data set, changing the high-level qualifier to his or her own user ID, both the data set and the profile are renamed, and the OWNER of the profile is changed to the new user ID.

ALTER authority to a generic profile allows users to create new data sets that are covered by that profile, it does not give users authority over the profile itself.