Profile names for general resources

For naming general resources, you can use discrete or generic profiles. As mentioned before, discrete profile names exactly match the general resource name.

For the syntax required for profiles in the DIRECTRY and FILE classes, see RACF Command Language Reference for your VM system.

Table 1 shows the rules for using asterisks in profile names for general resources.

Note: The ending asterisk has different meanings and is explained further in the appropriate sections.

Table 1. Generic naming for general resources
Double asterisk in the beginning, middle, or end	Middle asterisk	Beginning asterisk	Ending asterisk
Allowed	Allowed	Allowed	Allowed

Valid generic characters are a percent sign (%), asterisk (*), double asterisk (**), and ampersand (&):

Specify a percent sign to match any single character in a resource profile name.
Specify a double asterisk once in a profile name as follows:
- As the entire profile name to match all resource names in a class.
- As either a beginning, middle, or ending qualifier (for example, **.ABC, ABC.**.DEF, or ABC.**) to match zero or more qualifiers in a resource name.
  Note: ** is always available for general resources. The SETROPTS EGN setting is exclusively for data sets.
Specify an asterisk as follows:
- As a qualifier at the beginning of a profile name to match any one qualifier in a resource name.
- As a character at the end of a profile name (for example, ABC.DEF*) to match zero or more characters until the end of the resource name, zero or more qualifiers until the end of the resource name, or both.
- As a qualifier at the end of a profile name (for example, ABC.DEF.*) to match one or more qualifiers until the end of the resource name.
- As a qualifier in the middle of a profile name (for example, ABC.*.DEF) to match any one qualifier in a resource name.
- As a character at the end of a qualifier in the middle of a profile name (for example, ABC.DE*.FGH) to match zero or more characters until the end of the qualifier in a resource name.
Specify an ampersand as follows:
- In a profile name to indicate that RACF is to use a profile in the RACFVARS class to determine the actual values to use for that part of the profile name.

Note:

If a class in the class descriptor table specifies a value for key qualifiers other than zero, generic profiles created in that class cannot contain generic characters in the specified number of qualifiers at the beginning of a profile name in that class. For example, the VM DIRECTRY class specifies KEYQUAL=2, so no generic characters are allowed in the first 2 qualifiers of DIRECTRY profile names.
If a class in the class descriptor table specifies a value for key qualifiers other than zero, all discrete and generic profiles in that class must have at least nnn+1 qualifiers in the profile name. The number of qualifiers is determined by counting the number of period characters in the profile and adding one; the first character is not examined. Any generic characters must be in the nnn+1 qualifier or beyond. Examples of valid profile names for KEYQUALIFIERS(2) are:
```
A.B.C
A.B.**
A.B.C.D*
```
The FILE and DIRECTRY classes have different rules. For the syntax required for profiles in the DIRECTRY and FILE classes, see the appropriate RACF Command Language Reference for your VM system.

See z/OS Security Server RACF Security Administrator's Guide for the unique naming conventions of specific classes and for a discussion of the RACFVARS class. See also the product documentation (such as PSF or CICS®) for the naming conventions of specific classes.

Restricted Use of %* in General Resources

New profiles with an ending %* are not allowed, nor are profiles named %*. The RDEFINE command returns an error message.

Existing profiles with an ending %* are usable, but they should be deleted before creating any new profiles with a middle or beginning * or **. The RALTER and RDELETE commands accepts %* to enable you to make the changes.

Instead of using an ending %*, create new profiles ending with %.** or * for similar function (change AB.C%* to AB.C%.** or AB.C*).

If you have existing profiles named %*, you should create new profiles (suggested name **).

Note: When creating the new profiles, consider using the FROM operand for continued use of the same access list.

Table 2, Table 3, and Table 4 give examples of generic profile names for general resources.

Table 2. Generic naming for general resources - Percent sign, asterisk, or double asterisk at the beginning
Profile name	`%.AB`	`*.AB`	`**.AB`
Resources protected by the profile	`B.AB` `A.AB`	`AB.AB` `ABC.AB` `A.AB`	`AB` `A.A.A.AB` `AB.AB` `A.AB`
Resources not protected by the profile	`AB.AB` `ABC.AB`	`AB.CD` `AB.C.AB` `AB`	`ABC.AB.DEF` `ABAB`

Table 3. Generic naming for general resources - Asterisk or double asterisk at the end
Profile name	`AB.CD*`	`AB.CD.*`	`AB.CD.**`
Resources protected by the profile	`AB.CD` `AB.CDEF` `AB.CD.EF` `AB.CD.XY` `AB.CD.EF.GH`	`AB.CD.EF` `AB.CD.XY` `AB.CD.EF.XY`	`AB.CD.CD` `AB.CD.X.Y.Z` `AB.CD` `AB.CD.EF.GH`
Resources not protected by the profile	`ABC.DEF` `ABC.XY.XY.DEF`	`AB.CD` `AB.CDEF` `ABC.DEF` `AB.XY.XY.DEF`	`ABC.CD` `AB.CDE.EF`

Table 4. Generic naming for general resources - Asterisk, double asterisk, or percent sign in the middle
Profile name	`ABC.%EF`	`AB.*.CD`	`AB.CD*.CD`	`AB.**.CD`
Resources protected by the profile	`ABC.DEF` `ABC.XEF`	`AB.CD.CD`	`AB.CD.CD` `AB.CDEF.CD`	`AB.CD` `AB.X.CD` `AB.X.Y.CD`
Resources not protected by the profile	`ABC.DEFGHI` `ABC.DEF.GHI`	`AB.CD` `AB.CD.EF` `AB.CDEF` `AB.X.Y.CD`	`AB.CD.XY` `AB.CD.XY.CD`	`AB.CD.EF` `AB.CDEF` `ABC.X.CD.EF` `ABC.DEF` `ABC.XY.CD` `ABC.XY.XY.CD`

Although multiple generic profiles might match a general resource name, only the most specific actually protects the resource. For example, AB.CD*, AB.CD.**, and AB.**.CD all match the general resource AB.CD, but AB.CD** protects it.

In general, given two profiles that match a general resource, you can find the more specific one by comparing the profile name from left to right. Where they differ, a nongeneric character is more specific than a generic character. In comparing generics, a percent sign is more specific than an asterisk, and an asterisk is more specific than double asterisk. Another way to determine the most specific is with the SEARCH command, as there are some rare exceptions to the general rule. SEARCH always lists the profiles in the order of the most specific to the least specific.