Protection through discrete profiles

Users can protect data sets with discrete profiles in the following ways:
  • Automatically when they create a permanent data set, if they have the ADSP attribute and ADSP is active on the system
  • When they specify the PROTECT or SECMODEL parameter on a JCL DD statement for a new data set, or the PROTECT or SECMODEL operand on the TSO ALLOCATE command for a new permanent DASD data set
  • When they issue the ADDSD command with the SET operand for permanent existing data sets

Two steps occur when a user defines a data set with a discrete profile. Only when RACF® has completed both of the following steps is the data set protected:
  1. RACF sets an indicator to notify the system that the data set is RACF-protected. This condition is called RACF-indicated.

    The indicator is in the DSCB for a non-VSAM DASD data set and in the catalog entry for a VSAM data set. The indicator for a tape data set is in the tape volume profile for the volume that contains the data set.

    Note: See z/OS Security Server RACF System Programmer's Guide for information on moving RACF-indicated data sets to other systems and using utilities with RACF-protected data sets.
  2. RACF adds the discrete profile to the RACF database.

    For tape data sets, RACF also creates a discrete tape volume profile, unless a tape volume profile already exists for the volume or the TAPEVOL class is not active.

Note:
  1. Scratching a DASD data set that is RACF-protected with a discrete profile causes RACF to delete the data set profile from the RACF database.
  2. Specifying DISP=DELETE for a tape data set only causes the data set to be uncataloged if it was cataloged; it does not remove RACF protection from the data set.
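
The PROTECT and ADDSD SET methods listed above, shown as one batch job in an added example that is not part of the original documentation. The job card values and the data set names (USER1.PAYROLL.DATA, USER1.REPORT.DATA, USER1.LEDGER.DATA) are constructed placeholders. The job assumes it runs under a user ID authorized to define profiles for USER1 data sets, and that USER1.LEDGER.DATA already exists and is cataloged.

```jcl
//PROTDS   JOB (ACCT),'DISCRETE PROFILES',CLASS=A,MSGCLASS=X
//* Added example: all names and job card values are placeholders.
//*
//* Method: PROTECT on the JCL DD statement for a new permanent
//* DASD data set. RACF builds the discrete profile at allocation.
//ALLOC    EXEC PGM=IEFBR14
//NEWDS    DD DSN=USER1.PAYROLL.DATA,DISP=(NEW,CATLG),
//            UNIT=SYSDA,SPACE=(TRK,(5,1)),
//            PROTECT=YES
//*
//* Batch TSO step for the two command-based methods.
//TSOCMD   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Method: PROTECT operand on ALLOCATE for a new permanent   */
  /* DASD data set.                                            */
  ALLOCATE DATASET('USER1.REPORT.DATA') NEW CATALOG +
           TRACKS SPACE(5,1) PROTECT
  /* Method: ADDSD with SET for an existing permanent data     */
  /* set. SET turns on the RACF indicator as well as adding    */
  /* the profile to the RACF database.                         */
  ADDSD 'USER1.LEDGER.DATA' UACC(NONE) SET
  /* Check that a profile now exists for each data set.        */
  LISTDSD DATASET('USER1.PAYROLL.DATA') ALL
  LISTDSD DATASET('USER1.REPORT.DATA') ALL
  LISTDSD DATASET('USER1.LEDGER.DATA') ALL
/*
```

UACC(NONE) is a choice made for this example so that access has to be granted explicitly; the original text does not prescribe a universal access value.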