RACF resource classes
You can use RACF® resource classes to protect system objects. The evaluated configuration covers the protection that is provided by the Db2-related RACF resource classes that are shown in the following table.
Class | Function |
---|---|
DSNADM | Controls Db2 administrative authority. |
DSNR | Controls access to Db2 subsystems. |
GDSNBP or MDSNBP | Controls access to Db2 buffer pools. |
GDSNCL or MDSNCL | Controls access to Db2 collections. |
GDSNDB or MDSNDB | Controls access to Db2 databases. |
GDSNGV or MDSNGV | Controls access to Db2 global variables. |
GDSNJR or MDSNJR | Controls access to Db2 Java™ archive files. Restriction: You cannot access Java archive files in the evaluated configuration. |
GDSNPK or MDSNPK | Controls access to Db2 packages. |
GDSNPN or MDSNPN | Controls access to Db2 plans. |
GDSNSC or MDSNSC | Controls access to Db2 schemas. |
GDSNSG or MDSNSG | Controls access to Db2 storage groups. |
GDSNSM or MDSNSM | Controls Db2 privileges. |
GDSNSP or MDSNSP | Controls access to Db2 stored procedures. |
GDSNSQ or MDSNSQ | Controls access to Db2 sequences. |
GDSNTB or MDSNTB | Controls access to Db2 tables, indexes, and views. |
GDSNTS or MDSNTS | Controls access to Db2 table spaces. |
GDSNUF or MDSNUF | Controls access to Db2 user-defined functions.¹ |
GDSNUT or MDSNUT | Controls access to Db2 user-defined types.¹ |

¹ Note: You can use user-defined types and user-defined functions, but they are not part of the evaluated configuration. RACF resource classes GDSNUF, MDSNUF, GDSNUT, and MDSNUT do not protect or otherwise influence the other classes that are defined for Db2 objects.
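The following RACF command sequence is an added example, not part of the IBM page, showing how three of the classes in the table above are put to use: DSNR (subsystem access), DSNADM (administrative authority) and MDSNTB (table privileges). The Db2 subsystem name DSN1, the groups DB2ADM and PAYAPP, the user PAYBATCH and the table PAYROLL.EMP are constructed placeholders; the comments use CLIST syntax so the sequence can be run from a CLIST or typed line by line at the TSO READY prompt.

```tso
/* Added example (not from the IBM page). Assumed values: subsystem DSN1, */
/* groups DB2ADM and PAYAPP, user PAYBATCH, table PAYROLL.EMP.             */

/* 1. Activate the classes and have them RACLISTed (cached in storage).    */
SETROPTS CLASSACT(DSNR DSNADM MDSNTB GDSNTB) RACLIST(DSNR DSNADM MDSNTB GDSNTB)

/* 2. DSNR: profile name is subsystem.environment. Deny by default and     */
/*    log failures, then allow only the batch connection for one group.    */
RDEFINE DSNR DSN1.BATCH UACC(NONE) AUDIT(FAILURES(READ))
PERMIT DSN1.BATCH CLASS(DSNR) ID(PAYAPP) ACCESS(READ)

/* 3. DSNADM: profile name is subsystem.authority. SYSADM is the highest   */
/*    Db2 authority, so audit every successful use as well as failures.    */
RDEFINE DSNADM DSN1.SYSADM UACC(NONE) AUDIT(ALL(READ))
PERMIT DSN1.SYSADM CLASS(DSNADM) ID(DB2ADM) ACCESS(READ)

/* 4. MDSNTB: profile name is subsystem.owner.table.privilege.             */
/*    Grant SELECT on one table to one batch user, nothing else.           */
RDEFINE MDSNTB DSN1.PAYROLL.EMP.SELECT UACC(NONE)
PERMIT DSN1.PAYROLL.EMP.SELECT CLASS(MDSNTB) ID(PAYBATCH) ACCESS(READ)

/* 5. Refresh the in-storage copies so the new profiles take effect.       */
SETROPTS RACLIST(DSNR DSNADM MDSNTB) REFRESH

/* 6. Verify: list each profile together with its access list.             */
RLIST DSNR DSN1.BATCH AUTHUSER
RLIST DSNADM DSN1.SYSADM AUTHUSER
RLIST MDSNTB DSN1.PAYROLL.EMP.SELECT AUTHUSER
```

The G-prefixed classes (GDSNTB and so on) are grouping classes whose profiles collect several MDSNxx resources under one name; the M-prefixed member classes hold the individual resource profiles. Until the `SETROPTS RACLIST ... REFRESH` in step 5 runs, Db2 keeps using the previously cached profiles, so a `RLIST` that shows the new access list is not by itself proof that the change is live.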
The evaluated configuration also covers the protection that is provided by the generic RACF resource classes that are shown in the following table.
Class | Function |
---|---|
CONSOLE | Controls access to MCS or SMCS consoles. Also controls conditional access to other resources for commands that originate from an operator console. |
DASDVOL | Controls access to DASD volumes for maintenance operations. |
DEVICES | Controls access to unit record devices, teleprocessing or communication devices, and graphic devices. |
DIRAUTH¹ | Ensures that security label authorization checking is done when a user receives a message that is sent through the TPUT macro or the TSO SEND or LISTBC commands. Profiles are not allowed in this class. |
FACILITY | Used by various components of the evaluated configuration to manage specific privileges that can be assigned to users so that they do not need the SPECIAL attribute. |
GLOBAL | Defines the entries in the global access checking table. |
GTERMINL | Resource group class for TERMINAL class. |
JESINPUT | Port of entry class to control which JES2 input devices a user can use to submit batch work to the system. |
JESJOBS | Controls the submission and cancellation of jobs by job name. |
JESSPOOL | Controls access to job data sets on the JES spool (that is, SYSIN and SYSOUT data sets). |
NODES | Controls the following factors on z/OS® systems: |
OPERCMDS | Controls who can issue operator commands. |
PROGRAM | Controls access to programs (load modules). |
PSFMPL | Used by Print Services Facility (PSF) to perform security functions for printing, such as separator page labeling, data page labeling, and enforcement of the user printable area. |
SDSF | Controls the use of authorized commands in the System Display and Search Facility (SDSF). |
SECDATA (Labeled Security only) | Controls security classification of users and data (security levels and security categories). |
SECLABEL (Labeled Security only) | Controls security labels. |
SERVAUTH | Controls a client's authorization to use a server or to use resources that are managed by the server. |
SERVER | Controls the validity of servers for the application environment. |
SMESSAGE | Controls to which users a user can send messages (TSO only). |
STARTED | Assigns an identity to a started task during the processing of a z/OS START command. Use STARTED as an alternative to the started procedures table (ICHRIN03). |
TAPEVOL | Controls access to tape volumes. |
TERMINAL | Controls access to terminals (TSO/E). |
TSOPROC | Controls which TSO logon procedures a user can use. |
UNIXPRIV | Used to grant z/OS UNIX privileges. |
VTAMAPPL | Controls who can open ACBs from non-APF-authorized programs. This prevents programs from counterfeiting login screens. |
WRITER | Controls the use of JES2 printers and outbound NJE processing. |
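As an added example that is not part of the IBM page, the commands below show how the STARTED, OPERCMDS and CONSOLE classes from the table above work together: STARTED gives a started task its own RACF identity, and the CONSOLE class supplies the conditional access the table mentions, so that an OPERCMDS permit applies only to commands entered at a named console. The started task DSN1MSTR, the RACF user DSN1MSTR, the group DB2GRP, the operator OPER1 and the console name MASTER are constructed placeholders.

```tso
/* Added example (not from the IBM page). Assumed values: started task     */
/* DSN1MSTR, user DSN1MSTR, group DB2GRP, operator OPER1, console MASTER.   */

/* 1. Activate the classes, allow generic profiles in OPERCMDS, and        */
/*    have the classes RACLISTed.                                          */
SETROPTS CLASSACT(STARTED OPERCMDS CONSOLE) GENERIC(OPERCMDS)
SETROPTS RACLIST(STARTED OPERCMDS CONSOLE)

/* 2. STARTED: assign the Db2 master address space its own user and       */
/*    group. TRUSTED(NO) keeps it subject to normal access checks;         */
/*    TRACE(YES) writes a message when the profile is matched.             */
RDEFINE STARTED DSN1MSTR.* STDATA(USER(DSN1MSTR) GROUP(DB2GRP) TRUSTED(NO) TRACE(YES))

/* 3. OPERCMDS: a catch-all profile denies MVS commands by default and    */
/*    logs failures; a more specific profile covers STOP of this task.    */
RDEFINE OPERCMDS MVS.** UACC(NONE) AUDIT(FAILURES(READ))
RDEFINE OPERCMDS MVS.STOP.STC.DSN1MSTR.* UACC(NONE)

/* 4. CONSOLE: protect the named console and let one operator use it.     */
RDEFINE CONSOLE MASTER UACC(NONE)
PERMIT MASTER CLASS(CONSOLE) ID(OPER1) ACCESS(READ)

/* 5. Conditional permit: OPER1 may STOP the task, but only from MASTER.  */
PERMIT MVS.STOP.STC.DSN1MSTR.* CLASS(OPERCMDS) ID(OPER1) ACCESS(UPDATE) WHEN(CONSOLE(MASTER))

/* 6. Make the changes live and verify the access lists.                   */
SETROPTS RACLIST(STARTED OPERCMDS CONSOLE) REFRESH
RLIST STARTED DSN1MSTR.* STDATA
RLIST OPERCMDS MVS.STOP.STC.DSN1MSTR.* AUTHUSER
```

The `MVS.**` profile in step 3 denies every MVS command to every user who is not explicitly permitted, including operations staff, so the permits for routine operator work must be in place before the `REFRESH` in step 6 is issued. The conditional permit in step 5 appears in the `RLIST ... AUTHUSER` output as a separate conditional access list, which is the check that confirms the console restriction was recorded rather than a plain unconditional permit.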
Not all RACF classes had their security enforcement evaluated; however, you can choose to use additional classes beyond those listed here.