The rules for access-authorization checking of generic profiles for
general resources are similar to those for the DATASET class.
- Generic profiles are not checked unless generic profile checking
is in effect for the class. To activate it, issue the following command:
SETROPTS GENERIC(classname)
Guideline: After you activate generic profile checking for a
class and define generic profiles in it, avoid deactivating generics
with the NOGENERIC operand. RACF® does not use your previously defined generic profiles for authorization
checking while NOGENERIC is in effect.
- If the class is not active, RACF does not check for profiles. RACF returns the default return code of the class to the resource
manager. For a complete description, see Authorization checking for RACF-protected resources.
- If more than one profile covers a particular resource, RACF searches for profiles in the
following order:
  - Discrete profile
  - Matching generic profiles (see Table 1)
Table 1. Sample general resource profile names in order from most specific to least specific

| Profile name | Profile type | Resource accessed: COPY | Resource accessed: COPY.PAPER | Resource accessed: COPY.PAPER.TEST | Resource accessed: COPY.WEB.FINAL |
|---|---|---|---|---|---|
| COPY.A | Discrete | | | | |
| COPY.WEB.FINAL | Discrete | | | | X |
| COPY.WEB.* | Generic | | | | X |
| COPY.PAPER | Discrete | | X | | |
| COPY.PAPER.TEST | Discrete | | | X | |
| COPY.PAPER.% | Generic | | | | |
| COPY.PAPER.* | Generic | | | X | |
| COPY.PAPER.** | Generic | | X | X | |
| COPY.PAPER% | Generic | | | | |
| COPY.PAPER* | Generic | | X | X | |
| COPY.PAPE% | Generic | | X | | |
| COPY.PAP* | Generic | | X | X | |
| COPY.PRINT.* | Generic | | | | |
| COPY.&X (where: &X = PAPER in RACFVARS profile) | Generic | | X | | |
| COPY.&Y (where: &Y = WEB.FINAL in RACFVARS profile) | Generic | | | | X |
| COPY.%APER | Generic | | X | | |
| COPY.*.FINAL | Generic | | | | X |
| COPY.*.FINAL* | Generic | | | | X |
| COPY.**.FINAL | Generic | | | | X |
| COPY.**.PAPER | Generic | | X | | |
| COPY.* | Generic | | X | X | X |
| COPY.** | Generic | X | X | X | X |
| COPY*.** | Generic | X | X | X | X |
| *.* | Generic | | X | X | X |
| *.** | Generic | X | X | X | X |
| * | Generic | X | X | X | X |
| ** | Generic | X | X | X | X |
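The following Python example is added here; it is not part of the original documentation and is not RACF's own matching algorithm. It translates profile names into regular expressions, checks the result against every cell of Table 1, and picks the first covering profile from a list that is already in search order. Assumptions: the treatment of %, * and ** is inferred only from the X marks in Table 1, and `profile_regex`, `covers`, `table_mismatches` and `protecting_profile` are hypothetical names.

```python
import re

# Constructed from Table 1, in table order: (profile, RESOURCES indexes marked X).
RESOURCES = ["COPY", "COPY.PAPER", "COPY.PAPER.TEST", "COPY.WEB.FINAL"]
TABLE_1 = [
    ("COPY.A", ""), ("COPY.WEB.FINAL", "3"), ("COPY.WEB.*", "3"),
    ("COPY.PAPER", "1"), ("COPY.PAPER.TEST", "2"), ("COPY.PAPER.%", ""),
    ("COPY.PAPER.*", "2"), ("COPY.PAPER.**", "12"), ("COPY.PAPER%", ""),
    ("COPY.PAPER*", "12"), ("COPY.PAPE%", "1"), ("COPY.PAP*", "12"),
    ("COPY.PRINT.*", ""), ("COPY.&X", "1"), ("COPY.&Y", "3"),
    ("COPY.%APER", "1"), ("COPY.*.FINAL", "3"), ("COPY.*.FINAL*", "3"),
    ("COPY.**.FINAL", "3"), ("COPY.**.PAPER", "1"), ("COPY.*", "123"),
    ("COPY.**", "0123"), ("COPY*.**", "0123"), ("*.*", "123"),
    ("*.**", "0123"), ("*", "0123"), ("**", "0123"),
]
RACFVARS = {"&X": "PAPER", "&Y": "WEB.FINAL"}  # values stated in Table 1

def profile_regex(profile, racfvars=RACFVARS):
    """Regex over '.' + resource name. Assumed rules, inferred from Table 1."""
    for var, value in racfvars.items():
        profile = profile.replace(var, value)
    quals, parts = profile.split("."), []
    for i, qual in enumerate(quals):
        if qual == "**":                      # zero or more whole qualifiers
            parts.append(r"(?:\.[^.]+)*")
            continue
        body = ""
        for j, ch in enumerate(qual):
            if ch == "%":                     # exactly one character
                body += "[^.]"
            elif ch == "*":                   # trailing *: rest of the name
                last = i == len(quals) - 1 and j == len(qual) - 1
                body += ".*" if last else "[^.]+" if qual == "*" else "[^.]*"
            else:
                body += re.escape(ch)
        parts.append(r"\." + body)
    return re.compile("".join(parts))

def covers(profile, resource):
    return profile_regex(profile).fullmatch("." + resource) is not None

def table_mismatches():
    """Table 1 cells where covers() disagrees with the X marks (empty if none)."""
    return [(p, r) for p, marks in TABLE_1 for i, r in enumerate(RESOURCES)
            if covers(p, r) != (str(i) in marks)]

def protecting_profile(resource, defined):
    """First covering profile; 'defined' must already be in search order."""
    return next((p for p in defined if covers(p, resource)), None)
```

Removing a discrete profile from the list shows which generic profile takes over: without COPY.PAPER.TEST, the resource COPY.PAPER.TEST falls to COPY.PAPER.*.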
To determine which profiles have the potential to protect any particular
resource, use the FILTER or MASK operands on the SEARCH command to
generate a list of profiles that might match the resource. For example,
you might specify the user's user ID on the FILTER operand to limit
the list of profiles displayed:
SEARCH CLASS(JESSPOOL) FILTER(**.userid.**)
In general, the SEARCH command lists profiles in the order in which
RACF searches for a matching profile. To review the list:
- Find all profiles that match the resource name.
- If no profile names match, check for profile names that include an ampersand (&) (RACF variables). You must list the RACFVARS profile to determine the value of a RACF variable:
  RLIST RACFVARS variable-name
  Also, the SEARCH command does not list grouping profiles (such as GTERMINL) that protect the resource. To find them, use the RESGROUP operand on the RLIST command:
  RLIST member-class resource-name RESGROUP
  See Which profiles protect a particular resource?.
  If these methods do not find a profile, the resource is not protected.
- If only one profile matches, it protects the resource.
- Otherwise, find two profiles that both match the resource name. Then, compare them character by character. Where they first differ, if one has a discrete character and the other has a generic character, the one with the discrete character wins. If both have a generic character where they differ:
  - If one has an & and the other has a %, *, or **, the & wins.
  - If one has a % and the other has an * or **, the one with % wins.
  - If one has an * and the other has a **, the one with * wins.
If two profile names match except for one character position,
RACF examines them in the following order:
- blank
- .
- $ (X'5B')
- # (X'7B')
- @ (X'7C')
- A-Z
- 0-9
- & (X'50')
- %
- *
For example, the following profile names all match in the first
three character positions (A.B), and are shown in
the order RACF examines them:
A.B
A.B.B
A.BA
A.BZ
A.B0
A.B9
A.B&X
A.B%
A.B*
When in doubt about the search order, create sample profiles and
check the order of profile names shown by the SEARCH command.