Protecting DFSMSdss functions with RACF FACILITY class profiles
Besides protecting DFSMSdss/ISMF functions, you can also protect certain DFSMSdss keywords and functions. You do so by defining RACF® FACILITY class profiles and restricting access to those profiles. Table 1 lists these keywords and functions, and their associated RACF FACILITY class profiles.
- RACF FACILITY class is active
- The indicated profile has been defined.
When the RACF FACILITY class is active and one of the profiles listed in Table 1 is defined, you must have READ access authority to use the indicated command or keyword. Otherwise, anyone can use the indicated command or keyword. If RACF FACILITY class checking is not set up for these keywords, any DFSMSdss user can use them.
| Keyword or Function | Profile Name |
|---|---|
| BYPASSACS with COPY | STGADMIN.ADR.COPY.BYPASSACS |
| BYPASSACS with RESTORE | STGADMIN.ADR.RESTORE.BYPASSACS |
| CGCREATED | STGADMIN.ADR.CGCREATE |
| CONCURRENT with COPY | STGADMIN.ADR.COPY.CNCURRNT |
| CONCURRENT with DUMP | STGADMIN.ADR.DUMP.CNCURRNT |
| CONSOLIDATE | STGADMIN.ADR.CONSOLID |
| CONVERTV | STGADMIN.ADR.CONVERTV |
| DEFRAG | STGADMIN.ADR.DEFRAG |
| DELETECATALOGENTRY with RESTORE | STGADMIN.ADR.RESTORE.DELCATE |
| FCCGFREEZE with COPY | STGADMIN.ADR.COPY.FCFREEZE |
| FCFASTREVERSERESTORE with COPY | STGADMIN.ADR.COPY.FCFRR |
| FCSETGTOK with COPY | STGADMIN.ADR.COPY.FCSETGT |
| FCTOPPRCPRIMARY with COPY | STGADMIN.ADR.COPY.FCTOPPRCP |
| FCTOPPRCPRIMARY with DEFRAG | STGADMIN.ADR.DEFRAG.FCTOPPRCP |
| FlashCopy® with CONSOLIDATE | STGADMIN.ADR.CONSOLID.FLASHCPY |
| FlashCopy with COPY | STGADMIN.ADR.COPY.FLASHCPY |
| FlashCopy with DEFRAG | STGADMIN.ADR.DEFRAG.FLASHCPY |
| IMPORT with RESTORE | STGADMIN.ADR.RESTORE.IMPORT |
| INCAT(catname) with COPY | STGADMIN.ADR.COPY.INCAT |
| INCAT(catname) with DUMP | STGADMIN.ADR.DUMP.INCAT |
| INCAT(catname) with RELEASE | STGADMIN.ADR.RELEASE.INCAT |
| PROCESS(SYS1) with COPY | STGADMIN.ADR.COPY.PROCESS.SYS |
| PROCESS(SYS1) with DUMP | STGADMIN.ADR.DUMP.PROCESS.SYS |
| PROCESS(SYS1) with RELEASE | STGADMIN.ADR.RELEASE.PROCESS.SYS |
| RESET with DUMP | STGADMIN.ADR.DUMP.RESET |
| RESET(YES) with RESTORE | STGADMIN.ADR.RESTORE.RESET.YES |
| TOLERATE(ENQF) with COPY | STGADMIN.ADR.COPY.TOLERATE.ENQF |
| TOLERATE(ENQF) with DUMP | STGADMIN.ADR.DUMP.TOLERATE.ENQF |
| TOLERATE(ENQF) with RESTORE | STGADMIN.ADR.RESTORE.TOLERATE.ENQF |
| ZCOMPRESS with DUMP | STGADMIN.ADR.DUMP.ZCOMPRESS |
You can bypass this type of RACF FACILITY class checking with the DFSMSdss installation options exit routine that your installation may be using.
For more information about the installation options exit routine, refer to z/OS DFSMS Installation Exits.
For more information about RACF class profiles, refer to z/OS Security Server RACF Security Administrator's Guide.