Field-level access checking
You can use RACF® to control which users can access data in RACF profiles at the field level through field-level access checking. To do this, you create profiles in the FIELD class and permit users to the profiles.
With field-level access checking you can:
- Allow a user or group to modify a particular field (or segment) in all profiles of a particular type. For example, you can define a profile to control access to the ACCTNUM field of the TSO segment of user profiles. If you give a user UPDATE authority to this profile, the user can modify the ACCTNUM field in all user profiles.
- Allow all users to read or modify a particular field (or segment) of their own user profiles. To do this, specify ID(&RACUID) on the PERMIT command.
- Allow a user to modify or list a particular field (or segment) only in profiles for which they have RACF command processor authority to modify BASE segment data.
You need not use field-level access checking to authorize READ access for users with the SPECIAL, AUDITOR or ROAUDIT attribute. These users are authorized to list all fields of all segments for any RACF profile.
To set up field-level access checking:
- Define profiles in the FIELD class:
  RDEFINE FIELD profile-name UACC(NONE)
  where profile-name has the following format:
  profile-type.segment-name.field-name
  where:
  - profile-type is one of the following:
    - DATASET for data set profiles
    - GROUP for group profiles
    - USER for user profiles
    - class-name for general resource profiles
  - segment-name is one of the following:
- BASE for BASE segments (this is supported only by user-written code)
- CDTINFO for CDTINFO segments
- CFDEF for CFDEF segments
- CICS® for CICS segments
- CSDATA for CSDATA segments
- DCE for DCE segments
- DFP for DFP segments
- DLFDATA for DLFDATA segments
- EIM for EIM segments
- ICSF for ICSF segments
- ICTX for ICTX segments
- JES for JES segments
- KERB for KERB segments
- LANGUAGE for LANGUAGE segments
- LNOTES for LNOTES segments
- MFA for MFA segments
- MFPOLICY for MFPOLICY segments
- NDS for NDS segments
- NETVIEW for NETVIEW segments
- OMVS for OMVS segments
- OPERPARM for OPERPARM segments
- PROXY for PROXY segments
- OVM for OVM segments
- SESSION for SESSION segments
- SIGVER for SIGVER segments
- SSIGNON for SSIGNON segments
- STDATA for STDATA segments
- SVFMR for SystemView segments
- TME for TME segments
- TSO for TSO segments
- WORKATTR for WORKATTR segments
  Note: This is also the operand used on RACF commands to work with the segment.
  - field-name is the name associated with the field in the RACF profile segment to be controlled. Each field is administered by a RACF command operand. To find the field name that corresponds to a command operand, see Table 1.
  Example: To control access to all fields in the TSO segment of all user profiles, issue the RDEFINE command and specify USER.TSO.* as the profile name. Before issuing this command, however, see the following note.
  RDEFINE FIELD USER.TSO.* UACC(NONE)
  Note: The profile name USER.TSO.* is a generic profile name. Before you issue the RDEFINE command, generic profile checking for the FIELD class must be active. If it is not active, issue the SETROPTS GENERIC(FIELD) command before you define the generic profile.
  When you specify a UACC of NONE, you prevent all users from accessing the TSO segment in all user profiles, including their own. Likewise, if you specify a UACC of READ, you allow all users to read the information contained in all fields of the TSO segment for all user profiles.
  To control access to a specific field in the TSO segment of user profiles, issue the RDEFINE command and specify the name associated with the field as the third qualifier in the profile name.
  Example: Based on Table 1, to control access to the ACCTNUM field, create a profile specifying TACCNT as the field-name qualifier:
  RDEFINE FIELD USER.TSO.TACCNT UACC(NONE)
  Note: A user with UPDATE access to this profile is authorized to change the account number field in a TSO segment by specifying the ACCTNUM operand on the TSO option of the ALTUSER command:
  ALTUSER userid TSO(ACCTNUM(account-number))
- Allow specific users or groups the appropriate access to the field. For example:
  PERMIT USER.TSO.TLPROC CLASS(FIELD) ID(TSOADM) ACCESS(UPDATE)
  This example authorizes user ID TSOADM to change the logon procedure (TLPROC field) in the profiles of all TSO users.
  Note: You can also specify the value &RACUID with the ID operand on the PERMIT command for FIELD profiles. When you enter this value on the PERMIT command, you allow all users access to the specified field or segment of their own user profiles. For example, the following command allows all users to read the TLPROC field in the TSO segment of their own user profiles.
  PERMIT USER.TSO.TLPROC CLASS(FIELD) ID(&RACUID) ACCESS(READ)
- When you are ready to start using the protection defined in the profiles, activate the FIELD class:
  SETROPTS CLASSACT(FIELD)
  Note: If you do not activate the FIELD class but you do activate SETROPTS RACLIST processing for the FIELD class, only SPECIAL users can access fields in segments (other than the base segment) of RACF profiles.
- You must activate SETROPTS RACLIST processing for the FIELD general resource class. For a complete description of this function, see SETROPTS RACLIST processing.
  SETROPTS RACLIST(FIELD)
  Note: Once you activate SETROPTS RACLIST processing for the FIELD class, any time you make a change to a FIELD profile you must refresh SETROPTS RACLIST processing for the FIELD class for the change to take effect:
  SETROPTS RACLIST(FIELD) REFRESH
A user with access to a FIELD class profile for a given segment or field can manipulate that field in all profiles. Field level access can be optionally restricted such that access to a particular segment or field, as granted by FIELD profiles, is limited to profiles to which the user has BASE-segment access. BASE-segment access is obtained by way of profile ownership, group-special, or other means, as determined by the RACF command being processed.
To activate the optional BASE-segment authority requirement for field-level access checking, define a new profile in the FIELD class:
RDEFINE FIELD FLAC.SKIP.BASECHECK UACC(NONE)
If the FLAC.SKIP.BASECHECK profile exists and the command-issuing user lacks READ access to it, field-level access is granted only if the user performing the profile operation has BASE-segment access to the target profile as well as authorization to the appropriate FIELD class profile. The ability to list or modify the DATA('data') field of a profile can be used as an indicator of having sufficient BASE-segment access.
Examples:
SETROPTS CLASSACT(FIELD) GENERIC(FIELD) RACLIST(FIELD)
RDEFINE FIELD USER.TSO.* UACC(NONE)
RDEFINE FIELD FLAC.SKIP.BASECHECK UACC(NONE)
PERMIT USER.TSO.* CLASS(FIELD) ID(GSADM1) ACCESS(UPDATE)
SETROPTS GENERIC(FIELD) RACLIST(FIELD) REFRESH
(from GSADM1)
ALTUSER USER2 TSO(PROC(OMVSPROC))
(success)
ALTUSER USER1 TSO(PROC(OMVSPROC))
IRR52127I Field level access checking failed for segment segment-name.
ICH51012I RACF AUTHORITY DENIED BY FIELD LEVEL ACCESS CHECKING.
ICH21004I {userid | DFLTGRP | OWNER | USER} NOT ALTERED.
There are two ways to set up the FLAC.SKIP.BASECHECK profile. If the profile is defined with UACC(READ), field-level access checking runs without taking BASE-segment authorization into consideration: anyone with FIELD access to a particular field may access that field in all profiles defined to RACF. If there is a need to scope the ability of selected administrators to access non-BASE fields according to profile ownership or group-special, give those administrators access NONE to the profile using the PERMIT command.
Alternatively, the FLAC.SKIP.BASECHECK profile can be given UACC(NONE). This immediately limits all use of field-level access to users who have BASE-segment access according to the profile manipulation rules of the command processors. Users who require system-wide access to non-BASE fields should be given READ access to FLAC.SKIP.BASECHECK using the PERMIT command.
The FLAC.SKIP.BASECHECK option is only compatible with the following RACF command processors:
- ADDUSER
- ALTUSER
- LISTUSER
- ADDGROUP
- ALTGROUP
- LISTGROUP
- RDEFINE
- RALTER
- RLIST
- ADDSD
- ALTDSD
- LISTDSD
If a user-defined program uses ICHEINTY or RACROUTE to manipulate non-BASE segment and other data, and the FLAC.SKIP.BASECHECK profile is defined, requests from users with READ access to FLAC.SKIP.BASECHECK execute successfully after the user's access to profiles in the FIELD class is considered. Users with access NONE to FLAC.SKIP.BASECHECK fail to manipulate all non-BASE segment and field information, even if they are allowed to perform the same operations using the RACF commands. If the FLAC.SKIP.BASECHECK profile is not defined, a call to ICHEINTY is executed as if the user has READ access to FLAC.SKIP.BASECHECK.
Users with access NONE to FLAC.SKIP.BASECHECK are still able to alter the fields in their own user profiles for which UPDATE permission has been granted to &RACUID. The scoping rules in effect because of NONE access to FLAC.SKIP.BASECHECK do not apply when ALTUSER is used to alter an individual's own profile and &RACUID is on the access list of the fields being updated.
Users with access NONE to FLAC.SKIP.BASECHECK are still able to list those fields in their own user profiles to which they have been granted READ permission. The scoping rules in effect because of NONE access to FLAC.SKIP.BASECHECK do not apply when LISTUSER is used to list an individual's own profile.
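The decision rules described above (FIELD profile access, the SPECIAL/AUDITOR/ROAUDIT listing exception, FLAC.SKIP.BASECHECK, and the &RACUID own-profile cases), modeled as an added Python example; this is not RACF code and not part of the original page. The names FieldProfile, find_profile, access_level and field_access_allowed are assumed; has_base_access stands in for whatever the command processor decided about BASE-segment authority, and a field with no covering FIELD profile is modeled as denied, which is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class FieldProfile:
    name: str                      # "USER.TSO.*" (generic) or "FLAC.SKIP.BASECHECK"
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)   # PERMIT entries: ID -> ACCESS


def find_profile(profiles, resource):
    """Discrete profile first, else the most specific (longest) generic match.
    Simplification: '*' here matches any characters, unlike real RACF generics."""
    if resource in profiles:
        return profiles[resource]
    hits = [p for n, p in profiles.items() if fnmatchcase(resource, n)]
    return max(hits, key=lambda p: len(p.name)) if hits else None


def access_level(prof, userid, groups, own_profile):
    """Highest of UACC, the user's entry, group entries and &RACUID (own profile only)."""
    ids = [userid, *groups] + (["&RACUID"] if own_profile else [])
    return max([LEVELS[prof.uacc]] + [LEVELS[prof.acl.get(i, "NONE")] for i in ids])


def field_access_allowed(profiles, userid, groups, attrs, profile_type, target,
                         segment, field_name, need, has_base_access):
    """need is 'READ' (list) or 'UPDATE' (modify); has_base_access is whatever the
    command processor decided about the target profile's BASE segment (assumed input)."""
    if need == "READ" and attrs & {"SPECIAL", "AUDITOR", "ROAUDIT"}:
        return True                      # these attributes may list every field
    own = profile_type == "USER" and target == userid
    prof = find_profile(profiles, f"{profile_type}.{segment}.{field_name}")
    if prof is None:
        return False                     # assumption: no covering FIELD profile -> denied
    if access_level(prof, userid, groups, own) < LEVELS[need]:
        return False                     # FIELD profile does not grant enough access
    skip = profiles.get("FLAC.SKIP.BASECHECK")
    if skip is None or access_level(skip, userid, groups, False) >= LEVELS["READ"]:
        return True                      # BASE-segment authority is not considered
    if own and need == "READ":
        return True                      # LISTUSER of one's own profile is not scoped
    if own and LEVELS[prof.acl.get("&RACUID", "NONE")] >= LEVELS[need]:
        return True                      # ALTUSER of own profile through &RACUID
    return has_base_access               # otherwise BASE-segment access is required
```

Feeding it the profiles from the Examples above reproduces the outcome shown there: GSADM1 can change TLPROC for a user whose BASE segment it may administer, and is denied for one it may not.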
Table 1. Field names for RACF command operands

| To control the use of this operand (1): | Specify this value as the field-name qualifier: |
|---|---|
| CDTINFO segment in general resource profiles (CDT class): | |
| CASE | CDTCASE |
| DEFAULTRC | CDTDFTRC |
| DEFAULTUACC | CDTUACC |
| FIRST | CDTFIRST |
| GENERIC | CDTGEN |
| GENLIST | CDTGENL |
| GROUP | CDTGROUP |
| KEYQUALIFIERS | CDTKEYQL |
| MACPROCESSING | CDTMAC |
| MAXLENGTH | CDTMAXLN |
| MAXLENX | CDTMAXLX |
| MEMBER | CDTMEMBR |
| OPERATIONS | CDTOPER |
| OTHER | CDTOTHER |
| POSIT | CDTPOSIT |
| PROFILESALLOWED | CDTPRFAL |
| RACLIST | CDTRACL |
| SECLABELSREQUIRED | CDTSLREQ |
| SIGNAL | CDTSIGL |
| CFDEF segment in general resource profiles (CFIELD class): | |
| TYPE | CFDTYPE |
| MAXLENGTH | CFMXLEN |
| MAXVALUE | CFMXVAL |
| MINVALUE | CFMNVAL |
| FIRST | CFFIRST |
| OTHER | CFOTHER |
| MIXED | CFMIXED |
| HELP | CFHELP |
| LISTHEAD | CFLIST |
| CICS segment in user profiles: | |
| OPCLASS | OPCLASS and OPCLASSN (2) |
| OPIDENT | OPIDENT |
| OPPRTY | OPPRTY |
| RSLKEY | RSLKEY and RSLKEYN (2) |
| TIMEOUT | TIMEOUT |
| TSLKEY | TSLKEY and TSLKEYN (2) |
| XRFSOFF | XRFSOFF |
| CSDATA segment in user and group profiles: | |
| custom-field-name | custom-field-name |
| DCE segment in user profiles: | |
| AUTOLOGIN | DCEFLAGS |
| DCENAME | DCENAME |
| HOMECELL | HOMECELL |
| HOMEUUID | HOMEUUID |
| UUID | UUID |
| DFP segment in data set profiles: | |
| RESOWNER | RESOWNER |
| DATAKEY | DATAKEY |
| DFP segment in user and group profiles: | |
| DATAAPPL | DATAAPPL |
| DATACLAS | DATACLAS |
| MGMTCLAS | MGMTCLAS |
| STORCLAS | STORCLAS |
| DLFDATA segment in DLFCLASS class profiles: | |
| RETAIN | RETAIN |
| JOBNAMES | JOBNAMES and JOBNMCNT (2) |
| EIM segment in user profiles: | |
| LDAPPROF | LDAPPROF |
| EIM segment in FACILITY and LDAPBIND class profiles: | |
| DOMAINDN | DOMAINDN |
| KERBREGISTRY | KERBREG |
| LOCALREGISTRY | LOCALREG |
| OPTIONS | OPTIONS |
| X509REGISTRY | X509REG |
| ICSF segment in CSFKEYS, GCSFKEYS, XCSFKEY, and GXCSFKEY class profiles: | |
| ASYMUSAGE | CSFAUSE |
| SYMEXPORTABLE | CSFSEXP |
| SYMEXPORTCERTS | CSFSCLBS and CSFSCLCT (2) |
| SYMEXPORTKEYS | CSFSKLBS and CSFSKLCT (2) |
| SYMCPACFWRAP | CSFSCPW |
| SYMCPACFRET | CSFSCPR |
| ICTX segment in LDAPBIND class profiles: | |
| USEMAP | USEMAP |
| DOMAP | DOMAP |
| MAPREQUIRED | MAPREQ |
| MAPPINGTIMEOUT | MAPTIMEO |
| JES segment in JESJOBS class profiles: | |
| KEYLABEL | KEYLABEL |
| KERB segment in user profiles: | |
| ENCRYPT | ENCRYPT |
| KERBNAME | KERBNAME |
| MAXTKTLFE | MAXTKTLFE |
| KERB segment in REALM class profiles: | |
| CHECKADDRS | CHKADDRS |
| DEFTKTLFE | DEFTKTLFE |
| ENCRYPT | ENCRYPT |
| KERBNAME | KERBNAME |
| MAXTKTLFE | MAXTKTLFE |
| MINTKTLFE | MINTKTLFE |
| LANGUAGE segment in user profiles: | |
| PRIMARY | USERNL1 |
| SECONDARY | USERNL2 |
| LNOTES segment in user profiles: | |
| SNAME | SNAME |
| MFA segment in MFADEF class profiles: | |
| MFA | MFDATA |
| MFPOLICY segment in MFADEF class profiles: | |
| MFPOLICY | MFDATA |
| NDS segment in user profiles: | |
| UNAME | UNAME |
| NETVIEW segment in user profiles: | |
| IC | IC |
| CONSNAME | CONSNAME |
| CTL | CTL |
| MSGRECVR | MSGRECVR |
| OPCLASS | OPCLASS and OPCLASSN (2) |
| DOMAINS | DOMAINS and DOMAINSN (2) |
| NGMFADMN | NGMFADMN |
| NGMFVSPN | NGMFVSPN |
| OMVS segment in group profiles: | |
| GID | GID |
| OMVS segment in user profiles: | |
| ASSIZEMAX | ASSIZE |
| CPUTIMEMAX | CPUTIME |
| FILEPROCMAX | FILEPROC |
| HOME | HOME |
| MEMLIMIT | MEMLIMIT |
| MMAPAREAMAX | MMAPAREA |
| PROCUSERMAX | PROCUSER |
| PROGRAM | PROGRAM |
| SHMEMMAX | SHMEMMAX |
| THREADSMAX | THREADS |
| UID | UID |
| OPERPARM segment in user profiles: | |
| ALTGRP (3) | OPERALTG |
| AUTH | OPERAUTH |
| AUTO | OPERAUTO |
| CMDSYS | OPERCMDS |
| DOM | OPERDOM |
| KEY | OPERKEY |
| HC | OPERHC |
| INTIDS | OPERINT |
| LEVEL | OPERLEVL |
| LOGCMDRESP | OPERLOGC |
| MFORM | OPERMFRM |
| MIGID (3) | OPERMGID |
| MONITOR | OPERMON |
| MSCOPE | OPERMSCP and OPERMCNT (2) |
| ROUTCODE | OPERROUT |
| STORAGE | OPERSTOR |
| UD (3) | OPERUD |
| UNKNIDS | OPERUNKN |
| OVM segment in group profiles: | |
| GID | GID |
| OVM segment in user profiles: | |
| FSROOT | FSROOT |
| HOME | HOME |
| PROGRAM | PROGRAM |
| UID | UID |
| PROXY segment in user and FACILITY class profiles: | |
| BINDDN | BINDDN |
| LDAPHOST | LDAPHOST |
| SESSION segment in APPCLU class profiles: | |
| CONVSEC | CONVSEC |
| INTERVAL | KEYINTVL |
| LOCK | SLSFLAGS |
| SESSKEY | SESSKEY |
| SIGVER segment in PROGRAM class profiles: | |
| SIGREQUIRED | SIGREQD |
| FAILLOAD | FAILLOAD |
| SIGAUDIT | SIGAUDIT (4) |
| SSIGNON segment in PTKTDATA class profiles: | |
| KEYENCRYPTED | SSKEY |
| KEYMASKED | SSKEY |
| ENCRYPTKEY | SSKEY |
| KEYLABEL | SSKEY |
| NOLEGACYKEY | SSKEY |
| EPTKEYLABEL | PTKEYLAB |
| TYPE | PTTYPE |
| TIMEOUT | PTTIMEO |
| REPLAY | PTREPLAY |
| STDATA segment in STARTED class profiles: | |
| USER | STUSER |
| GROUP | STGROUP |
| PRIVILEGED | FLAGPRIV |
| TRACE | FLAGTRAC |
| TRUSTED | FLAGTRUS |
| SVFMR segment in SYSMVIEW class profiles: | |
| PARMNAME | PARMN |
| SCRIPTNAME | SCRIPTN |
| TME segment in group and data set profiles: | |
| ROLES | ROLES and ROLEN (2) |
| TME segment in general resource profiles: | |
| ROLES | ROLES and ROLEN (2) |
| GROUPS | GROUPS and GROUPN (2) |
| RESOURCE | RESOURCE and RESN (2) |
| CHILDREN | CHILDREN and CHILDN (2) |
| PARENT | PARENT |
| TSO segment in user profiles: | |
| ACCTNUM | TACCNT |
| COMMAND | TCOMMAND |
| DEST | TDEST |
| HOLDCLASS | THCLASS |
| JOBCLASS | TJCLASS |
| PROC | TLPROC |
| MAXSIZE | TMSIZE |
| MSGCLASS | TMCLASS |
| SECLABEL | TSOSLABL |
| SIZE | TLSIZE |
| SYS | TSCLASS |
| UNIT | TUNIT |
| USERDATA | TUDATA |
| WORKATTR segment in user profiles: | |
| WANAME | WANAME |
| WABLDG | WABLDG |
| WADEPT | WADEPT |
| WAROOM | WAROOM |
| WAADDR1 | WAADDR1 |
| WAADDR2 | WAADDR2 |
| WAADDR3 | WAADDR3 |
| WAADDR4 | WAADDR4 |
| WAACCNT | WAACCNT |
| WAEMAIL | WAEMAIL |

Note: