Restricting the creation of general resource profiles (GENERICOWNER and ENHANCEDGENERICOWNER options)
To restrict the creation of profiles in a general resource class:
- Issue a SETROPTS GENERICOWNER command.
- Define a ** profile for the class, with yourself as owner. (This prevents users lacking special authority from being able to define profiles in the class.)
- Define a top profile for each user, covering the subset of resources in the class which the user is allowed to create. Each user should be the owner of this top profile.
With the GENERICOWNER option in effect, only the following users can then create more specific profiles under a top profile:
- The owner of the top profile
- A user with SPECIAL authority
- A user who has group-SPECIAL authority over a user who owns the top profile
For example, assume that neither JOE nor RONN has the SPECIAL or group-SPECIAL attribute. If the GENERICOWNER option is in effect, and user RONN is the owner of a JESSPOOL profile called NODEA.RONN.**, JOE cannot create profile NODEA.RONN.DATA.**, even though JOE has the CLAUTH(JESSPOOL) attribute.
You can alternatively choose to make a group the owner of the top profile for a given subset in the class. In this case, only a user with group-SPECIAL authority for the group, or with SPECIAL authority, can create profiles in the subset.
The top profile must end in a single asterisk (*), double asterisks (**), or one or more percent signs (%). More specific profiles are profiles that match the less specific top profile name character for character, up to the ending asterisks or percent signs in the less specific name. A profile is treated as less specific than a resource name, and so as covering it, only if all of the following are true:
- The profile name ends in a single asterisk (*), double asterisks (**), or one or more percent signs (%).
- All characters preceding the asterisks or percent signs (*, **, or %) match the corresponding characters in the resource name exactly.
- The characters in the resource name that correspond to the percent signs (%) in the less specific profile are not an asterisk (*) or a period (.). In this case the profile and the resource name must also be the same length.
For example, to allow USERX to RDEFINE A.B in the JESSPOOL class, you need profile A.* in the JESSPOOL class, owned by USERX.
For example, when working with general resource grouping classes, assume that profile A* exists in the TERMINAL class and is owned by a group over which the user does not have group-SPECIAL authority. If the GENERICOWNER option is in effect, it prevents the user from defining a more specific profile in the member class (for example, with the command RDEF TERMINAL AA*). However, the GENERICOWNER option does not prevent the user from defining the same coverage through the ADDMEM operand of a grouping class profile (for example, with the command RDEF GTERMINL profile-name ADDMEM(AA*)).
Because a user cannot be allowed to define profiles in the TERMINAL class while being prevented from defining profiles in the GTERMINL class, the GENERICOWNER option alone cannot restrict a user's ability to define profiles that cover resources in any member class, including TERMINAL.
The ENHANCEDGENERICOWNER option ensures that members added to grouping class profile member lists follow the same rules as profiles defined in member classes.
For example, when working with general resource grouping classes, assume again that profile A* exists in the TERMINAL class and is owned by a group over which the user does not have group-SPECIAL authority. If the ENHANCEDGENERICOWNER option is in effect, it prevents the user from defining a more specific profile in the member class (for example, with the command RDEF TERMINAL AA*). It also prevents the user from defining such a profile through the member list of a grouping profile (such as RDEF GTERMINL profile-name ADDMEM(AA*)).
RDEFINE TERMINAL A* OWNER(JERRY) UACC(NONE)
RDEFINE TERMINAL XYZ ADDMEM(A.*) OWNER(JERRY) UACC(NONE)
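The matching rules and the ownership check described above, worked through in Python as an added illustration (this is not RACF code and not part of the original page). is_less_specific() implements the three "less specific" conditions from the text; the authority model is simplified (group-SPECIAL is taken to give scope over users whose owning group is one of the holder's group-SPECIAL groups and over top profiles owned by such a group; subgroup scope and CLAUTH are not modelled); where several generic profiles cover a name, the most specific one is assumed to govern, which is the reading the ** plus per-user top profile procedure requires. The GTERMINL to TERMINAL mapping and every user ID, group and profile name are constructed for the example.

```python
"""Model of the GENERICOWNER / ENHANCEDGENERICOWNER check on profile creation.

Added illustration, not RACF code. is_less_specific() implements the three
conditions from the text. Authority is simplified: group-SPECIAL gives scope over
users whose owning group is one of the holder's group-SPECIAL groups and over top
profiles owned by such a group (subgroup scope and CLAUTH are not modelled). When
several generic profiles cover a name, the most specific one governs (assumed).
The GTERMINL -> TERMINAL mapping and every user ID, group and name are made up.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    cls: str
    name: str
    owner: str  # user ID or group name

@dataclass(frozen=True)
class User:
    uid: str
    owning_group: str  # group that owns the user profile
    special: bool = False
    group_special: frozenset = frozenset()  # groups where the user holds group-SPECIAL

MEMBER_CLASS = {"GTERMINL": "TERMINAL"}  # assumed grouping -> member class mapping

def is_less_specific(top: str, name: str) -> bool:
    """True when generic name 'top' is less specific than, and so covers, 'name'."""
    if top.endswith("**"):
        return name.startswith(top[:-2])
    if top.endswith("*"):
        return name.startswith(top[:-1])
    prefix = top.rstrip("%")
    if len(prefix) == len(top):  # no generic ending: cannot be a top profile
        return False
    if len(name) != len(top) or not name.startswith(prefix):
        return False
    return all(c not in "*." for c in name[len(prefix):])  # % never matches * or .

def closest_top_profile(cls, name, profiles):
    """Most specific existing generic profile in 'cls' that covers 'name', or None."""
    covering = [p for p in profiles if p.cls == cls and is_less_specific(p.name, name)]
    return max(covering, key=lambda p: len(p.name.rstrip("*%")), default=None)

def has_authority_over(user, owner, users, groups) -> bool:
    """Owner of the top profile, SPECIAL, or group-SPECIAL in scope over the owner."""
    if user.special or owner == user.uid:
        return True
    if owner in groups:  # group-owned top profile
        return owner in user.group_special
    owning_user = users.get(owner)
    return owning_user is not None and owning_user.owning_group in user.group_special

def rdefine_allowed(user, cls, name, profiles, users, groups, setropts) -> bool:
    """GENERICOWNER decision for RDEFINE cls name (other checks such as CLAUTH omitted)."""
    if "GENERICOWNER" not in setropts:
        return True
    top = closest_top_profile(cls, name, profiles)
    return top is None or has_authority_over(user, top.owner, users, groups)

def addmem_allowed(user, grouping_cls, member, profiles, users, groups, setropts) -> bool:
    """Decision for RDEF/RALT grouping_cls ... ADDMEM(member)."""
    if "ENHANCEDGENERICOWNER" not in setropts:
        return True  # GENERICOWNER alone never looks at ADDMEM members
    return rdefine_allowed(user, MEMBER_CLASS[grouping_cls], member, profiles, users, groups, setropts)

def scenario():
    """The situations from the text, run through the model on constructed data."""
    users = {
        "ADMIN": User("ADMIN", "SYS1", special=True),
        "RONN": User("RONN", "DEPTA"),
        "JOE": User("JOE", "DEPTA"),
        "USERX": User("USERX", "DEPTA"),
        "MGR": User("MGR", "SYS1", group_special=frozenset({"DEPTA"})),
    }
    groups = {"SYS1", "DEPTA", "TERMGRP"}
    profiles = [
        Profile("JESSPOOL", "**", "ADMIN"),            # class-wide profile owned by the administrator
        Profile("JESSPOOL", "NODEA.RONN.**", "RONN"),  # RONN's top profile
        Profile("JESSPOOL", "A.*", "USERX"),           # USERX's top profile
        Profile("TERMINAL", "A*", "TERMGRP"),          # group-owned; JOE has no group-SPECIAL for it
    ]
    gen, enh = {"GENERICOWNER"}, {"GENERICOWNER", "ENHANCEDGENERICOWNER"}
    def rdef(uid, cls, name, opts=gen):
        return rdefine_allowed(users[uid], cls, name, profiles, users, groups, opts)
    def addmem(uid, opts):
        return addmem_allowed(users[uid], "GTERMINL", "AA*", profiles, users, groups, opts)
    return {
        "joe_rdef_in_ronn_subtree": rdef("JOE", "JESSPOOL", "NODEA.RONN.DATA.**"),
        "ronn_rdef_in_own_subtree": rdef("RONN", "JESSPOOL", "NODEA.RONN.DATA.**"),
        "mgr_groupspecial_over_ronn": rdef("MGR", "JESSPOOL", "NODEA.RONN.DATA.**"),
        "joe_rdef_outside_any_top": rdef("JOE", "JESSPOOL", "NODEB.JOE.**"),
        "userx_rdef_a_b": rdef("USERX", "JESSPOOL", "A.B"),
        "joe_rdef_terminal_aa": rdef("JOE", "TERMINAL", "AA*"),
        "joe_addmem_genericowner": addmem("JOE", gen),
        "joe_addmem_enhanced": addmem("JOE", enh),
    }

if __name__ == "__main__":
    print(scenario())
```

Running scenario() reproduces the text's outcomes: JOE is refused NODEA.RONN.DATA.** while RONN (the owner) and a user holding group-SPECIAL over RONN's group are not, USERX can define A.B under A.*, and the ADDMEM(AA*) route past a group-owned TERMINAL A* is open under GENERICOWNER alone and closed once ENHANCEDGENERICOWNER is added.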
The ENHANCEDGENERICOWNER option works with all classes except DATASET, RVARSMBR/RACFVARS, SECLMBR/SECLABEL, PMBR/PROGRAM, GMBR/GLOBAL, SCDMBR/SECDATA, VMBR/VMEVENT, VXMBR/VMXEVENT and NODMBR/NODES.
To cancel the GENERICOWNER option, specify NOGENERICOWNER on the SETROPTS command.