Restricting the creation of general resource profiles (GENERICOWNER and ENHANCEDGENERICOWNER options)

If you have the SPECIAL attribute, you can restrict the creation of profiles in general resource classes. To do this:
  1. Issue a SETROPTS GENERICOWNER command.
  2. Define a ** profile for the class, with yourself as owner. (This prevents users lacking special authority from being able to define profiles in the class.)
  3. Define a top profile for each user, covering the subset of resources in the class which the user is allowed to create. Each user should be the owner of this top profile.
You have created an environment where the user can create only profiles that are more specific than the user's top profile. The only other users who can create profiles in the user's subset of the class are:
  • A user with SPECIAL authority
  • A user who has group-SPECIAL authority over a user who owns the top profile

For example, assume that neither JOE nor RONN has the SPECIAL or group-SPECIAL attribute. If the GENERICOWNER option is in effect, and user RONN is the owner of a JESSPOOL profile called NODEA.RONN.**, JOE cannot create profile NODEA.RONN.DATA.**, even though JOE has the CLAUTH(JESSPOOL) attribute.

You can alternatively choose to make a group the owner of the top profile for a given subset in the class. In this case, only a user with group-SPECIAL authority for the group, or with SPECIAL authority, can create profiles in the subset.

The top profile must end in a single asterisk (*), double asterisks (**), or one or more percent signs (%). More specific profiles are profiles that match the less specific top profile name character for character, up to the ending asterisks or percent signs in the less specific name.

In a search for the less specific profile, a match is found if all of the following are true:
  • The profile name ends in a single asterisk (*), double asterisks (**), or one or more percent signs (%).
  • All characters preceding the asterisks or percent signs (* or ** or %) match the corresponding characters in the resource name exactly.
  • The characters matching the percent signs (%) in the less-specific profile are not an asterisk (*) or period (.) in the resource name. The length of the profile must be the same for this case.

For example, to allow USERX to RDEFINE A.B in the JESSPOOL class, you need profile A.* in the JESSPOOL class, which is owned by USERX.

Note: The GENERICOWNER operand does not affect the DATASET class. It cannot be activated for individual classes. When active, GENERICOWNER affects all general resource classes except the PROGRAM class and general resource grouping classes.

For example, when working with general resource grouping classes, assume that profile A* exists in the TERMINAL class and is owned by a group over which the user does not have group-SPECIAL authority. If the GENERICOWNER option is in effect, it prevents the user from defining a more specific profile in the member class (for example, with the command RDEF TERMINAL AA*). However, having the GENERICOWNER option in effect does not prevent the user from defining the same profile by specifying it on the ADDMEM operand of a grouping class profile (for example, with the command RDEF GTERMINL profile-name ADDMEM(AA*)).

Because it is not possible to allow a user to define profiles in the TERMINAL class while disallowing that user from defining profiles in the GTERMINL class, the GENERICOWNER option cannot be used to restrict a user's ability to define profiles that cover resources in any member class, including TERMINAL.

The ENHANCEDGENERICOWNER option ensures that members added to the member lists of grouping class profiles follow the same rules as profiles defined in member classes.

For example, when working with general resource grouping classes, assume that profile A* exists in the TERMINAL class and is owned by a group over which the user does not have group-SPECIAL authority. If the ENHANCEDGENERICOWNER option is in effect, it prevents the user from defining a more specific profile in the member class (for example, with the command RDEF TERMINAL AA*). It also prevents the user from defining that profile through the member list of a grouping class profile (for example, with the command RDEF GTERMINL profile-name ADDMEM(AA*)).

Note: The top profile which allows a given user to define additional profiles in the class must be created in the MEMBER class in order to be effective. If the top profile is defined as a member of a grouping class profile, its ownership has no effect on ENHANCEDGENERICOWNER processing.

Example of a top profile that allows its owner to define profiles in the TERMINAL class starting with 'A':
  RDEFINE TERMINAL A* OWNER(JERRY) UACC(NONE)
Example of a profile that gives its owner no ability to define profiles in the TERMINAL class starting with 'A', because the top profile is only a member of a grouping class profile:
  RDEFINE TERMINAL XYZ ADDMEM(A.*) OWNER(JERRY) UACC(NONE)
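The following is an added example, not IBM code, that models the three matching rules for a less specific profile together with the ownership decision described for GENERICOWNER and ENHANCEDGENERICOWNER above (member-class RDEFINE versus ADDMEM on a grouping class profile). The user, group and profile names (SECADM, OPSGRP, the JESSPOOL and TERMINAL dictionaries) are constructed, and the choice of the covering top profile with the longest literal prefix as the deciding profile is a simplifying assumption.

```python
import re

# Constructed model of the GENERICOWNER / ENHANCEDGENERICOWNER rules on this
# page; an added example, not IBM code. All user, group and profile names
# below are made up.
TOP_SUFFIX = re.compile(r"^(.*?)(\*\*|\*|%+)$")

def covers(top, name):
    """True if `name` is more specific than top profile `top`, using the
    three matching rules from the text."""
    m = TOP_SUFFIX.match(top)
    if m is None or name == top:          # rule 1: ends in *, ** or %...
        return False
    prefix, suffix = m.group(1), m.group(2)
    if not name.startswith(prefix):       # rule 2: leading chars match exactly
        return False
    if suffix.startswith("*"):
        return True
    rest = name[len(prefix):]             # rule 3: % positions are not * or .
    return len(rest) == len(suffix) and not any(c in "*." for c in rest)

def can_define(user, new_name, member_profiles, special=(), group_special=None,
               enhanced=False, via_addmem=False):
    """Decide whether `user` may define `new_name` (an RDEFINE in the member
    class, or an ADDMEM on a grouping-class profile when via_addmem=True).
    `member_profiles` maps profiles defined in the MEMBER class to their
    owner (a user or a group); only those count as top profiles (see Note).
    `group_special` maps a user to the groups over which that user holds
    group-SPECIAL. Simplifying assumption: the decision is made against the
    covering top profile with the longest literal prefix."""
    if user in special:
        return True
    if via_addmem and not enhanced:
        return True   # plain GENERICOWNER does not check grouping-class member lists
    tops = [t for t in member_profiles if covers(t, new_name)]
    if not tops:
        return True   # no less specific profile exists, so nothing to restrict here
    best = max(tops, key=lambda t: len(TOP_SUFFIX.match(t).group(1)))
    owner = member_profiles[best]
    return owner == user or owner in (group_special or {}).get(user, set())

# Constructed JESSPOOL and TERMINAL setups matching the page's examples.
JESSPOOL = {"**": "SECADM", "NODEA.RONN.**": "RONN"}
TERMINAL = {"**": "SECADM", "A*": "OPSGRP"}
```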

The ENHANCEDGENERICOWNER option works with all classes except DATASET, RVARSMBR/RACFVARS, SECLMBR/SECLABEL, PMBR/PROGRAM, GMBR/GLOBAL, SCDMBR/SECDATA, VMBR/VMEVENT, VXMBR/VMXEVENT and NODMBR/NODES.

Note: Both the GENERICOWNER and ENHANCEDGENERICOWNER options only affect the ability to create new profiles, or add new members to a grouping profile. These options have no effect on permission to resources, or on the ability to alter the definitions of resource profiles.

To cancel the GENERICOWNER option, specify NOGENERICOWNER on the SETROPTS command.

Attention: Issuing SETROPTS GENERICOWNER or ENHANCEDGENERICOWNER can prevent users with the CLAUTH attribute in general resource classes from creating profiles as they are accustomed to. Therefore, make these users OWNER of appropriate top generic profiles in the class. For an example, see Delegating authority to profiles in the FACILITY class.