Changing the universal access authority to a data set

You can allow other users to access a data set by specifying a universal access authority. This access level pertains to any user on the system. For example, if you add confidential research data to a data set, you might want to ensure that the universal access authority of the data set is NONE.

Note: As an alternative to specifying a universal access authority, you can add an entry for ID(*) to the access list to specify an access level that pertains to any RACF®-defined user on the system. For more information, see Using ID(*) in an access list.

To change a data set's UACC (universal access authority), you must enter the ALTDSD command with the appropriate operands. To change a data set's UACC:

  1. Find the name of the profile that protects the data set. To do this, see Finding out what data set profiles you have.

    Remember changing the UACC for a generic profile changes the access to all data sets protected by the profile.

  2. Decide which level of UACC to specify in the profile.

    The UACC can have one of the following values: NONE, READ, UPDATE, CONTROL, ALTER, or EXECUTE. For descriptions of these values, see Access authority for data sets.

    Attention:
    1. Anyone who has READ, UPDATE, CONTROL, or ALTER authority to a protected data set can create a copy of it. As owner of the copied data set, that user has control of the security characteristics of the copied data set, and can downgrade it. For this reason, you might want to initially assign a UACC of NONE, and then selectively permit a small number of users to access your data set, as their needs become known. (See Permitting an individual or a group to use a data set for information on how to permit selected users or groups to access a data set.)
    2. If you are changing the UACC to restrict access, be certain that any user or group specifically mentioned in the access list has the access to the resource that you intend. For example, if you change the UACC to NONE, and there is a user specifically named in the access list with any authority, that user still has that authority to the resource.
  3. Change the UACC specified in the profile.
    To change the UACC, enter the ALTDSD command as follows: 
    ALTDSD 'profile-name' UACC(access-authority)
    • Example 1:
      Assume that data set 'SMITH.PROJ.ONE' is protected by a discrete profile. To change the UACC for this data set to NONE, enter the following command: 
      ALTDSD 'SMITH.PROJ.ONE' UACC(NONE)
    • Example 2:
      If you are changing the UACC specified in a generic profile, specify the name of the generic profile. For example, to change the UACC for generic profile SMITH.* to NONE, enter the following command: 
      ALTDSD 'SMITH.*' UACC(NONE)