Restricting access to a zFS file system
You can restrict access to a z/OS® File System (zFS) file system by defining a general resource profile in the FSACCESS class. This enables you to use RACF® commands to restrict z/OS UNIX access to the specified zFS file system for most users while allowing selected users and groups to remain eligible to access the file system. This method supports an improved audit posture by enabling the RACF administrator to demonstrate a single point of control for restricting access to one or more file systems that might contain sensitive or personal data.
When you define an FSACCESS profile, you restrict access to the file system, including all of its files and directories, only at the file system level. By contrast, the z/OS UNIX administrator can use the setfacl command to control access at the file system level and also to control access to any of its files and directories on an individual resource basis.
When a zFS file system is protected by an FSACCESS profile with UACC(NONE), only users and groups with UPDATE access authority or higher, and users with the AUDITOR or ROAUDIT attribute, are eligible to access the file system. Eligible users are then subject to the usual authorization checking, which includes checking for superuser authority, ownership, permission bits, access control lists (ACLs), and UNIXPRIV authorities.
When a zFS file system is protected by an FSACCESS profile and a user has insufficient access authority to it, no further authorization checking is done, and z/OS UNIX access to the protected file system, including all of its files and directories, is denied. Note that while superuser authority can be used to mount a file system protected by an FSACCESS profile, it is insufficient authority to access it. Also, note that access authority to the MVS data set that contains the file system is unaffected when you define the FSACCESS profile.
You need not authorize UPDATE access for users with the AUDITOR or the ROAUDIT attribute. These users are exempt from the access restrictions enforced by the FSACCESS profile.
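The eligibility rules above can be modeled as a small review aid that shows who stays eligible once a profile is defined. This is an added example, not IBM code: the file system name, user IDs and group names are constructed, and the order in which the access list is resolved (user entry, then best group entry, then UACC) is an assumption of the model.

```python
from dataclasses import dataclass, field

# RACF access authorities, lowest to highest.
RANK = {a: i for i, a in enumerate(
    ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"])}
EXEMPT = {"AUDITOR", "ROAUDIT"}  # attributes exempt from the FSACCESS restriction

@dataclass
class User:
    userid: str
    groups: tuple = ()
    attributes: frozenset = frozenset()
    superuser: bool = False  # deliberately ignored by the gate below

@dataclass
class Profile:
    filesystem: str
    uacc: str = "NONE"
    access_list: dict = field(default_factory=dict)  # user/group ID -> authority

def granted_authority(user, profile):
    # Assumed resolution order: user entry, else best group entry, else UACC.
    if user.userid in profile.access_list:
        return profile.access_list[user.userid]
    group_auths = [profile.access_list[g] for g in user.groups
                   if g in profile.access_list]
    if group_auths:
        return max(group_auths, key=RANK.__getitem__)
    return profile.uacc

def fsaccess_gate(user, profile):
    """Return (eligible, reason). Eligible users still face the usual checks."""
    if user.attributes & EXEMPT:
        return True, "exempt (AUDITOR/ROAUDIT)"
    auth = granted_authority(user, profile)
    if RANK[auth] >= RANK["UPDATE"]:
        return True, f"{auth} authority"
    return False, f"{auth} authority is below UPDATE"

def report(users, profile):
    return {u.userid: fsaccess_gate(u, profile) for u in users}

# Constructed sample data (hypothetical names).
PROFILE = Profile("OMVS.EXAMPLE.PAYROLL.ZFS", "NONE",
                  {"PAYGRP": "UPDATE", "TEMP01": "READ"})
USERS = [User("ROOTADM", superuser=True),
         User("ALICE", groups=("PAYGRP",)),
         User("TEMP01", groups=("PAYGRP",)),
         User("AUD01", attributes=frozenset({"AUDITOR"})),
         User("BOB", groups=("DEVGRP",))]

if __name__ == "__main__":
    for uid, (ok, why) in report(USERS, PROFILE).items():
        print(f"{uid:8} {'eligible' if ok else 'DENIED':8} {why}")
```

A user reported as eligible has only passed the FSACCESS gate; permission bits, ACLs, ownership and UNIXPRIV checks still apply afterward and are not modeled here.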