Protecting DFSMSdss functions with RACF FACILITY class profiles
Besides protecting DFSMSdss/ISMF functions, you can also protect certain DFSMSdss keywords and functions. You do so by defining RACF® FACILITY class profiles and restricting access to those profiles. Table 1 lists these keywords and functions, and their associated RACF FACILITY class profiles.
- RACF FACILITY class is active
- The indicated profile has been defined.
When the RACF FACILITY class is active and one of the profiles listed in Table 1 is defined, you must have READ access authority to use the indicated command or keyword. Otherwise, anyone can use the indicated command or keyword. If RACF FACILITY class checking is not set up for these keywords, any DFSMSdss user can use them.
| Keyword or Function | Profile Name |
|---|---|
| BYPASSACS with COPY | STGADMIN.ADR.COPY.BYPASSACS |
| BYPASSACS with RESTORE | STGADMIN.ADR.RESTORE.BYPASSACS |
| CGCREATED | STGADMIN.ADR.CGCREATE |
| CLOUD with DUMP | STGADMIN.ADR.DUMP.CLOUD |
| CLOUD with RESTORE | STGADMIN.ADR.RESTORE.CLOUD |
| CLOUDUTILS | STGADMIN.ADR.CLOUDUTILS |
| CONCURRENT with COPY | STGADMIN.ADR.COPY.CNCURRNT |
| CONCURRENT with DUMP | STGADMIN.ADR.DUMP.CNCURRNT |
| CONSOLIDATE | STGADMIN.ADR.CONSOLID |
| CONVERTV | STGADMIN.ADR.CONVERTV |
| DEFRAG | STGADMIN.ADR.DEFRAG |
| DELETECATALOGENTRY with RESTORE | STGADMIN.ADR.RESTORE.DELCATE |
| DELETE with CLOUDUTILS | STGADMIN.ADR.CLOUDUTILS.DELETE |
| FCCGFREEZE with COPY | STGADMIN.ADR.COPY.FCFREEZE |
| FCFASTREVERSERESTORE with COPY | STGADMIN.ADR.COPY.FCFRR |
| FCSETGTOK with COPY | STGADMIN.ADR.COPY.FCSETGT |
| FCTOPPRCPRIMARY with COPY | STGADMIN.ADR.COPY.FCTOPPRCP |
| FCTOPPRCPRIMARY with DEFRAG | STGADMIN.ADR.DEFRAG.FCTOPPRCP |
| FCTOXRCPRIMARY with COPY | STGADMIN.ADR.COPY.FCTOXRCP |
| FlashCopy® with CONSOLIDATE | STGADMIN.ADR.CONSOLID.FLASHCPY |
| FlashCopy with COPY | STGADMIN.ADR.COPY.FLASHCPY |
| FlashCopy with DEFRAG | STGADMIN.ADR.DEFRAG.FLASHCPY |
| FORCE with CLOUTUTILS | STGADMIN.ADR.CLOUD.FORCE |
| IMPORT with RESTORE | STGADMIN.ADR.RESTORE.IMPORT |
| INCAT(catname) with COPY | STGADMIN.ADR.COPY.INCAT |
| INCAT(catname) with DUMP | STGADMIN.ADR.DUMP.INCAT |
| INCAT(catname) with RELEASE | STGADMIN.ADR.RELEASE.INCAT |
| STGADMIN.ADR.PRINT | |
| PRINT with TRACKS | STGADMIN.ADR.PRINT.TRACKS |
| PROCESS(SYS1) with COPY | STGADMIN.ADR.COPY.PROCESS.SYS |
| PROCESS(SYS1) with DUMP | STGADMIN.ADR.DUMP.PROCESS.SYS |
| PROCESS(SYS1) with RELEASE | STGADMIN.ADR.RELEASE.PROCESS.SYS |
| RESET with DUMP | STGADMIN.ADR.DUMP.RESET |
| RESET(YES) with RESTORE | STGADMIN.ADR.RESTORE.RESET.YES |
| SPACEREL | STGADMIN.ADR.SPACEREL |
| TOLERATE(ENQF) with COPY | STGADMIN.ADR.COPY.TOLERATE.ENQF |
| TOLERATE(ENQF) with DUMP | STGADMIN.ADR.DUMP.TOLERATE.ENQF |
| TOLERATE(ENQF) with RESTORE | STGADMIN.ADR.RESTORE.TOLERATE.ENQF |
| TOLERATE(WRITERS) with DUMP | STGADMIN.ADR.DUMP.TOLERATE.WRITERS |
| ZCOMPRESS with DUMP | STGADMIN.ADR.DUMP.ZCOMPRESS |
You can bypass this type of RACF FACILITY class checking with the DFSMSdss installation options exit routine that your installation may be using.
For more information about the installation options exit routine, refer to z/OS DFSMS Installation Exits.
For more information about RACF class profiles, refer to z/OS Security Server RACF Security Administrator's Guide.