PERMDIR (Maintain SFS Directory Access Lists)
System environment
SFS directories apply to z/VM® systems only.

Purpose
Use the PERMDIR command to maintain the lists of users and groups who are authorized to access a particular SFS directory or a group of SFS directories. RACF® provides two types of access lists: standard and conditional.
The standard access list includes the user IDs and/or group names authorized to access the resource and the level of access granted to each.
The conditional access list includes user IDs and/or group names and levels of access and, for each entry, the name of the terminal through which the user must enter the system in order for RACF to allow access to the resource. The conditional access list is used for access checking only if the TERMINAL class is active.
You can maintain either the standard access list or the conditional access list with a single PERMDIR command. Changing both requires you to issue PERMDIR twice, with one exception. You can change individual names in one access list and copy the other access list from another profile on one PERMDIR command.
Using PERMDIR, you can:
- Give specific RACF-defined users or groups authority to access a discrete or generic directory profile
- Remove authority to access a discrete or generic directory profile from specific users or groups
- Change the level of access authority to a discrete or generic directory profile for specific users or groups
- Copy the list of authorized users from one discrete or generic directory profile to another profile of either type and modify the new list as you require
- Delete an existing access list.
Note: If you change the access list of a generic profile, the change might not take effect until one of the following occurs:
- The security administrator issues the SETROPTS command: SETROPTS GENERIC(DIRECTRY) REFRESH
- The user of the resource logs off and logs on again
Related Commands
- To protect an SFS directory with a discrete or generic profile, use the ADDDIR command as described in ADDDIR (Add SFS Directory Profile).
- To change an SFS directory profile, use the ALTDIR command as described in ALTDIR (Alter SFS Directory Profile).
- To delete an SFS directory profile, use the DELDIR command as described in DELDIR (Delete SFS Directory Profile).
- To list the information in the SFS directory profiles, use the LDIRECT command as described in LDIRECT (List SFS Directory Profile).
- To obtain a list of SFS directory profiles, use the SRDIR command as described in SRDIR (Obtain a List of SFS Directory Profiles).
Authorization Required
To use the PERMDIR command, at least one of the following must be true:
- You have the SPECIAL attribute.
- The profile is within the scope of a group in which you have the group-SPECIAL attribute.
- You are the owner of the profile.
- Your user ID matches the user ID qualifier in the directory name.
For discrete profiles only:
- You are on the standard access list for the directory profile and you have ALTER authority.
- Your current connect group (or, if list-of-groups checking is active, any group to which you are connected) is on the standard access list and has ALTER authority.
- The universal access authority is ALTER.
When you are copying a list of authorized users from one directory profile to another, you must have sufficient authority to both of the profiles as described in the preceding list.
Syntax
The complete syntax of the command, with every operand after profile-name-1 optional and described under Parameters, is:
PERMDIR profile-name-1 [ACCESS(access-authority) | DELETE] [FCLASS(profile-name-2-class)] [FGENERIC] [FROM(profile-name-2)] [ID(name …)] [RESET | RESET(ALL | STANDARD | WHEN)] [WHEN(TERMINAL(terminal-id …))]
Parameters
- profile-name-1
specifies the name of an existing discrete or generic profile whose access list you want to modify. You can specify only one profile. For the format of these profile names, see Profile Names for SFS Files and Directories.
This operand is required and must be the first operand following PERMDIR.
- ACCESS | DELETE
- ACCESS(access-authority)
specifies the access authority you want to associate with the names that you identify on the ID operand. RACF sets the access authority in the standard access list.
If you specify WHEN, RACF sets the access authority in the conditional access list.
The valid access authorities are NONE, READ, UPDATE, CONTROL, and ALTER. (See Access Authority for SFS Files and Directories on z/VM; for more information, see z/VM: RACF Security Server Security Administrator's Guide.)
If you specify ACCESS and omit access-authority, the default value is ACCESS(READ).
If you specify the ID operand and omit both ACCESS and DELETE, the default value is ACCESS(READ).
If you specify both ACCESS and DELETE, RACF uses the last operand you specify.
- DELETE
specifies that you are removing the names you identify on the ID operand from the standard access list for the directory. RACF deletes the names from the standard access list.
If you specify WHEN, RACF deletes the names from the conditional access list.
If you specify the ID operand and omit both ACCESS and DELETE, the default value is ACCESS(READ).
If you specify both ACCESS and DELETE, RACF uses the last operand you specify.
- FCLASS(profile-name-2-class)
specifies the name of the class to which profile-name-2 belongs. The valid class names are DIRECTRY, FILE, DATASET, or those classes defined in the class descriptor table (CDT). For a list of general resource classes supplied by IBM®, see IBM-Supplied Resource Classes that Apply to z/VM Systems.
If you specify FROM and omit FCLASS, RACF assumes that the class for profile-name-2 is DIRECTRY. This operand is valid only when you also specify the FROM operand; otherwise, RACF ignores it.
- FGENERIC
- specifies that RACF is to treat profile-name-2 as a generic name, even if it does not contain any generic characters. This operand is only needed if profile-name-2 is a DATASET profile.
- FROM(profile-name-2)
specifies the name of the existing discrete or generic profile that contains the access lists RACF is to copy as the access lists for profile-name-1. If you specify FROM and omit FCLASS, RACF assumes that profile-name-2 is the name of a profile in the DIRECTRY class. If FCLASS is not specified, or FCLASS(DIRECTRY) is specified, profile-name-2 must be the name of an existing profile in the DIRECTRY class. If FCLASS(FILE) is specified, profile-name-2 must be the name of an existing profile in the FILE class. For the format of these profile names, see Profile Names for SFS Files and Directories.
If profile-name-2 contains a standard access list, RACF copies it to the profile you are changing. If profile-name-2 contains a conditional access list, RACF copies it to the profile you are changing.
RACF modifies the access list for profile-name-1 as follows:
- Authorizations for profile-name-2 are added to the access list for profile-name-1
- If a group or user appears in both lists, RACF uses the authorization granted in profile-name-1
- If you specify a group or user on the ID operand and that group or user also appears in the profile-name-2 access list, RACF uses the authorization granted on the ID operand.
- ID(name …)
- specifies the user IDs and group names of RACF-defined users or groups whose authority to access the directory you are giving, removing, or changing. If you omit this operand, RACF ignores the ACCESS and DELETE operands.
- RESET(ALL | STANDARD | WHEN)
- RESET | RESET(ALL)
specifies that RACF is to delete from the profile both the entire current standard access list and the entire current conditional access list.
RACF deletes both access lists before it processes any operands (ID and ACCESS or FROM) that create new entries in an access list. If you delete both access lists and specify FROM when profile-name-2 contains two access lists, the PERMDIR command copies both access lists to profile-name-1. In any other situation, you cannot, on one PERMDIR command, add entries to both access lists.
If you specify RESET or RESET(ALL), add entries, and omit WHEN, RACF deletes both access lists, then adds entries to the standard access list.
If you specify RESET or RESET(ALL), add entries, and specify WHEN, RACF deletes both access lists, then adds entries to the conditional access list.
For profiles that include two access lists, use RESET and RESET(ALL) carefully. Unless you are copying both lists from another profile, it is a good practice to use RESET(STANDARD) to maintain the standard access list and RESET(WHEN) to maintain the conditional access list.
- RESET(STANDARD)
specifies that RACF is to delete the entire current standard access list from the profile.
If you specify RESET(STANDARD) with ID and ACCESS or with FROM, RACF deletes the current standard access list from the profile before it adds the new names.
If you specify RESET(STANDARD) with ID and DELETE, RACF ignores RESET(STANDARD) and deletes only the names that you specify.
If you specify RESET(STANDARD) without ID and ACCESS, or without FROM, the resulting standard access list will be empty. An empty standard access list means that you must be the owner or have the SPECIAL attribute, or the profile must be within the scope of a group in which you have the group-SPECIAL attribute, in order to update the access list again.
- RESET(WHEN)
specifies that RACF is to delete the entire current conditional access list from the profile.
If you specify RESET(WHEN) with ID and ACCESS or with FROM, RACF deletes the current conditional access list from the profile before it adds the new names.
If you specify RESET(WHEN) with ID, DELETE, and WHEN, RACF ignores RESET(WHEN) and deletes only the names that you specify.
If you specify RESET(WHEN) without ID and ACCESS, or without FROM, the resulting conditional access list will be empty.
- WHEN(TERMINAL(terminal-id …))
- specifies that the indicated users or groups have the specific access authority when logged on to the named terminal.
Examples
| Example | |
|---|---|
| Operation | User LAURIE wants to let user MARK look at her RACDEV directory. |
| Known | LAURIE and MARK are RACF-defined and LAURIE's file pool ID is FP1. |
| Command | PERMDIR FP1:LAURIE.RACDEV ID(MARK) |
| Defaults | ACCESS(READ) |
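The precedence rules in the Parameters section (RESET runs first, FROM never overrides existing entries, ID overrides FROM, ACCESS defaults to READ, WHEN redirects to the conditional list) are easy to misread when combined on one command. The following model is an added illustration, not RACF code or an IBM API: `permdir` and `page_example` are hypothetical helpers, the starting profiles are constructed, and the one place it departs from the page is marked in its docstring.

```python
"""Model of the PERMDIR access-list rules documented on this page (added
illustration, not RACF code). A profile is a dict with a "standard" list
{name: access} and a "conditional" list {(name, terminal): access}."""
from copy import deepcopy

VALID_ACCESS = ("NONE", "READ", "UPDATE", "CONTROL", "ALTER")


def permdir(profile, ids=(), access=None, delete=False, terminals=(),
            reset=None, from_profile=None):
    """Apply one PERMDIR command to a copy of `profile` and return the result.
    ids -> ID(...), access -> ACCESS(...), delete -> DELETE, terminals ->
    WHEN(TERMINAL(...)), reset -> None/"ALL"/"STANDARD"/"WHEN", from_profile
    -> FROM(...). Assumption: DELETE wins here when both DELETE and ACCESS
    are passed; the real command uses whichever operand was given last."""
    p = deepcopy(profile)
    target = "conditional" if terminals else "standard"
    # RESET runs before anything that adds entries. RESET(STANDARD) and
    # RESET(WHEN) are ignored when the command only deletes named entries.
    if reset == "ALL":
        p["standard"].clear()
        p["conditional"].clear()
    elif reset == "STANDARD" and not (ids and delete):
        p["standard"].clear()
    elif reset == "WHEN" and not (ids and delete and terminals):
        p["conditional"].clear()
    # FROM: copy profile-name-2's lists; entries already in profile-name-1 win.
    if from_profile is not None:
        for kind in ("standard", "conditional"):
            for key, auth in from_profile[kind].items():
                p[kind].setdefault(key, auth)
    # ID: without it, ACCESS and DELETE are ignored; with it and neither
    # ACCESS nor DELETE, the default is ACCESS(READ). ID overrides FROM.
    if ids:
        auth = access or "READ"
        if not delete and auth not in VALID_ACCESS:
            raise ValueError(f"invalid access authority: {auth}")
        keys = [(n, t) for n in ids for t in terminals] if terminals else list(ids)
        for key in keys:
            if delete:
                p[target].pop(key, None)
            else:
                p[target][key] = auth
    return p


def page_example():
    """PERMDIR FP1:LAURIE.RACDEV ID(MARK) from the Examples table: ACCESS is
    omitted, so MARK gets READ. The starting profile is constructed."""
    racdev = {"standard": {"LAURIE": "ALTER"}, "conditional": {}}
    return permdir(racdev, ids=("MARK",))
```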