PERMIT (Maintain Resource Access Lists)
System environment
Purpose
Use the PERMIT command to maintain the lists of users and groups authorized to access a particular resource. RACF® provides two types of access lists: standard and conditional.
- Standard Access List
- The standard access list includes the user IDs and/or group names authorized to access the resource and the level of access granted to each.
- Conditional Access List
- The conditional access list includes user IDs and/or group names and levels of access, and also includes, for each entry, one of the following conditions that must be met before RACF allows access to the resource:
- The name of the program the user must be executing
- The name of the terminal by which the user entered the system
- The name of the JES input device through which the user entered the system
- The name of the system console from which the request was originated
- The name of the APPC partner LU (logical unit) from which the transaction program originated.
When a request arrives under one of the conditions above (for example, from a named terminal), RACF uses both the standard and the conditional access list when it checks the user's authority to access the resource; otherwise RACF uses only the standard access list. For more information on conditional access lists or program control, refer to Attribute and Authority Summary.
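As an added illustration (not RACF code and not part of this page), the following Python model shows how the rule above plays out in an access check: the conditional list is consulted only for a condition the request actually carries, and the highest authority found across the consulted lists decides. The precedence it applies among a user's own entry, the user's groups, an ID(*) entry and UACC is a simplification assumed for the model, and the sample profile is constructed data mirroring Examples 6 and 8 on this page.

```python
"""Model of how RACF consults a profile's standard and conditional access
lists for one access check. Added illustration only: not RACF code, and the
precedence rules below are a simplification assumed for this model."""
from dataclasses import dataclass, field

# Access authorities in increasing order of privilege, as listed on this page.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def level(auth):
    return LEVELS.index(auth)


@dataclass
class Profile:
    uacc: str = "NONE"
    # standard access list: name -> authority
    standard: dict = field(default_factory=dict)
    # conditional access list: ((condition, value), name) -> authority,
    # e.g. (("TERMINAL", "TERM001"), "SYSPROG1") -> "UPDATE"
    conditional: dict = field(default_factory=dict)


def most_specific(entries, user, groups):
    """Entry that applies to this user, or None if nothing names the user.
    Assumed precedence: the user's own entry, then the highest authority
    among the user's groups (the connect group, or all groups when
    list-of-groups checking is active), then an ID(*) entry."""
    if user in entries:
        return entries[user]
    group_auths = [entries[g] for g in groups if g in entries]
    if group_auths:
        return max(group_auths, key=level)
    return entries.get("*")


def check_access(profile, user, groups, requested, terminal=None, program=None):
    """True if the request is granted. The conditional list is consulted only
    for conditions the request actually carries (the rule stated on this page);
    the highest authority found across the lists consulted decides, and UACC
    applies only when no consulted list names the user, a group, or ID(*)."""
    found = []
    std = most_specific(profile.standard, user, groups)
    if std is not None:
        found.append(std)
    for cond in (("TERMINAL", terminal), ("PROGRAM", program)):
        if cond[1] is None:          # request carries no such condition
            continue
        entries = {name: auth for (c, name), auth in profile.conditional.items()
                   if c == cond}
        hit = most_specific(entries, user, groups)
        if hit is not None:
            found.append(hit)
    granted = max(found, key=level) if found else profile.uacc
    return level(granted) >= level(requested)


# Constructed sample profile mirroring Examples 6 and 8 on this page.
SAMPLE = Profile(
    uacc="READ",
    standard={"RESEARCH": "UPDATE", "GUEST": "NONE"},
    conditional={(("TERMINAL", "TERM001"), "SYSPROG1"): "UPDATE",
                 (("TERMINAL", "TERM001"), "SYSPROG2"): "UPDATE"},
)

if __name__ == "__main__":
    print(check_access(SAMPLE, "SYSPROG1", [], "UPDATE", terminal="TERM001"))  # True
    print(check_access(SAMPLE, "SYSPROG1", [], "UPDATE"))                      # False
```

The two calls at the bottom show the point of the conditional list: SYSPROG1 gets UPDATE only when the request comes from TERM001; without that condition only the standard list and UACC are consulted, and neither grants UPDATE.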
You can maintain either the standard access list or the conditional access list with a single PERMIT command. Changing both requires you to issue PERMIT twice, with one exception. You can change individual names in one access list and copy the other access list from another profile on one PERMIT command.
With PERMIT you can:
- Give authority to access a discrete or generic resource profile to specific RACF-defined users or groups
- Remove authority to access a discrete or generic resource profile from specific users or groups
- Change the level of access authority to a discrete or generic resource profile for specific users or groups
- Copy the list of authorized users from one discrete or generic resource profile to another profile of either type and modify the new list as you require
- Delete an existing access list.
For more information, refer to z/VM: RACF Security Server Security Administrator's Guide.
Related Commands
- To specify the default access rights (UACC) for a general resource (such as a z/VM® minidisk or a terminal), use the RDEFINE command as described in RDEFINE (Define General Resource Profile) (when creating a new profile), or the RALTER command as described in RALTER (Alter General Resource Profile) (to change an existing profile).
Authorization Required
To use the PERMIT command, at least one of the following must be true:
- You have the SPECIAL attribute
- The profile is within the scope of a group in which you have the group-SPECIAL attribute
- You are the owner of the resource
- If the resource belongs to the FILE or DIRECTRY class, the userid qualifier of the profile name matches your user ID, indicating that you are the owner of the referenced file or directory.
- You are on the standard access list for the resource and you have ALTER authority
- Your current connect group (or, if list-of-groups checking is active, any group to which you are connected) is on the standard access list and has ALTER authority
- The universal access authority is ALTER.
When you are copying a list of authorized users from one resource profile to another, you must have sufficient authority, as described in the preceding list, to both of the resources.
Syntax
The complete syntax of the command, assembled from the operands described under Parameters (optional operands in brackets), is:
    PERMIT profile-name-1 [ACCESS(access-authority) | DELETE] [CLASS(profile-name-1-class)] [FCLASS(profile-name-2-class)] [FROM(profile-name-2)] [GENERIC] [ID(name ... | *)] [RESET[(ALL | STANDARD | WHEN)]] [WHEN(TERMINAL(terminal-id ...))]
Parameters
- profile-name-1
- specifies the name of an existing discrete or generic profile whose access list you want to modify. You may specify only one profile.
This operand is required and must be the first operand following PERMIT.
If the name specified is a tape volume serial number that is a member of a tape volume set, the authorization assigned by this command will apply to all the volumes in the volume set.
If the profile does not belong to the DATASET class, you must also specify CLASS.
- ACCESS | DELETE
- ACCESS(access-authority)
- specifies the access authority you want to associate with the names that you identify on the ID operand. RACF sets the access authority in the standard access list.
If you specify WHEN, RACF sets the access authority in the conditional access list.
The valid access authorities are NONE, EXECUTE (for DATASET or PROGRAM class only), READ, UPDATE, CONTROL, and ALTER. If you need more information, see z/VM: RACF Security Server Security Administrator's Guide.
If you specify ACCESS and omit access-authority, the default value is ACCESS(READ).
If you specify the ID operand and omit both ACCESS and DELETE, the default value is ACCESS(READ).
If you specify both ACCESS and DELETE, RACF uses the last operand you specify.
- DELETE
- specifies that you are removing the names you identify on the ID operand from an access list for the resource. RACF deletes the names from the standard access list.
If you specify WHEN, RACF deletes the names from the conditional access list.
If you specify the ID operand and omit both ACCESS and DELETE, the default value is ACCESS(READ).
If you specify both ACCESS and DELETE, RACF uses the last operand you specify.
- CLASS(profile-name-1-class)
- specifies the name of the class to which profile-name-1 belongs. The valid class names are DATASET and those classes defined in the class descriptor table (CDT). For a list of general resource classes defined in the IBM-supplied CDT, see IBM-Supplied Resource Classes that Apply to z/VM Systems.
If you omit CLASS, the default is DATASET.
- FCLASS(profile-name-2-class)
- specifies the name of the class to which profile-name-2 belongs. The valid class names are DATASET and those classes defined in the class descriptor table (CDT). For a list of general resource classes defined in the IBM-supplied CDT, see IBM-Supplied Resource Classes that Apply to z/VM Systems.
If you specify FROM and omit FCLASS, RACF assumes that the class for profile-name-2 is the same as the class for profile-name-1. This operand is valid only when you also specify the FROM operand; otherwise, RACF ignores it.
- FROM(profile-name-2)
- specifies the name of the existing discrete or generic profile that contains the access lists RACF is to copy as the access lists for profile-name-1. If you specify FROM and omit FCLASS, RACF assumes that profile-name-2 is the name of a profile in the same class as profile-name-1.
If profile-name-2 contains a standard access list, RACF copies it to the profile you are changing; if profile-name-2 contains a conditional access list, RACF copies that as well.
RACF modifies the access list for profile-name-1 as follows:
- Authorizations for profile-name-2 are added to the access list for profile-name-1
- If a group or user appears in both lists, RACF uses the authorization granted in profile-name-1
- If you specify a group or user on the ID operand and that group or user also appears in the profile-name-2 access list, RACF uses the authorization granted on the ID operand.
- GENERIC
- specifies that RACF is to treat profile-name-1 as a generic name, even if it does not contain any generic characters. This operand is only needed if profile-name-1 is a DATASET profile.
- ID(name …|*)
- specifies the user IDs and/or group names of RACF-defined users or groups whose authority to access the resource you are giving, removing, or changing. If you omit this operand, RACF ignores the ACCESS and DELETE operands. ID(*) can be used with standard or conditional access lists. You might specify ID(*) with a conditional access list, as follows:
    PERMIT 'resource' ID(*) WHEN(PROGRAM(XYZ)) ACCESS(READ)
This command allows all RACF-defined users and groups READ access to the specified data set when executing program XYZ. RACF grants access to the data set, using the conditional access list, with the authority you specify on the ACCESS operand. The value specified with ACCESS is used only if no more specific values are found. If you do not specify the ACCESS operand, or if you specify ACCESS without an access authority, RACF uses a default value of ACCESS(READ).
- RESET [(ALL | STANDARD | WHEN)]
- RESET | RESET(ALL)
- specifies that RACF is to delete from the profile both the entire current standard access list and the entire current conditional access list.
RACF deletes both access lists before it processes any operands (ID and ACCESS or FROM) that create new entries in an access list. If you delete both access lists and specify FROM when profile-name-2 contains two access lists, the PERMIT command copies both access lists to profile-name-1. In any other situation, you cannot, on one PERMIT command, add entries to both access lists.
If you specify RESET or RESET(ALL), add entries, and omit WHEN, RACF deletes both access lists, then adds entries to the standard access list.
If you specify RESET or RESET(ALL), add entries, and specify WHEN, RACF deletes both access lists, then adds entries to the conditional access list.
For profiles that include two access lists, use RESET and RESET(ALL) carefully. Unless you are copying both lists from another profile, it is a good practice to use RESET(STANDARD) to maintain the standard access list and RESET(WHEN) to maintain the conditional access list.
- RESET(STANDARD)
- specifies that RACF is to delete the entire current standard access list from the profile.
If you specify RESET(STANDARD) with ID and ACCESS or with FROM, RACF deletes the current standard access list from the profile before it adds the new names.
If you specify RESET(STANDARD) with ID and DELETE, RACF ignores RESET(STANDARD) and deletes only the names that you specify.
If you specify RESET(STANDARD) without ID and ACCESS, or without FROM, the resulting standard access list will be empty. An empty standard access list means that, for a general resource or a group data set profile, you must be the owner or have the SPECIAL attribute, or the profile must be within the scope of a group in which you have the group-SPECIAL attribute, in order to update the access list again.
- RESET(WHEN)
- specifies that RACF is to delete the entire current conditional access list from the profile.
If you specify RESET(WHEN) with ID and ACCESS or with FROM, RACF deletes the current conditional access list from the profile before it adds the new names.
If you specify RESET(WHEN) with ID, DELETE, and WHEN, RACF ignores RESET(WHEN) and deletes only the names that you specify.
If you specify RESET(WHEN) without ID and ACCESS, or without FROM, the resulting conditional access list will be empty. For a DATASET profile, an empty conditional access list means that no users or groups can access the data set by executing a program.
- WHEN(TERMINAL(terminal-id …))
- specifies that the indicated users or groups have the specified access authority only when logged on to one of the named terminals. The entry is placed in (or, with DELETE, removed from) the conditional access list rather than the standard access list.
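As an added illustration (not RACF code and not from this page), this Python function models the operand semantics described above: WHEN selects the conditional list, ACCESS defaults to READ, an omitted ID makes ACCESS and DELETE no-ops, RESET is processed before any entries are added and is ignored on a DELETE, and FROM merges profile-name-2's lists with profile-name-1's entries and the ID operand taking precedence. The dict layout, the `when` tuple form `("TERMINAL", "TERM001")`, and the sample profiles are constructed for the model; the page's rule that the last of ACCESS and DELETE wins is not modeled because the function takes them as separate arguments.

```python
"""Model of PERMIT operand semantics as stated on this page. Added
illustration only: not RACF code. A profile is a dict with two access lists:
'standard' maps name -> authority, 'conditional' maps
((condition, value), name) -> authority, e.g. (("TERMINAL", "TERM001"),
"SYSPROG1") -> "UPDATE"."""


def new_profile():
    return {"standard": {}, "conditional": {}}


def permit(profile, ids=(), access=None, delete=False, when=None,
           from_profile=None, reset=None):
    """Apply one PERMIT command to `profile` in place and return it.

    ids          names given on ID(); empty means ID omitted
    access       ACCESS() value; None = omitted, "" = ACCESS() with no value
    delete       True for DELETE
    when         (condition, value) for WHEN(), e.g. ("TERMINAL", "TERM001")
    from_profile profile whose lists FROM() copies
    reset        None, "ALL" (RESET or RESET(ALL)), "STANDARD" or "WHEN"
    """
    target = "conditional" if when else "standard"   # WHEN selects the list

    # ID omitted: ACCESS and DELETE are ignored.
    if not ids:
        access, delete = None, False
    # ID given with neither ACCESS nor DELETE, or ACCESS() without a value:
    # the default is ACCESS(READ).
    if ids and not delete and not access:
        access = "READ"

    # RESET runs before anything that adds entries. RESET(STANDARD) and
    # RESET(WHEN) are ignored when the command is a DELETE.
    if reset == "ALL":
        profile["standard"].clear()
        profile["conditional"].clear()
    elif reset == "STANDARD" and not delete:
        profile["standard"].clear()
    elif reset == "WHEN" and not delete:
        profile["conditional"].clear()

    # FROM: add profile-name-2's entries from both lists; where a name is
    # already present in profile-name-1, profile-name-1's authority wins.
    if from_profile is not None:
        for lst in ("standard", "conditional"):
            for key, auth in from_profile[lst].items():
                profile[lst].setdefault(key, auth)

    # ID with ACCESS or DELETE: applied last, so it overrides anything FROM
    # copied for the same name.
    for name in ids:
        key = (when, name) if when else name
        if delete:
            profile[target].pop(key, None)
        else:
            profile[target][key] = access
    return profile


# Constructed sample data replaying Examples 6, 7 and 8 from this page.
def run_examples():
    ex6 = permit(new_profile(), ids=["RESEARCH"], access="UPDATE")
    group193 = {"standard": {"ADM2": "ALTER", "RESEARCH": "READ"}, "conditional": {}}
    ex7 = permit({"standard": {"OLDUSER": "READ"}, "conditional": {}},
                 from_profile=group193, reset="STANDARD")
    ex8 = permit({"standard": {"MAINT": "ALTER"},
                  "conditional": {(("TERMINAL", "TERM009"), "OLDOP"): "UPDATE"}},
                 ids=["SYSPROG1", "SYSPROG2"], access="UPDATE",
                 when=("TERMINAL", "TERM001"), reset="WHEN")
    return ex6, ex7, ex8


if __name__ == "__main__":
    for p in run_examples():
        print(p)
```

Running it shows Example 7 replacing the old standard list wholesale while Example 8 leaves the standard list untouched and rebuilds only the conditional list, which is why the page recommends RESET(STANDARD) and RESET(WHEN) over a bare RESET on profiles that carry both lists.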
Examples
Example 6

| Operation | User WJE10 wants to give UPDATE access authority to z/VM minidisk USERA.195 to all the users in the group RESEARCH. z/VM minidisk USERA.195 is protected by a discrete profile. |
| Known | User WJE10 and group RESEARCH are RACF-defined. z/VM minidisk USERA.195 is RACF-defined. |
| Command | PERMIT USERA.195 CLASS(VMMDISK) ID(RESEARCH) ACCESS(UPDATE) |
| Defaults | None |

Example 7

| Operation | User ADM1 wants to delete the existing standard access list from the discrete profile protecting the z/VM minidisk EUROPE.19E, then copy the standard access list from the discrete profile GROUP.193 to the discrete profile for EUROPE.19E. |
| Known | User ADM1 has the SPECIAL attribute. EUROPE.19E is in the VMMDISK class. |
| Command | PERMIT EUROPE.19E CLASS(VMMDISK) FROM(GROUP.193) RESET(STANDARD) |
| Defaults | FCLASS(VMMDISK) |

Example 8

| Operation | User ADM1 wants to replace the conditional access list in the discrete profile that protects the minidisk MAINT.191. Two users, SYSPROG1 and SYSPROG2, are to be allowed to update the minidisk when they are using the terminal named TERM001. |
| Known | User ADM1 has the SPECIAL attribute. MAINT.191 is a profile in the VMMDISK class. TERM001 is a profile in the TERMINAL class. Users SYSPROG1 and SYSPROG2 are defined to RACF. |
| Command | PERMIT MAINT.191 CLASS(VMMDISK) RESET(WHEN) ID(SYSPROG1 SYSPROG2) ACCESS(UPDATE) WHEN(TERMINAL(TERM001)) |
| Defaults | None |