Description of RACF Classes
See z/VM: RACF Security Server Macros and Interfaces for more information on the IBM-supplied class descriptor table (CDT).
On z/VM® systems, the following classes are defined in the IBM-supplied CDT:
| Class | Purpose |
|---|---|
| DIRACC | Controls auditing (via SETROPTS LOGOPTIONS) for access checks for read/write access to HFS directories. Profiles are not allowed in this class. |
| DIRECTRY | Protection of shared file system (SFS) directories. |
| DIRSRCH | Controls auditing (via SETROPTS LOGOPTIONS) of HFS directory searches. Profiles are not allowed in this class. |
| FACILITY | Miscellaneous uses. Profiles are defined in this class so resource managers (typically program products or components) can check a user's access to the profiles when the users take some action. Examples are using combinations of options for tape mounts, and use of the RACROUTE interface. RACF® does not document all of the resources used in the FACILITY class by other products. For information on the FACILITY-class resources used by a specific product (other than RACF itself), see that product's documentation. |
| FIELD | Fields in RACF profiles (field-level access checking). |
| FILE | Protection of shared file system (SFS) files. |
| FSOBJ | Controls auditing (via SETROPTS LOGOPTIONS) for all access checks for HFS objects except directory searches. Controls auditing (via SETROPTS AUDIT) of creation and deletion of HFS objects. Profiles are not allowed in this class. |
| FSSEC | Controls auditing (via SETROPTS LOGOPTIONS) for changes to the security data (FSP) for HFS objects. Profiles are not allowed in this class. |
| GLOBAL | Global access checking. [1] |
| GMBR | Member class for GLOBAL class (not for use on RACF commands). |
| GTERMINL | Terminals with IDs that do not fit into generic profile naming conventions. [1] |
| PROCESS | Controls auditing (via SETROPTS LOGOPTIONS) of changes to UIDs and GIDs of OpenExtensions VM processes. Controls auditing (via SETROPTS AUDIT) of dubbing and undubbing of OpenExtensions VM processes. Profiles are not allowed in this class. |
| PSFMPL | When class is active, PSF/VM performs separator and data page labeling as well as auditing. |
| PTKTDATA | PassTicket Key Class. |
| PTKTVAL | Used by NetView/Access Services Secured Single Signon to store information needed when generating a PassTicket. |
| RACFEVNT | The RACFEVNT class contains profiles that control whether RACF change log notification is performed for USER profiles, and whether password or password phrase enveloping is to be performed. |
| RACFVARS | RACF variables. In this class, profile names, which start with & (ampersand), act as RACF variables that can be specified in profile names in other RACF general resource classes. |
| RVARSMBR | Member class for RACFVARS (not for use on RACF commands). |
| SCDMBR | Member class for SECDATA class (not for use on RACF commands). |
| SECDATA | Security classification of users and data (security levels and security categories). [1] |
| SECLABEL | If security labels are used and, if so, their definitions. [2] |
| SFSCMD | Controls the use of shared file system (SFS) administrator and operator commands. |
| TAPEVOL | Tape volumes. |
| TERMINAL | Terminals (TSO or z/VM). See also GTERMINL class. |
| VMBATCH | Alternate user IDs. |
| VMCMD | CP commands, DIAGNOSE instructions, and system events. |
| VMDEV | Control who connects to real devices. |
| VMLAN | Use RACF to control Guest LANs. |
| VMMAC | Used in conjunction with the SECLABEL class to provide security label authorization for some z/VM events. Profiles are not allowed in this class. |
| VMMDISK | z/VM minidisks. |
| VMNODE | RSCS nodes. |
| VMRDR | z/VM unit record devices (virtual reader, virtual printer, and virtual punch). |
| VMSEGMT | Restricted segments, which can be named saved segments (NSS) and discontiguous saved segments (DCSS). |
| VXMBR | Member class for VMXEVENT class (not for use on RACF commands). |
| VMXEVENT | Auditing and controlling security-related events (called z/VM events) on z/VM systems. |
| VMPOSIX | Contains profiles used by OpenExtensions z/VM. |
| WRITER | z/VM print devices. |
Note:
- [1] You cannot specify this class name on the GENCMD, GENERIC, and GLOBAL/NOGLOBAL operands of the SETROPTS command.
- [2] You cannot specify this class name on the GLOBAL operand of the SETROPTS command or, if you do, the GLOBAL checking is not performed.
On z/OS® systems, the following classes are defined in the IBM-supplied CDT:
| Class | Function |
|---|---|
| APPCLU | Verifying the identity of partner logical units during VTAM® session establishment. |
| APPCPORT | Controlling which user IDs can access the system from a given LU (APPC port of entry). Also, conditional access to resources for users entering the system from a given LU. |
| APPCSERV | Controlling whether a program being run by a user can act as a server for a specific APPC transaction program (TP). |
| APPCSI | Controlling access to APPC side information files. |
| APPCTP | Controlling the use of APPC transaction programs. |
| APPL | Controlling access to applications. |
| CBIND | Controlling the client's ability to bind to the server. |
| CONSOLE | Controlling access to MCS consoles. Also, conditional access to other resources for commands originating from an MCS console. |
| CSFKEYS | Controlling use of Integrated Cryptographic Service Facility/MVS (ICSF/MVS) cryptographic keys. See also the GCSFKEYS class. |
| CSFSERV | Controlling use of Integrated Cryptographic Service Facility/MVS (ICSF/MVS) cryptographic services. |
| DASDVOL | DASD volumes. See also the GDASDVOL class. |
| DEVICES | Used by z/OS allocation to control who can allocate devices such as: |
| DIRAUTH | Setting logging options for RACROUTE REQUEST=DIRAUTH requests. Also, if the DIRAUTH class is active, security label authorization checking is done when a user receives a message sent through the TPUT macro or the TSO SEND, or LISTBC commands. Profiles are not allowed in this class. |
| DLFCLASS | The data lookaside facility. |
| DSNR | Controlling access to DB2® subsystems. |
| FACILITY | Miscellaneous uses. Profiles are defined in this class so that resource managers (typically program products or components) can check a user's access to the profiles when the users take some action. Examples are catalog operations (DFP) and use of the vector facility. RACF does not document all of the resources used in the FACILITY class by other products. For information on the FACILITY class resources used by a specific product (other than RACF itself), see the product's documentation. |
| FIELD | Fields in RACF profiles (field-level access checking). |
| GCSFKEYS | Resource group class for CSFKEYS class. [1] |
| GDASDVOL | Resource group class for DASDVOL class. [1] |
| GLOBAL | Global access checking table entry. [1] |
| GMBR | Member class for GLOBAL class (not for use on RACF commands). |
| GSDSF | Resource group class for SDSF class. [1] |
| GTERMINL | Resource group class for TERMINAL class. [1] |
| JESINPUT | Conditional access support for commands or jobs entered into the system through a JES input device. |
| JESJOBS | Controlling the submission and cancellation of jobs by job name. |
| JESSPOOL | Controlling access to job data sets on the JES spool (that is, SYSIN and SYSOUT data sets). |
| NODES | Controlling the following on z/OS systems: |
| NODMBR | Member class for NODES class (not for use on RACF commands). |
| OPERCMDS | Controlling who can issue operator commands. [2] |
| PMBR | Member class for PROGRAM class (not for use on RACF commands). |
| PROGRAM | Controlled programs (load modules). [1] |
| PROPCNTL | Controlling whether user ID propagation can occur and, if so, for which user IDs (such as the CICS® or IMS main task user ID) propagation is not to occur. |
| PSFMPL | Used by PSF to perform security functions for printing, such as separator page labeling, data page labeling, and enforcement of the user printable area. |
| PTKTDATA | PassTicket Key Class enables the security administrator to associate a RACF secured signon secret key with a particular mainframe application that uses RACF for user authentication. Examples of such applications are IMS, CICS, TSO, VM, and APPC. |
| RACFVARS | RACF variables. In this class, profile names, which start with & (ampersand), act as RACF variables that can be specified in profile names in other RACF general resource classes. |
| RVARSMBR | Member class for RACFVARS (not for use on RACF commands). |
| SCDMBR | Member class for SECDATA class (not for use on RACF commands). |
| SDSF | Controls the use of authorized commands in the System Display and Search Facility (SDSF). See also GSDSF class. |
| SECDATA | Security classification of users and data (security levels and security categories). [1] |
| SECLABEL | If security labels are used and, if so, their definitions. [2] |
| SMESSAGE | Controlling to which users a user can send messages (TSO only). |
| SOMDOBJS | Controlling the client's ability to invoke the method in the class. |
| SURROGAT | If surrogate submission is allowed, and if allowed, which user IDs can act as surrogates. |
| TAPEVOL | Tape volumes. |
| TEMPDSN | Controlling who can access residual temporary data sets. You cannot create profiles in this resource class. |
| TERMINAL | Terminals (TSO or VM). See also GTERMINL class. |
| VTAMAPPL | Controlling who can open ACBs from non-APF authorized programs. |
| WRITER | Controlling the use of JES writers. |
Note:
- [1] You cannot specify this class name on the GENCMD, GENERIC, and GLOBAL/NOGLOBAL operands of the SETROPTS command.
- [2] You cannot specify this class name on the GLOBAL operand of SETROPTS or, if you do, the GLOBAL checking is not performed.
The following classes are defined for CICS:
| Class | Function |
|---|---|
| ACICSPCT | CICS program control table. [2] |
| BCICSPCT | Resource group class for ACICSPCT class. [1] |
| CCICSCMD | Used by CICS/ESA 3.1, or later, to verify that a user is permitted to use CICS system programmer commands such as INQUIRE, SET, PERFORM, and COLLECT. [1] |
| DCICSDCT | CICS destination control table. [2] |
| ECICSDCT | Resource group class for DCICSDCT class. [1] |
| FCICSFCT | CICS file control table. [2] |
| GCICSTRN | Resource group class for TCICSTRN class. [2] |
| HCICSFCT | Resource group class for FCICSFCT class. [1] |
| JCICSJCT | CICS journal control table. [2] |
| KCICSJCT | Resource group class for JCICSJCT class. [1] |
| MCICSPPT | CICS processing program table. [2] |
| NCICSPPT | Resource group class for MCICSPPT class. [1] |
| PCICSPSB | CICS program specification blocks (PSBs). |
| QCICSPSB | Resource group class for PCICSPSB class. [1] |
| SCICSTST | CICS temporary storage table. [2] |
| TCICSTRN | CICS transactions. |
| UCICSTST | Resource group class for SCICSTST class. [1] |
| VCICSCMD | Resource group class for the CCICSCMD class. [1] |
Note:
- [1] You cannot specify this class name on the GENCMD, GENERIC, and GLOBAL/NOGLOBAL operands of the SETROPTS command.
- [2] You cannot specify this class name on the GLOBAL operand of SETROPTS or, if you do, the GLOBAL checking is not performed.
The following classes are defined for SMS:
| Class | Function |
|---|---|
| MGMTCLAS | SMS management classes. |
| STORCLAS | SMS storage classes. |
The following classes are defined for IMS:
| Class | Function |
|---|---|
| AIMS | Application group names (AGN). |
| CIMS | Command. |
| DIMS | Grouping class for Command. |
| FIMS | Field (in data segment). |
| GIMS | Grouping class for transaction. |
| HIMS | Grouping class for field. |
| OIMS | Other. |
| PIMS | Database. |
| QIMS | Grouping class for database. |
| SIMS | Segment (in database). |
| TIMS | Transaction (trancode). |
| UIMS | Grouping class for segment. |
| WIMS | Grouping class for other. |
Note:
- [1] You cannot specify this class name on the GENCMD, GENERIC, and GLOBAL/NOGLOBAL operands of the SETROPTS command.
The following classes are defined for Information Management:
| Class | Function |
|---|---|
| GINFOMAN | Resource group class for Information Management Version 5. |
| INFOMAN | Member class for Information Management Version 5. |
Note:
- [1] You cannot specify this class name on the GENCMD, GENERIC, and GLOBAL/NOGLOBAL operands of the SETROPTS command.
The following class is defined for LFS/ESA:
| Class | Function |
|---|---|
| LFSCLASS | Controls access to file services provided by LFS/ESA. |
The following classes are defined for MQM:
| Class | Function |
|---|---|
| GMQADMIN | Grouping class for MQM administrative options. [1] |
| GMQCHAN | Reserved for MQM/ESA. |
| GMQNLIST | Grouping class for MQM namelists. [1] |
| GMQPROC | Grouping class for MQM processes. [1] |
| GMQQUEUE | Grouping class for MQM queues. [1] |
| MQADMIN | Protects MQM administrative options. |
| MQCMDS | Protects MQM commands. |
| MQCONN | Protects MQM connections. |
| MQNLIST | Protects MQM namelists. |
| MQPROC | Protects MQM processes. |
| MQQUEUE | Protects MQM queues. |
Note:
- [1] You cannot specify this class name on the GENCMD, GENERIC, and GLOBAL/NOGLOBAL operands of the SETROPTS command.
- [2] You cannot specify this class name on the GLOBAL operand of SETROPTS or, if you do, the GLOBAL checking is not performed.
The following classes are defined for NetView:
| Class | Function |
|---|---|
| NVASAPDT | NetView/Access Services. |
| PTKTVAL | Used by NetView/Access Services Secured Single Signon to store information needed when generating a PassTicket. |
| RMTOPS | NetView® Remote Operations. |
| RODMMGR | NetView Resource Object Data Manager (RODM). |
The following classes control auditing of HFS objects and processes:
| Class | Function |
|---|---|
| DIRACC | Controls auditing (via SETROPTS LOGOPTIONS) for access checks for read/write access to HFS directories. Profiles are not allowed in this class. |
| DIRSRCH | Controls auditing (via SETROPTS LOGOPTIONS) of HFS directory searches. Profiles are not allowed in this class. |
| FSOBJ | Controls auditing (via SETROPTS LOGOPTIONS) for all access checks for HFS objects except directory searches. Controls auditing (via SETROPTS AUDIT) of creation and deletion of HFS objects. Profiles are not allowed in this class. |
| FSSEC | Controls auditing (via SETROPTS LOGOPTIONS) for changes to the security data (FSP) for HFS objects. Profiles are not allowed in this class. |
| PROCESS | Controls auditing (via SETROPTS LOGOPTIONS) of changes to UIDs and GIDs of OpenExtensions VM processes. Controls auditing (via SETROPTS AUDIT) of dubbing and undubbing of OpenExtensions VM processes. Profiles are not allowed in this class. |
The following classes are defined for TSO:
| Class | Function |
|---|---|
| ACCTNUM | TSO account numbers. |
| PERFGRP | TSO performance groups. |
| TSOAUTH | TSO user authorities such as OPER and MOUNT. |
| TSOPROC | TSO logon procedures. |