z/OS UNIX System Services Planning


Using access control lists (ACLs)

GA32-0884-00

Use access control lists (ACLs) to control access to files and directories by individual user (UID) and group (GID). ACLs are used in conjunction with permission bits. They are created, modified, and deleted using the setfacl shell command. To display them, use the getfacl shell command. You can also use the ISHELL interface to define and display ACLs.

The HFS, zFS, and TFS file systems support ACLs. It is possible that other physical file systems will eventually support z/OS ACLs. Consult your file system documentation to see if ACLs are supported.

Before you can begin using ACLs, you must know what security product is being used. The ACLs are created and checked by RACF®, not by the kernel or file system. If a different security product is being used, you must check its documentation to see if ACLs are supported and what rules are used when determining file access.

Note:
  1. The phrases default ACL and model ACL are used interchangeably throughout z/OS UNIX documentation. Other systems that support ACLs have default ACLs that are essentially the same as the directory default ACLs in z/OS UNIX.
  2. According to the X/Open UNIX 95 specification, additional access control mechanisms can only restrict the access permissions that are defined by the file permission bits. They cannot grant additional access permissions. Because z/OS ACLs can grant and restrict access, the use of ACLs is not UNIX 95-compliant.





Copyright IBM Corporation 1990, 2014