Purpose

Use the ALTDSD command to:

- Modify an existing discrete or generic data set profile.
- Protect a single volume of either a multivolume tape data set or a multivolume, non-VSAM DASD data set. (At least one volume must already be RACF-protected.)
- Remove RACF-protection from either a single volume of a multivolume tape data set or a single volume of a multivolume, non-VSAM DASD data set. (You cannot delete the last volume from the profile.)

Changes made to discrete profiles take effect after the ALTDSD command is processed. Changes made to generic profiles do not take effect until one or more of the following steps is taken:

- The user of the data set issues the LISTDSD command:
  LISTDSD DA(data-set-protected-by-the-profile) GENERIC
  Note: Use the data set name, not the profile name.
- The security administrator issues the SETROPTS command:
  SETROPTS GENERIC(DATASET) REFRESH
  See SETROPTS command for authorization requirements.
- The user of the data set logs off and logs on again.
Issuing options

The following table identifies the eligible options for issuing the ALTDSD command:

| As a RACF® TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes |

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands. For information on issuing this command as a RACF operator command, refer to RACF operator commands. You must be logged on to the console to issue this command as a RACF operator command.
Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

To use the ALTDSD command, you must have sufficient authority over the profile. RACF makes the following checks until one of these conditions is met:

- You have the SPECIAL attribute.
- The data set profile is within the scope of a group in which you
have the group-SPECIAL attribute.
- You are the owner of the profile.
- The high-level qualifier of the profile name (or the qualifier
supplied by the RACF naming
conventions table or by a command installation exit) is your user
ID.
- To assign a security label, you must have the SPECIAL attribute
or have READ access to the security label profile. However, the security
administrator can limit the ability to assign security labels only
to users with the SPECIAL attribute.
- To access the DFP or TME segment, field-level access checking
is required.
- For a discrete profile, you are in the access list for the discrete
profile and you have ALTER authority. (If you have any other level
of authority, you cannot alter this profile.)
- For a discrete profile, your current connect group (or, if list-of-groups
checking is active, any group to which you are connected) is in the
access list and has ALTER authority.
- For a discrete profile, the universal access authority is ALTER.
To use the GLOBALAUDIT operand, you must have the AUDITOR
attribute, or the data set profile must be within the scope of a group
in which you have the group-AUDITOR attribute.
If you have
the AUDITOR attribute or the data set profile is within the scope
of a group in which you have the group-AUDITOR attribute, but you
do not satisfy one of the above checks, you can specify only the GLOBALAUDIT
operand.
To specify the AT keyword, you must have READ authority
to the DIRECT.node resource in the RRSFDATA class and a user
ID association must be established between the specified node.userid pair(s).
To
specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified
on the ONLYAT keyword must have the SPECIAL attribute, and a user
ID association must be established between the specified node.userid pair(s)
if the user IDs are not identical.
To assign a security category to a profile, or to delete
a category from a profile, you must have the SPECIAL attribute, or
the category must be in your user profile.
To assign a security
level to a profile, you must have the SPECIAL attribute, or, in your
own profile, a security level that is equal to, or greater than, the
security level you are assigning.
Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the ALTDSD command is:

    [subsystem-prefix]{ALTDSD | ALD}
        (profile-name [ /password ] …)
        [ ADDCATEGORY(category-name …) | DELCATEGORY [( {category-name … | *} )] ]
        [ ADDVOL(volume-serial) | DELVOL(volume-serial) | ALTVOL(old-volume-serial new-volume-serial) ]
        [ AT([node].userid …) | ONLYAT([node].userid …) ]
        [ AUDIT(access-attempt[(audit-access-level)] …) ]
        [ DATA('installation-defined-data') | NODATA ]
        [ DFP(RESOWNER(userid or group-name) | NORESOWNER) | NODFP ]
        [ ERASE | NOERASE ]
        [ GENERIC | SET | NOSET ]
        [ GLOBALAUDIT(access-attempt[(audit-access-level)] …) ]
        [ LEVEL(nn) ]
        [ NOTIFY(userid) | NONOTIFY ]
        [ OWNER(userid or group-name) ]
        [ RETPD(nnnnn) ]
        [ SECLABEL(seclabel-name) | NOSECLABEL ]
        [ SECLEVEL(seclevel-name) | NOSECLEVEL ]
        [ TME( [ ROLES(role-access-specification …)
                 | ADDROLES(role-access-specification …)
                 | DELROLES(role-access-specification …)
                 | NOROLES ] )
          | NOTME ]
        [ UACC(access-authority) ]
        [ UNIT(type) ]
        [ VOLUME(volume-serial) ]
        [ WARNING | NOWARNING ]
Parameters

- subsystem-prefix
  Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.
  Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

- profile-name
  Specifies the name of a discrete or generic data set profile. If you specify more than one profile name, the list of names must be enclosed in parentheses.
  This operand is required and must be the first operand following ALTDSD.
  Note:
  - Because RACF uses the RACF database and not the system catalog, you cannot use alias data set names.
  - If you specify a generic profile name, RACF ignores these operands:
    - ADDVOL | DELVOL | ALTVOL
    - SET | NOSET
    - UNIT
    - VOLUME

- /password
  Specifies the data set password if you are altering the profile for a password-protected data set. This operand applies only if you are using the ADDVOL and SET operands for a volume of a multivolume password-protected data set. The WRITE level password must then be specified.
  If the command is executing in the foreground and you omit the password for a password-protected data set, RACF uses the logon password. You are prompted if the password you enter or the logon password is incorrect.
  If the command is executing in a batch job and you either omit the password for a password-protected data set or supply an incorrect password, the operator is prompted.
  You can use this operand only for tape data sets and non-VSAM DASD data sets. If you specify a generic profile, RACF ignores this operand.
- ADDCATEGORY | DELCATEGORY
  - ADDCATEGORY(category-name …)
    Specifies one or more names of installation-defined security categories. category-name must be defined as a member of the CATEGORY profile in the SECDATA class. (For information on defining security categories, see z/OS Security Server RACF Security Administrator's Guide.)
    Specifying ADDCATEGORY on the ALTDSD command causes RACF to add any category names you specify to any list of required categories that already exists in the data set profile. All users previously allowed to access the data set can continue to do so only if their profiles also include the additional category names.
    When the SECDATA class is active and you specify ADDCATEGORY, RACF performs security category checking in addition to its other authorization checking. If a user requests access to a data set, RACF compares the list of security categories in the user profile with the list of security categories in the data set profile. If RACF finds any security category in the data set profile that is not in the user's profile, RACF denies access to the data set. If the user's profile contains all the required security categories, RACF continues with other authorization checking.
    Note: RACF does not perform security category checking for a started task or user that has the RACF trusted or privileged attribute. The RACF trusted or privileged attribute can be assigned to a started task through the RACF started procedures table or STARTED class, or to other users by installation-supplied RACF exits.
  - DELCATEGORY[(category-name … | *)]
    Specifies one or more names of installation-defined security categories you want to delete from the data set profile. Specifying an asterisk (*) deletes all categories; RACF no longer performs security category checking for the data set profile. Specifying DELCATEGORY by itself causes RACF to delete from the profile only undefined category names (those category names that were once known to RACF but that the installation has since deleted from the CATEGORY profile).
- ADDVOL | DELVOL | ALTVOL
  - ADDVOL(volume-serial)
    Specifies that you want to RACF-protect the portion of the data set residing on this volume. At least one other portion of the data set on a different volume must already have been RACF-protected. You can use this operand only for tape data sets and non-VSAM data sets.
    The DASD volume must be online unless you also specify NOSET. If it is not online and you omit NOSET, the ALTDSD command processor will, if you have TSO MOUNT authority, request that the volume be mounted.
    RACF ignores this operand if you specify a generic profile name.
    Note: The maximum number of volume serials for a tape data set with an entry in the TVTOC is 42.
  - DELVOL(volume-serial)
    Specifies that you want to remove RACF-protection from the portion of the data set residing on this volume. If no other portions of this data set on another volume are RACF-protected, the command terminates. (Use the DELDSD command to delete the profile from RACF.) You can use this operand only for tape data sets and non-VSAM DASD data sets.
    The DASD volume must be online unless you also specify NOSET. If it is not online and you omit NOSET, the ALTDSD command processor requests that the volume be mounted.
    RACF ignores this operand if you specify a generic profile name.
  - ALTVOL(old-volume-serial new-volume-serial)
    Specifies that you want to change the volume serial number in the data set profile. You can specify this operand for both VSAM and non-VSAM DASD data sets, but you cannot specify it for tape data sets. If you specify ALTVOL for a tape data set, the command fails.
    When you specify ALTVOL, RACF ignores the SET and NOSET operands and modifies the data set profile, but it does not process the RACF indicator.
    RACF ignores this operand if you specify a generic profile name.
    To specify ALTVOL, you must have the SPECIAL attribute, or the data set profile must be within the scope of a group in which you have the group-SPECIAL attribute, or the high-level qualifier of the data set name (or the qualifier supplied by a command installation exit routine) must be your user ID.
- AT | ONLYAT
  The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
  - AT([node].userid …)
    Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.
    If node is not specified, the command is directed to the local node.
  - ONLYAT([node].userid …)
    Specifies that the command is to be directed only to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.
    If node is not specified, the command is directed only to the local node.
- AUDIT(access-attempt[(audit-access-level)] …)
  Specifies which access attempts and access levels the user who has the AUDITOR attribute wants logged to the SMF data set.
  - access-attempt
    Specifies which new access attempts you want logged to the SMF data set. The following options are available:
    - ALL
      Specifies that you want to log both authorized accesses and detected unauthorized access attempts.
    - FAILURES
      Specifies that you want to log detected unauthorized access attempts.
    - NONE
      Specifies that you do not want any logging to be done.
    - SUCCESS
      Specifies that you want to log authorized accesses.
    If you specify AUDIT without a value, RACF ignores it.
  - audit-access-level
    Specifies which access levels you want logged to the SMF data set. The levels you can specify are:
    - ALTER
      Logs ALTER access-level attempts only.
    - CONTROL
      Logs access attempts at the CONTROL and ALTER levels.
    - READ
      Logs access attempts at any level. READ is the default value if you omit audit-access-level.
    - UPDATE
      Logs access attempts at the UPDATE, CONTROL, and ALTER levels.
    You cannot audit access attempts at the EXECUTE level.
- DATA | NODATA
  - DATA('installation-defined-data')
    Specifies up to 255 characters of installation-defined data to be stored in the data set profile; the data must be enclosed in single quotation marks. It can also contain double-byte character set (DBCS) data.
    Use the LISTDSD command to list this information.
  - NODATA
    Specifies that the ALTDSD command is to delete any installation-defined data in the data set profile.

- DFP | NODFP
  - DFP
    Specifies that for an SMS-managed data set, you can change the following information:
    - RESOWNER(userid or group-name) | NORESOWNER
      Specifies the user ID or group name of the actual owner of the data sets protected by the profile specified in profile-name. The name specified for RESOWNER must be a RACF-defined user or group. (The data set resource owner, or RESOWNER, is distinguished from the OWNER, which represents the user or group that owns the data set profile.)
      If NORESOWNER is specified, the user or group represented by the high-level qualifier of the data set profile is assigned as the owner of data sets protected by the profile when SMS needs to determine the RESOWNER.
    You can control access to the entire DFP segment or to individual fields within the DFP segment by using field-level access checking. For more information, see z/OS Security Server RACF Security Administrator's Guide.
  - NODFP
    Specifies that RACF should delete the DFP segment from the data set profile.
- ERASE | NOERASE
  - ERASE
    Specifies that when SETROPTS ERASE is active, data management is to physically erase the contents of deleted data sets and scratched or released DASD extents. Erasing the data set means overwriting its contents with binary zeroes so that it cannot be read.
    Restrictions: The ERASE operand is ignored when any of the following conditions exist:
  - NOERASE
    Specifies that data management is not to physically erase the contents of deleted data sets and scratched or released DASD extents.
    Restrictions: Setting NOERASE has no effect and does not prevent a scratched data set from being erased under either one of the following conditions:
    - SETROPTS ERASE(ALL) is in effect.
    - SETROPTS ERASE(SECLEVEL(security-level)) is in effect and the scratched data set has a security level that is equal to or higher than the security-level specified with SETROPTS.
- GENERIC | SET | NOSET
  If you do not specify GENERIC, SET, or NOSET, the default value is SET.
  - GENERIC
    Specifies that RACF is to treat the profile name as a generic name, even if it does not contain any generic characters.
  - SET | NOSET
    Specifies whether the data set is to be RACF-indicated. RACF ignores SET and NOSET if you do not use the ADDVOL or DELVOL operand or if you specify a generic profile name.
    - SET
      Specifies that:
      - The data set on this volume is to be RACF-indicated if you also specify the ADDVOL operand. If the indicator is already on, the command fails.
      - The RACF-indicator for the data set on this volume is to be set off if you also specify the DELVOL operand. If the indicator is already off, the command fails.
      For a DASD data set, the volume indicated in the ADDVOL or DELVOL operand must be online.
    - NOSET
      Specifies that RACF is not to change the RACF indicator for the data set.
      The volume indicated in the ADDVOL or DELVOL operand does not have to be online.
      To use NOSET, you must have the SPECIAL attribute, or the data set profile must be within the scope of a group in which you have the group-SPECIAL attribute, or the high-level qualifier of the data set name (or the qualifier supplied by a command installation exit) must be your user ID. If you are not authorized, RACF ignores the NOSET and ADDVOL or DELVOL operands.
- GLOBALAUDIT(access-attempt[(audit-access-level)] …)
  Specifies which access attempts and access levels the user who has the AUDITOR attribute wants logged to the SMF data set.
  - access-attempt
    Specifies which access attempts the user who has the AUDITOR attribute wants logged to the SMF data set. The following options are available:
    - ALL
      Specifies that you want to log both authorized accesses and detected unauthorized access attempts.
    - FAILURES
      Specifies that you want to log detected unauthorized access attempts.
    - NONE
      Specifies that you do not want any logging to be done.
    - SUCCESS
      Specifies that you want to log authorized accesses.
    If you specify GLOBALAUDIT without a value, RACF ignores it.
  - audit-access-level
    Specifies which access levels the user who has the AUDITOR attribute wants logged to the SMF data set. The levels you can specify are:
    - ALTER
      Logs ALTER access-level attempts only.
    - CONTROL
      Logs access attempts at the CONTROL and ALTER levels.
    - READ
      Logs access attempts at any level. READ is the default value if you omit audit-access-level.
    - UPDATE
      Logs access attempts at the UPDATE, CONTROL, and ALTER levels.
    You cannot audit access attempts at the EXECUTE level.
  To use the GLOBALAUDIT operand, you must have the AUDITOR attribute, or the profile must be within the scope of a group in which you have the group-AUDITOR attribute.
  Note: Regardless of the value specified in GLOBALAUDIT, RACF always logs all access attempts specified on the AUDIT operand.
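The interaction between AUDIT and GLOBALAUDIT above is easy to misread when reviewing a profile, so here is an added model of those logging rules (illustration code, not RACF code): it parses an operand value such as `FAILURES(READ) SUCCESS(UPDATE)` and decides whether a given access attempt would reach the SMF data set. The level ordering, the READ default, the EXECUTE exclusion and the "AUDIT always logs, GLOBALAUDIT only adds" rule are taken from this page; the function names are my own.

```python
"""Model of the AUDIT / GLOBALAUDIT logging rules for a data set profile.

Added illustration, not RACF code. Rules implemented (from the page):
  - audit-access-level READ (the default) selects attempts at any level,
    UPDATE selects UPDATE/CONTROL/ALTER, CONTROL selects CONTROL/ALTER,
    ALTER selects ALTER only.
  - EXECUTE-level attempts cannot be audited.
  - Whatever AUDIT selects is always logged; GLOBALAUDIT only adds to it.
"""
import re

# Auditable access levels, lowest first. EXECUTE is deliberately absent.
LEVEL_ORDER = ["READ", "UPDATE", "CONTROL", "ALTER"]

_SPEC = re.compile(r"(ALL|FAILURES|NONE|SUCCESS)(?:\(([A-Z]+)\))?")


def parse_audit(operand):
    """Parse 'access-attempt[(audit-access-level)] ...' into a dict mapping
    an outcome ('SUCCESS' or 'FAILURES') to the lowest level that is logged.
    An empty operand (AUDIT given without a value) yields no rules at all."""
    rules = {}
    for token in operand.split():
        match = _SPEC.fullmatch(token)
        if match is None:
            raise ValueError("not a valid audit specification: %r" % token)
        attempt, level = match.group(1), match.group(2) or "READ"
        if level not in LEVEL_ORDER:
            raise ValueError("%s is not an auditable access level" % level)
        if attempt == "NONE":
            continue                          # NONE selects nothing
        outcomes = ("SUCCESS", "FAILURES") if attempt == "ALL" else (attempt,)
        for outcome in outcomes:
            # If an outcome is named twice, keep the broader (lower) level.
            current = rules.get(outcome)
            if current is None or LEVEL_ORDER.index(level) < LEVEL_ORDER.index(current):
                rules[outcome] = level
    return rules


def is_logged(rules, outcome, level):
    """True when an attempt with `outcome` at access `level` is selected."""
    if level == "EXECUTE" or outcome not in rules:
        return False
    return LEVEL_ORDER.index(level) >= LEVEL_ORDER.index(rules[outcome])


def smf_logged(audit, globalaudit, outcome, level):
    """Combine the profile's AUDIT value with the auditor's GLOBALAUDIT value:
    the attempt is logged if either one selects it."""
    return (is_logged(parse_audit(audit), outcome, level)
            or is_logged(parse_audit(globalaudit), outcome, level))


if __name__ == "__main__":
    # Example 6 on this page: AUDIT(FAILURES(READ) SUCCESS(UPDATE))
    audit = "FAILURES(READ) SUCCESS(UPDATE)"
    for outcome, level in [("SUCCESS", "READ"), ("SUCCESS", "UPDATE"),
                           ("FAILURES", "READ"), ("SUCCESS", "EXECUTE")]:
        print(outcome, level, "->", smf_logged(audit, "", outcome, level))
```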
- LEVEL(nn)
  Specifies a new level indicator, where nn is an integer 0 - 99.
  Your installation assigns the meaning of the value. RACF includes it in all records that log data set accesses and in the LISTDSD command display.

- NOTIFY | NONOTIFY
  - NOTIFY[(userid)]
    Specifies the user ID of a user to be notified whenever RACF uses this profile to deny access to a data set. If you specify NOTIFY without specifying a user ID, RACF takes your user ID as the default; you are notified whenever the profile denies access to a data set.
    A user who is to receive NOTIFY messages should log on frequently, both to take action in response to the unauthorized access attempts the messages describe and to clear the messages from the SYS1.BRODCAST data set. (When the profile also includes WARNING, RACF might have granted access to the data set to the user identified in the message.)
    Note: The user ID specified on the NOTIFY operand is not notified when the profile disallows creation or deletion of a data set. NOTIFY is only used for resource access checking, not for resource creation or deletion.
  - NONOTIFY
    Specifies that no user is to be notified when RACF uses this profile to deny access to a data set.
- OWNER(userid or group-name)
  Specifies a RACF-defined user or group to be the new owner of the data set profile. If you specify a user ID as the owner of a group data set profile, the specified user must have at least USE authority in the group to which the data set profile belongs.
  To change the owner of a profile, you must be the current owner of the profile or have the SPECIAL attribute, or the profile must be within the scope of a group in which you have the group-SPECIAL attribute.
  Note: The user specified as the owner does not automatically have access to the data set. Use the PERMIT command to add the owner to the access list as desired.

- RETPD(nnnnn)
  Specifies the RACF security retention period for a tape data set. The security retention period is the number of days that must elapse before a tape data set profile expires. (Note that, even though the data set profile expires, RACF-protection for data sets protected by the profile is still in effect. For more information, see z/OS Security Server RACF Security Administrator's Guide.)
  The number you specify must be 1 to 5 digits in the range of 0 through 65533 or, to indicate a data set that never expires, 99999.
  Using RETPD to change the RACF security retention period for a data set means that the RACF security retention period and the data set retention period specified by the EXPDT/RETPD parameters on the JCL DD statement are no longer the same.
  When the TAPEVOL class is active, RACF checks the RACF security retention period before it allows a data set to be overwritten. RACF adds the number of days in the retention period to the creation date for the data set. If the result is less than the current date, RACF continues to protect the data set.
  When the TAPEVOL class is not active, RACF ignores the RETPD operand.
  Specifying this operand for a DASD data set does not cause an error, but it has no meaning because RACF ignores the operand during authorization checking.
- SECLABEL | NOSECLABEL
  - SECLABEL(seclabel-name)
    Specifies an installation-defined security label for this profile. A security label corresponds to a particular security level (such as CONFIDENTIAL) with a set of zero or more security categories (such as PAYROLL or PERSONNEL).
    RACF stores the name of the security label you specify in the data set profile if you are authorized to use that SECLABEL.
    If you are not authorized to the SECLABEL or if the name you had specified is not defined as a SECLABEL profile in the SECLABEL class, the data set profile is not updated.
    Note: If the SECLABEL class is active and the security label is specified in this profile, any security levels and categories in the profile are ignored.
  - NOSECLABEL
    Removes the security label, if one had been specified, from the profile.

- SECLEVEL | NOSECLEVEL
  - SECLEVEL(seclevel-name)
    Specifies the name of an installation-defined security level. This name corresponds to the number that is the minimum security level that a user must have to access the data set. The seclevel-name must be a member of the SECLEVEL profile in the SECDATA class.
    When you specify SECLEVEL and the SECDATA class is active, RACF adds security level access checking to its other authorization checking. If global access checking does not grant access, RACF compares the security level allowed in the user profile with the security level required in the data set profile. If the security level in the user profile is less than the security level in the data set profile, RACF denies the access. If the security level in the user profile is equal to or greater than the security level in the data set profile, RACF continues with other authorization checking.
    Note: RACF does not perform security level checking for a started task or user that has the RACF privileged or trusted attribute. The RACF privileged or trusted attribute can be assigned to a started task through the RACF started procedures table or STARTED class, or to other users by installation-supplied RACF exits.
    If the SECDATA class is not active, RACF stores the name you specify in the data set profile. When the SECDATA class is activated and the name you specified is defined as a SECLEVEL profile, RACF can perform security level access checking for the data set profile. If the name you specify is not defined as a SECLEVEL profile and the SECDATA class is active, you are prompted to provide a valid security level name.
  - NOSECLEVEL
    Specifies that the ALTDSD command is to delete the security level name from the profile. RACF no longer performs security level access checking for the data set.
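The category check described under ADDCATEGORY and the level check described under SECLEVEL are both "deny unless the user profile dominates the data set profile" rules, and both are bypassed for trusted or privileged started tasks. The following added model (illustration code, not RACF code) shows the two checks together, using the profile from Example 1 on this page; the SECLEVEL names and their numeric values, the user IDs and the function names are constructed assumptions.

```python
"""Model of the security category (ADDCATEGORY) and security level (SECLEVEL)
checks RACF adds to its other authorization checking.

Added illustration, not RACF code. SECLEVEL names and numbers are
constructed installation definitions; a higher number is a higher level.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed SECLEVEL definitions (members of the SECLEVEL profile).
SECLEVELS = {"PUBLIC": 10, "PERSONAL": 50, "CONFIDENTIAL": 90}


@dataclass(frozen=True)
class UserProfile:
    userid: str
    seclevel: Optional[str] = None
    categories: FrozenSet[str] = frozenset()
    trusted_or_privileged: bool = False   # started task / exit-assigned attribute


@dataclass(frozen=True)
class DataSetProfile:
    name: str
    seclevel: Optional[str] = None
    categories: FrozenSet[str] = frozenset()


def secdata_checks(user: UserProfile, profile: DataSetProfile,
                   secdata_active: bool = True) -> Tuple[bool, str]:
    """Return (continue, reason).

    True means RACF would go on to its other authorization checking (access
    list, UACC, ...); False means access is denied by these checks alone.
    The checks are skipped for trusted or privileged users and when the
    SECDATA class is not active (names are then stored but not enforced)."""
    if user.trusted_or_privileged:
        return True, "trusted or privileged: category and level checks skipped"
    if not secdata_active:
        return True, "SECDATA class inactive: names stored but not checked"
    # Category check: every category in the data set profile must also be in
    # the user profile; one missing category is enough to deny.
    missing = profile.categories - user.categories
    if missing:
        return False, "missing required categories: " + " ".join(sorted(missing))
    # Level check: the user's level must be equal to or greater than the
    # level required by the profile. A user with no level holds level 0.
    if profile.seclevel is not None:
        required = SECLEVELS[profile.seclevel]
        held = SECLEVELS[user.seclevel] if user.seclevel else 0
        if held < required:
            return False, "user security level %s is below required %s" % (
                user.seclevel, profile.seclevel)
    return True, "category and level checks passed"


# The profile from Example 1 on this page after
# ADDCATEGORY(FINANCIAL PERSONNEL) SECLEVEL(PERSONAL):
PAYROLL_DEPT2 = DataSetProfile("PAYROLL.DEPT2.DATA", seclevel="PERSONAL",
                               categories=frozenset({"FINANCIAL", "PERSONNEL"}))

if __name__ == "__main__":
    clerk = UserProfile("CLERK1", "PERSONAL", frozenset({"FINANCIAL"}))
    print(secdata_checks(clerk, PAYROLL_DEPT2))   # denied: PERSONNEL missing
```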
- TME | NOTME
  - TME
    Specifies that information for the Tivoli® Security Management Application is to be added, changed, or deleted.
    Note: The TME segment fields are intended to be updated only by the Tivoli Security Management Application, which manages updates, permissions, and cross references. A security administrator should only directly update Tivoli Security Management fields on an exception basis.
    - ROLES(role-access-specification …)
      Specifies a list of roles and associated access levels related to this profile.
      One or more role-access-specification values can be specified, each separated by blanks. Each value should contain no imbedded blanks and should have the following format:
      role-name:authority[:conditional-class:conditional-profile]
      where role-name is a discrete general resource profile defined in the ROLE class. The authority is the access authority (NONE, EXECUTE, READ, UPDATE, CONTROL, or ALTER) with which groups in the role definition should be permitted to the resource.
      The conditional-class is a class name (APPCPORT, CONSOLE, JESINPUT, PROGRAM, TERMINAL, or SYSID) for conditional access permission, and is followed by the conditional-profile value, a resource profile defined in the conditional class.
    - ADDROLES(role-access-specification …)
      Specifies that specific roles and access levels are to be added to the current list.
    - DELROLES(role-access-specification …)
      Specifies that specific roles from the current list of roles are to be removed.
    - NOROLES
      Specifies that the entire list of roles be removed.
  - NOTME
    Specifies that RACF delete the TME segment from the profile.
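Because the role-access-specification format above is colon-delimited with a fixed set of valid authorities and conditional classes, a small validating parser catches most mistakes before the command is issued. The following is an added example (my own illustration code, not Tivoli or RACF code) that parses the format and applies the ROLES, ADDROLES, DELROLES and NOROLES operations to a role list; the role and profile names are constructed, and the way DELROLES matches entries (by role name plus conditional pair, ignoring authority) is an assumption of this example.

```python
"""Parser and list operations for the TME role-access-specification format:
    role-name:authority[:conditional-class:conditional-profile]

Added illustration, not Tivoli or RACF code. Assumption: DELROLES removes an
entry when its role name and conditional class/profile pair match, whatever
authority is given in the specification.
"""
from typing import List, NamedTuple, Optional

AUTHORITIES = ("NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER")
CONDITIONAL_CLASSES = ("APPCPORT", "CONSOLE", "JESINPUT", "PROGRAM",
                       "TERMINAL", "SYSID")


class RoleAccess(NamedTuple):
    role: str                      # discrete profile in the ROLE class
    authority: str
    cond_class: Optional[str]
    cond_profile: Optional[str]

    def key(self):
        """Identity used when adding or deleting entries (authority excluded)."""
        return (self.role, self.cond_class, self.cond_profile)


def parse_role_access(spec: str) -> RoleAccess:
    """Validate one role-access-specification and split it into its parts."""
    if any(ch.isspace() for ch in spec):
        raise ValueError("imbedded blanks are not allowed: %r" % spec)
    parts = spec.split(":")
    if len(parts) not in (2, 4):
        raise ValueError("expected role:authority[:class:profile]: %r" % spec)
    role, authority = parts[0], parts[1].upper()
    if not role:
        raise ValueError("missing role name: %r" % spec)
    if authority not in AUTHORITIES:
        raise ValueError("invalid authority %r in %r" % (parts[1], spec))
    if len(parts) == 2:
        return RoleAccess(role, authority, None, None)
    cond_class, cond_profile = parts[2].upper(), parts[3]
    if cond_class not in CONDITIONAL_CLASSES:
        raise ValueError("invalid conditional class %r in %r" % (parts[2], spec))
    if not cond_profile:
        raise ValueError("missing conditional profile: %r" % spec)
    return RoleAccess(role, authority, cond_class, cond_profile)


def parse_operand(value: str) -> List[RoleAccess]:
    """A ROLES/ADDROLES/DELROLES value: specifications separated by blanks."""
    return [parse_role_access(token) for token in value.split()]


def apply_tme_operand(current, operand: str, value: str = "") -> List[RoleAccess]:
    """Return the role list that results from applying one TME suboperand."""
    current = list(current)
    if operand == "NOROLES":
        return []                              # entire list removed
    if operand == "ROLES":
        return parse_operand(value)            # replaces the whole list
    if operand == "ADDROLES":
        for entry in parse_operand(value):
            # an entry with the same key is replaced rather than duplicated
            current = [e for e in current if e.key() != entry.key()] + [entry]
        return current
    if operand == "DELROLES":
        gone = {e.key() for e in parse_operand(value)}
        return [e for e in current if e.key() not in gone]
    raise ValueError("unknown TME suboperand: %r" % operand)


if __name__ == "__main__":
    # Constructed sample: TME(ROLES(PAYADMIN:UPDATE AUDITRL:READ))
    roles = apply_tme_operand([], "ROLES", "PAYADMIN:UPDATE AUDITRL:READ")
    roles = apply_tme_operand(roles, "ADDROLES", "PAYADMIN:ALTER:PROGRAM:PAYBATCH")
    for entry in roles:
        print(entry)
```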
- UACC(access-authority)
  Specifies the universal access authority to be associated with the data sets. The universal access authorities are ALTER, CONTROL, READ, UPDATE, EXECUTE, and NONE. If you specify CONTROL for a tape data set or a non-VSAM DASD data set, RACF treats the access authority as UPDATE. If you specify EXECUTE for a tape data set or a DASD data set not used as a program library, RACF treats the access authority as NONE.
  If a user accessing a data set has the RESTRICTED attribute, RACF treats the universal access authority (UACC) as NONE for that access attempt.
  If you enter UACC without a value, RACF retains the old universal access authority for the data sets.

- UNIT(type)
  Specifies the unit type to be added to the data set profile on which a non-VSAM data set resides. You can specify an installation-defined unit name, a generic device type, or a specific device address. RACF ignores this operand if you specify a generic profile name.

- VOLUME(volume-serial)
  Specifies the volume on which the tape data set, the non-VSAM DASD data set, or the catalog for the VSAM data set resides.
  If you specify VOLUME and volume-serial does not appear in the profile for the data set, the command fails. If you omit VOLUME and the data set name appears more than once in the RACF database, the command fails. If you omit VOLUME and the data set name appears only once in the RACF database, no volume serial checking is performed and processing continues.
  RACF ignores this operand if you specify a generic profile name.

- WARNING | NOWARNING
  - WARNING
    Specifies that even if access authority is insufficient, RACF is to issue a warning message and allow access to the resource. RACF also records the access attempt in the SMF record if logging is specified in the profile.
    When SETROPTS MLACTIVE(FAILURES) is in effect: A user or task can access a data set that is in WARNING mode and has no security label even when MLACTIVE(FAILURES) is in effect and the class requires security labels. The user or task receives a warning message and gains access.
  - NOWARNING
    Specifies that if access authority is insufficient, RACF is to deny the user access to the resource and not issue a warning message.
Examples

Example 1

Operation: User AEH0 owns data set profile PAYROLL.DEPT2.DATA and wants to assign ownership of the data set to group PAYROLL. Only users with categories of FINANCIAL and PERSONNEL and a security level of PERSONAL are to be able to access the data set.

Known: Data set PAYROLL.DEPT2.DATA is RACF-defined with a discrete profile. FINANCIAL and PERSONNEL are valid categories of access; PERSONAL is a valid security level name. User AEH0 wants to issue the command as a RACF TSO command.

Command:

    ALTDSD 'PAYROLL.DEPT2.DATA' OWNER(PAYROLL) ADDCATEGORY(FINANCIAL PERSONNEL) SECLEVEL(PERSONAL)

Defaults: None.

Example 2

Operation: User WRH0 wants to change the universal access authority to NONE for data set RESEARCH.PROJ02.DATA and wants to have all accesses to the data set logged on SMF records. User ADMIN02 is to be notified when RACF uses this profile to deny access to the data set. The data set is to be erased when it is deleted (scratched).

Known: User WRH0 has ALTER access to data set profile RESEARCH.PROJ02.DATA. User WRH0 is logged onto group RESEARCH. User WRH0 wants to issue the command as a RACF TSO command. User ADMIN02 is a RACF-defined user. Data set RESEARCH.PROJ02.DATA is RACF-defined with a generic profile. The SETROPTS ERASE option has been specified for the installation.

Command:

    ALTDSD 'RESEARCH.PROJ02.DATA' UACC(NONE) AUDIT(ALL(READ)) GENERIC NOTIFY(ADMIN02) ERASE

Defaults: None.

Example 3

Operation: User CD0 wants to remove RACF-protection from volume 222222 of the multivolume data set CD0.PROJ2.DATA.

Known: CD0.PROJ2.DATA is a non-VSAM data set that resides on volumes 111111 and 222222 and is defined to RACF with a discrete profile. Volume 222222 is online. User CD0's TSO profile specifies PREFIX(CD0). User CD0 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @.

Command:

    @ALTDSD PROJ2.DATA DELVOL(222222)

Defaults: None.

Example 4

Operation: User RVD02 wants to have all successful accesses to data set PAYROLL.ACCOUNT on volume SYS003 logged to the SMF data set.

Known: User RVD02 has the AUDITOR attribute. User RVD02 wants to issue the command as a RACF TSO command.

Command:

    ALTDSD 'PAYROLL.ACCOUNT' GLOBALAUDIT(SUCCESS(READ)) VOLUME(SYS003)

Defaults: None.

Example 5

Operation: User SJR1 wants to modify the installation-defined information associated with the tape data set SYSINV.ADMIN.DATA. The RACF security retention period is to be 360 days.

Known: User SJR1 has ALTER authority to the data set profile. User SJR1 wants to issue the command as a RACF TSO command. Tape data set protection is active.

Command:

    ALTDSD 'SYSINV.ADMIN.DATA' DATA('LIST OF REVOKED RACF USERIDS') RETPD(360)

Defaults: None.

Example 6

Operation: User ADM1 wants to log all unauthorized access attempts and all successful updates to data sets protected by a generic profile (SALES.ABC.*).

Known: User ADM1 has the SPECIAL attribute. User ADM1 wants to issue the command as a RACF TSO command.

Command:

    ALTDSD 'SALES.ABC.*' AUDIT(FAILURES(READ) SUCCESS(UPDATE))

Defaults: None.

Example 7

Operation: User ADM1 owns the DFP-managed data set RESEARCH.TEST.DATA3 and wants to assign user ADM6 as the data set resource owner. User ADM1 wants to direct the command to run at node CLCON under the authority of user DROLLO and prohibit the command from being automatically directed to other nodes.

Known: Data set RESEARCH.TEST.DATA3 is RACF-defined with a discrete profile. Users ADM1 and DROLLO at CLCON have the SPECIAL attribute, and ADM6 is defined to RACF on node CLCON. User ADM1 wants to issue the command as a RACF TSO command. Users ADM1 and DROLLO at CLCON have an already established user ID association.

Command:

    ALTDSD 'RESEARCH.TEST.DATA3' DFP(RESOWNER(ADM6)) ONLYAT(CLCON.DROLLO)

Results: The command is only processed on the node CLCON and not automatically directed to any other nodes in the RRSF configuration.