z/OS Security Server RACF Security Administrator's Guide


Controlling the use of SMS classes

SA23-2289-00

To control the use of SMS classes, issue RACF® commands as described below.

First, issue the SETROPTS command with the CLASSACT operand to activate the RACF general resource classes MGMTCLAS and STORCLAS. The format of the command is as follows:
SETROPTS CLASSACT(MGMTCLAS STORCLAS)

Then, to define a specific SMS class, issue the RDEFINE command and specify the appropriate operands. After you define a profile to protect a specific SMS class, issue the PERMIT command to create entries in the access list of the profile. You might want to look at Determining the owner of an SMS-managed data set for more information.

For example, suppose you want to define a profile in the RACF general resource class STORCLAS to protect an SMS storage class named DFP2STOR. You can control which users and groups can use DFP2STOR by issuing one of the following sequences of commands:
  • To limit the number of users who can use DFP2STOR:
    1. Issue the RDEFINE command to define the profile for DFP2STOR and assign a UACC of NONE to the profile. The format of the command is as follows:
      RDEFINE STORCLAS DFP2STOR UACC(NONE)

      This command specifies that no users can access DFP2STOR, except for the creator of the profile. For more information, see z/OS Security Server RACF Command Language Reference.

    2. Selectively allow certain users and groups access to DFP2STOR by issuing the PERMIT command and specifying an ACCESS of READ. The format of the command is as follows:
      PERMIT DFP2STOR CLASS(STORCLAS) ID(SMITH JONES) ACCESS(READ)

      This command allows SMITH and JONES the use of storage class DFP2STOR.

  • To allow many users the use of DFP2STOR:
    1. Issue the RDEFINE command to define the profile for DFP2STOR and assign a UACC of READ to the profile. The format of the command is as follows:
      RDEFINE STORCLAS DFP2STOR UACC(READ)

      This command specifies that all users can access DFP2STOR.

    2. You can selectively exclude certain users and groups from using DFP2STOR by issuing the PERMIT command and specifying an ACCESS of NONE. The format of the command is as follows:
      PERMIT DFP2STOR CLASS(STORCLAS) ID(SMITH JONES) ACCESS(NONE)

      This command prevents SMITH and JONES from using storage class DFP2STOR.

  • For SMS resource classes that you want to be available to all users, consider creating an entry in the global access checking table. For example, to allow all users access to DFP2STOR, enter:
    RDEFINE GLOBAL STORCLAS ADDMEM(DFP2STOR/READ)
    
    SETROPTS GLOBAL(STORCLAS) REFRESH

    Global access checking helps reduce processing overhead associated with RACF authorization checking. For SMS resources that you want to have available to a limited number of users, consider using SETROPTS RACLIST processing for STORCLAS and MGMTCLAS to provide the best performance.

After you define profiles in the MGMTCLAS and STORCLAS resource classes, you should activate SETROPTS RACLIST processing for these classes. This can improve performance by reducing I/O to the RACF database.

To activate SETROPTS RACLIST processing for the MGMTCLAS and STORCLAS resource classes, issue the SETROPTS command with the RACLIST operand and specify the appropriate RACF resource class names. The format of the command is as follows:
SETROPTS RACLIST(STORCLAS MGMTCLAS)

For more information, see SETROPTS RACLIST processing.
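The access decisions that the DFP2STOR profiles above produce, as an added Python model of the RACF check order (not IBM code): global access checking table first, then the user's own access list entry, then group entries, then UACC. It also shows the caveat behind the third bullet: a GLOBAL entry for DFP2STOR grants access before the profile is consulted, so it cancels the ACCESS(NONE) exclusions of the second scenario. User IDs, groups and the RESTRICTED attribute in the examples are constructed.

```python
"""Simplified model of the RACF authorization check for a general resource
profile such as STORCLAS DFP2STOR.  Added example, not IBM code.  Profiles
LIMITED and OPEN mirror the two PERMIT scenarios on this page."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]   # RACF access levels


@dataclass
class Profile:
    uacc: str                                  # RDEFINE ... UACC(x)
    acl: dict = field(default_factory=dict)    # PERMIT ... ID(x) ACCESS(y)


@dataclass
class User:
    userid: str
    groups: Tuple[str, ...] = ()               # groups the user is connected to
    restricted: bool = False                   # ALTUSER ... RESTRICTED


def authorized(user: User, profile: Profile, requested: str = "READ",
               global_entry: Optional[str] = None) -> Tuple[bool, str]:
    """Return (granted, deciding rule).  global_entry is the access level of a
    matching GLOBAL STORCLAS ADDMEM(resource/level) entry, if one exists."""
    need = LEVELS.index(requested)
    # 1. Global access checking runs before the profile is read, so a GLOBAL
    #    entry grants access even to IDs permitted ACCESS(NONE); RACF skips it
    #    for RESTRICTED users.
    if global_entry and not user.restricted and LEVELS.index(global_entry) >= need:
        return True, "global access checking table"
    # 2. An entry for the user ID itself is decisive; groups and UACC are ignored.
    if user.userid in profile.acl:
        return LEVELS.index(profile.acl[user.userid]) >= need, "user access list entry"
    # 3. Otherwise the highest access held by any of the user's groups applies.
    group_levels = [LEVELS.index(profile.acl[g]) for g in user.groups if g in profile.acl]
    if group_levels:
        return max(group_levels) >= need, "group access list entry"
    # 4. Finally UACC, which never applies to RESTRICTED users.
    if user.restricted:
        return False, "RESTRICTED user: UACC not applied"
    return LEVELS.index(profile.uacc) >= need, "UACC"


# Constructed profiles mirroring the page's two scenarios for DFP2STOR.
LIMITED = Profile(uacc="NONE", acl={"SMITH": "READ", "JONES": "READ"})
OPEN = Profile(uacc="READ", acl={"SMITH": "NONE", "JONES": "NONE"})
```

Calling `authorized(User("SMITH"), OPEN, global_entry="READ")` returns True even though SMITH is permitted ACCESS(NONE), which is why the global access checking table suits only resources meant for everyone.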

Copyright IBM Corporation 1990, 2014