To control the use of SMS classes, issue RACF® commands as described below.
First, issue the SETROPTS command with the CLASSACT operand to activate the RACF general resource classes MGMTCLAS and STORCLAS. The format of the command is as follows:

    SETROPTS CLASSACT(MGMTCLAS STORCLAS)

Then, to define a specific SMS class, issue the RDEFINE command
and specify the appropriate operands. After you define a profile to
protect a specific SMS class, issue the PERMIT command to create entries
in the access list of the profile. You might want to look at Determining the owner of an SMS-managed data set for more information.
For example, suppose you want to define a profile in the RACF general resource class STORCLAS
to protect an SMS storage class named DFP2STOR. You can control which
users and groups can use DFP2STOR by issuing one of the following
sequences of commands:
- To limit the number of users who can use DFP2STOR:
  - Issue the RDEFINE command to define the profile for DFP2STOR and assign a UACC of NONE to the profile. The format of the command is as follows:

        RDEFINE STORCLAS DFP2STOR UACC(NONE)

    This command specifies that no users can access DFP2STOR, except for the creator of the profile. For more information, see z/OS Security Server RACF Command Language Reference.
  - Selectively allow certain users and groups access to DFP2STOR by issuing the PERMIT command and specifying an ACCESS of READ. The format of the command is as follows:

        PERMIT DFP2STOR CLASS(STORCLAS) ID(SMITH JONES) ACCESS(READ)

    This command allows SMITH and JONES the use of storage class DFP2STOR.
- To allow many users the use of DFP2STOR:
  - Issue the RDEFINE command to define the profile for DFP2STOR and assign a UACC of READ to the profile. The format of the command is as follows:

        RDEFINE STORCLAS DFP2STOR UACC(READ)

    This command specifies that all users can access DFP2STOR.
  - You can selectively exclude certain users and groups from using DFP2STOR by issuing the PERMIT command and specifying an ACCESS of NONE. The format of the command is as follows:

        PERMIT DFP2STOR CLASS(STORCLAS) ID(SMITH JONES) ACCESS(NONE)

    This command prevents SMITH and JONES from using storage class DFP2STOR.
- For SMS resource classes that you want to be available to all users, consider creating an entry in the global access checking table. For example, to allow all users access to DFP2STOR, enter:

        RDEFINE GLOBAL STORCLAS ADDMEM(DFP2STOR/READ)
        SETROPTS GLOBAL(STORCLAS) REFRESH

  Global access checking helps reduce processing overhead associated with RACF authorization checking. For SMS resources that you want to have available to a limited number of users, consider using SETROPTS RACLIST processing for STORCLAS and MGMTCLAS to provide the best performance.

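The interaction of the UACC, PERMIT and global access checking settings described above, as an added example that is not part of the original documentation and is not RACF code: a simplified Python model of the order in which the checks apply. It assumes hypothetical user IDs ADMIN1 (profile creator) and BROWN (a user not on the access list), treats ID() values as user IDs only, and leaves out group connections, conditional access lists and user attributes.

```python
# Simplified model (an assumption, not RACF code) of how a STORCLAS check
# combines the global access checking table, the access list, and UACC.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


class Profile:
    def __init__(self, name, uacc, creator):
        self.name = name
        self.uacc = uacc
        # RDEFINE places the creator on the access list (ALTER by default).
        self.access_list = {creator: "ALTER"}

    def permit(self, ids, access):
        for user in ids:
            self.access_list[user] = access


def check(user, requested, profile, global_table=None):
    """Return (granted, decided_by) for one user and one profile."""
    need = LEVELS[requested]
    # 1. Global access checking runs first; a sufficient entry grants the
    #    request without the profile being consulted.
    entry = (global_table or {}).get(profile.name)
    if entry is not None and LEVELS[entry] >= need:
        return True, "GLOBAL"
    # 2. An explicit access list entry decides for that user.
    if user in profile.access_list:
        return LEVELS[profile.access_list[user]] >= need, "ACCESS LIST"
    # 3. Otherwise the universal access authority applies.
    return LEVELS[profile.uacc] >= need, "UACC"


def scenarios():
    # ADMIN1 and BROWN are constructed IDs; SMITH and JONES come from the text.
    restricted = Profile("DFP2STOR", "NONE", creator="ADMIN1")
    restricted.permit(["SMITH", "JONES"], "READ")
    open_ = Profile("DFP2STOR", "READ", creator="ADMIN1")
    open_.permit(["SMITH", "JONES"], "NONE")
    table = {"DFP2STOR": "READ"}  # RDEFINE GLOBAL STORCLAS ADDMEM(DFP2STOR/READ)
    return {
        "restricted/SMITH": check("SMITH", "READ", restricted),
        "restricted/BROWN": check("BROWN", "READ", restricted),
        "open/SMITH": check("SMITH", "READ", open_),
        "open/BROWN": check("BROWN", "READ", open_),
        "open+global/SMITH": check("SMITH", "READ", open_, table),
    }
```

In the last scenario the global table entry grants SMITH READ even though the profile holds ACCESS(NONE) for SMITH, so a global entry suits only classes meant to be open to every user.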
After you define profiles in the MGMTCLAS and STORCLAS resource classes, you should activate SETROPTS RACLIST processing for these classes. This can improve performance by reducing I/O to the RACF database.

To activate SETROPTS RACLIST processing for the MGMTCLAS and STORCLAS resource classes, issue the SETROPTS command with the RACLIST operand and specify the appropriate RACF resource class names. The format of the command is as follows:

    SETROPTS RACLIST(STORCLAS MGMTCLAS)

For more information, see SETROPTS RACLIST processing.