Using data set profiles, you can control whether
users can create (allocate) new data sets.
For cataloged data sets, creating, deleting, or renaming the data
set involves access not only to the data set profile protecting the
data set, but also to the catalog in which the data set is cataloged.
In general, users need the following:
- To add entries to the catalog, users need authority to create
the data set as specified below and UPDATE authority to the catalog.
- To delete entries from the catalog, users need ALTER authority
to the protecting profile or to the catalog.
For more information, see Protecting catalogs and z/OS DFSMS Managing Catalogs.
The following cases describe how RACF® can
be used to control the creation of new user and group data sets.
A user can create a new user data set in the following situations:
- The data set is protected by an existing generic profile and the
user does not have ADSP.
The creation is allowed if (1) the user
has ALTER authority to the data set through the generic profile or
global access checking, or (2) the data set is the user's own data
set. RACF does not create a
profile.
- The data set name is not covered by an existing generic profile
and the user does not have ADSP.
If PROTECTALL is not in effect,
the creation is allowed, but RACF does
not create a profile. See Note 2.
- The user has ADSP and the data set is the user's own data set.
The
creation is allowed and RACF creates
a discrete profile for the data set.
- The REQUEST=DEFINE preprocessing exit routine allows RACF protection.
- The user has the OPERATIONS attribute. If the user has the group-OPERATIONS
attribute (that is, the user is connected to a group with the OPERATIONS
attribute), the high-level qualifier of the new data set must be the
ID of a user who is within the scope of that group.
A user can create a new group data set in the following situations:
- The data set name is protected by an existing generic profile
and the user does not have ADSP.
The creation is allowed if at
least one of the following is true:
  - The user has ALTER authority to the data set through the generic
  profile or global access checking.
  - The user has CREATE authority in the group.
  RACF does not create
  a profile.
- The data set name is not covered by an existing generic profile
and the user does not have ADSP.
If PROTECTALL is not in effect,
the creation is allowed, but RACF does
not create a profile. See Note 2.
- The user has ADSP and the data set belongs to a group of which
the user is a member.
The creation is allowed only if the user
has CREATE authority in the group. If the creation is allowed, RACF creates a discrete profile
for the data set.
- The REQUEST=DEFINE preprocessing exit routine allows RACF protection.
- The user has the OPERATIONS attribute, except when both of the
following are true:
  - The user is connected to the group with less than CREATE authority.
  - The user has less than ALTER access to the data set, if it is protected
  by a generic profile.
  If the user has the group-OPERATIONS attribute (that is, the
  user is connected to a superior group with the OPERATIONS attribute),
  the group for which the new data set is being created must be within
  the scope of that superior group.
If PROTECTALL is not in effect, any user without ADSP can create a data set whose
high-level qualifier is neither a RACF user
ID (user data set) nor a RACF group
name (group data set), but the data set cannot be RACF-protected.
Note that a dummy group (a group that has no users connected to it)
can be defined for the high-level qualifier of these data sets so
that they can then be RACF-protected.
Note:
1. In all cases, if the user specifies the PROTECT=YES or SECMODEL
parameter on the JCL DD statement, or the PROTECT or SECMODEL operand
on the TSO ALLOCATE command (these operands request that RACF create a discrete profile), RACF treats the user the same as a user with
ADSP. However, because the use of these operands is voluntary, an
installation cannot use the operands to control the creation of data
sets.
2. If PROTECTALL is in effect at your installation, a user cannot
create a new data set unless the data set is RACF-protected by either
a discrete or generic profile. However, instead of rejecting all creation
requests for unprotected data sets, PROTECTALL also allows installations
to issue warning messages. For more information on the PROTECTALL
option, see RACF-protecting all data sets (PROTECTALL option).
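The following is an added illustrative model (not RACF code, and not from this manual) of the user and group data set creation rules listed above, including Note 1 (PROTECT=YES treated as ADSP) and Note 2 (PROTECTALL fail or warn). It assumes the hypothetical names `Request` and `decide`; the REQUEST=DEFINE exit and group-OPERATIONS scope are not modelled, and combinations the text does not list are denied.

```python
"""Constructed model of the data set creation rules on this page.
Not RACF's implementation: the REQUEST=DEFINE exit and group-OPERATIONS
scope are omitted, and combinations the text does not list are denied."""
from dataclasses import dataclass
from typing import Optional

ACCESS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}
GROUP_AUTH = {"USE": 0, "CREATE": 1, "CONNECT": 2, "JOIN": 3}

@dataclass
class Request:                        # hypothetical type, constructed for this example
    kind: str                         # "user" or "group": what the high-level qualifier names
    own: bool                         # user: HLQ is the creator's own ID; group: creator is a member
    generic_covers: bool              # an existing generic profile covers the new name
    generic_access: str               # creator's access via that profile or global access checking
    adsp: bool                        # ADSP, or PROTECT=YES/SECMODEL on the allocation (Note 1)
    operations: bool = False          # OPERATIONS attribute
    group_auth: Optional[str] = None  # connect authority in the group (group data sets only)
    protectall: str = "OFF"           # PROTECTALL setting: "OFF", "FAIL" or "WARNING"

def decide(r: Request):
    """Return (allowed, discrete_profile_created, warning_issued)."""
    alter = r.generic_covers and ACCESS[r.generic_access] >= ACCESS["ALTER"]
    create = r.kind == "group" and GROUP_AUTH.get(r.group_auth, 0) >= GROUP_AUTH["CREATE"]
    # Nothing would protect the new name: no generic profile and no ADSP discrete profile.
    unprotected = not r.generic_covers and not r.adsp
    if unprotected and r.protectall == "FAIL":
        return (False, False, False)          # Note 2: PROTECTALL rejects the request
    warn = unprotected and r.protectall == "WARNING"
    if r.operations:
        # For group data sets, OPERATIONS does not help when the user both lacks
        # CREATE in the group and lacks ALTER to the generic profile covering the name.
        blocked = r.kind == "group" and not create and r.generic_covers and not alter
        if not blocked:
            return (True, r.adsp, warn)       # assumption: ADSP still yields a discrete profile
    if r.adsp:
        # ADSP: own user data set, or a group the user belongs to with CREATE authority.
        ok = r.own and (r.kind == "user" or create)
        return (ok, ok, False)
    if r.generic_covers:
        # Covered by a generic profile: ALTER, own user data set, or CREATE in the group.
        ok = alter or (r.kind == "user" and r.own) or create
        return (ok, False, False)
    return (True, False, warn)                # PROTECTALL off or WARNING: allowed, no profile
```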