z/OS Security Server RACF Security Administrator's Guide


Field-level access checking

SA23-2289-00

You can use RACF® to control which users can access data in RACF profiles at the field level through field-level access checking. To do this, you create profiles in the FIELD class and permit users to the profiles.

Using field-level access checking, you can:
  • Allow a user or group to modify a particular field (or segment) in all profiles of a particular type. For example, you can define a profile to control access to the ACCTNUM field of the TSO segment of user profiles. If you give a user UPDATE authority to this profile, the user can modify the ACCTNUM field in all user profiles.
  • Allow all users to read or modify a particular field (or segment) of their own user profiles. To do this, specify ID(&RACUID) on the PERMIT command.

You need not use field-level access checking to authorize READ access for users with the SPECIAL or AUDITOR attribute. These users are authorized to list all fields of all segments for any RACF profile.

Note: RACF command processors and panels support field-level access checking only for fields in segments other than the base segments of RACF profiles. However, the ICHEINTY and RACROUTE REQUEST=EXTRACT macros can support field-level access checking for fields in any segment of any RACF profile. If your installation has written its own programs that use these macros to access the RACF database, you can modify these programs to implement field-level access checking.
To use field-level access checking, perform the following steps:
  1. Define profiles in the FIELD class:
    RDEFINE FIELD profile-name UACC(NONE)
    where profile-name has the following format:
    profile-type.segment-name.field-name
    where:
    profile-type
    is one of the following:
    • DATASET for data set profiles
    • GROUP for group profiles
    • USER for user profiles
    • class-name for general resource profiles
    segment-name
    is one of the following:
    • BASE for BASE segments (this is supported only by user-written code)
    • CDTINFO for CDTINFO segments
    • CFDEF for CFDEF segments
    • CICS® for CICS segments
    • CSDATA for CSDATA segments
    • DCE for DCE segments
    • DFP for DFP segments
    • DLFDATA for DLFDATA segments
    • EIM for EIM segments
    • ICSF for ICSF segments
    • ICTX for ICTX segments
    • KERB for KERB segments
    • LANGUAGE for LANGUAGE segments
    • LNOTES for LNOTES segments
    • NDS for NDS segments
    • NETVIEW for NETVIEW segments
    • OMVS for OMVS segments
    • OPERPARM for OPERPARM segments
    • PROXY for PROXY segments
    • OVM for OVM segments
    • SESSION for SESSION segments
    • SIGVER for SIGVER segments
    • SSIGNON for SSIGNON segments
    • STDATA for STDATA segments
    • SVFMR for SystemView® segments
    • TME for TME segments
    • TSO for TSO segments
    • WORKATTR for WORKATTR segments
    Note: This is also the operand used on RACF commands to work with the segment.
    field-name
    is the name associated with the field in the RACF profile segment to be controlled.

    Each field is administered by a RACF command operand. To find the field name that corresponds to a command operand, see Table 1.

    Example: To control access to all fields in the TSO segment of all user profiles, issue the RDEFINE command and specify USER.TSO.* as the profile name. Before issuing this command, however, see the following note.
    RDEFINE FIELD USER.TSO.* UACC(NONE)
    Note: The profile name USER.TSO.* is a generic profile name. Before you issue the above command, generic profile checking for the FIELD class must be active. If it is not active, issue the SETROPTS GENERIC(FIELD) command before you define the generic profile.

    When you specify a UACC of NONE, you prevent all users from accessing the TSO segment in all user profiles, including their own. Likewise, if you specify a UACC of READ, you allow all users to read the information contained in all fields of the TSO segment for all user profiles.

    To control access to a specific field in the TSO segment of user profiles, issue the RDEFINE command and specify the name associated with the field as the third qualifier in the profile name.

    Example: Based on Table 1, to control access to the ACCTNUM field, create a profile specifying TACCNT as the field-name qualifier:
    RDEFINE FIELD USER.TSO.TACCNT UACC(NONE)
    Note: A user with UPDATE access to this profile is authorized to change the account number field in a TSO segment by specifying the ACCTNUM operand on the TSO option of the ALTUSER command:
    ALTUSER userid TSO(ACCTNUM(account-number))
  2. Allow specific users or groups to have the appropriate access to the field. For example:
    PERMIT USER.TSO.TLPROC CLASS(FIELD) ID(TSOADM) ACCESS(UPDATE)

    This example shows how to authorize user ID TSOADM to change the logon procedure (TLPROC field) in the profiles of all TSO users.

    Note: You can also specify the value &RACUID with the ID operand on the PERMIT command for FIELD profiles. When you enter this value on the PERMIT command, you allow all users access to the specified field or segment of their own user profiles. For example, if you issue the following command, you allow all users to read the TLPROC field in the TSO segment of their own user profiles.
    PERMIT USER.TSO.TLPROC CLASS(FIELD) ID(&RACUID) ACCESS(READ)
  3. When you are ready to start using the protection defined in the profiles, activate the FIELD class:
    SETROPTS CLASSACT(FIELD)
    Note: If you do not activate the FIELD class and you activate SETROPTS RACLIST processing for the FIELD class, only SPECIAL users can access fields in segments (other than the base segment) of RACF profiles.
  4. You must activate SETROPTS RACLIST processing for the FIELD general resource class. For a complete description of this function, see SETROPTS RACLIST processing.
    SETROPTS RACLIST(FIELD)
    Note: Once you activate SETROPTS RACLIST processing for the FIELD class, any time you make a change to a FIELD profile, you must refresh SETROPTS RACLIST processing for the FIELD class for the change to take effect.
    SETROPTS RACLIST(FIELD) REFRESH
Table 1. Fields in RACF segments that correspond to RACF command operands

  To control the use of this operand (1)   Specify this value as the field-name qualifier
  --------------------------------------   -----------------------------------------------

  CDTINFO segment in general resource profiles (CDT class):
    CASE                                   CDTCASE
    DEFAULTRC                              CDTDFTRC
    DEFAULTUACC                            CDTUACC
    FIRST                                  CDTFIRST
    GENERIC                                CDTGEN
    GENLIST                                CDTGENL
    GROUP                                  CDTGROUP
    KEYQUALIFIERS                          CDTKEYQL
    MACPROCESSING                          CDTMAC
    MAXLENGTH                              CDTMAXLN
    MAXLENX                                CDTMAXLX
    MEMBER                                 CDTMEMBR
    OPERATIONS                             CDTOPER
    OTHER                                  CDTOTHER
    POSIT                                  CDTPOSIT
    PROFILESALLOWED                        CDTPRFAL
    RACLIST                                CDTRACL
    SECLABELSREQUIRED                      CDTSLREQ
    SIGNAL                                 CDTSIGL

  CFDEF segment in general resource profiles (CFIELD class):
    TYPE                                   CFDTYPE
    MAXLENGTH                              CFMXLEN
    MAXVALUE                               CFMXVAL
    MINVALUE                               CFMNVAL
    FIRST                                  CFFIRST
    OTHER                                  CFOTHER
    MIXED                                  CFMIXED
    HELP                                   CFHELP
    LISTHEAD                               CFLIST

  CICS segment in user profiles:
    OPCLASS                                OPCLASS and OPCLASSN (2)
    OPIDENT                                OPIDENT
    OPPRTY                                 OPPRTY
    RSLKEY                                 RSLKEY and RSLKEYN (2)
    TIMEOUT                                TIMEOUT
    TSLKEY                                 TSLKEY and TSLKEYN (2)
    XRFSOFF                                XRFSOFF

  CSDATA segment in user and group profiles:
    custom-field-name                      custom-field-name

  DCE segment in user profiles:
    AUTOLOGIN                              DCEFLAGS
    DCENAME                                DCENAME
    HOMECELL                               HOMECELL
    HOMEUUID                               HOMEUUID
    UUID                                   UUID

  DFP segment in data set profiles:
    RESOWNER                               RESOWNER

  DFP segment in user and group profiles:
    DATAAPPL                               DATAAPPL
    DATACLAS                               DATACLAS
    MGMTCLAS                               MGMTCLAS
    STORCLAS                               STORCLAS

  DLFDATA segment in DLFCLASS class profiles:
    RETAIN                                 RETAIN
    JOBNAMES                               JOBNAMES and JOBNMCNT (2)

  EIM segment in user profiles:
    LDAPPROF                               LDAPPROF

  EIM segment in FACILITY and LDAPBIND class profiles:
    DOMAINDN                               DOMAINDN
    KERBREGISTRY                           KERBREG
    LOCALREGISTRY                          LOCALREG
    OPTIONS                                OPTIONS
    X509REGISTRY                           X509REG

  ICSF segment in CSFKEYS, GCSFKEYS, XCSFKEY, and GXCSFKEY class profiles:
    ASYMUSAGE                              CSFAUSE
    SYMEXPORTABLE                          CSFSEXP
    SYMEXPORTCERTS                         CSFSCLBS and CSFSCLCT (2)
    SYMEXPORTKEYS                          CSFSKLBS and CSFSKLCT (2)
    SYMCPACFWRAP                           CSFSCPW

  ICTX segment in LDAPBIND class profiles:
    USEMAP                                 USEMAP
    DOMAP                                  DOMAP
    MAPREQUIRED                            MAPREQ
    MAPPINGTIMEOUT                         MAPTIMEO

  KERB segment in user profiles:
    ENCRYPT                                ENCRYPT
    KERBNAME                               KERBNAME
    MAXTKTLFE                              MAXTKTLFE

  KERB segment in REALM class profiles:
    CHECKADDRS                             CHKADDRS
    DEFTKTLFE                              DEFTKTLFE
    ENCRYPT                                ENCRYPT
    KERBNAME                               KERBNAME
    MAXTKTLFE                              MAXTKTLFE
    MINTKTLFE                              MINTKTLFE

  LANGUAGE segment in user profiles:
    PRIMARY                                USERNL1
    SECONDARY                              USERNL2

  LNOTES segment in user profiles:
    SNAME                                  SNAME

  NDS segment in user profiles:
    UNAME                                  UNAME

  NETVIEW segment in user profiles:
    IC                                     IC
    CONSNAME                               CONSNAME
    CTL                                    CTL
    MSGRECVR                               MSGRECVR
    OPCLASS                                OPCLASS and OPCLASSN (2)
    DOMAINS                                DOMAINS and DOMAINSN (2)
    NGMFADMN                               NGMFADMN
    NGMFVSPN                               NGMFVSPN

  OMVS segment in group profiles:
    GID                                    GID

  OMVS segment in user profiles:
    ASSIZEMAX                              ASSIZE
    CPUTIMEMAX                             CPUTIME
    FILEPROCMAX                            FILEPROC
    HOME                                   HOME
    MEMLIMIT                               MEMLIMIT
    MMAPAREAMAX                            MMAPAREA
    PROCUSERMAX                            PROCUSER
    PROGRAM                                PROGRAM
    SHMEMMAX                               SHMEMMAX
    THREADSMAX                             THREADS
    UID                                    UID

  OPERPARM segment in user profiles:
    ALTGRP (3)                             OPERALTG
    AUTH                                   OPERAUTH
    AUTO                                   OPERAUTO
    CMDSYS                                 OPERCMDS
    DOM                                    OPERDOM
    KEY                                    OPERKEY
    HC                                     OPERHC
    INTIDS                                 OPERINT
    LEVEL                                  OPERLEVL
    LOGCMDRESP                             OPERLOGC
    MFORM                                  OPERMFRM
    MIGID (3)                              OPERMGID
    MONITOR                                OPERMON
    MSCOPE                                 OPERMSCP and OPERMCNT (2)
    ROUTCODE                               OPERROUT
    STORAGE                                OPERSTOR
    UD (3)                                 OPERUD
    UNKNIDS                                OPERUNKN

  OVM segment in group profiles:
    GID                                    GID

  OVM segment in user profiles:
    FSROOT                                 FSROOT
    HOME                                   HOME
    PROGRAM                                PROGRAM
    UID                                    UID

  PROXY segment in user and FACILITY class profiles:
    BINDDN                                 BINDDN
    LDAPHOST                               LDAPHOST

  SESSION segment in APPCLU class profiles:
    CONVSEC                                CONVSEC
    INTERVAL                               KEYINTVL
    LOCK                                   SLSFLAGS
    SESSKEY                                SESSKEY

  SIGVER segment in PROGRAM class profiles:
    SIGREQUIRED                            SIGREQD
    FAILLOAD                               FAILLOAD
    SIGAUDIT                               SIGAUDIT (4)

  SSIGNON segment in PTKTDATA class profiles:
    KEYENCRYPTED                           SSKEY
    KEYMASKED                              SSKEY

  STDATA segment in STARTED class profiles:
    USER                                   STUSER
    GROUP                                  STGROUP
    PRIVILEGED                             FLAGPRIV
    TRACE                                  FLAGTRAC
    TRUSTED                                FLAGTRUS

  SVFMR segment in SYSMVIEW class profiles:
    PARMNAME                               PARMN
    SCRIPTNAME                             SCRIPTN

  TME segment in group and data set profiles:
    ROLES                                  ROLES and ROLEN (2)

  TME segment in general resource profiles:
    ROLES                                  ROLES and ROLEN (2)
    GROUPS                                 GROUPS and GROUPN (2)
    RESOURCE                               RESOURCE and RESN (2)
    CHILDREN                               CHILDREN and CHILDN (2)
    PARENT                                 PARENT

  TSO segment in user profiles:
    ACCTNUM                                TACCNT
    COMMAND                                TCOMMAND
    DEST                                   TDEST
    HOLDCLASS                              THCLASS
    JOBCLASS                               TJCLASS
    PROC                                   TLPROC
    MAXSIZE                                TMSIZE
    MSGCLASS                               TMCLASS
    SECLABEL                               TSOSLABL
    SIZE                                   TLSIZE
    SYS                                    TSCLASS
    UNIT                                   TUNIT
    USERDATA                               TUDATA

  WORKATTR segment in user profiles:
    WANAME                                 WANAME
    WABLDG                                 WABLDG
    WADEPT                                 WADEPT
    WAROOM                                 WAROOM
    WAADDR1                                WAADDR1
    WAADDR2                                WAADDR2
    WAADDR3                                WAADDR3
    WAADDR4                                WAADDR4
    WAACCNT                                WAACCNT

Notes on Table 1:
  1. Many operands in this table have corresponding versions that include a prefix of NO. In addition, several operands have corresponding versions that include prefixes of ADD and DEL. See the z/OS Security Server RACF Command Language Reference to identify these.
  2. For operands that are listed with two field-name qualifiers:
    • To authorize READ access, define one FIELD profile specifying the first value as the field-name qualifier. Permit users READ access.
    • To authorize UPDATE access, define two FIELD profiles. Define one profile for each of the two field-name qualifiers listed. Permit users UPDATE access to both profiles.
  3. This setting is ignored when each system sharing the RACF database runs z/OS Version 1 Release 8 or higher.
  4. The SIGAUDIT field controls the audit policy related to digital signature verification of programs. Users with the AUDITOR attribute can list the SIGAUDIT field but they cannot update it unless they have UPDATE authority through field-level access checking.
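The four-step procedure above, together with note 2 on Table 1, is easy to get subtly wrong by hand: an UPDATE grant on a two-qualifier operand needs two FIELD profiles, a generic name needs SETROPTS GENERIC(FIELD) first, and nothing takes effect on a RACLISTed class until a REFRESH. The following Python script is an added example, not code from the IBM manual; it turns a list of requested grants into the command sequence in the order the procedure prescribes. The operand-to-qualifier map is a small subset copied from Table 1; the FieldGrant record, the function names and the sample grants are constructed for this example.

```python
"""Generate the RACF command sequence for a set of field-level access grants.

Added example, not code from the IBM manual. FIELD_QUALIFIERS is a subset of
Table 1; FieldGrant, field_profiles, build_commands and the sample grants are
constructed for this illustration.
"""
from dataclasses import dataclass

# Subset of Table 1: (profile-type, segment, command operand) -> field-name
# qualifier(s). Two-qualifier entries fall under note 2 of the table.
FIELD_QUALIFIERS = {
    ("USER", "TSO", "ACCTNUM"): ("TACCNT",),
    ("USER", "TSO", "PROC"): ("TLPROC",),
    ("USER", "TSO", "SECLABEL"): ("TSOSLABL",),
    ("USER", "OMVS", "UID"): ("UID",),
    ("GROUP", "OMVS", "GID"): ("GID",),
    ("USER", "CICS", "OPCLASS"): ("OPCLASS", "OPCLASSN"),
    ("USER", "OPERPARM", "MSCOPE"): ("OPERMSCP", "OPERMCNT"),
}


@dataclass(frozen=True)
class FieldGrant:
    """One requested permission: who may READ or UPDATE which field."""
    profile_type: str   # USER, GROUP, DATASET or a general resource class name
    segment: str        # e.g. TSO, OMVS, CICS
    operand: str        # command operand from Table 1, or "*" for the whole segment
    id_value: str       # user ID, group name, or &RACUID for "own profile"
    access: str         # READ or UPDATE


def field_profiles(profile_type, segment, operand, access):
    """Return the FIELD profile names that must exist for the requested access.

    Applies note 2 of Table 1: an operand with two qualifiers needs only the
    first profile for READ, but one profile per qualifier for UPDATE.
    """
    access = access.upper()
    if access not in ("READ", "UPDATE"):
        raise ValueError("FIELD profiles are permitted with READ or UPDATE only")
    key = (profile_type.upper(), segment.upper(), operand.upper())
    if key[2] == "*":
        qualifiers = ("*",)          # generic profile covering the whole segment
    else:
        try:
            qualifiers = FIELD_QUALIFIERS[key]
        except KeyError:
            raise ValueError(f"{key} is not in the Table 1 subset of this example") from None
        if access == "READ":
            qualifiers = qualifiers[:1]
    return [f"{key[0]}.{key[1]}.{q}" for q in qualifiers]


def build_commands(grants, field_raclisted=False, generic_active=False):
    """Emit the commands in the order the procedure prescribes.

    RDEFINE with UACC(NONE) and PERMIT per profile; SETROPTS GENERIC(FIELD)
    once, before the first generic name, unless it is already active; then
    CLASSACT + RACLIST for a first-time setup, or RACLIST REFRESH when the
    FIELD class is already RACLISTed (otherwise the changes have no effect).
    """
    commands = []
    defined = set()
    generic_done = generic_active
    for g in grants:
        for profile in field_profiles(g.profile_type, g.segment, g.operand, g.access):
            if profile.endswith(".*") and not generic_done:
                commands.append("SETROPTS GENERIC(FIELD)")
                generic_done = True
            if profile not in defined:
                commands.append(f"RDEFINE FIELD {profile} UACC(NONE)")
                defined.add(profile)
            commands.append(
                f"PERMIT {profile} CLASS(FIELD) ID({g.id_value}) ACCESS({g.access.upper()})"
            )
    if field_raclisted:
        commands.append("SETROPTS RACLIST(FIELD) REFRESH")
    else:
        commands += ["SETROPTS CLASSACT(FIELD)", "SETROPTS RACLIST(FIELD)"]
    return commands


if __name__ == "__main__":
    # Constructed sample: a TSO administrator on the account number, every user
    # reading their own logon procedure, and a CICS administrator on a
    # two-qualifier field (which expands to two RDEFINE/PERMIT pairs).
    sample = [
        FieldGrant("USER", "TSO", "ACCTNUM", "TSOADM", "UPDATE"),
        FieldGrant("USER", "TSO", "PROC", "&RACUID", "READ"),
        FieldGrant("USER", "CICS", "OPCLASS", "CICSADM", "UPDATE"),
    ]
    print("\n".join(build_commands(sample)))
```

Run it and review the printed commands before issuing them; the script only generates text and does not talk to RACF. Use field_raclisted=True on a system where SETROPTS RACLIST(FIELD) is already in effect, so the sequence ends with the REFRESH that note 4 of the procedure requires, and generic_active=True when SETROPTS GENERIC(FIELD) is already on.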

Copyright IBM Corporation 1990, 2014