z/OS Security Server RACF Security Administrator's Guide


Restricting the creation of general resource profiles (GENERICOWNER option)

SA23-2289-00

If you have the SPECIAL attribute, you can restrict the creation of profiles in general resource classes. To do this:
  1. Issue a SETROPTS GENERICOWNER command.
  2. Define a ** profile for the class, with yourself as owner. (This prevents users lacking special authority from being able to define profiles in the class.)
  3. Define a top profile for each user, covering the subset of resources in the class which the user is allowed to create. Each user should be the owner of this top profile.
You have created an environment where the user can create only profiles that are more specific than the user's top profile. The only other users who can create profiles in the user's subset of the class are:
  • A user with SPECIAL authority
  • A user who has group-SPECIAL authority over a user who owns the top profile

For example, assume that neither JOE nor RONN has the SPECIAL or group-SPECIAL attribute. If the GENERICOWNER option is in effect, and user RONN is the owner of a JESSPOOL profile called NODEA.RONN.**, JOE cannot create profile NODEA.RONN.DATA.**, even though JOE has the CLAUTH(JESSPOOL) attribute.

Note: The GENERICOWNER operand does not affect the DATASET class. It cannot be activated for individual classes. When active, GENERICOWNER affects all general resource classes except the PROGRAM class and general resource grouping classes.

For example, when working with general resource grouping classes, assume that profile A* exists in the TERMINAL class and is owned by a group over which user ELAINE does not have group-SPECIAL authority. If the GENERICOWNER option is in effect, it prevents user ELAINE from defining a more specific profile in the member class (for example, with the command RDEF TERMINAL AA*). However, GENERICOWNER does not prevent user ELAINE from defining the same member through the ADDMEM operand of a grouping class profile (for example, with the command RDEF GTERMINL profile-name ADDMEM(AA*)).

You can alternatively choose to make a group the owner of the top profile for a given subset in the class. In this case, only a user with group-SPECIAL authority for the group, or with SPECIAL authority, can create profiles in the subset.

The top profile must end in a single asterisk (*), double asterisks (**), or one or more percent signs (%). More specific profiles are profiles that match the less specific top profile name character for character, up to the ending asterisks or percent signs in the less specific name.

In a search for the less specific profile, a match is found if all of the following are true:
  • The profile name ends in a single asterisk (*), double asterisks (**), or one or more percent signs (%).
  • All characters preceding the asterisks or percent signs (* or ** or %) match the corresponding characters in the resource name exactly.
  • The characters matching the percent signs (%) in the less-specific profile are not an asterisk (*) or period (.) in the resource name. In this case, the profile name and the resource name must be the same length.

For example, to allow USERX to RDEFINE A.B in the JESSPOOL class, you need profile A.* in the JESSPOOL class, which is owned by USERX.
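The three matching conditions above, applied to the JOE/RONN, ELAINE and USERX scenarios on this page, worked through in Python. This is an added illustration, not IBM code and not RACF's actual generic matching: it implements only the trailing-wildcard rules listed here, treats any wildcard characters earlier in a name as literals, does not model CLAUTH (the caller is assumed to already hold whatever class authority is needed, since GENERICOWNER adds an ownership check on top of it), and assumes, which the page does not state, that when several top profiles cover a candidate the most specific one (longest literal prefix) decides. The IDs ADMIN, MGR, the group names GRP1 and DEPT1, and the profile sets passed in are constructed sample data.

```python
"""Model of the GENERICOWNER "more specific profile" rule (constructed example)."""
import re

# A top profile must end in a single *, a double **, or one or more %.
_TRAILING = re.compile(r"(\*\*|\*|%+)$")


def split_top_profile(top):
    """Split a top profile into (literal prefix, trailing wildcard).

    Returns None when the name does not end in *, ** or %, i.e. when it
    cannot act as a top profile at all.
    """
    m = _TRAILING.search(top)
    if m is None:
        return None
    return top[: m.start()], m.group(0)


def is_more_specific(top, candidate):
    """True if `candidate` is more specific than `top` under the three rules.

    Wildcards before the trailing wildcard are treated as literal characters;
    the text describes only the trailing one, so nothing else is modeled.
    """
    parts = split_top_profile(top)
    if parts is None or candidate == top:
        return False
    prefix, wildcard = parts
    if not candidate.startswith(prefix):
        return False  # characters before the wildcard must match exactly
    if wildcard[0] == "*":
        return True  # * and **: an exact prefix match is the whole rule
    # %-ending: same length, and each % position is neither * nor .
    if len(candidate) != len(top):
        return False
    return all(ch not in "*." for ch in candidate[len(prefix):])


def can_create(user, candidate, top_profiles, special=frozenset(),
               group_special=None, default_group=None):
    """Decide whether `user` may define `candidate` with GENERICOWNER active.

    top_profiles   {profile_name: owner}; owner is a user ID or a group name
    special        user IDs holding SPECIAL (always allowed)
    group_special  {user: set of groups that user has group-SPECIAL over}
    default_group  {user: group}, used for the "group-SPECIAL over a user who
                   owns the top profile" case on this page

    Assumption (not stated on the page): if several top profiles cover the
    candidate, the one with the longest literal prefix decides ownership.
    """
    if user in special:
        return True
    group_special = group_special or {}
    default_group = default_group or {}
    covering = [n for n in top_profiles if is_more_specific(n, candidate)]
    if not covering:
        return True  # no top profile restricts this subset (no ** defined)
    top = max(covering, key=lambda n: len(split_top_profile(n)[0]))
    owner = top_profiles[top]
    if owner == user:
        return True
    mine = group_special.get(user, set())
    # Either a group owns the top profile and the user has group-SPECIAL over
    # it, or a user owns it and the caller has group-SPECIAL over that user's
    # group.
    return owner in mine or default_group.get(owner) in mine


if __name__ == "__main__":
    # Step 2 ** profile owned by the administrator, step 3 top profile for RONN.
    jesspool = {"**": "ADMIN", "NODEA.RONN.**": "RONN"}
    for who in ("RONN", "JOE", "ADMIN"):
        ok = can_create(who, "NODEA.RONN.DATA.**", jesspool, special={"ADMIN"})
        print(f"{who:6} NODEA.RONN.DATA.** -> {'allowed' if ok else 'denied'}")
```

With the page's data, `can_create` reproduces its outcomes: RONN may define NODEA.RONN.DATA.**, JOE may not, and the SPECIAL user always may; a candidate covered only by the administrator's ** profile is denied to everyone else, which is exactly what step 2 is for. ELAINE's AA* is denied while A* is owned by a group she lacks group-SPECIAL over, and allowed once she has it.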

To cancel this option, specify NOGENERICOWNER on the SETROPTS command.

Attention: Issuing SETROPTS GENERICOWNER can prevent users with the CLAUTH attribute in general resource classes from creating profiles as they are accustomed to. Therefore, make these users OWNER of appropriate top generic profiles in the class. For an example, see Delegating authority to profiles in the FACILITY class.

Copyright IBM Corporation 1990, 2014