z/OS Security Server RACF Security Administrator's Guide


Activating generic profile checking and generic command processing

SA23-2289-00

If you have the SPECIAL attribute, you can activate or deactivate generic profile checking for a class. You can specify this option with the GENERIC and NOGENERIC operands of the SETROPTS command. The following example shows how to activate generic profile checking for the DATASET class.
SETROPTS GENERIC(DATASET)
Guidelines:
  • When possible, use generic profiles to protect multiple resources and reduce administrative effort. Consider issuing SETROPTS GENERIC(classname) for the classes you use, so that generic profiles are usable in those classes.
  • If you already have general resource profiles defined in your database, avoid issuing the SETROPTS GENERIC(*) command. This command activates generic profile checking for all classes except resource grouping classes and classes defined with the GENERIC(DISALLOWED) attribute. Some classes, such as DIGTCERT and DIGTRING, do not support generic profile checking. These and other classes might already have profile names that contain generic characters (*, &, and %).
  • If a general resource class already has discrete profiles with names that contain generic characters (*, &, and %), enabling generic profile checking for the class prevents RACF® from using those discrete profiles for authorization checking.

    If you enable SETROPTS GENERIC for a class that has a discrete profile name containing generic characters, the profile will be marked UNUSABLE in RLIST and SEARCH output listings.

    Tip: Use the RDELETE command with the NOGENERIC option to delete this profile.

  • In general, once you activate generic profile checking for a class and define generic profiles, avoid deactivating it with the NOGENERIC operand. RACF will not use your previously defined generic profiles for authorization checking while NOGENERIC is in effect.
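The guidelines above can be turned into a pre-check that runs before any SETROPTS GENERIC command is issued. The following Python sketch is an added example, not IBM code: it reads a profile inventory in a constructed `CLASS NAME TYPE` layout (an assumption, not a RACF output format), flags discrete profiles whose names contain generic characters, and lists per-class commands to use in place of SETROPTS GENERIC(*).

```python
from collections import defaultdict

GENERIC_CHARS = set("*&%")                      # generic characters named in the guide
NO_GENERIC_CLASSES = {"DIGTCERT", "DIGTRING"}   # the guide's examples; not a complete list

# Constructed inventory, one profile per line: CLASS NAME TYPE.
# The layout is an assumption for this example, not a RACF output format.
SAMPLE_INVENTORY = """\
FACILITY IRR.RADMIN.LISTUSER DISCRETE
FACILITY BPX.SUPERUSER DISCRETE
OPERCMDS MVS.DISPLAY.* DISCRETE
OPERCMDS MVS.VARY.DEV DISCRETE
DIGTCERT 01.CN=EXAMPLE%CA DISCRETE
TERMINAL TERM01 DISCRETE
"""

def parse_inventory(text):
    """Yield (class, profile name, type); the name may contain blanks."""
    for line in text.splitlines():
        if not line.strip():
            continue
        cls, rest = line.split(None, 1)
        name, kind = rest.rsplit(None, 1)
        yield cls.upper(), name, kind.upper()

def plan_generic_activation(text):
    """Sort classes into safe to activate, blocked, and unsupported."""
    seen, blocked = set(), defaultdict(list)
    for cls, name, kind in parse_inventory(text):
        seen.add(cls)
        # A discrete profile with *, & or % in its name stops being used
        # for authorization checking once GENERIC is active for its class.
        if kind == "DISCRETE" and GENERIC_CHARS & set(name):
            blocked[cls].append(name)
    unsupported = sorted(seen & NO_GENERIC_CLASSES)
    blocked = {c: n for c, n in blocked.items() if c not in NO_GENERIC_CLASSES}
    activate = sorted(seen - NO_GENERIC_CLASSES - set(blocked))
    return {"activate": activate, "blocked": blocked, "unsupported": unsupported}

def setropts_commands(plan):
    """Per-class commands to issue instead of SETROPTS GENERIC(*)."""
    return [f"SETROPTS GENERIC({cls})" for cls in plan["activate"]]

if __name__ == "__main__":
    plan = plan_generic_activation(SAMPLE_INVENTORY)
    print("\n".join(setropts_commands(plan)))
    for cls, names in plan["blocked"].items():
        print(f"review before GENERIC({cls}): {names}")
```

Classes reported as blocked need their flagged discrete profiles reviewed before generic profile checking is activated for them.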
If you want to perform maintenance on the generic profiles in the RACF database, you might want to temporarily deactivate generic profile checking but allow RACF command processors to update generic profiles. You can specify this environment with the NOGENERIC and GENCMD operands of the SETROPTS command. The following example shows how to specify this environment for the DATASET class.
SETROPTS NOGENERIC(DATASET) GENCMD(DATASET)

NOGENERIC and NOGENCMD are in effect when a RACF database is first initialized using IRRMIN00.

If there is a global access checking table entry of &RACUID.**/ALTER for data sets, users can create unprotected data sets even if PROTECTALL is in effect. However, other users are not allowed to access those data sets.

Copyright IBM Corporation 1990, 2014