z/OS Security Server RACF Security Administrator's Guide


Granting access authorities

SA23-2289-00

You can grant (or deny) user or group access to a RACF-protected resource either explicitly, by assigning the specific user or group access authority with the appropriate command, or implicitly, with the universal access authority (UACC).

Each resource that you protect with RACF® requires a UACC, which is the default access authority for the resource. All users in the system who are not specifically authorized in the access list of that resource profile, except users defined with the RESTRICTED attribute, can still access the resource with the authority specified by UACC (unless the UACC is NONE). These users include users not defined to RACF.
Note: Users with the RESTRICTED attribute can access the resource when they are specifically authorized in the access list with sufficient authority.

If you specifically assign a user or group an access authority to a resource, the specified authority overrides the UACC specified for the resource.
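
The UACC rules above, written out as a simplified Python model (an added example, not IBM code and not RACF's full authorization algorithm). The profile, user and group names are constructed, and checking a user entry before group entries and taking the highest group authority are modeling assumptions.

```python
# Simplified model of the UACC rules described above (added example, not IBM code).
from dataclasses import dataclass, field

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # lowest to highest

@dataclass
class User:
    userid: str
    groups: tuple = ()
    restricted: bool = False   # models the RESTRICTED attribute
    defined: bool = True       # False models a user not defined to RACF

@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    access_list: dict = field(default_factory=dict)  # user or group ID -> authority

def effective_access(profile, user):
    """Return (authority, source) for this user under the simplified model."""
    acl = profile.access_list
    if user.defined and user.userid in acl:
        # A specific entry overrides the UACC, even when it is lower.
        return acl[user.userid], "access list (user)"
    group_hits = [acl[g] for g in user.groups if g in acl]
    if user.defined and group_hits:
        # Assumption: the highest authority among the user's groups is used.
        return max(group_hits, key=LEVELS.index), "access list (group)"
    if user.restricted:
        # RESTRICTED users never fall back to the UACC.
        return "NONE", "RESTRICTED: UACC not applied"
    return profile.uacc, "UACC"

def is_allowed(profile, user, requested):
    granted, _ = effective_access(profile, user)
    return LEVELS.index(granted) >= LEVELS.index(requested)

def uacc_exposure(profiles):
    """Audit helper: profiles whose UACC opens them to users not in the access list."""
    return [p.name for p in profiles if p.uacc != "NONE"]

# Constructed sample data (all names are made up for illustration).
PAYROLL = Profile("PAYROLL.REPORTS", uacc="READ",
                  access_list={"ALICE": "UPDATE", "BOB": "NONE", "AUDITGRP": "READ"})
KEYS = Profile("KEYS.MASTER", uacc="NONE", access_list={"SVCACCT": "READ"})
```

In this model BOB is denied READ to PAYROLL.REPORTS despite UACC READ, while a user who is not defined at all still receives READ through the UACC.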

Valid authorities that you can specify with UACC or specifically assign to users or groups vary from class to class, and are described in the topics of this document that describe the specific classes.

Note: Not all classes are described in this document. (For example, the DSNR class is not described in this document.) Also, in some classes, the access required by some resource managers to specific profiles is described in the documentation of the resource manager.

Table 1 shows additional meanings for several access authorities for general resources.

Table 1. ALTER, NONE, and CONTROL, UPDATE, and READ access authorities for general resources
| Access authority | Meaning |
| --- | --- |
| ALTER | For discrete profiles, the specified user or group has full control over the resource and the resource profile, and can authorize other users and groups to access the resource. For generic profiles, only the profile owner, users with the SPECIAL attribute, and group-SPECIAL users whose groups own the profile have control over the resource profile and can authorize other users and groups to access the resource. For both profiles, full resource access is allowed. |
| NONE | The specified user or group is not permitted to access the resource or list the profile. |
| CONTROL, UPDATE, READ | These access authorities allow listing of selected portions of the profile and grant resource access in various ways, depending on the class. |





Copyright IBM Corporation 1990, 2014