z/OS Security Server RACF Security Administrator's Guide


Administering ACLs

SA23-2289-00

The z/OS UNIX setfacl command is used to create, modify, and delete ACLs. The z/OS UNIX getfacl command is used to display the contents of ACLs. To create and administer an ACL for a file, you must either be the file owner or have superuser authority, either by having UID(0) or by having READ access to SUPERUSER.FILESYS.CHANGEPERMS in the UNIXPRIV class.

You can also use setfacl to create default (or model) ACLs for directories. When new objects are created within the directory, the default ACL is automatically inherited by the new object. See z/OS UNIX System Services Planning for complete information on using ACLs.

You must activate the FSSEC class before ACLs can be used in access decisions. You can define and display ACLs while the FSSEC class is inactive; however, they will not be used for authorization checking. Similarly, if you have defined default ACLs on directories, the ACLs will be inherited by new objects while the FSSEC class is inactive, but they will not be used for authorization checking.

The following command can be used to activate the FSSEC class.

Example:
SETROPTS CLASSACT(FSSEC)

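The caveat above (ACLs defined while FSSEC is inactive are inherited but never consulted) is easy to miss in a review. The following Python is an added example, not IBM's code: it parses constructed text in the shape of getfacl and SETROPTS LIST output (the sample entries, user and group names, and the exact output layout are assumptions) and lists the ACL entries that exist but play no part in access decisions because FSSEC is not among the active classes.

```python
import re
# Constructed sample in the shape of z/OS UNIX getfacl output (not captured from a real system).
SAMPLE_GETFACL = """#file: /u/appl/config
user::rwx
group::r-x
other::---
user:AUDIT1:r-x
group:OPSGRP:rwx
default:user:AUDIT1:r-x
fdefault:group:OPSGRP:rw-
"""
# Constructed fragment of SETROPTS LIST output in which FSSEC is absent from the active classes.
SAMPLE_SETROPTS = """ACTIVE CLASSES = DATASET USER GROUP UNIXPRIV
                 FACILITY
GENERIC PROFILE CLASSES = DATASET
"""
ENTRY = re.compile(r"^(?:(default|fdefault):)?(user|group|other):([^:]*):[rwx-]{3}$")

def parse_acl(getfacl_text):
    # Split getfacl output into base entries, extended entries and default entries.
    acl = {"base": [], "access": [], "default": [], "fdefault": []}
    for line in getfacl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and the #file/#owner/#group header
        if not (m := ENTRY.match(line)):
            raise ValueError(f"unrecognised ACL entry: {line!r}")
        scope, _kind, name = m.groups()
        if scope:
            acl[scope].append(line)       # default entries: inherited by objects created later
        elif name == "":
            acl["base"].append(line)      # user::/group::/other:: mirror the FSP mode bits
        else:
            acl["access"].append(line)    # extended entries, honoured only while FSSEC is active
    return acl

def active_classes(setropts_text):
    """Class names from the ACTIVE CLASSES line plus its indented continuation lines."""
    classes, collecting = [], False
    for line in setropts_text.splitlines():
        collecting = line.startswith("ACTIVE CLASSES =") or (
            collecting and line.startswith(" ") and "=" not in line)
        if collecting:
            classes += line.split("=", 1)[-1].split()
    return classes

def unenforced_entries(getfacl_text, setropts_text):
    """ACL entries that are defined but ignored in access decisions while FSSEC is inactive."""
    if "FSSEC" in active_classes(setropts_text):
        return []
    acl = parse_acl(getfacl_text)
    return acl["access"] + acl["default"] + acl["fdefault"]
```

Feed it the real output of getfacl and SETROPTS LIST on a system where you want to confirm that defined ACLs are actually in force; an empty result means FSSEC is active or no extended entries exist.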
When a security decision is needed, the file system calls RACF®, supplying the ACL, if present, and the FSP. RACF provides authorization checking and auditing, and then returns control to the file system. See Authorization checking for RACF-protected resources for details.





Copyright IBM Corporation 1990, 2014