You can specify a model data set profile to be used whenever new
user data set profiles are created for a specific user. Information
from the model profile is copied to any data set profile with the
specified user ID as high-level qualifier.
To do this, follow these steps:
- For each user for which modeling is to be done, specify
the profile that is to be used as a model:
ALTUSER userid MODEL(model-profile-name)
or
ADDUSER userid MODEL(model-profile-name)
Note: When specifying the MODEL operand, do not specify the user's user ID on the model profile name.
- If necessary, create a model data set profile:
ADDSD 'userid.model-profile-name' MODEL
…other appropriate operands such as UACC and AUDIT…
PERMIT 'userid.model-profile-name' ID(appropriate-users-or-groups) ACCESS(access-authority)
Note:
  - With the MODEL operand specified, no actual data set need exist with the specified profile name. A generic profile cannot be a model profile.
  - A profile created with the MODEL operand is not intended to actually protect a data set (and does not cause an existing data set to be RACF-indicated). However, if a data set with the same name exists, the model profile might be used to protect that data set. Therefore, choose a profile name such that the profile does not match any data sets.
- When you are ready to start using model profiles for user data sets, issue the SETROPTS command with MODEL(USER) specified:
SETROPTS MODEL(USER)
- After the SETROPTS command has been issued, if a user creates
a user data set profile for another user, and that profile had the
MODEL operand specified, information from the model profile is always copied
into the new user data set profile.
Example:
The following commands set up a model profile named SUE.SAMPMOD
for user SUE. The model specifies a UACC of NONE and gives READ access
to SAM, JOE, and GROUP1.
(1) ALTUSER SUE MODEL(SAMPMOD)
(2) ADDSD 'SUE.SAMPMOD' MODEL UACC(NONE)
(3) PERMIT 'SUE.SAMPMOD' ID(SAM JOE GROUP1) ACCESS(READ)
(4) SETROPTS MODEL(USER)
User SUE then issues the following command.
(5) ADDSD 'SUE.DATA' UACC(READ)
In this example:
- (1) indicates to RACF® that automatic profile modeling is to be used for new profiles beginning with SUE.
- (2) creates a profile named SUE.SAMPMOD. With the MODEL operand
specified, no actual data set named SUE.SAMPMOD needs to exist. However,
if a data set named SUE.SAMPMOD does exist, it is protected by the
profile named SUE.SAMPMOD.
- (3) specifies an access list for profile SUE.SAMPMOD.
- (4) turns on automatic profile modeling for all of the users who
have the MODEL operand set in their user profiles.
- (5) creates profile SUE.DATA with UACC(READ). RACF copies the access list from SUE.SAMPMOD
(SAM, JOE, and GROUP1 have READ access). With UACC(READ) specified
on the ADDSD command, the UACC(NONE) value from SUE.SAMPMOD is not
used. Note that the copied information can be changed during the copy.
See Possible changes to copied profiles when modeling occurs.
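A pre-flight check for the setup steps and notes above, as an added Python example (not IBM's code and not part of the original page). The function name, its parameters, and the sample catalog list are assumptions; generic profiles are detected only by the generic characters * and %, and the 44-character data set name limit is applied to the full profile name.

```python
GENERIC_CHARS = set("*%")   # generic characters in data set profile names
MAX_DSNAME_LEN = 44         # z/OS data set name length limit


def model_setup_commands(userid, model_name, existing_dsnames, permits, uacc="NONE"):
    """Build the commands for one user's model profile (hypothetical helper).

    existing_dsnames: names from a catalog listing taken beforehand.
    permits: mapping of access authority -> list of user or group IDs.
    Raises ValueError when one of the documented cautions is violated.
    """
    userid, model_name = userid.upper(), model_name.upper()
    # The MODEL operand takes the name without the user ID qualifier.
    if model_name.startswith(userid + "."):
        raise ValueError("omit the user ID from the MODEL operand value")
    # A generic profile cannot be a model profile.
    if GENERIC_CHARS & set(model_name):
        raise ValueError("model profile name must not be generic")
    full_name = f"{userid}.{model_name}"
    if len(full_name) > MAX_DSNAME_LEN:
        raise ValueError("profile name exceeds 44 characters")
    # If a data set with this name exists, the model profile might protect it.
    if full_name in {d.upper() for d in existing_dsnames}:
        raise ValueError(f"data set {full_name} exists; choose another name")
    commands = [
        f"ALTUSER {userid} MODEL({model_name})",
        f"ADDSD '{full_name}' MODEL UACC({uacc})",
    ]
    for access, ids in permits.items():
        commands.append(f"PERMIT '{full_name}' ID({' '.join(ids)}) ACCESS({access})")
    commands.append("SETROPTS MODEL(USER)")  # system-wide option; issue once
    return commands


if __name__ == "__main__":
    # Constructed sample input matching the SUE.SAMPMOD example.
    catalog = ["SUE.DATA.OLD", "SUE.JCL.CNTL"]
    for cmd in model_setup_commands("SUE", "SAMPMOD", catalog,
                                    {"READ": ["SAM", "JOE", "GROUP1"]}):
        print(cmd)
```

Run it against a current catalog listing for the user's high-level qualifier before issuing the commands, so a model profile name that collides with a real data set is caught first.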