z/OS Security Server RACF Security Administrator's Guide


Automatic profile modeling for user data set profiles

SA23-2289-00

You can specify a model data set profile to be used whenever new user data set profiles are created for a specific user. Information from the model profile is copied to any data set profile with the specified user ID as high-level qualifier.

To do this, follow these steps:
  1. For each user for which modeling is to be done, specify the profile that is to be used as a model:
    ALTUSER userid MODEL(model-profile-name)
    or
    ADDUSER userid MODEL(model-profile-name)
    Note: When specifying the MODEL operand, do not specify the user's user ID on the model profile name.
  2. If necessary, create a model data set profile:
    ADDSD 'userid.model-profile-name' MODEL
          …other appropriate operands such as UACC and AUDIT…
    
    PERMIT 'userid.model-profile-name' ID(appropriate-users-or-groups)
           ACCESS(access-authority)
    Note:
    1. With the MODEL operand specified, no actual data set need exist with the specified profile name. A generic profile cannot be a model profile.
    2. A profile created with the MODEL operand is not intended to actually protect a data set (and does not cause an existing data set to be RACF-indicated). However, if a data set with the same name exists, the model profile might be used to protect that data set. Therefore, choose a profile name such that the profile does not match any data sets.
  3. When you are ready to start using model profiles for user data sets, issue the SETROPTS command with MODEL(USER) specified:
    SETROPTS MODEL(USER)
  4. After the SETROPTS command has been issued, if a user creates a user data set profile for another user, and that profile had the MODEL operand specified, information from the model profile is always copied into the new user data set profile.

Example:

The following commands set up a model profile named SUE.SAMPMOD for user SUE. The model specifies a UACC of NONE and gives READ access to SAM, JOE, and GROUP1.
(1) ALTUSER SUE MODEL(SAMPMOD)
(2) ADDSD 'SUE.SAMPMOD' MODEL UACC(NONE)
(3) PERMIT 'SUE.SAMPMOD' ID(SAM JOE GROUP1) ACCESS(READ)
(4) SETROPTS MODEL(USER)
User SUE then issues the following command.
(5) ADDSD 'SUE.DATA' UACC(READ)
In this example:
  • (1) indicates to RACF® that automatic profile modeling is to be used for new profiles beginning with SUE.
  • (2) creates a profile named SUE.SAMPMOD. With the MODEL operand specified, no actual data set named SUE.SAMPMOD needs to exist. However, if a data set named SUE.SAMPMOD does exist, it is protected by the profile named SUE.SAMPMOD.
  • (3) specifies an access list for profile SUE.SAMPMOD.
  • (4) turns on automatic profile modeling for all of the users who have the MODEL operand set in their user profiles.
  • (5) creates profile SUE.DATA with UACC(READ). RACF copies the access list from SUE.SAMPMOD (SAM, JOE, and GROUP1 have READ access). With UACC(READ) specified on the ADDSD command, the UACC(NONE) value from SUE.SAMPMOD is not used. Note that the copied information can be changed during the copy. See Possible changes to copied profiles when modeling occurs.
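The naming notes in steps 1 and 2 (keep the user ID out of the MODEL value, do not use a generic name, and choose a model name that matches no real data set) can be checked offline before SETROPTS MODEL(USER) is issued. The following Python code is an added example, not IBM's code; the function names and the three inputs are assumptions, and the sample data is constructed.

```python
"""Added example: naming checks for RACF user data set model profiles."""

GENERIC_CHARS = set("*%")


def full_model_name(userid, model):
    # The page defines the model profile as 'userid.model-profile-name';
    # the MODEL operand on ADDUSER/ALTUSER holds only the part after the user ID.
    return f"{userid}.{model}".upper()


def audit_models(user_models, profiles, datasets):
    """Return a sorted list of (userid, issue) findings.

    user_models: {userid: MODEL value from the user profile}
    profiles:    names of discrete data set profiles that exist
    datasets:    names of data sets that actually exist
    """
    profiles = {p.upper() for p in profiles}
    datasets = {d.upper() for d in datasets}
    findings = []
    for userid, model in user_models.items():
        userid, model = userid.upper(), model.upper()
        name = full_model_name(userid, model)
        if model.startswith(userid + "."):
            findings.append((userid, "MODEL value repeats the user ID"))
        if GENERIC_CHARS & set(model):
            findings.append((userid, "generic name cannot be a model"))
        if name not in profiles:
            findings.append((userid, f"no profile named {name}"))
        if name in datasets:
            findings.append((userid, f"data set {name} exists; model may protect it"))
    return sorted(findings)


# Constructed sample data, not taken from a real RACF database.
USER_MODELS = {"SUE": "SAMPMOD", "JOE": "JOE.MODEL", "SAM": "WORK"}
PROFILES = ["SUE.SAMPMOD", "JOE.MODEL", "SAM.WORK"]
DATASETS = ["SUE.DATA", "SAM.WORK"]

if __name__ == "__main__":
    for userid, issue in audit_models(USER_MODELS, PROFILES, DATASETS):
        print(f"{userid}: {issue}")
```

With the sample data, SUE's setup from the example above produces no findings, while JOE and SAM are reported.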





Copyright IBM Corporation 1990, 2014