RACF® provides several ways to protect new data:
- Generic Profiles: Use of generic profiles can decrease
the amount of administrative effort because you can use a single generic
profile to protect a large number of existing resources that have
a similar naming structure. Generic data set profiles protect existing
data sets even if they are not RACF-indicated. (See "Choosing between discrete and generic data set profiles" and "Protection through generic profiles.")
- Automatically created discrete profiles: RACF automatically protects new data sets by
creating a discrete profile for each data set when the user creating
them has the ADSP attribute or has specified the PROTECT=YES operand
on the JCL DD statement that creates the data set. This automatic
definition of discrete data set profiles occurs when the resource
manager issues RACROUTE REQUEST=DEFINE.
  Note:
  - ADSP and PROTECT=YES always cause the creation of a discrete profile,
    which is desirable for data sets that have unique access-authorization
    requirements. If your data sets do not have unique access-authorization
    requirements, consider using generic profiles.
  - By themselves, ADSP and PROTECT=YES allow only the creator of
    the data set to access the protected data. One way to allow other
    users access to the protected data set is to use the PERMIT command
    to place them (or groups of which they are members) on the access
    list of the profile with the desired access authority. Also, if the
    data set being created is a group data set, and the user creating
    it has the GRPACC attribute in that group, all members of the group
    are given UPDATE access authority to the group data set.
- Automatic profile modeling: One way you can allow other
users to access protected data is by using automatic profile modeling.
When you use automatic profile modeling, the profile that protects
a new user or group data set automatically has an access list copied
from the model profile. Therefore, users defined in the access list
of the model can access the newly created user or group data set.
Automatic modeling is thus valuable for establishing the initial access
list for newly created generic data set profiles. You can use automatic
profile modeling for profiles that are created by the user's ADSP
attribute, the PROTECT=YES operand of the JCL DD statement, or the
ADDSD command.
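
The three mechanisms above as two batch jobs, added here as an example and not taken from the RACF documentation. All user, group and data set names (JONES, PAYGRP, AUDITGRP, PAYROLL.DEPT1, MODEL.ACCESS) are constructed. It assumes generic data set profile checking and enhanced generic naming are active, and that the first job is submitted by a user with the SPECIAL attribute.

```jcl
//RACFADM  JOB (ACCT),'PROTECT NEW DATA',CLASS=A,MSGCLASS=X
//* Added example; every user, group and data set name is made up.
//* Assumes SETROPTS GENERIC(DATASET) and EGN are already active
//* (needed for the ** pattern) and a submitter with SPECIAL.
//*
//* Cmds 1-2: one generic profile covers every PAYROLL.DEPT1 data
//*           set, existing or new; PAYGRP goes on its access list.
//* Cmds 3-4: discrete MODEL profile (no data set need exist) whose
//*           access list is copied to profiles created for JONES.
//* Cmd 5:    turn on automatic modeling for user data sets.
//* Cmd 6:    name the model for JONES; RACF prefixes the user ID,
//*           so this resolves to 'JONES.MODEL.ACCESS'.
//RACFCMD  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD 'PAYROLL.DEPT1.**' UACC(NONE)
  PERMIT 'PAYROLL.DEPT1.**' ID(PAYGRP) ACCESS(UPDATE)
  ADDSD 'JONES.MODEL.ACCESS' MODEL UACC(NONE)
  PERMIT 'JONES.MODEL.ACCESS' ID(AUDITGRP) ACCESS(READ)
  SETROPTS MODEL(USER)
  ALTUSER JONES MODEL(MODEL.ACCESS)
/*
//*
//* Second job, submitted by JONES. PROTECT=YES makes RACF create a
//* discrete profile for the new data set; with modeling active the
//* access list comes from the model, so AUDITGRP is already on it.
//JONESNEW JOB (ACCT),'PROTECT=YES DEMO',CLASS=A,MSGCLASS=X
//ALLOC    EXEC PGM=IEFBR14
//NEWDS    DD DSN=JONES.PRIVATE.DATA,DISP=(NEW,CATLG),
//            UNIT=SYSDA,SPACE=(TRK,(5,1)),PROTECT=YES
//*
//* List the new profile's access list to confirm what was copied.
//VERIFY   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  LISTDSD DATASET('JONES.PRIVATE.DATA') AUTHUSER
/*
```

Without the model, the LISTDSD output would show only JONES on the access list, which is the creator-only default described in the note above.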