z/OS Security Server RACF Security Administrator's Guide


Protecting user data sets

SA23-2289-00

A user data set is a data set whose high-level qualifier is a RACF® user ID. The following rules apply to user data sets:
  • In general, all RACF-defined users can protect their own data sets. However, some SETROPTS options can restrict the ability of users to define and change profiles. See Restricting changes to security labels (SECLABELCONTROL option).
  • A user can RACF-protect a data set for another user under any of the following conditions:
    • The user who is protecting the data set has the SPECIAL attribute. A discrete or generic profile can be created.
    • The user who is protecting the data set has the group-SPECIAL attribute, and the high-level qualifier of the data set name is a user within the group-SPECIAL user's scope of authority. A discrete or generic profile can be created.
    • The user who is protecting a data set has the OPERATIONS attribute (or the group-OPERATIONS attribute if the data set is within his scope of authority) and is simultaneously creating the data set.
      In this case, the user can create a discrete profile:
      • Through ADSP
      • By specifying the PROTECT operand on the TSO ALLOCATE command that creates the data set
      • By specifying the PROTECT=YES or SECMODEL=profile-name operands on the JCL DD statement that creates the data set
  • The REQUEST=DEFINE preprocessing exit routine allows RACF protection.
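The following job is an added illustration of the cases listed above, not text from the IBM guide. The job card values, the user ID USERA, and all data set and model profile names are constructed, and the pattern ADDSD assumes generic profile processing is active for the DATASET class.

```jcl
//PROTJOB  JOB (ACCT),'RACF PROTECT',CLASS=A,MSGCLASS=X
//*
//* Constructed example. USERA is another user's ID, so the
//* submitter is protecting a data set "for another user".
//*
//* STEP1: submitter has OPERATIONS (or group-OPERATIONS with
//* USERA in scope) and creates the data set in the same step.
//* PROTECT=YES asks for a discrete profile at creation time.
//*
//STEP1    EXEC PGM=IEFBR14
//NEWDS1   DD DSN=USERA.SAMPLE.DATA,
//            DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(TRK,(5,1)),
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=0),
//            PROTECT=YES
//*
//* Alternative to PROTECT=YES: copy the new profile from an
//* existing model profile (hypothetical name) with SECMODEL.
//*
//NEWDS2   DD DSN=USERA.SAMPLE.DATA2,
//            DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(TRK,(5,1)),
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=0),
//            SECMODEL=(USERA.MODEL.DATA)
//*
//* STEP2: batch TSO. The ALLOCATE command is the TSO form of
//* STEP1 (PROTECT operand). The two ADDSD commands are what a
//* SPECIAL user, or a group-SPECIAL user with USERA in scope,
//* can issue: the first defines a discrete profile for an
//* existing cataloged data set, the second a generic profile
//* (assumes generic processing is active for DATASET).
//*
//STEP2    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALLOCATE DATASET('USERA.SAMPLE.DATA3') NEW CATALOG +
    TRACKS SPACE(5,1) RECFM(F B) LRECL(80) PROTECT
  ADDSD 'USERA.PAYROLL.DATA' UACC(NONE)
  ADDSD 'USERA.PAYROLL.*' UACC(NONE)
/*
```

A job runs under a single user ID, so in practice STEP1 and STEP2 would be submitted by whichever administrator holds the attribute named in each comment.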





Copyright IBM Corporation 1990, 2014