A user data set is a data set whose high-level qualifier is a RACF® user ID. The following rules apply to user data sets:
- In general, all RACF-defined users can protect their own data sets. However, some SETROPTS options can restrict the ability of users to define and change profiles. See Restricting changes to security labels (SECLABELCONTROL option).
- A user can RACF-protect a data set for another user under any of the following conditions:
  - The user who is protecting the data set has the SPECIAL attribute. A discrete or generic profile can be created.
  - The user who is protecting the data set has the group-SPECIAL attribute, and the high-level qualifier of the data set name is a user within the group-SPECIAL user's scope of authority. A discrete or generic profile can be created.
  - The user who is protecting a data set has the OPERATIONS attribute (or the group-OPERATIONS attribute if the data set is within his scope of authority) and is simultaneously creating the data set. In this case, the user can create a discrete profile:
    - Through ADSP
    - By specifying the PROTECT operand on the TSO ALLOCATE command that creates the data set
    - By specifying the PROTECT=YES or SECMODEL=profile-name operands on the JCL DD statement that creates the data set
  - The REQUEST=DEFINE preprocessing exit routine allows RACF protection.
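
The creation-time methods listed for an OPERATIONS user, shown as one batch job with a verification step. This is an added example, not part of the original documentation. The job name, accounting field, USERB, and all data set and model profile names are constructed placeholders, and the submitter is assumed to hold OPERATIONS (or group-OPERATIONS with USERB in scope).

```jcl
//PROTDS   JOB (ACCT),'PROTECT DEMO',CLASS=A,MSGCLASS=X
//* Constructed example: USERB and every data set name below are
//* placeholders. The submitter is assumed to have the OPERATIONS
//* attribute, or group-OPERATIONS with USERB in scope.
//*
//* STEP1: create the data set and a discrete profile together
//*        by coding PROTECT=YES on the DD statement.
//STEP1    EXEC PGM=IEFBR14
//NEWDS1   DD DSN=USERB.SAMPLE.DATA1,DISP=(NEW,CATLG),
//            UNIT=SYSDA,SPACE=(TRK,(1,1)),
//            PROTECT=YES
//*
//* STEP2: create the data set with a discrete profile copied
//*        from an existing model profile (SECMODEL).
//*        Assumes SMS is active and that the model profile
//*        USERB.MODEL.DATA already exists.
//STEP2    EXEC PGM=IEFBR14
//NEWDS2   DD DSN=USERB.SAMPLE.DATA2,DISP=(NEW,CATLG),
//            UNIT=SYSDA,SPACE=(TRK,(1,1)),
//            SECMODEL=(USERB.MODEL.DATA)
//*
//* STEP3: batch TSO. ALLOCATE with the PROTECT operand creates
//*        the third data set with a discrete profile, then
//*        LISTDSD displays each profile so the owner, UACC and
//*        access list can be reviewed.
//STEP3    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALLOCATE DATASET('USERB.SAMPLE.DATA3') NEW CATALOG -
    TRACKS SPACE(1,1) PROTECT
  LISTDSD DATASET('USERB.SAMPLE.DATA1') ALL
  LISTDSD DATASET('USERB.SAMPLE.DATA2') ALL
  LISTDSD DATASET('USERB.SAMPLE.DATA3') ALL
/*
```

Reviewing the LISTDSD output after creation confirms that each discrete profile exists and that its universal access and access list match what was intended for USERB's data.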