z/OS Security Server RACF Security Administrator's Guide


Possible changes to copied profiles when modeling occurs

SA23-2289-00

When a profile is copied during profile modeling, the new profile could differ from the model in the following ways:
  • RACF® places the user creating the new profile on the access list with ALTER access authority or, if the user is already on the access list, changes the user's access authority to ALTER. This is true only if ADDCREATOR is in effect, or if you are creating a discrete DATASET or TAPEVOL profile with RACROUTE REQUEST=DEFINE. Otherwise, the user creating the new profile is not placed on the access list or, if the user is already on the access list, the user's authority is not changed when the access list is copied to the new profile.

    If the profile being added is for a group data set and the user has the GRPACC attribute for that group, RACF places the group on the access list with UPDATE access authority or, if the group is already on the access list, changes the group's access authority to UPDATE.

    Note: These access list changes do not occur if the data set profile is created only because the user has the OPERATIONS attribute.
  • If the model profile contains members (specified with the ADDMEM operand), the members are not copied into the new profile.
  • If the SETROPTS MLS option is in effect, the security label, if specified in the model profile, is not copied. Instead, the user's current security label is used. For more information on security labels, see Understanding security labels.
    Note: When the SETROPTS MLS option is in effect, if the SETROPTS MLSTABLE option is also in effect and the user has the SPECIAL attribute, the security label specified in the model profile is copied to the new profile. For more information on security labels, see Understanding security labels.
  • For TAPEVOL profiles, TVTOC information is not copied to the new profile.
  • Even if SETROPTS NOADDCREATOR is set, the model profile access list is copied exactly. Therefore, if the creator's user ID appeared in the model's access list, the authority is copied to the new profile exactly.
  • Entries in the conditional access list of the model profile are copied to the conditional access list of the new profile only when the condition is valid for the class of the new profile.
    • WHEN(SYSID) is valid only for the PROGRAM class. SYSID entries are copied only when the new profile is a PROGRAM class profile.
    • WHEN(PROGRAM) is valid only for data sets and the SERVAUTH class. PROGRAM entries are copied only when the new profile is a data set profile or a SERVAUTH class profile.
    • WHEN(CRITERIA) is valid only for general resource classes. CRITERIA entries are not copied when the new profile is a data set profile.
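As an added example (not part of the IBM documentation and not RACF code), the rules above can be expressed as a function that predicts the new profile from a model, so the prediction can be compared with what an audit of the real profile shows. The dictionary keys, context flags and function names are hypothetical; it assumes the model's security label is copied unchanged when MLS is not in effect, and it sets aside conditional entries other than SYSID, PROGRAM and CRITERIA for manual review.

```python
# Added example: plain-Python model of the copy rules listed above.
# Dict keys, context flags and function names are hypothetical, not RACF structures.
import copy

def cond_entry_copied(when, new_class):
    """True/False per the WHEN rules above; None if the page does not cover it."""
    if when == "SYSID":
        return new_class == "PROGRAM"
    if when == "PROGRAM":
        return new_class in ("DATASET", "SERVAUTH")
    if when == "CRITERIA":
        return new_class != "DATASET"  # valid only for general resource classes
    return None

def predict_copy(model, new_class, ctx):
    """Predict the profile created from `model` by the creator described in `ctx`."""
    new = {"class": new_class, "members": [], "tvtoc": None}  # ADDMEM/TVTOC not copied
    acl = copy.deepcopy(model.get("acl", {}))                 # standard list copied exactly
    if not ctx.get("operations_only"):                        # Note: no changes in that case
        discrete_define = (ctx.get("racroute_define") and ctx.get("discrete")
                           and new_class in ("DATASET", "TAPEVOL"))
        if ctx.get("addcreator") or discrete_define:
            acl[ctx["user"]] = "ALTER"                        # added, or raised to ALTER
        if new_class == "DATASET" and ctx.get("grpacc_group"):
            acl[ctx["grpacc_group"]] = "UPDATE"               # group data set + GRPACC
    new["acl"] = acl
    # Assumption: with MLS inactive the model's label is carried over unchanged.
    keep_model_label = not ctx.get("mls") or (ctx.get("mlstable") and ctx.get("special"))
    new["seclabel"] = model.get("seclabel") if keep_model_label else ctx.get("user_seclabel")
    new["cond_acl"], new["review"] = [], []
    for entry in model.get("cond_acl", []):
        verdict = cond_entry_copied(entry["when"], new_class)
        if verdict is None:
            new["review"].append(entry)    # condition type not covered by the page
        elif verdict:
            new["cond_acl"].append(entry)
    return new

# Constructed sample: a model profile and a creator context.
MODEL = {"acl": {"USERA": "READ", "GRP1": "READ"}, "members": ["M1"],
         "seclabel": "SECRET", "tvtoc": "constructed",
         "cond_acl": [{"id": "U1", "access": "READ", "when": "SYSID"},
                      {"id": "U2", "access": "READ", "when": "PROGRAM"},
                      {"id": "U3", "access": "READ", "when": "CRITERIA"},
                      {"id": "U4", "access": "READ", "when": "TERMINAL"}]}
CTX = {"user": "USERA", "addcreator": True, "grpacc_group": "GRP1",
       "mls": True, "user_seclabel": "SYSLOW"}
```

Calling `predict_copy(MODEL, "DATASET", CTX)` shows the creator raised to ALTER, the group raised to UPDATE, the creator's own label in place of the model's, and only the WHEN(PROGRAM) entry surviving on the conditional access list.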

Copyright IBM Corporation 1990, 2014