A user who has the OPERATIONS attribute has full access
authorization to all RACF-protected resources in the DATASET, DASDVOL,
GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE, and VMRDR
classes, with the following exceptions:
- If users, their current connect group, or any of their connect
groups (if list-of-groups checking is active) is in the access list
of a resource profile, they have only the access specified in the
access list. For this reason, you should plan carefully before making
users who have the OPERATIONS attribute members of any group that
is in the access lists of resource profiles.
- Security classification checking or security label checking can
deny access.
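
The access-list exception above can be checked before connecting an OPERATIONS user to a group. The following is an added example, not IBM or RACF code: a simplified Python model in which the user IDs, group names, and profiles are constructed, and UACC, security labels, and group-OPERATIONS scope are not modelled. It assumes that when several of a user's groups are in the access list, the highest authority among them applies.

```python
# Added example: simplified model, not RACF code. UACC, security labels and
# group-OPERATIONS scope are not modelled.
from dataclasses import dataclass, field

OPERATIONS_CLASSES = {"DATASET", "DASDVOL", "GDASDVOL", "PSFMPL", "TAPEVOL",
                      "VMBATCH", "VMCMD", "VMMDISK", "VMNODE", "VMRDR"}
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
FULL = "FULL (OPERATIONS)"

@dataclass
class User:
    userid: str
    operations: bool
    current_group: str
    connect_groups: list = field(default_factory=list)

@dataclass
class Profile:
    resource_class: str
    name: str
    access_list: dict  # user ID or group name -> access authority

def effective_access(user, profile, list_of_groups=True):
    """Access an OPERATIONS user gets to one profile under this model."""
    acl = profile.access_list
    if user.userid in acl:                       # user entry in the access list
        return acl[user.userid]
    groups = [user.current_group]
    if list_of_groups:                           # list-of-groups checking active
        groups += user.connect_groups
    hits = [acl[g] for g in groups if g in acl]
    if hits:                                     # assumption: highest group entry applies
        return max(hits, key=LEVELS.index)
    if user.operations and profile.resource_class in OPERATIONS_CLASSES:
        return FULL
    return None                                  # outside what this model covers

def limited_by_access_list(users, profiles, list_of_groups=True):
    """(userid, profile name, access) where an entry overrides OPERATIONS."""
    return [(u.userid, p.name, effective_access(u, p, list_of_groups))
            for u in users if u.operations
            for p in profiles if p.resource_class in OPERATIONS_CLASSES
            and effective_access(u, p, list_of_groups) != FULL]

# Constructed sample data (hypothetical user IDs, groups and profiles)
USERS = [User("OPER1", True, "SYSOPS", ["SYSOPS", "PAYROLL"]),
         User("OPER2", True, "SYSOPS", ["SYSOPS"])]
PROFILES = [Profile("DATASET", "PAYROLL.**", {"PAYROLL": "READ"}),
            Profile("DATASET", "FINANCE.**", {"OPER2": "NONE"})]
```

With the sample data, `limited_by_access_list(USERS, PROFILES)` reports that OPER1 is held to READ on `PAYROLL.**` through the PAYROLL group connection; with `list_of_groups=False` that finding disappears because only the current connect group SYSOPS is considered.
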
In addition to having access authorization, an OPERATIONS user can:
- Copy, reorganize, catalog, and scratch user or group data sets.
  Note: The OPERATIONS attribute is required if you use DFSMSdss to copy
  data sets that result in a DEFINE or a discrete data set profile for
  data sets you do not own.
- Perform input/output operations on tape volumes.
- Create or destroy labels on tape volumes through OPEN and end-of-volume
operations.
- Create group data sets for groups.
  An OPERATIONS user cannot create group data sets for groups when
  both of the following are true:
  - The user is connected to the group with less than CREATE authority
  - The user has less than ALTER access to the data set if it is protected
    by a generic profile
  If the user has the group-OPERATIONS attribute (that is,
  the user is connected to a superior group with the OPERATIONS attribute),
  the group for which the new data set is being created must be within
  the scope of that superior group.
- Create user data sets. If the user has the group-OPERATIONS attribute
  (that is, the user is connected to a group with the OPERATIONS attribute),
  the high-level qualifier of the new data set must be the ID of a user
  who is within the scope of that group.
  In addition, RACF® creates a discrete profile for the user
  data set if the OPERATIONS user does one of the following:
  - Has the automatic data set protection (ADSP) attribute
  - Specifies PROTECT on the TSO ALLOCATE command that creates the
    data set
  - Specifies PROTECT=YES or SECMODEL=profile-name on
    the JCL DD statement that creates the data set
- Define profiles for group data sets when one of the following is true:
  - The user is not connected to the group of the new data
    set. If the user has the group-OPERATIONS attribute (that is, the
    user is connected to a superior group with the OPERATIONS attribute),
    the group for which the new data set is being created must be within
    the scope of that superior group.
  - The user is connected to the group with at least CREATE group
    authority.