z/OS Security Server RACF Security Administrator's Guide


The OPERATIONS attribute

SA23-2289-00

A user who has the OPERATIONS attribute has full access authorization to all RACF-protected resources in the DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE, and VMRDR classes, with the following exceptions:
  • If users, their current connect group, or any of their connect groups (if list-of-groups checking is active) is in the access list of a resource profile, they have only the access specified in the access list. For this reason, you should plan carefully before making users who have the OPERATIONS attribute members of any group that is in the access lists of resource profiles.
  • Security classification checking or security label checking can deny access.
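
The access-list exception can be checked against planned group connections before an OPERATIONS user is connected to a group. The following Python model is an added example, not part of the IBM publication or of RACF; the user IDs, groups and profile names are hypothetical. It assumes that a user entry takes precedence over group entries, that the highest matching group entry applies, and that "full access" can be represented as ALTER.

```python
# Simplified model of the access-list exception (added example, not IBM code).
# Not modelled: UACC, ownership, global access checking; label checks are a flag.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
OPERATIONS_CLASSES = {"DATASET", "DASDVOL", "GDASDVOL", "PSFMPL", "TAPEVOL",
                      "VMBATCH", "VMCMD", "VMMDISK", "VMNODE", "VMRDR"}


def effective_access(user, profile, grplist_active=True):
    """Return (level, reason) for a user against one resource profile."""
    acl = profile["access_list"]
    if profile.get("seclabel_denies"):
        return "NONE", "security classification or label check"
    if user["id"] in acl:  # an access-list entry caps the user, OPERATIONS or not
        return acl[user["id"]], "access list (user entry)"
    groups = user["connect_groups"] if grplist_active else [user["current_group"]]
    hits = [acl[g] for g in groups if g in acl]
    if hits:  # assumed: the highest matching group entry applies
        return max(hits, key=LEVELS.index), "access list (group entry)"
    if user.get("operations") and profile["class"] in OPERATIONS_CLASSES:
        return "ALTER", "OPERATIONS attribute"  # "full access" modelled as ALTER
    return "NONE", "no access-list entry (other checks not modelled)"


def review(users, profiles):
    """List OPERATIONS users whose access is set by an access list."""
    findings = []
    for u in (x for x in users if x.get("operations")):
        for p in profiles:
            level, reason = effective_access(u, p)
            if reason.startswith("access list"):
                findings.append((u["id"], p["name"], level, reason))
    return findings

# Constructed sample data; the IDs, groups and profile names are hypothetical.
USERS = [
    {"id": "OPER1", "operations": True, "current_group": "SYSOPS",
     "connect_groups": ["SYSOPS", "PAYAUD"]},
    {"id": "OPER2", "operations": True, "current_group": "SYSOPS",
     "connect_groups": ["SYSOPS"]},
]
PROFILES = [
    {"name": "PAYROLL.**", "class": "DATASET",
     "access_list": {"PAYAUD": "READ", "OPER2": "NONE"}},
    {"name": "PROD.BACKUP.**", "class": "DATASET", "access_list": {}},
]

if __name__ == "__main__":
    for row in review(USERS, PROFILES):
        print(*row)
```

In the sample data, OPER1 is held to READ on PAYROLL.** only because list-of-groups checking brings the PAYAUD entry into play; with grplist_active=False the same user falls through to the OPERATIONS attribute.
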
In addition to having access authorization, an OPERATIONS user can:
  • Copy, reorganize, catalog, and scratch user or group data sets.
    Note: The OPERATIONS attribute is required if you use DFSMSdss to copy data sets that result in a DEFINE or a discrete data set profile for data sets you do not own.
  • Perform input/output operations on tape volumes.
  • Create or destroy labels on tape volumes through OPEN and end-of-volume operations.
  • Create group data sets for groups.
    An OPERATIONS user cannot create group data sets for groups when both of the following are true:
    1. The user is connected to the group with less than CREATE authority.
    2. The user has less than ALTER access to the data set if it is protected by a generic profile.

    If the user has the group-OPERATIONS attribute (that is, the user is connected to a superior group with the OPERATIONS attribute), the group for which the new data set is being created must be within the scope of that superior group.

  • Create user data sets. If the user has the group-OPERATIONS attribute (that is, the user is connected to a group with the OPERATIONS attribute), the high-level qualifier of the new data set must be the ID of a user who is within the scope of that group.
    In addition, RACF® creates a discrete profile for the user data set if the OPERATIONS user does one of the following:
    • Has the automatic data set protection (ADSP) attribute
    • Specifies PROTECT on the TSO ALLOCATE command that creates the data set
    • Specifies PROTECT=YES or SECMODEL=profile-name on the JCL DD statement that creates the data set
  • Define profiles for group data sets when one of the following is true:
    • The user is not connected to the group of the new data set. If the user has the group-OPERATIONS attribute (that is, the user is connected to a superior group with the OPERATIONS attribute), the group for which the new data set is being created must be within the scope of that superior group.
    • The user is connected to the group with at least CREATE group authority.





Copyright IBM Corporation 1990, 2014