z/OS Security Server RACF Security Administrator's Guide


RACF-protecting all data sets (PROTECTALL option)

SA23-2289-00

If you have the SPECIAL attribute, you can activate PROTECTALL processing by using the PROTECTALL operand of the SETROPTS command. If PROTECTALL is active, a user can create or access a data set only if the data set is RACF-protected by either a discrete or generic profile, or the access is allowed by global access checking. Note that if PROTECTALL is in effect, generic profile checking should also be in effect for the DATASET class. Otherwise, users can create only data sets that are protected by discrete profiles. The following examples show how to specify these options:
SETROPTS PROTECTALL
SETROPTS GENERIC(DATASET)
Note:
  1. PROTECTALL requires that you RACF-protect all data sets. This protection includes tape data sets if your installation specifies TAPEDSN on the SETROPTS command.
  2. After defining, altering, or deleting a generic profile, the following command ensures that the profile is in effect during authorization checking:
    SETROPTS GENERIC(DATASET) REFRESH
  3. Started procedures with the privileged or trusted attribute and users with the SPECIAL attribute can access a data set that has no RACF® profile, even if PROTECTALL is in effect. These exceptions allow recovery if a critical profile is accidentally deleted.
  4. If there is a global access checking table entry of &RACUID.**/ALTER for data sets, users can create unprotected data sets even if PROTECTALL is in effect. However, other users cannot access those data sets.
PROTECTALL also has a warning option that allows the request even though the data set is not protected, but sends a warning message to the user and the MVS™ console. For example:
SETROPTS PROTECTALL(WARNING)
Guideline: Before using PROTECTALL(WARNING), perform the following actions to reduce the number of messages generated:
  • Ensure that a RACF user or group profile is defined for all catalog aliases.
  • Ensure that all RACF users and groups have a generic data set profile of the form:
    'high-level-qualifier.*'
    or, if SETROPTS EGN is in effect:
    'high-level-qualifier.**'
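The following batch job is an added example (not taken from this IBM page) that strings the steps above into a staged rollout: enable generic checking, give one high-level qualifier a group and a catch-all generic profile, refresh, and only then turn on PROTECTALL in WARNING mode so the console messages show what is still unprotected before full enforcement. The group and qualifier PAYROLL, the superior group SYS1 and the job card are placeholders, and SETROPTS EGN is assumed to be in effect.

```jcl
//PROTALL  JOB (ACCT),'PROTECTALL ROLLOUT',CLASS=A,MSGCLASS=X
//* Added example, not from the IBM page. PAYROLL and SYS1 are
//* placeholder names; replace them with installation values.
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* 1. Generic profile checking must be on for DATASET; otherwise   */
 /*    PROTECTALL lets users create only discretely protected sets. */
 SETROPTS GENERIC(DATASET)
 /* 2. Each HLQ needs a user or group profile plus a catch-all      */
 /*    generic profile (EGN form with '**'); UACC(NONE) by default. */
 ADDGROUP PAYROLL OWNER(SYS1) SUPGROUP(SYS1)
 ADDSD 'PAYROLL.**' UACC(NONE) OWNER(PAYROLL)
 /* 3. Refresh so the new generic profile is used in authorization  */
 /*    checking (the note above for defining a generic profile).    */
 SETROPTS GENERIC(DATASET) REFRESH
 /* 4. Warning mode first: requests against unprotected data sets   */
 /*    are still allowed, but the user and the MVS console receive  */
 /*    a warning message identifying each one.                      */
 SETROPTS PROTECTALL(WARNING)
 /* 5. Verify the option took effect; review the warnings, cover    */
 /*    the remaining HLQs, then switch to SETROPTS PROTECTALL.      */
 SETROPTS LIST
/*
```

Comment lines in SYSTSIN start in column 2 on purpose: a `/*` in column 1 is the JCL delimiter that ends the instream data.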
Note:
PROTECTALL applies to all data sets that do not have system-generated temporary names and that do not have names that begin with **SYSUT. You can extend PROTECTALL to include temporary data sets with system-generated names by using the naming conventions table to modify the name that RACF uses to look like a permanent name. If your installation uses nonstandard names for temporary data sets, you must also predefine entries in the global access checking table that allow these data sets to be created and accessed.

If you have the SPECIAL attribute, you can also deactivate PROTECTALL processing by using the NOPROTECTALL operand.

NOPROTECTALL is in effect when RACF is first initialized.

Copyright IBM Corporation 1990, 2014