z/OS Security Server RACF Security Administrator's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Rules about disallowing generics when sharing a POSIT value

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

  1. All classes with a shared POSIT value must be defined with the same GENERIC setting. This is because the SETROPTS GENERIC and SETROPTS GENCMD commands process all classes that share a POSIT number.
  2. If your new dynamic class does not have the same GENERIC setting as the rest of the classes sharing the POSIT value, RACF® will issue a warning message during SETROPTS RACLIST(CDT) processing and dynamically change the GENERIC setting of one or more classes sharing the POSIT value.
    • If your new class shares a POSIT number with a supplied class, RACF changes the GENERIC setting of your new class to match the supplied class. (The class attribute in the supplied class takes precedence.)
    • If your new class shares a POSIT number with installation-defined classes (static or dynamic), RACF determines the least restrictive attribute (GENERIC(ALLOWED) is less restrictive than GENERIC(DISALLOWED)) and changes the GENERIC(DISALLOWED) class attributes to GENERIC(ALLOWED).

      Exception: A grouping class and member class can share a POSIT number although their GENERIC keyword values need not match. You must specify GENERIC(DISALLOWED) for grouping classes. However, you can specify either ALLOWED or DISALLOWED for member classes.

Parent topic: Adding a dynamic class that shares a POSIT value

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014