Generic profile rules - enhanced generic naming active

The enhanced generic naming option applies only to data sets and allows you to use double asterisk (**) in the DATASET class. It also changes the meaning of the single asterisk (*) at the end of a profile name.

Your RACF security administrator activates enhanced generic naming by issuing the SETROPTS command with the EGN operand. SETROPTS EGN makes the rules for data set and general resource profiles consistent with each other. Additionally, generic profiles can be more precise, and the generic profile names are more similar to other IBM products.

New installations should set EGN on immediately.

The following rules apply if you have enhanced generic naming in effect.

Specify * as follows:

As a character at the end of a data set profile name to match zero or more characters until the end of the qualifier.
As a qualifier at the end of a profile name to match one qualifier until the end of the data set name.
The meaning of an ending asterisk depends on whether the installation is using generic profiles with or without EGN.

Specify ** as follows:

As either a middle or end qualifier in a profile name to match zero or more qualifiers. Only one occurrence of a double asterisk is allowed in a profile name.
For example, ABC.DE.** is allowed; ABC.DE** is not allowed; and A.**.B.** is not allowed.

RACF does not allow you to specify any generic characters in the high-level qualifier of a data set name.

Table 1 and Table 2 show examples of generic profile names you can create when enhanced generic naming is active, and the resources protected and not protected by those profiles.

Profile name AB.CD* AB.CD.* AB.CD.** AB.CD*.** AB.CD.*.**

Resources protected by the profile

Table 1. Generic data set profile names created with enhanced generic naming active - Asterisk and double asterisk at the end
Profile name	`AB.CD*`	`AB.CD.*`	`AB.CD.**`	`AB.CD.*`	`AB.CD..*`
Resources protected by the profile	`AB.CD AB.CDEF`	`AB.CD.EF AB.CD.XY`	`AB.CD AB.CD.EF AB.CD.EF.GH AB.CD.XY`	`AB.CD AB.CD.EF AB.CDEF AB.CDEF.GH AB.CD.EF.GH AB.CD.XY`	`AB.CD.EF AB.CD.EF.GH AB.CD.XY`
Resources not protected by the profile	`AB.CD.EF AB.CD.EF.GH AB.CD.XY ABC.DEF`	`AB.CD AB.CDEF AB.CD.EF.GH ABC.DEF`	`AB.CDEF AB.CDE.FG ABC.DEF`	`ABC.DEF`	`ABC.DEF AB.CDEF AB.CDEF.GH AB.CD ABC.XY.XY.EF`

AB.CD
AB.CDEF

AB.CD.EF
AB.CD.XY

AB.CD
AB.CD.EF
AB.CD.EF.GH
AB.CD.XY

AB.CD
AB.CD.EF
AB.CDEF
AB.CDEF.GH
AB.CD.EF.GH
AB.CD.XY

AB.CD.EF
AB.CD.EF.GH
AB.CD.XY

Resources not protected by the profile

AB.CD.EF
AB.CD.EF.GH
AB.CD.XY
ABC.DEF

AB.CD
AB.CDEF
AB.CD.EF.GH
ABC.DEF

AB.CDEF
AB.CDE.FG
ABC.DEF

ABC.DEF

ABC.DEF
AB.CDEF
AB.CDEF.GH
AB.CD
ABC.XY.XY.EF

Table 2. Generic data set profile names created with enhanced generic naming active - Asterisk, double asterisk, or percent sign in the middle
Profile name	`ABC.%EF`	`AB.*.CD`	`AB.**.CD`
Resources protected by the profile	`ABC.DEF ABC.XEF`	`AB.CD.CD`	`AB.CD AB.X.CD AB.X.Y.CD`
Resources not protected by the profile	`ABC.DEFGHI ABC.DEF.GHI ABC.DDEF`	`AB.CD AB.CD.EF AB.CDEF ABC.DEF ABC.XY.CD ABC.XY.XY.CD`	`AB.CD.EF AB.CDEF ABC.X.CD.EF ABC.DEF ABX.YCD`

Note: Although multiple generic profiles might match a data set name, only the most specific actually protects the data set. For example, AB.CD*, AB.CD.**, and AB.**.CD all match the data set AB.CD, but AB.CD.** protects the data set.

In general, given two profiles that match a data set, you can find the more specific one by comparing the profile name from left to right. Where they differ, a nongeneric character is more specific than a generic character. In comparing generics, a % is more specific than an *, and an * is more specific than **. Another way to determine the most specific is with the SEARCH command, as there are some rare exceptions to the general rule. SEARCH always lists the profiles in the order of the most specific to the least specific.

Data set profiles created before enhanced generic naming is activated continue to provide the same RACF protection after this option is activated.

If you protect resources with generic profiles while enhanced generic naming is active and then deactivate this option, your resources can no longer be protected. Table 3 and Table 4 show examples of generic profiles created with enhanced generic naming active and the protection after deactivation.

Table 3. After deactivating EGN - Asterisk and percent sign in the middle
Profile name	`ABC.%EF`	`ABC.*.DEF`
How RACF displays the name after EGN is deactivated	`ABC.%EF`	`ABC.*.DEF`
Resources protected by the profile after EGN is deactivated	Same as before	Same as before

Table 4. After deactivating EGN - Asterisk and double asterisk at the end
Profile name	`AB.CD*`	`AB.CD.*`	`AB.CD.**`	`AB.CD.*`	`AB.CD..*`
How RACF displays the name after EGN is deactivated	`AB.CD*`	`AB.CD.*`	`AB.CD.`	`AB.CD*`	`AB.CD.*`
Resources protected by the profile after EGN is deactivated	None	None	None	Same as before	Same as before