Controlling the creation of new data sets
Using data set profiles, you can control whether users can create (allocate) new data sets.
- To add entries to the catalog, users need authority to create the data set according to the following specifications and UPDATE authority to the catalog.
- To delete entries from the catalog, users need ALTER authority to the protecting profile or to the catalog.
For more information, see Protecting catalogs and z/OS DFSMS Managing Catalogs.
The following cases describe how RACF® can be used to control the creation of new user data sets and new group data sets.
User data sets:
- The data set is protected by an existing generic profile and the user does not have ADSP. The creation is allowed if (1) the user has ALTER authority to the data set through the generic profile or global access checking, or (2) the data set is the user's own data set. RACF does not create a profile.
- The data set name is not covered by an existing generic profile and the user does not have ADSP.
If PROTECTALL is not in effect, the creation is allowed, but RACF does not create a profile. See Note 2.
- The user has ADSP and the data set is the user's own data set.
The creation is allowed and RACF creates a discrete profile for the data set.
- The REQUEST=DEFINE preprocessing exit routine allows RACF protection.
- The user has the OPERATIONS attribute. If the user has the group-OPERATIONS attribute (that is, the user is connected to a group with the OPERATIONS attribute), the high-level qualifier of the new data set must be the ID of a user who is within the scope of that group.
Group data sets:
- The data set name is protected by an existing generic profile and the user does not have ADSP. The creation is allowed if at least one of the following is true:
- The user has ALTER authority to the data set through the generic profile or global access checking.
- The user has CREATE authority in the group.
RACF does not create a profile.
- The data set name is not covered by an existing generic profile and the user does not have ADSP.
If PROTECTALL is not in effect, the creation is allowed, but RACF does not create a profile. See Note 2.
- The user has ADSP and the data set belongs to a group of which the user is a member.
The creation is allowed only if the user has CREATE authority in the group. If the creation is allowed, RACF creates a discrete profile for the data set.
- The REQUEST=DEFINE preprocessing exit routine allows RACF protection.
- The user has the OPERATIONS attribute, except when both of the following are true:
- The user is connected to the group with less than CREATE authority.
- The data set is protected by a generic profile and the user has less than ALTER access to it through that profile.
If the user has the group-OPERATIONS attribute (that is, the user is connected to a superior group with the OPERATIONS attribute), the group for which the new data set is being created must be within the scope of that superior group.
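The cases above, as an added example of the RACF commands an installation would issue to put these controls in place. This is added here and is not part of the original page. The user IDs SMITH and JONES, the group PROJ1 and the data set names are hypothetical; the commands assume that the group PROJ1 already exists and that the issuer has the authority each command requires (SETROPTS needs the SPECIAL attribute).

```tso
/* Added example: hypothetical user IDs SMITH and JONES, group PROJ1. */

/* Make sure generic profile checking is active for the DATASET class, */
/* otherwise the profiles below are treated as discrete profiles.      */
/* How a trailing '*' matches depends on whether enhanced generic      */
/* naming (SETROPTS EGN) is active; check SETROPTS LIST if unsure.     */
SETROPTS GENERIC(DATASET)

/* User data sets: a generic profile for SMITH.* lets SMITH create     */
/* SMITH.xxx (the data set is the user's own). UACC(NONE) gives no     */
/* default access to anyone else.                                      */
ADDSD 'SMITH.*' UACC(NONE)

/* Let another user, JONES, create SMITH.* data sets by giving ALTER   */
/* through the generic profile. UPDATE or CONTROL is not enough.       */
PERMIT 'SMITH.*' ID(JONES) ACCESS(ALTER)

/* Group data sets: a generic profile for PROJ1.*, owned by the group. */
ADDSD 'PROJ1.*' UACC(NONE) OWNER(PROJ1)

/* CREATE authority in PROJ1 allows SMITH to create PROJ1.* data sets  */
/* even without ALTER on the profile, and is required when SMITH has   */
/* ADSP. Connecting with AUTHORITY(USE) would withhold that right.     */
CONNECT SMITH GROUP(PROJ1) AUTHORITY(CREATE)

/* Give SMITH the ADSP attribute so RACF creates a discrete profile    */
/* for each new data set. ALTUSER SMITH NOADSP removes it again.       */
ALTUSER SMITH ADSP

/* Verify the access lists and SMITH's connect authority in PROJ1.     */
LISTDSD DATASET('SMITH.*') AUTHUSER
LISTDSD DATASET('PROJ1.*') AUTHUSER
LISTUSER SMITH
```

With these profiles in place, SMITH can create both SMITH.xxx and PROJ1.xxx data sets, JONES can create SMITH.xxx only, and a user connected to PROJ1 with USE authority and no ALTER on PROJ1.* is refused, which is the group data set case described above. Until PROTECTALL is in effect, a name that no profile covers is still created without any RACF protection.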
Notes:
1. In all cases, if the user specifies the PROTECT=YES or SECMODEL parameter on the JCL DD statement, or the PROTECT or SECMODEL operand on the TSO ALLOCATE command (these operands request that RACF create a discrete profile), RACF treats the user the same as a user with ADSP. However, because the use of these operands is voluntary, an installation cannot use the operands to control the creation of data sets.
2. If PROTECTALL is in effect at your installation, a user cannot create a new data set unless the data set is RACF-protected by either a discrete or generic profile. However, instead of rejecting all creation requests for unprotected data sets, PROTECTALL also allows installations to issue warning messages. For more information on the PROTECTALL option, see RACF-protecting all data sets (PROTECTALL option).
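The two notes above, as an added example: the PROTECTALL option in its warning form beside its enforcing form, and the voluntary PROTECT operand on ALLOCATE that cannot substitute for it. This is added here and is not part of the original page. The group PROJ1 and the data set name PROJ1.NEWDATA are hypothetical, and the SETROPTS commands assume the issuer has the SPECIAL attribute.

```tso
/* Added example: hypothetical group PROJ1 and data set PROJ1.NEWDATA. */

/* Weak setting: an unprotected data set can still be created; RACF    */
/* only issues a warning message. Suitable while profiles are still    */
/* being built, not as the end state.                                  */
SETROPTS PROTECTALL(WARNING)

/* Before switching to FAILURES, list the DATASET profiles that begin  */
/* with PROJ1 to see which names are already covered.                  */
SEARCH MASK(PROJ1) CLASS(DATASET)

/* Enforcing setting: creation fails unless a discrete or generic      */
/* profile covers the new name.                                        */
SETROPTS PROTECTALL(FAILURES)

/* Confirm the option that is now in effect.                           */
SETROPTS LIST

/* The PROTECT operand asks RACF to create a discrete profile for the  */
/* new data set, as though the requester had ADSP. It is the           */
/* requester's choice, so it enforces nothing; PROTECTALL does.        */
ALLOCATE DATASET('PROJ1.NEWDATA') NEW CATALOG PROTECT -
   SPACE(1,1) TRACKS UNIT(SYSDA)
```

Under PROTECTALL(FAILURES) the ALLOCATE succeeds only because a profile (here the discrete one requested by PROTECT, or a generic PROJ1.* profile) covers the name; omitting PROTECT from a request for a name no generic profile covers makes the allocation fail rather than create an unprotected data set.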