Supplied resource classes for z/OS systems
Table 1 lists the supplied CDT classes that can be used on z/OS systems.
Several classes are listed in categories based on their usage. A number at the end of a description refers to the correspondingly numbered restriction at the end of the table.
Class name | Description |
---|---|
RACF®, MVS™, and miscellaneous classes | |
ALCSAUTH | Supports the Airline Control System/MVS (ALCS/MVS) product. |
ACEECHK | Configuration of RACF ACEE Privilege Escalation Detection. |
APPCLU | Verifying the identity of partner logical units during VTAM® session establishment. |
APPCPORT | Controlling which user IDs can access the system from a given LU (APPC port of entry). Also, conditional access to resources for users entering the system from a given LU. |
APPCSERV | Controlling whether a program that is being run by a user can act as a server for a specific APPC transaction program (TP). |
APPCSI | Controlling access to APPC side information files. |
APPCTP | Controlling the use of APPC transaction programs. |
APPL | Controlling access to applications. |
CACHECLS | Contains profiles that are used for saving and restoring cache contents from the RACF database. |
CBIND | Controlling the client's ability to bind to the server. |
CDT | Contains profiles for installation-defined classes for the dynamic CDT. 3 |
CFIELD | Contains profiles that define the installation's custom fields. 3 |
CONSOLE | Controlling access to MCS consoles. Also, conditional access to other resources for commands that originate from an MCS console. |
DASDVOL | DASD volumes. |
DBNFORM | Reserved for future IBM® use. |
DEVICES | Used by MVS allocation to control who can allocate devices such as unit record devices (printers and punches), graphics devices, and teleprocessing (TP) or communications devices. |
DIGTCERT | Contains digital certificates and information that is related to them. |
DIGTCRIT | Specifies additional criteria for certificate name filters. |
DIGTNMAP | Mapping class for certificate name filters. |
DIGTRING | Contains a profile for each key ring and provides information about the digital certificates that are part of each key ring. |
DIRAUTH | Setting logging options for RACROUTE REQUEST=DIRAUTH requests. Also, if the DIRAUTH class is active, security label authorization checking is done when a user receives a message that is sent through the TPUT macro or the TSO SEND, or LISTBC commands. 5 |
DLFCLASS | The data lookaside facility. |
FACILITY | Miscellaneous uses. Profiles are defined in this class so resource managers (typically elements of z/OS® or z/VM®) can check a user's access to the profiles when the user takes some action. Examples are the profiles that are used to control execution of RACDCERT command functions and the profiles that are used to control privileges in the z/OS UNIX environment. RACF does not document all of the resources used in the FACILITY class by other products. For information on the FACILITY class resources used by a specific product (other than RACF itself), see that product's documentation. |
FIELD | Fields in RACF profiles (field-level access checking). |
GDASDVOL | Resource group class for DASDVOL class. 1 |
GLOBAL | Global access checking table entry. 1 |
GMBR | Member class for the GLOBAL class. 4 |
GSDSF | Resource group class for SDSF class. 1 |
GTERMINL | Resource group class for TERMINAL class. 1 |
GXFACILI | Grouping class for XFACILIT resources. |
HBRADMIN | Controls whether server security and security for specific server resources are enabled or disabled. |
HBRCONN | Specifies the user IDs that are authorized to connect to the zRule Execution Server for z/OS and execute rule sets. This class is ignored if server security is disabled. |
HBRCMD | Specifies the user IDs that are authorized to issue zRule Execution Server for z/OS commands such as START, STOP, PAUSE, or RESUME from the z/OS console (or equivalent). This class is ignored if server security is disabled. |
IBMOPC | Controlling access to OPC/ESA subsystems. |
IDIDMAP | Contains distributed identity filters that are created with the RACMAP command. |
JESINPUT | Conditional access support for commands or jobs that are entered into the system through a JES input device. |
JESJOBS | Controlling the submission and cancellation of jobs by job name. |
JESSPOOL | Controlling access to job data sets on the JES spool (that is, SYSIN and SYSOUT data sets). |
KEYSMSTR | Contains profiles that hold keys to encrypt data that is stored in the RACF database, such as LDAP BIND passwords, DCE passwords, and Distributed File Service (DFS) Server Message Block (SMB) passwords. |
LDAP | Controls authorization roles for LDAP administration. |
LDAPBIND | Contains the LDAP server URL, bind distinguished name, and bind password. |
LOGSTRM | Controls system logger resources, such as log streams and the coupling facility structures associated with log streams. |
NODES | Controlling, on MVS systems, whether jobs are allowed to enter the system from other nodes and whether jobs that enter the system from other nodes must pass user identification and password verification checks. |
NODMBR | Member class for the NODES class. 4 |
OPERCMDS | Controlling who can issue operator commands (for example, JES and MVS operator commands). 2 |
PKISERV | Controls access to R_PKIServ administration functions. |
PMBR | Member class for the PROGRAM class. 4 |
PROGRAM | Protects executable programs. 1 |
PROPCNTL | Controlling if user ID propagation can occur, and if so, for which user IDs (such as the CICS® or IMS main task user ID), user ID propagation is not to occur. |
PSFMPL | Used by PSF to perform security functions for printing, such as separator page labeling, data page labeling, and enforcement of the user printable area. |
PTKTDATA | PassTicket key class enables the security administrator to associate a RACF secured signon secret key with a particular mainframe application that uses RACF for user authentication. Examples of such applications are IMS, CICS, TSO, z/VM, APPC, and MVS batch. |
RACFEVNT | Contains profiles that control RACF event processing, such as LDAP change log notification of password and password phrase changes and password enveloping for a given user. |
RACFHC | Used by IBM Health Checker for z/OS. Contains profiles that list the resources to check for each installation-defined health check. 1 |
RACFVARS | RACF variables. In this class, profile names, which start with & (ampersand), act as RACF variables that can be specified in profile names in other RACF general resource classes. |
RACGLIST | Class of profiles that hold the results of RACROUTE REQUEST=LIST,GLOBAL=YES or a SETROPTS RACLIST operation. |
RACHCMBR | Used by IBM Health Checker for z/OS. Member class for the RACFHC class. 1 |
RDATALIB | Used to control use of the R_datalib callable service (IRRSDL00 or IRRSDL64). |
RRSFDATA | Used to control RACF remote sharing facility (RRSF) functions. |
RVARSMBR | Member class for the RACFVARS class. 4 |
SCDMBR | Member class for the SECDATA class. 4 |
SDSF | Controls the use of authorized commands in the System Display and Search Facility (SDSF). See also GSDSF class. |
SECDATA | Security classification of users and data (security levels and security categories). 1 |
SECLABEL | If security labels are used, and, if so, their definitions. 2 |
SECLMBR | Member class for the SECLABEL class. 4 |
SERVAUTH | Contains profiles used by servers to check a client's authorization to use the server or to use resources that are managed by the server. Also, can be used to provide conditional access to resources for users entering the system from a given server. |
SERVER | Controlling the server's ability to register with the daemon. |
SMESSAGE | Controlling to which users a user can send messages (TSO only). |
SOMDOBJS | Controlling the client's ability to invoke the method in the class. |
STARTED | Used in preference to the started procedures table to assign an identity during the processing of an MVS START command. |
SURROGAT | If surrogate submission is allowed, and if allowed, which user IDs can act as surrogates. |
SYSAUTO | IBM Automation Control for z/OS resources. |
SYSMVIEW | Controlling access by the SystemView for MVS Launch Window to SystemView for MVS applications. |
TAPEVOL | Tape volumes. |
TEMPDSN | Controlling who can access residual temporary data sets. 5 |
TERMINAL | Terminals (TSO or z/VM). See also GTERMINL class. |
VTAMAPPL | Controlling who can open ACBs from non-APF authorized programs. |
WBEM | Controls access to the Common Information Model (CIM) functions. |
WRITER | Controlling the use of JES writers. |
XFACILIT | Miscellaneous uses. Profile names in this class can be longer than 39 characters in length. Profiles are defined in this class so that resource managers (typically elements of z/OS) can check a user's access to the resources when the users take some action. |
CICS classes | |
ACICSPCT | CICS program control table. 2 |
BCICSPCT | Resource group class for the ACICSPCT class. 1 |
CCICSCMD | Used to verify that a user is permitted to use CICS system programmer commands such as INQUIRE, SET, PERFORM, and COLLECT. 1 |
CPSMOBJ | Used by CICSPlex® System Manager, which provides a central point of control when running multiple CICS systems, to determine operational controls within a CICS complex. |
CPSMXMP | Used by CICSPlex System Manager to identify exemptions from security controls within a CICS complex. |
DCICSDCT | CICS destination control table. 2 |
ECICSDCT | Resource group class for the DCICSDCT class. 1 |
FCICSFCT | CICS file control table. 2 |
GCICSTRN | Resource group class for TCICSTRN class. 2 |
GCPSMOBJ | Resource grouping class for CPSMOBJ. |
HCICSFCT | Resource group class for the FCICSFCT class. 1 |
JCICSJCT | CICS journal control table. 2 |
KCICSJCT | Resource group class for the JCICSJCT class. 1 |
MCICSPPT | CICS processing program table. 2 |
NCICSPPT | Resource group class for the MCICSPPT class. 1 |
PCICSPSB | CICS program specification blocks (PSBs). |
QCICSPSB | Resource group class for the PCICSPSB class. 1 |
RCICSRES | CICS document templates. |
SCICSTST | CICS temporary storage table. 2 |
TCICSTRN | CICS transactions. |
UCICSTST | Resource group class for SCICSTST class. 1 |
VCICSCMD | Resource group class for the CCICSCMD class. 1 |
WCICSRES | Resource group class for the RCICSRES class. |
Db2 classes | |
DSNADM | Db2 administrative authority class. |
DSNR | Controls access to Db2 subsystems. |
GDSNBP | Grouping class for buffer pool privileges. |
GDSNCL | Grouping class for collection privileges. |
GDSNDB | Grouping class for database privileges. |
GDSNGV | Grouping class for global variables. |
GDSNJR | Grouping class for Java™ archive files (JARs). |
GDSNPK | Grouping class for package privileges. |
GDSNPN | Grouping class for plan privileges. |
GDSNSC | Grouping class for schemas privileges. |
GDSNSG | Grouping class for storage group privileges. |
GDSNSM | Grouping class for system privileges. |
GDSNSP | Grouping class for stored procedure privileges. |
GDSNSQ | Grouping class for sequences. |
GDSNTB | Grouping class for table, index, or view privileges. |
GDSNTS | Grouping class for tablespace privileges. |
GDSNUF | Grouping class for user-defined function privileges. |
GDSNUT | Grouping class for user-defined distinct type privileges. |
MDSNBP | Member class for buffer pool privileges. |
MDSNCL | Member class for collection privileges. |
MDSNDB | Member class for database privileges. |
MDSNGV | Member class for global variables. |
MDSNJR | Member class for Java archive files (JARs). |
MDSNPK | Member class for package privileges. |
MDSNPN | Member class for plan privileges. |
MDSNSC | Member class for schema privileges. |
MDSNSG | Member class for storage group privileges. |
MDSNSM | Member class for system privileges. |
MDSNSP | Member class for stored procedure privileges. |
MDSNSQ | Member class for sequences. |
MDSNTB | Member class for table, index, or view privileges. |
MDSNTS | Member class for tablespace privileges. |
MDSNUF | Member class for user-defined function privileges. |
MDSNUT | Member class for user-defined distinct type privileges. |
DCE class | |
DCEUUIDS | Used to define the mapping between a user's RACF user ID and the corresponding DCE principal UUID. Also, used to enable encrypted password support for Distributed File Service (DFS) Server Message Block (SMB) users. |
Enterprise Identity Mapping (EIM) class | |
RAUDITX | Controls auditing for Enterprise Identity Mapping (EIM). |
Enterprise Java Beans classes | |
EJBROLE | Member class for Enterprise Java Beans authorization roles. |
GEJBROLE | Grouping class for Enterprise Java Beans authorization roles. |
JAVA | Contains profiles that are used by applications to perform authorization checking for resources. |
IMS classes | |
AIMS | Application group names (AGN). |
CIMS | Command. |
DIMS | Grouping class for command. |
FIMS | Field (in data segment). |
GIMS | Grouping class for transaction. |
HIMS | Grouping class for field. |
IIMS | Program specification block (PSB). |
JIMS | Grouping class for program specification block (PSB). |
LIMS | Logical terminal (LTERM). |
MIMS | Grouping class for logical terminal (LTERM). |
OIMS | Other. |
PIMS | Database. |
QIMS | Grouping class for database. |
RIMS | Open Transaction Manager Access (OTMA) transaction pipe (TPIPE). |
SIMS | Segment (in database). |
TIMS | Transaction (trancode). |
UIMS | Grouping class for segment. |
WIMS | Grouping class for other. |
Integrated Cryptographic Service Facility (ICSF) classes | |
CRYPTOZ | Controls access to PKCS #11 tokens. |
CSFKEYS | Controls access to ICSF cryptographic keys. |
CSFSERV | Controls access to ICSF cryptographic services. |
GCSFKEYS | Resource group class for the CSFKEYS class. 1 |
GXCSFKEY | Resource group class for the XCSFKEY class. 1 |
XCSFKEY | Controls the exportation of ICSF cryptographic keys. |
Infoprint Server class | |
PRINTSRV | Controls access to printer definitions for Infoprint Server. |
Information/Management (Tivoli® Service Desk) classes | |
GINFOMAN | Grouping class for Information/Management (Tivoli Service Desk) resources. |
INFOMAN | Member class for Information/Management (Tivoli Service Desk) resources. |
LFS/ESA classes | |
LFSCLASS | Controls access to file services provided by LFS/ESA. |
License Manager class | |
ILMADMIN | Controls access to the administrative functions of IBM License Manager. |
Lotus Notes and Novell Directory Services (NDS) classes | |
NDSLINK | Mapping class for Novell Directory Services (NDS) user identities. |
NOTELINK | Mapping class for Lotus Notes user identities. |
MFA class | |
MFADEF | Contains profiles that define MFA factors. This class can also be used to define MFA application bypass profiles. |
IBM MQ classes | |
GMQADMIN | Grouping class for IBM MQ administrative options. 1 |
GMQCHAN | Reserved for IBM MQ. |
GMQNLIST | Grouping class for IBM MQ namelists. 1 |
GMQPROC | Grouping class for IBM MQ processes. 1 |
GMQQUEUE | Grouping class for IBM MQ queues. 1 |
MQADMIN | Protects IBM MQ administrative options. |
MQCHAN | Reserved for IBM MQ. |
MQCMDS | Protects IBM MQ commands. |
MQCONN | Protects IBM MQ connections. |
MQNLIST | Protects IBM MQ namelists. |
MQPROC | Protects IBM MQ processes. |
MQQUEUE | Protects IBM MQ queues. |
NetView® classes | |
NETCMDS | Controlling which NetView commands the NetView operator can issue. |
NETSPAN | Controlling which NetView commands the NetView operator can issue against the resources in this span. |
NVASAPDT | NetView/Access Services. |
PTKTVAL | Used by NetView/Access Services Secured Single Signon to store information needed when generating a PassTicket. |
RMTOPS | NetView Remote Operations. |
RODMMGR | NetView Resource Object Data Manager (RODM). |
Network Authentication Service (Kerberos) classes | |
KERBLINK | Contains profiles that map local and foreign principals to RACF user IDs. Also controls which users are authorized to use the SKRBKDC started procedure to decrypt service tickets for a given principal. 3 |
REALM | Used to define the local and foreign realms. 3 |
SMS (DFSMSdfp) classes | |
MGMTCLAS | SMS management classes. |
STORCLAS | SMS storage classes. |
SUBSYSNM | Authorizes a subsystem (such as a particular instance of CICS) to open a VSAM ACB and use VSAM record level sharing (RLS) functions. |
Tivoli classes | |
ROLE | Specifies the complete list of resources and associated access levels that are required to perform the particular job function this role represents and defines which RACF groups are associated with this role. |
TMEADMIN | Maps the user IDs of Tivoli administrators to RACF user IDs. |
TSO classes | |
ACCTNUM | TSO account numbers. |
PERFGRP | TSO performance groups. |
TSOAUTH | TSO user authorities such as OPER and MOUNT. |
TSOPROC | TSO logon procedures. |
IBM MQ mixed-case classes | |
GMXADMIN | Grouping class for IBM MQ administrative options. |
GMXNLIST | Grouping class for IBM MQ namelists. |
GMXPROC | Grouping class for IBM MQ processes. |
GMXQUEUE | Grouping class for IBM MQ queues. |
GMXTOPIC | Grouping class for IBM MQ topics. |
MXADMIN | Protects IBM MQ administrative options. |
MXNLIST | Protects IBM MQ namelists. |
MXPROC | Protects IBM MQ processes. |
MXQUEUE | Protects IBM MQ queues. |
MXTOPIC | Protects IBM MQ topics. |
z/OSMF classes | |
ZMFAPLA | Member class for z/OSMF authorization roles. |
GZMFAPLA | Grouping class for z/OSMF authorization roles. |
ZMFCLOUD | Protects z/OS cloud resources. |
z/OS UNIX classes | |
DIRACC | Controls auditing (using SETROPTS LOGOPTIONS) for access checks for read/write access to directories. This class need not be active to control auditing. 5 |
DIRSRCH | Controls auditing (using SETROPTS LOGOPTIONS) of directory searches. This class need not be active to control auditing. 5 |
FSACCESS | Controls access to z/OS UNIX file systems. |
FSEXEC | Controls execute access to z/OS UNIX file systems. |
FSOBJ | Controls auditing (using SETROPTS LOGOPTIONS) of all access checks for file system objects except directory searches. Controls auditing (using SETROPTS AUDIT) of creation and deletion of file system objects. This class need not be active to control auditing. 5 |
FSSEC | Controls auditing (using SETROPTS LOGOPTIONS) of changes to the security data (FSP) for file system objects. This class need not be active to control auditing. When this class is active, it also controls whether ACLs are used during authorization checks to files and directories. 5 |
IPCOBJ | Controls auditing (using SETROPTS LOGOPTIONS) of access checks for interprocess communication (IPC) objects and changes to security information of IPC objects. Controls auditing (using SETROPTS AUDIT) of the creation and deletion of IPC objects. This class need not be active to control auditing. 5 |
PROCACT | Controls auditing (using SETROPTS LOGOPTIONS) of functions that look at data from, or affect the processing of, processes. This class need not be active to control auditing. 5 |
PROCESS | Controls auditing (using SETROPTS LOGOPTIONS) of changes to UIDs and GIDs of processes. Controls auditing (using SETROPTS AUDIT) of dubbing and undubbing of processes. This class need not be active to control auditing. 5 |
UNIXMAP | Contains profiles that are used to map UIDs to RACF user IDs and GIDs to RACF group names. |
UNIXPRIV | Contains profiles that are used to grant privileges. |
Restrictions:
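The table says what each class is for but not how a class is put to work. The following REXX exec is an added example, not code from the original page or from IBM; it shows the pattern that applies to most general resource classes in the table (activate, RACLIST, define a profile with UACC(NONE), permit, refresh, verify) using three entries from the table: a FACILITY profile, a resource grouping profile in GCICSTRN (member class TCICSTRN), and a STARTED profile with STDATA. All profile names, user IDs and groups in it (MYAPP.ADMIN.**, PAYROLL, PAY1 PAY2 PAYQ, MYSTC.*, APPADMIN, PAYCLERK, MYSTCU, STCGRP) are hypothetical.

```rexx
/* REXX: added example, not part of the original RACF page.           */
/* Protects resources through three of the general resource classes   */
/* in the table: a FACILITY profile, a resource grouping profile       */
/* (GCICSTRN, whose member class is TCICSTRN), and a STARTED profile   */
/* that assigns an identity to a started task.  Every profile name,    */
/* user ID and group below (MYAPP.ADMIN.**, PAYROLL, PAY1 PAY2 PAYQ,   */
/* MYSTC.*, APPADMIN, PAYCLERK, MYSTCU, STCGRP) is hypothetical.       */
address tso

/* 1. A class protects nothing until it is active.  These classes are  */
/*    normally used RACLISTed (in-storage copy), and a profile name    */
/*    containing * or % is treated as generic only if generic profile  */
/*    checking is active for its class; otherwise RDEFINE creates a    */
/*    discrete profile whose name literally contains the asterisk.     */
call racf "SETROPTS GENERIC(FACILITY STARTED)"
call racf "SETROPTS CLASSACT(FACILITY TCICSTRN STARTED)",
          "RACLIST(FACILITY TCICSTRN STARTED)"

/* 2. FACILITY: the resource manager names the resource and asks for   */
/*    READ; the profile decides who gets it.  UACC(NONE) denies anyone */
/*    not on the access list, and AUDIT(ALL(READ)) logs successes as   */
/*    well as failures, which is what you want for a resource that    */
/*    grants a privilege.                                              */
call racf "RDEFINE FACILITY MYAPP.ADMIN.** UACC(NONE) AUDIT(ALL(READ))"
call racf "PERMIT MYAPP.ADMIN.** CLASS(FACILITY) ID(APPADMIN) ACCESS(READ)"

/* 3. Resource grouping class: one GCICSTRN profile lists CICS        */
/*    transaction IDs as members.  Access checks are made in the       */
/*    member class, TCICSTRN, and the grouping profile is merged into  */
/*    its in-storage copy when TCICSTRN is RACLISTed.                  */
call racf "RDEFINE GCICSTRN PAYROLL ADDMEM(PAY1 PAY2 PAYQ) UACC(NONE)"
call racf "PERMIT PAYROLL CLASS(GCICSTRN) ID(PAYCLERK) ACCESS(READ)"

/* 4. STARTED: assign a user ID and group to a started task by         */
/*    procedure name instead of through the started procedures table.  */
/*    TRUSTED(NO) and PRIVILEGED(NO) keep the task subject to normal   */
/*    access checking; TRACE(YES) issues a message naming the profile  */
/*    that matched, which is the quickest way to confirm the match.    */
call racf "RDEFINE STARTED MYSTC.* UACC(NONE)",
          "STDATA(USER(MYSTCU) GROUP(STCGRP) PRIVILEGED(NO)",
          "TRUSTED(NO) TRACE(YES))"

/* 5. For a RACLISTed class, nothing above is seen by resource        */
/*    managers until the in-storage copy is refreshed.                 */
call racf "SETROPTS RACLIST(FACILITY TCICSTRN STARTED) REFRESH"

/* 6. Verify: the profiles, their access lists, and, for one CICS      */
/*    transaction, the grouping profiles that cover it.                */
call racf "RLIST FACILITY MYAPP.ADMIN.** AUTHUSER"
call racf "RLIST GCICSTRN PAYROLL AUTHUSER"
call racf "RLIST TCICSTRN PAY1 RESGROUP"
call racf "RLIST STARTED MYSTC.* STDATA"
exit 0

/* Run one RACF command and stop at the first non-zero return code,    */
/* so that a PERMIT never quietly follows a failed RDEFINE.            */
racf: procedure
  parse arg cmd
  address tso cmd
  if rc <> 0 then do
    say 'Command failed, rc='rc':' cmd
    exit rc
  end
return
```

Run it as a REXX exec from TSO, or in batch under IKJEFT01, with a user ID that has the RACF authority to issue SETROPTS and define profiles in these classes. The wrapper stops on the first non-zero return code on purpose: a rerun stops at the first RDEFINE because the profile already exists, which is preferable to a PERMIT being applied to a profile that is not the one you think it is. The product that owns a class (CICS for TCICSTRN, for example) documents whether that class must be RACLISTed and when its in-storage copy is reloaded, so check there before relying on the REFRESH alone.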
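The z/OS UNIX rows of the table describe two different kinds of class: audit classes (DIRACC, DIRSRCH, FSOBJ, FSSEC, IPCOBJ, PROCACT, PROCESS) whose SETROPTS options work whether or not the class is active, and UNIXPRIV, whose profiles grant privileges and which must be active and RACLISTed to do so. The REXX exec below is an added example (not code from the original page or from IBM) that sets those audit options and grants one privilege. SUPERUSER.FILESYS.CHOWN is a documented UNIXPRIV resource name that is not listed on this page; the group OPSGRP is hypothetical.

```rexx
/* REXX: added example, not part of the original RACF page.           */
/* Audit settings for the z/OS UNIX classes in the table.  As the      */
/* table says, these classes do not have to be active for the          */
/* SETROPTS audit options to take effect; UNIXPRIV, by contrast, must  */
/* be active and RACLISTed before a profile in it grants anything.     */
/* SUPERUSER.FILESYS.CHOWN is a documented UNIXPRIV resource name that  */
/* is not listed on this page; the group OPSGRP is hypothetical.        */
address tso

/* Failed access checks on files (FSOBJ) and on directory read/write   */
/* access (DIRACC).  DIRSRCH (directory searches) is left at DEFAULT:  */
/* logging every search in a busy file system floods SMF.              */
"SETROPTS LOGOPTIONS(FAILURES(FSOBJ DIRACC))"

/* Every change to a file's security data (owner, mode bits, ACLs),    */
/* successful or not.                                                   */
"SETROPTS LOGOPTIONS(ALWAYS(FSSEC))"

/* Creation and deletion of file system objects and IPC objects, and   */
/* dubbing and undubbing of processes, are controlled by SETROPTS      */
/* AUDIT rather than LOGOPTIONS.                                        */
"SETROPTS AUDIT(FSOBJ IPCOBJ PROCESS)"

/* FSSEC is the one audit class whose activation also changes access   */
/* decisions: only while it is active are ACLs used in authorization   */
/* checks on files and directories.                                     */
"SETROPTS CLASSACT(FSSEC)"

/* A UNIXPRIV profile grants one privilege to a group instead of       */
/* giving its members UID 0.  The class must be active and RACLISTed,  */
/* and the in-storage copy refreshed after the PERMIT.                  */
"SETROPTS CLASSACT(UNIXPRIV) RACLIST(UNIXPRIV)"
"RDEFINE UNIXPRIV SUPERUSER.FILESYS.CHOWN UACC(NONE) AUDIT(ALL(READ))"
if rc = 0 then
  "PERMIT SUPERUSER.FILESYS.CHOWN CLASS(UNIXPRIV) ID(OPSGRP) ACCESS(READ)"
"SETROPTS RACLIST(UNIXPRIV) REFRESH"

/* Verify: SETROPTS LIST reports the LOGOPTIONS and AUDIT settings     */
/* class by class; RLIST shows who holds the privilege.                 */
"SETROPTS LIST"
"RLIST UNIXPRIV SUPERUSER.FILESYS.CHOWN AUTHUSER"
```

The LOGOPTIONS choices are a starting point, not a recommendation for every system: FAILURES on FSOBJ and DIRACC is cheap and catches probing, ALWAYS on FSSEC records every ownership, mode and ACL change, and the classes that would log high-volume normal activity (DIRSRCH, PROCACT) are deliberately left at their defaults. Because activating FSSEC turns ACL evaluation on, review existing ACLs before issuing that CLASSACT on a system that has not used them.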