z/OS Security Server RACF General User's Guide


Choosing between discrete and generic profiles

SA23-2298-00

Data set profiles contain a description of a data set, including the authorized users and the access authority of each user. They can either be discrete or generic. Check with your security administrator to find out your installation's policy on whether to use discrete or generic profiles. Most security administrators prefer to use generic profiles.

A discrete profile protects a single data set that has unique security requirements. The name of a discrete profile must exactly match the name of the data set it protects. The data set SMITH.PAYROLL.INFO would be protected by the discrete data set profile SMITH.PAYROLL.INFO.

You would choose a discrete profile to protect one data set with unique security requirements.

To create a discrete profile, see Creating a discrete profile to protect a data set.

A generic profile protects several data sets that have a similar naming structure and security requirements. The name of a generic data set profile need not exactly match the names of the data sets it protects. Rather, it can contain generic characters that match any other characters. You can protect many data sets with similar characteristics with a generic profile. Two advantages of a generic profile are:
  • Data sets protected by a generic profile do not have to be individually defined to RACF®.
  • The generic profile protects all copies of the data sets on all volumes in all locations in the system.

If a data set is protected by both a generic profile and a discrete profile, the discrete profile sets the level of protection for the data set. If a data set is protected by multiple generic profiles, the most specific generic profile sets the level of protection for the data set.

In general, given two profiles that match a data set, you can find the more specific one by comparing the profile names from left to right. Where they differ, a non-generic character is more specific than a generic character. In comparing generics, a % is more specific than an *, and an * is more specific than **. Another way to determine the most specific profile is with the SEARCH command, as there are some rare exceptions to the general rule. SEARCH always lists the profiles in the order of the most specific to the least specific.
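The precedence described in the two paragraphs above, as an added Python example (not part of the IBM guide and not RACF code): a discrete profile wins over any generic match, and otherwise the generic profile whose name is most specific under the left-to-right rule is chosen. The matching in `to_regex` is a simplified assumption, all profile names except SMITH.PAYROLL.INFO are constructed, and the SEARCH command remains the authoritative ordering because of the rare exceptions the guide mentions.

```python
import re

# Rank from the rule above: literal < % < * < ** (lower = more specific).
RANK = {"%": 1, "*": 2, "**": 3}

def tokens(profile):
    """Split a profile name into literal characters and generic tokens."""
    return re.findall(r"\*\*|\*|%|.", profile)

def specificity_key(profile):
    """Left-to-right rank list; the smallest key is the most specific name."""
    return [RANK.get(t, 0) for t in tokens(profile)]

def to_regex(profile):
    """Assumed, simplified matching: % is one character, * is the rest of
    one qualifier, and .** is zero or more further qualifiers."""
    out = []
    for t in tokens(profile):
        if t == "**" and out and out[-1] == r"\.":
            out[-1] = r"(?:\.[^.]+)*"
        elif t == "**":
            out.append(r".*")
        elif t == "*":
            out.append(r"[^.]*")
        elif t == "%":
            out.append(r"[^.]")
        else:
            out.append(re.escape(t))
    return re.compile("".join(out))

def governing_profile(dsname, discrete, generic):
    """Return (kind, profile) that sets protection for dsname, or None."""
    if dsname in discrete:  # a discrete profile overrides any generic match
        return ("discrete", dsname)
    matches = [p for p in generic if to_regex(p).fullmatch(dsname)]
    if not matches:
        return None
    return ("generic", min(matches, key=specificity_key))

# Constructed sample profiles (only SMITH.PAYROLL.INFO is from the page).
# SMITH.PAYROLL.DATA in GENERIC stands for a fully-qualified generic profile.
DISCRETE = {"SMITH.PAYROLL.INFO"}
GENERIC = ["SMITH.**", "SMITH.PAYROLL.*", "SMITH.PAY%OLL.INFO", "SMITH.PAYROLL.DATA"]

if __name__ == "__main__":
    for ds in ["SMITH.PAYROLL.INFO", "SMITH.PAYROLL.DATA", "SMITH.PAYROLL.OLD", "SMITH.NOTES.A.B"]:
        print(ds, "->", governing_profile(ds, DISCRETE, GENERIC))
```

With the discrete profile removed, SMITH.PAYROLL.INFO falls under SMITH.PAYROLL.* rather than SMITH.PAY%OLL.INFO, because the first difference between those two names is the % position, where the non-generic character is more specific.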

A generic profile might already exist to protect your data set. However, that profile might not provide the exact protection you want. In this case, you can create a more specific generic profile or a discrete profile for the data set.

You would choose a generic profile for one of the following reasons:
  • To protect more than one data set with the same security requirements. The data sets protected by a generic profile must have some identical characters in their names. The profile name contains one or more generic characters (*, **, or %).
  • If you have a single data set that might be deleted, then re-created, and you want the protection to remain the same, you can create a fully-qualified generic profile. The name of a fully-qualified generic profile matches the name of the data set it protects. Unlike a discrete profile, a fully-qualified generic profile is not deleted when the data set itself is deleted. Also, with a fully-qualified generic profile, you can have multiple data sets with the same name all protected with the same profile.

To create a generic profile, see Creating a generic profile to protect a data set.

Note:
  1. Deleting a data set that is protected with a discrete profile causes RACF to delete the data set profile from the RACF database.
  2. If your installation is using automatic direction of application updates, you might receive output from an automatic direction of application update request when you take any of the following actions:
    • Define a data set when you have the ADSP attribute
    • Delete a data set that is protected with a discrete profile
    • Rename a data set that is protected with a discrete profile

    See Automatic direction of application updates for more information.

  3. All the members of a partitioned data set (PDS) are protected by the profile that protects the data set. The members of a PDS cannot have different protection. If different protection is desired, those members should be moved to a different PDS.
  4. All the components of a VSAM data set are protected by the profile that protects the cluster name. You do not need to create profiles that protect the index and data components of a cluster.
  5. For a generic profile, unit and volume information, if specified, is ignored because the data sets that are protected under the generic profile can be on many different volumes.





Copyright IBM Corporation 1990, 2014