z/OS Security Server RACF General User's Guide


Finding out how a data set is protected

SA23-2298-00

If you are the owner of a data set, you might want to determine what protection the data set has. For example, you might want to find out what users and groups can access the data set.

Note: Contact your security administrator if any problems occur with your data set protection.

To see how a data set is protected:

  1. Determine whether a discrete profile protects the data set by issuing the LISTDSD command as follows:
    LISTDSD DATASET('dataset-name') ALL
    You will see one of the following results on your screen:
    • A listing for that profile, if the data set is protected by a discrete profile.
    • A listing for the generic profile, if the data set is not protected by a discrete profile but is protected by a fully-qualified generic profile, and generic profile command processing is active. (A generic profile is identified by a "G" in parentheses following the profile name.)
    • A message stating that no profile was found, if the data set is not protected by a discrete profile.
      Note: If generic profile checking is active, and you get the message that no profile was found, you must do Step 2 to check for generic profiles.

    If the command succeeds, you will see a listing of the profile similar to that shown in Figure 1.

  2. Determine whether the data set is protected by a generic profile by entering the LISTDSD command with the GENERIC operand as follows:
    LISTDSD DATASET('dataset-name') ALL GENERIC
    You will see one of the following results on your screen:
    • A listing for that profile, if the data set is protected by a fully-qualified generic profile.
    • A listing for the most specific generic profile that protects the data set, if the data set is not protected by a fully-qualified generic profile but is protected by a generic profile.
    • A message stating that no profile was found, if the data set is not protected by a generic profile.

    If the command succeeds, you will see a listing of the profile, similar to that shown in Figure 1.

    If the command indicates that a profile is not found, protect the data set with a discrete or generic profile. See Creating a discrete profile to protect a data set or Creating a generic profile to protect a data set for more information. If the command fails, contact your RACF® security administrator.

Figure 1. LISTDSD command: sample output
INFORMATION FOR DATASET profile-name

LEVEL    OWNER        UNIVERSAL ACCESS     WARNING     ERASE
-----    -----        ----------------     -------     -----
 00      SMITH            READ               NO          NO

AUDITING
----------
SUCCESS(UPDATE)

NOTIFY
--------
NO USER TO BE NOTIFIED

YOUR ACCESS          CREATION GROUP         DATASET TYPE
--------------        ----------------       --------------
   READ                   DEPTD60                NON-VSAM

VOLUMES ON WHICH DATASET RESIDES              UNIT
----------------------------------            ------
           21345                              SYSDA

INSTALLATION DATA
-------------------
PL/1 LINK LIBRARY

           SECURITY LEVEL
------------------------------------------------
NO SECURITY LEVEL

CATEGORIES
-----------
NOCATEGORIES

SECLABEL
-----------
NO SECLABEL

CREATION DATE     LAST REFERENCE DATE     LAST CHANGE DATE
(DAY)  (YEAR)      (DAY)     (YEAR)        (DAY)   (YEAR)
-------------     -------------------     ---------------
 070    95          090        98            090     98

ALTER COUNT    CONTROL COUNT    UPDATE COUNT    READ COUNT
-----------    -------------    ------------    ----------
 00000            00000            00002          00000

   ID       ACCESS      ACCESS COUNT
--------   --------    --------------
JONES       UPDATE         00009

   ID     ACCESS      ACCESS COUNT   CLASS            ENTITY NAME
--------  -------    -------------- -------- -----------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST

DFP INFORMATION

RESOWNER
--------
SMITH

Check the following fields for the most important security information about how the data set is protected:
  • LEVEL field (if used at your installation)
  • OWNER field
  • UNIVERSAL ACCESS field
  • WARNING field
  • SECURITY LEVEL field (if used at your installation)
  • CATEGORIES field (if used at your installation)
  • SECLABEL field (if used at your installation)
  • ID field and its related ACCESS and ACCESS COUNT fields
  • PROGRAM field and its related ID, ACCESS, and ACCESS COUNT fields
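As an added example (not part of the IBM manual), a small Python parser that reads a LISTDSD listing laid out like Figure 1 and reports on the checklist fields above: UACC, WARNING, and the standard and conditional access lists. The sample listing and the data set name SMITH.PL1.LINKLIB are constructed for the example.

```python
SAMPLE = """INFORMATION FOR DATASET SMITH.PL1.LINKLIB

LEVEL    OWNER        UNIVERSAL ACCESS     WARNING     ERASE
-----    -----        ----------------     -------     -----
 00      SMITH            READ               NO          NO

   ID       ACCESS      ACCESS COUNT
--------   --------    --------------
JONES       UPDATE         00009

   ID     ACCESS      ACCESS COUNT   CLASS            ENTITY NAME
--------  -------    -------------- -------- -----------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST
"""  # constructed sample modelled on Figure 1; the data set name is made up

def parse_listdsd(text):
    """Extract the security-relevant fields from one LISTDSD ... ALL listing."""
    lines = text.splitlines()
    prof = {"name": None, "generic": False, "access_list": [], "conditional": []}
    i = 0
    while i < len(lines):
        s = lines[i].strip()
        if s.startswith("INFORMATION FOR DATASET"):
            name = s[len("INFORMATION FOR DATASET"):].strip()
            prof["generic"] = name.endswith("(G)")   # "(G)" marks a generic profile
            prof["name"] = name[:-3].strip() if prof["generic"] else name
        elif s.startswith("LEVEL") and "UNIVERSAL ACCESS" in s:
            level, owner, uacc, warning, erase = lines[i + 2].split()  # row under the dashes
            prof.update(level=level, owner=owner, uacc=uacc, warning=warning == "YES", erase=erase == "YES")
        elif s.startswith("ID") and "ACCESS" in s:   # generic listings omit ACCESS COUNT
            key = "conditional" if "CLASS" in s else "access_list"
            i += 2                                    # first entry follows the dashes row
            while i < len(lines) and lines[i].strip():
                if not lines[i].strip().startswith("NO ENTRIES"):
                    prof[key].append(tuple(lines[i].split()))
                i += 1
        i += 1
    return prof

def review(prof):
    """Findings for the fields the page says to check first: UACC, WARNING, access list."""
    findings = []
    if prof.get("uacc", "NONE") != "NONE":
        findings.append(f"UACC is {prof['uacc']}: every user not listed with NONE gets it")
    if prof.get("warning"):
        findings.append("WARNING is YES: insufficient authority is logged, not denied")
    for entry in prof["access_list"]:
        if entry[1] in ("ALTER", "CONTROL"):
            findings.append(f"{entry[0]} holds {entry[1]} access to the data set")
    return findings
```

Run it over a listing saved from your TSO session (for example, `review(parse_listdsd(open("listdsd.txt").read()))`) to get the same checklist the page walks through.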

Here are detailed descriptions of the fields appearing in the output:

INFORMATION FOR DATASET profile-name
This phrase appears for each data set profile listed.
Note: If the profile is a generic profile, the phrase looks like the following sample:
INFORMATION FOR DATASET profile-name (G)
LEVEL
A security classification indicator used by each individual installation. If anything other than 00 appears in this field, see your RACF security administrator for an explanation of the number.
OWNER
Each RACF-defined data set has an owner, which can be a user ID or a group. When you create a data set and then RACF-protect the data set without specifying an owner, RACF names you as the owner of the data set profile. The owner of the profile can modify the data set profile.
UNIVERSAL ACCESS
Each data set protected by RACF has a universal access authority (UACC). The UACC permits users or groups to use the data set in the manner specified in this field. In this example, the UACC is READ. Anyone can read this data set. (The only exception is if the user or group is specifically named in the access list with ACCESS of NONE.)
WARNING
If this field contains YES, RACF permits a user to access this resource even though his or her access authority is insufficient. RACF issues a warning message to the user who is attempting access; you are notified only if your user ID is the NOTIFY user ID.

If this field contains NO, RACF denies access to users with insufficient authority to access this resource.

ERASE
If this field contains YES, and erase-on-scratch is in effect on your system, data management physically erases the DASD data set extents when the data set is deleted. If this field contains NO, data management does not erase DASD data set extents when the data set is deleted.
Note: Your installation could specify erase-on-scratch for all data sets that have a security level equal to or greater than the security level specified by the installation. If this data set's security level is equal to or greater than the security level specified by the installation, this data set will be erased even if the ERASE field in the profile contains NO.
AUDITING
The type of access attempts that are recorded. In this example, the AUDITING is SUCCESS(UPDATE). RACF records all successful attempts to update the data set.
NOTIFY
The user ID of a RACF-defined user that RACF notifies when denying access to a data set protected by this profile.
YOUR ACCESS
How you can access this data set.

If you must work with the listed data set but do not have the required authority, ask the owner (OWNER field) to issue a PERMIT command to give you access to the data set.

CREATION GROUP
The group under which the profile was created.
DATASET TYPE
The data set type. It can be either VSAM, NON-VSAM, MODEL, or TAPE.
VOLUME ON WHICH THE DATASET RESIDES
The volume on which a non-VSAM data set resides or the volume on which the catalog for a VSAM data set resides.
UNIT
The unit type for a non-VSAM data set.
INSTALLATION-DATA
Any information your installation keeps in this data set profile.
CREATION DATE
The date the profile was created.
SECURITY-LEVEL
Your installation can define its own security levels. This security level is a name associated with the numeric value shown in the LEVEL field earlier in this output. The security level displayed is the minimum security level you need to access a data set protected by this profile.
CATEGORIES
Your installation can define its own security categories. The names displayed are the security categories you need to access a data set protected by this profile.
SECURITY-LABEL
Your installation can define its own security labels. This security label is a name used to represent the association between a particular security level and a set of zero or more security categories. The security label displayed is the minimum security label you need to access a data set protected by this profile.
LAST REFERENCE DATE
The last time the profile was accessed.
LAST CHANGE DATE
The last time the profile was changed.
ALTER COUNT
The total number of times the data set protected by the profile was altered (not present for generic profiles).
Note: If your RACF security administrator has chosen not to record statistics for the DATASET class, this value does not change.
CONTROL COUNT
The total number of times the data set protected by the profile was successfully accessed with CONTROL authority (not present for generic profiles).
Note: If your RACF security administrator has chosen not to record statistics for the DATASET class, this value does not change.
UPDATE COUNT
The total number of times the data set protected by the profile was successfully accessed with UPDATE authority (not present for generic profiles).
Note: If your RACF security administrator has chosen not to record statistics for the DATASET class, this value does not change.
READ COUNT
The total number of times the data set protected by the profile was successfully accessed with READ authority (not present for generic profiles).
Note: If your RACF security administrator has chosen not to record statistics for the DATASET class, this value does not change.
ID, ACCESS, and ACCESS COUNT
These fields describe the standard access list. ID is the user ID or group name given the access authority listed in the ACCESS field. ACCESS COUNT is the number of times the user listed in the ID field accessed the data set (ACCESS COUNT is not present for generic profiles).
Note: If your RACF security administrator has chosen not to record statistics for the DATASET class, this value does not change.
ID, ACCESS, ACCESS COUNT, CLASS, and ENTITY NAME
These fields refer to entries in the conditional access list. A conditional access list is an access list in the data set profile that specifies another condition which must be satisfied for a user to get the specified access authority.

The CLASS and ENTITY NAME fields describe one of the following conditions which must be satisfied before authorization to the data set is granted to the user in the ID field.

  1. If CLASS is APPCPORT, the ENTITY NAME is the name of the APPC port of entry, or logical unit (LU), through which the user must enter the system.
  2. If CLASS is CONSOLE, the ENTITY NAME is the name of the system console from which the request must be sent.
  3. If CLASS is JESINPUT, the ENTITY NAME is the name of the JES input device through which the user must enter the system.
  4. If CLASS is PROGRAM, the ENTITY NAME is the name of the program the user must be running.
  5. If CLASS is TERMINAL, the ENTITY NAME is the name of the terminal through which the user must enter the system.

ACCESS is the level of access to the data set that RACF grants when the condition is satisfied.

ACCESS COUNT is the number of times the user has accessed the data set under the condition described (ACCESS COUNT is not present for generic profiles).

Note: If your RACF security administrator has chosen not to record statistics for the DATASET class, the ACCESS COUNT value does not change.
DFP INFORMATION / RESOWNER
The RESOWNER field contains the user ID or group name of the owner of the resource. In this case, the resource is the data set; the owner of the data set need not be the same as the owner of the profile.





Copyright IBM Corporation 1990, 2014