z/OS Security Server RACF Command Language Reference


PERMIT (Maintain resource access lists)

SA23-2292-00

Purpose

Use the PERMIT command to maintain the lists of users and groups authorized to access a particular resource. RACF® provides two types of access lists: standard and conditional.

Standard Access List: The standard access list includes the user IDs and group names authorized to access the resource and the level of access granted to each.

Conditional Access List: The conditional access list includes the user IDs and group names authorized to access the resource and the level of access granted to each when a certain condition is met. The conditions that can be specified are:
  • The name of the program the user must be executing
  • The name of the terminal by which the user entered the system
  • The name of the JES input device through which the user entered the system
  • The name of the system console from which the request was originated
  • The name of the APPC partner LU (logical unit) from which the transaction program originated
  • The system identifier (SMFID) of the system on which the user is loading the controlled program
  • The SERVAUTH profile name that protected the network access security zone name containing the IP address by which the user entered the system
  • An application-specific CRITERIA name and value.
RACF considers the conditional access list if one of the following is true:
  • The class specified in the condition is active (for the SERVAUTH, TERMINAL, JESINPUT, CONSOLE, or APPCPORT conditions).
  • The RACF program control facility is active (for the PROGRAM or the SYSID condition). Your installation activates the RACF program control facility with the SETROPTS WHEN(PROGRAM) command.
  • An application-specific CRITERIA name and value is specified on the RACROUTE REQUEST=FASTAUTH request.

If one of the criteria above is met, RACF uses both the standard and conditional access lists when it checks a user's authority to access a resource; otherwise RACF uses only the standard access list. For more information on conditional access lists or program control, see z/OS Security Server RACF Security Administrator's Guide.
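The rule above decides which access lists RACF consults for a given request. The following Python model is an added illustration written for this page; it is not IBM code and does not talk to a RACF database. It applies exactly the gating rules listed above (class active, program control active, CRITERIA supplied on RACROUTE REQUEST=FASTAUTH) and the rule stated later under the ID operand that an ID(*) entry is used only when no more specific entry applies. The profile layout, the env dictionary, the sample profile and the choice of the highest authority among several matching user or group entries are assumptions of this model, not rules taken from the page.

```python
# Added illustration (not IBM code): which access lists RACF consults for a
# request, following the gating rules stated on this page. Profile layout,
# env fields and sample data are constructed for the example.

ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Conditions whose own class must be active for the conditional list to count.
CLASS_GATED = {"SERVAUTH", "TERMINAL", "JESINPUT", "CONSOLE", "APPCPORT"}
# Conditions gated by program control (SETROPTS WHEN(PROGRAM)).
PROGRAM_GATED = {"PROGRAM", "SYSID"}


def condition_considered(cond_type, env):
    """True when RACF would look at conditional entries of this type.

    env is a constructed dict: active_classes (set of class names),
    program_control (bool) and criteria_supplied (bool, i.e. a CRITERIA
    name/value was passed on RACROUTE REQUEST=FASTAUTH).
    """
    if cond_type in CLASS_GATED:
        return cond_type in env["active_classes"]
    if cond_type in PROGRAM_GATED:
        return env["program_control"]
    if cond_type == "CRITERIA":
        return env["criteria_supplied"]
    return False


def effective_access(profile, user, groups, request, env):
    """Return the access authority the consulted lists grant to user/groups.

    Specific entries (the user ID or one of its groups) are preferred over
    ID(*) entries. Taking the highest authority among several matching
    specific entries is an assumption of this model. Falls back to UACC
    when no entry applies.
    """
    names = {user, *groups}
    specific, star = [], []

    def classify(name, acc):
        if name in names:
            specific.append(acc)
        elif name == "*":          # an ID(*) entry
            star.append(acc)

    # The standard access list is always consulted.
    for name, acc in profile["standard"].items():
        classify(name, acc)

    # Conditional entries count only if their condition type is considered
    # in this environment and the request actually satisfies the condition.
    for (name, cond_type, cond_value), acc in profile["conditional"].items():
        if not condition_considered(cond_type, env):
            continue
        if request.get(cond_type) != cond_value:
            continue
        classify(name, acc)

    candidates = specific or star
    if not candidates:
        return profile["uacc"]
    return max(candidates, key=ACCESS_ORDER.index)


def access_allowed(profile, user, groups, request, env, required):
    """True when the effective authority is at least the required one."""
    have = effective_access(profile, user, groups, request, env)
    return ACCESS_ORDER.index(have) >= ACCESS_ORDER.index(required)


# Constructed sample: the effect of
#   PERMIT 'XXX.YYY' ID(SMITH) ACCESS(READ) WHEN(PROGRAM(ABC))
# on a profile that has no standard-list entry for SMITH.
SAMPLE_PROFILE = {
    "class": "DATASET",
    "uacc": "NONE",
    "standard": {"ADMINS": "ALTER"},
    "conditional": {("SMITH", "PROGRAM", "ABC"): "READ"},
}
```

With program control inactive, the WHEN(PROGRAM(ABC)) entry is never consulted and SMITH falls back to UACC(NONE); with it active, SMITH gets READ only while running ABC. This is the practical reason a conditional entry is not a grant until the corresponding class or program control is switched on.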

You can maintain either the standard access list or the conditional access list with a single PERMIT command. Changing both requires you to issue PERMIT twice, with one exception. You can change individual names in one access list and copy the other access list from another profile on one PERMIT command.

Using PERMIT, you can make the following changes to either a standard access list or a conditional access list:
  • Give authority to access a discrete or generic resource profile to specific RACF-defined users or groups
  • Remove authority to access a discrete or generic resource profile from specific users or groups
  • Change the level of access authority to a discrete or generic resource profile for specific users or groups
  • Copy the list of authorized users from one discrete or generic resource profile to another profile of either type and modify the new list as you require
  • Delete an existing access list.
Using PERMIT to modify an automatic TAPEVOL profile changes the profile to nonautomatic. For more information about TAPEVOL profiles, see z/OS Security Server RACF Security Administrator's Guide.
To have changes take effect after updating a user's access to a generic profile, one of the following steps is required:
  • If the command was issued for a data set profile, the user of the data set issues the LISTDSD command:
    LISTDSD DA(data-set-protected-by-the-profile) GENERIC
    Note: Use the data set name, not the profile name.
  • The security administrator issues the SETROPTS command:
    SETROPTS GENERIC(class-name) REFRESH
    See SETROPTS command for authorization requirements.
  • The user of the data set or resource logs off and logs on again.
Note: For more information, refer to z/OS Security Server RACF Security Administrator's Guide.

Issuing options

The following table identifies the eligible options for issuing the PERMIT command:

As a RACF TSO command?               Yes
As a RACF operator command?          Yes
With command direction?              Yes
With automatic command direction?    Yes
From the RACF parameter library?     Yes

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

You must be logged on to the console to issue this command as a RACF operator command.

Related commands

Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.

To perform any of the PERMIT functions, you must have sufficient authority over the resource. RACF makes the following checks until one of the conditions is met:
  • You have the SPECIAL attribute.
  • The profile is within the scope of a group in which you have the group-SPECIAL attribute.
  • You are the owner of the resource.
  • If the resource belongs to the DATASET class, the high-level qualifier of the profile name (or the qualifier supplied by the naming conventions routine or a command installation exit) is your user ID.
  • If the resource belongs to the DATASET class, you must be the current owner of the profile or have the SPECIAL attribute, or the profile must be within the scope of a group in which you have the group-SPECIAL attribute.
  • If the profile is in the FILE or DIRECTRY class, the second qualifier of the profile name is your user ID.
  • For a discrete profile, you are on the standard access list for the resource and you have ALTER authority.
  • For a discrete profile, your current connect group (or, if list-of-groups checking is active, any group to which you are connected) is on the standard access list and has ALTER authority.
  • For a discrete profile, the universal access authority is ALTER.

To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).

To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.

When you are copying a list of authorized users from one resource profile to another, you must have sufficient authority, as described in the preceding list, to both of the resources.

Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the PERMIT command is:

[subsystem-prefix]{PERMIT | PE}
  profile-name-1
  [ ACCESS(access-authority) | DELETE ]
  [ AT([node].userid …) | ONLYAT([node].userid …) ]
  [ CLASS(profile-name-1-class) ]
  [ FCLASS(profile-name-2-class) ]
  [ FGENERIC ]
  [ FROM(profile-name-2) ]
  [ FVOLUME(volume-serial) ]
  [ GENERIC ]
  [ ID( {name … |*} ) ]
  [ RESET [ (ALL | STANDARD | WHEN) ] ]
  [ VOLUME(volume-serial) ]

[ WHEN(
[ APPCPORT( {partner-luname … | *} ) ]
[ CONSOLE( {console-id … | *} ) ]
[ CRITERIA( criteria-name ( {criteria-value | * } ))]
[ JESINPUT( {JES-input-device-name … | *} ) ]
[ PROGRAM( {program-name … | *} ) ]
[ SERVAUTH( {SERVAUTH-profile-name … | *} ) ]
[ SYSID( {system-identifier … | *} ) ]
[ TERMINAL( {terminal-id … | *} ) ]
) ]

For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.

For information on issuing this command as a RACF operator command, refer to RACF operator commands.

Parameters

subsystem-prefix
Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.

Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.

profile-name-1
Specifies the name of an existing discrete or generic profile whose access list you want to modify. You can specify only one profile.

This operand is required and must be the first operand following PERMIT.

If the name specified is a tape volume serial number that is a member of a tape volume set, the authorization assigned by this command applies to all the volumes in the volume set.

If the profile does not belong to the DATASET class, you must also specify CLASS.

Mixed-case profile names are accepted and preserved when CLASS refers to a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS).

AT | ONLYAT
The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
AT([node].userid …)
Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed to the local node.

ONLYAT([node].userid …)
Specifies that the command is to be directed only to the node specified by node where it runs under the authority of the user specified by userid in the RACF subsystem address space.

If node is not specified, the command is directed only to the local node.

ACCESS | DELETE
ACCESS(access-authority)
Specifies the access authority you want to associate with the names that you identify on the ID operand. RACF sets the access authority in the standard access list.

If you specify WHEN, RACF sets the access authority in the conditional access list.

The valid access authorities are NONE, EXECUTE (for DATASET, PROGRAM, or APPCTP class only), READ, UPDATE, CONTROL, and ALTER. If you need more information, see z/OS Security Server RACF Security Administrator's Guide.

If you specify ACCESS and omit access-authority, the default value is ACCESS(READ).

If you specify the ID operand and omit both ACCESS and DELETE, the default value is ACCESS(READ).

If you specify both ACCESS and DELETE, RACF uses the last operand you specify.

DELETE
Specifies that you are removing the names you identify on the ID operand from an access list for the resource. RACF deletes the names from the standard access list.

If you specify WHEN, RACF deletes the names from the conditional access list.

If you specify the ID operand and omit both ACCESS and DELETE, the default value is ACCESS(READ).

If you specify both ACCESS and DELETE, RACF uses the last operand you specify.

CLASS(profile-name-1-class)
Specifies the name of the class to which profile-name-1 belongs. The valid class names are DATASET and those classes defined in the class descriptor table. For a list of general resource classes defined in the class descriptor table supplied by IBM®, see Supplied RACF resource classes.

If you omit CLASS, the default is DATASET.

FCLASS(profile-name-2-class)
Specifies the name of the class to which profile-name-2 belongs. The valid class names are DATASET and those classes defined in the class descriptor table. For a list of general resource classes defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.

If you specify FROM and omit FCLASS, RACF assumes that the class for profile-name-2 is the same as the class for profile-name-1. This operand is valid only when you also specify the FROM operand; otherwise, RACF ignores it.

FGENERIC
Specifies that RACF is to treat profile-name-2 as a generic name, even if it is fully qualified (meaning that it does not contain any generic characters). This operand is only needed if profile-name-2 is a DATASET profile.
FROM(profile-name-2)
Specifies the name of the existing discrete or generic profile that contains the access lists RACF is to copy as the access lists for profile-name-1. If you specify FROM and omit FCLASS, RACF assumes that profile-name-2 is the name of a profile in the same class as profile-name-1.

Mixed-case profile names are accepted and preserved when FCLASS refers to a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS).

If profile-name-2 contains a standard access list, RACF copies it to the profile you are changing. If profile-name-2 contains a conditional access list, RACF copies it to the profile you are changing.

RACF modifies the access list for profile-name-1 as follows:
  • Authorizations for profile-name-2 are added to the access list for profile-name-1.
    Note: The following conditional access list conditions are valid only for specific classes. Entries in the conditional access list of profile-name-2 for these conditions are copied to the conditional access list of profile-name-1 only if the condition is valid for the class of profile-name-1.
    • WHEN(SYSID) is valid only for the PROGRAM class. SYSID entries are copied only when the class of profile-name-1 is PROGRAM.
    • WHEN(PROGRAM) is valid only for data sets and the SERVAUTH class. PROGRAM entries are copied only when profile-name-1 is a data set profile or a SERVAUTH class profile.
    • WHEN(CRITERIA) is valid only for general resource classes (not data sets). CRITERIA entries are not copied when profile-name-1 is a data set profile.
  • If a group or user appears in both lists, RACF uses the authorization granted in profile-name-1.
  • If you specify a group or user on the ID operand and that group or user also appears in the profile-name-2 access list, RACF uses the authorization granted on the ID operand.
To specify FROM, you must have sufficient authority to both profile-name-1 and profile-name-2, as described under Authorization required.
FVOLUME(volume-serial)
Specifies the volume RACF is to use to locate profile-name-2. This is the volume on which the non-VSAM DASD data set, the tape data set, or the catalog for the VSAM data set resides.

If you specify FVOLUME and RACF does not find profile-name-2 on that volume, the command fails. If you omit this operand and profile-name-2 appears more than once in the RACF data set, the command fails.

FVOLUME is valid only when FCLASS either specifies or defaults to DATASET and when profile-name-2 specifies a discrete profile. Otherwise, RACF ignores FVOLUME.

GENERIC
Specifies that RACF is to treat profile-name-1 as a generic name, even if it does not contain any generic characters. This operand is only needed if profile-name-1 is a DATASET profile.
ID(name … | *)
Specifies the user IDs and group names of RACF-defined users or groups whose authority to access the resource you are giving, removing, or changing. If you omit this operand, RACF ignores the ACCESS and DELETE operands.
ID(*) can be used with standard or conditional access lists. You might specify ID(*) with a conditional access list, as follows:
PERMIT 'resource' ID(*) WHEN(PROGRAM(XYZ)) ACCESS(READ)
This command, depending on other environmental factors, may allow all RACF-defined users and groups READ access to the specified data set when executing program XYZ. RACF grants access to the data set, using the conditional access list, with the authority you specify on the ACCESS operand. The value specified with ACCESS is used only if no more specific values are found. If you do not specify the ACCESS operand, or if you specify ACCESS without an access authority, RACF uses a default value of ACCESS(READ). See z/OS Security Server RACF Security Administrator's Guide for more information on program access to data sets.

For profiles in the FIELD class, you may also specify the value &RACUID for the name variable with the ID operand on the PERMIT command. When you enter this value on the PERMIT command, you allow all users access to the specified field or segment of their own user profiles.

RESET
RESET | RESET(ALL)
Specifies that RACF is to delete from the profile both the entire current standard access list and the entire current conditional access list.

RACF deletes both access lists before it processes any operands (ID and ACCESS or FROM) that create new entries in an access list. If you delete both access lists and specify FROM when profile-name-2 contains two access lists, the PERMIT command copies both access lists to profile-name-1. In any other situation, you cannot, on one PERMIT command, add entries to both access lists.

If you specify RESET and do not specify ALL, STANDARD, or WHEN, the default value is RESET(ALL).

If you specify RESET or RESET(ALL), add entries, and omit WHEN, RACF deletes both access lists, then adds entries to the standard access list.

If you specify RESET or RESET(ALL), add entries, and specify WHEN, RACF deletes both access lists, then adds entries to the conditional access list.

For profiles that include two access lists, use RESET and RESET(ALL) carefully. Unless you are copying both lists from another profile, it is a good practice to use RESET(STANDARD) to maintain the standard access list and RESET(WHEN) to maintain the conditional access list.

RESET(STANDARD)
Specifies that RACF is to delete the entire current standard access list from the profile.

If you specify RESET(STANDARD) with ID and ACCESS or with FROM, RACF deletes the current standard access list from the profile before it adds the new names.

If you specify RESET(STANDARD) with ID and DELETE, RACF ignores RESET(STANDARD) and deletes only the names that you specify.

If you specify RESET(STANDARD) without ID and ACCESS, or without FROM, the resulting standard access list is empty. An empty standard access list means that, for a general resource or a group data set profile, you must be the owner or have the SPECIAL attribute, or the profile must be within the scope of a group in which you have the group-SPECIAL attribute, in order to update the access list again.

For a DATASET profile, an empty conditional access list means that no users or groups can access the data set by executing a program.

RESET(WHEN)
Specifies that RACF is to delete the entire current conditional access list from the profile.

If you specify RESET(WHEN) with ID and ACCESS or with FROM, RACF deletes the current conditional access list from the profile before it adds the new names.

If you specify RESET(WHEN) with ID, DELETE, and WHEN, RACF ignores RESET(WHEN) and deletes only the names that you specify.

If you specify RESET(WHEN) without ID and ACCESS, or without FROM, the resulting conditional access list is empty.
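The FROM, ID and RESET operands interact in an order that is easy to get wrong: RESET is honoured first, FROM then fills in entries that profile-name-1 does not already have (filtered by the class rules listed under FROM), and names on the ID operand override anything copied. The following Python model is an added example written for this page, not IBM's implementation; profiles are constructed dictionaries, WHEN is passed as a (condition-type, values) pair, and the sample profiles are modelled on Examples 4 and 5 below. Behaviour the page does not specify (for instance RESET(ALL) combined with DELETE) is handled as a plain clear-then-delete and is an assumption of this model.

```python
# Added illustration (not IBM code): how one PERMIT changes a profile's two
# access lists under the RESET, FROM and ID/ACCESS/DELETE rules on this page.
# Profiles are constructed dicts keyed by (class, name).

def new_profile(cls, standard=None, conditional=None):
    """Build a constructed profile with a standard and a conditional list."""
    return {"class": cls,
            "standard": dict(standard or {}),
            "conditional": dict(conditional or {})}


def condition_valid_for_class(cond_type, cls):
    """Which conditional entries may be copied into a profile of class cls."""
    if cond_type == "SYSID":
        return cls == "PROGRAM"
    if cond_type == "PROGRAM":
        return cls in ("DATASET", "SERVAUTH")
    if cond_type == "CRITERIA":
        return cls != "DATASET"
    return True


def permit(profiles, name, cls="DATASET", ids=(), access=None, delete=False,
           reset=None, from_name=None, fclass=None, when=None):
    """Apply one PERMIT to profiles[(cls, name)] and return that profile."""
    target = profiles[(cls, name)]
    # ID without ACCESS/DELETE, or ACCESS with no value, defaults to READ.
    if ids and not delete and access is None:
        access = "READ"

    # RESET is honoured before any operand that creates entries. RESET(STANDARD)
    # with ID and DELETE, and RESET(WHEN) with ID, DELETE and WHEN, are ignored.
    if reset == "ALL":
        target["standard"].clear()
        target["conditional"].clear()
    elif reset == "STANDARD" and not (ids and delete):
        target["standard"].clear()
    elif reset == "WHEN" and not (ids and delete and when):
        target["conditional"].clear()

    # FROM copies the lists of profile-name-2, but an entry already present in
    # profile-name-1 keeps its own authority, and conditional entries are copied
    # only where the condition is valid for the target's class.
    if from_name is not None:
        source = profiles[(fclass or cls, from_name)]
        for uid, acc in source["standard"].items():
            target["standard"].setdefault(uid, acc)
        for key, acc in source["conditional"].items():
            if condition_valid_for_class(key[1], target["class"]):
                target["conditional"].setdefault(key, acc)

    # ID names go to the standard list, or to the conditional list when WHEN
    # is present; they override anything copied by FROM.
    for uid in ids:
        if when is None:
            if delete:
                target["standard"].pop(uid, None)
            else:
                target["standard"][uid] = access
            continue
        cond_type, values = when
        if delete and list(values) == ["*"]:
            # WHEN(type(*)) with DELETE removes every entry of that type.
            for key in [k for k in target["conditional"]
                        if k[0] == uid and k[1] == cond_type]:
                del target["conditional"][key]
            continue
        for value in values:
            key = (uid, cond_type, value)
            if delete:
                target["conditional"].pop(key, None)
            else:
                target["conditional"][key] = access
    return target


def sample_profiles():
    """Constructed profiles modelled on Examples 4 and 5 of this page."""
    return {
        ("DATASET", "SALES.EUROPE.ABC"): new_profile(
            "DATASET",
            standard={"OLDUSER": "ALTER"},
            conditional={("TH01", "PROGRAM", "OLDPGM"): "READ"}),
        ("DATASET", "SALES.*.ABC"): new_profile(
            "DATASET",
            standard={"RESEARCH": "UPDATE", "OLDUSER": "READ"}),
        ("FACILITY", "SALES.ADMIN"): new_profile("FACILITY"),
    }
```

Running PERMIT 'SALES.EUROPE.ABC' FROM('SALES.*.ABC') RESET(STANDARD) against the sample replaces the standard list with the generic profile's entries and leaves the conditional list untouched; without RESET, OLDUSER would have kept ALTER because profile-name-1 wins on a conflict. That difference is why the page recommends RESET(STANDARD) and RESET(WHEN) over a bare RESET on profiles that carry both lists.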

VOLUME(volume-serial)
Specifies the volume on which the tape data set, the non-VSAM DASD data set, or the catalog for the VSAM data set resides.

If you specify VOLUME and volume-serial does not appear in the profile for the data set, the command fails.

If you omit VOLUME and the data set name appears more than once in the RACF data set, the command fails.

This operand is valid only for CLASS(DATASET). RACF ignores it for all other CLASS values.

If profile-name-1 is a generic profile, RACF ignores this operand.

WHEN(APPCPORT(partner-luname … | *))
Specifies that the indicated users or groups have the specified access authority when executing commands and jobs originating from the specified partner LU.

Specify one or more LU names. No generic names or profile names are supported.

WHEN(APPCPORT(*)) deletes all APPCPORT entries for the specified users or groups. It is valid only with the DELETE operand.

Note: The LU name must be qualified with the network name if the installation is using the network qualified names feature on the APPC connection. For more information, refer to z/OS Security Server RACF Security Administrator's Guide.
WHEN(CONSOLE(console-id … | *))
Specifies that the indicated users or groups have the specified access authority when executing commands and jobs originating from the specified system console.

Specify one or more console identifiers. No generic names or profile names are supported.

WHEN(CONSOLE(*)) deletes all CONSOLE entries for the specified users or groups. It is valid only with the DELETE operand.

WHEN(CRITERIA(criteria-name (criteria-value | *)))
Specifies that the indicated users or groups have the specified access authority when they are defined in an application that uses the specified criteria. Applications, such as DB2®, can execute the RACROUTE REQUEST=FASTAUTH request to check user and group authority to access a resource associated with a particular criteria, such as a DB2 role.

Important: Specify the same criteria name and value that the application specifies on the RACROUTE REQUEST=FASTAUTH request. For details about valid criteria names and values, see your application documentation. For information about RACROUTE, see z/OS Security Server RACROUTE Macro Reference.

The criteria-name is a string of 1 - 8 characters. The string can contain any combination of A - Z, 0 - 9, # (X'7B'), $ (X'5B'), or @ (X'7C'). It must not contain blanks. Lowercase alphabetic characters in the criteria-name are translated to upper case.

The criteria-value is a string of 1 - 235 characters of any combination. If the criteria-value consists of a single asterisk (*), you can optionally enclose it in single quotation marks. If the criteria-value contains blanks or other special characters, you must enclose the entire string in single quotation marks.

When the criteria-value is enclosed in single quotation marks, the following rules apply.
  • The string must contain at least one non-blank character.
  • The string must not contain blanks between the last character and the ending quote.
  • If a single quotation mark is intended to be part of the criteria-value, use two single quotation marks together for each single quotation mark within the string, and enclose the entire string within single quotation marks.
The criteria-value is stored in the RACF database exactly as you specify it:
  • Both uppercase and lowercase characters are preserved in the case in which they are specified.
  • Leading blanks are preserved when the string is quoted.
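Because the criteria-value is stored byte-for-byte as typed, a quoting mistake silently produces an entry that will never match what the application sends on RACROUTE REQUEST=FASTAUTH. The following checker is an added example for this page, not RACF's command parser; it applies the character-set, length, quoting and blank rules listed above to a criteria-name and criteria-value and returns the strings as they would be stored. Rejecting an unquoted value that contains a quotation mark is an assumption of this example, taken from the rule that special characters require the quoted form.

```python
# Added illustration (not IBM code): validate and normalise a criteria-name
# and criteria-value according to the rules listed on this page.

NAME_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#$@")


def parse_criteria_name(text):
    """Return the name as stored: 1-8 chars of A-Z 0-9 # $ @, upper-cased."""
    name = text.upper()                     # lowercase is translated to upper case
    if not 1 <= len(name) <= 8:
        raise ValueError("criteria-name must be 1 to 8 characters")
    if any(ch not in NAME_CHARS for ch in name):
        raise ValueError("criteria-name contains an invalid character or blank")
    return name


def parse_criteria_value(token):
    """Return the criteria-value exactly as it would be stored.

    token is the operand text as typed, either unquoted or enclosed in single
    quotation marks. Case is preserved; leading blanks survive only when quoted.
    """
    if len(token) >= 2 and token.startswith("'") and token.endswith("'"):
        body = token[1:-1]
        # Inside quotes a quotation mark is written as two quotation marks;
        # anything left after removing the pairs is an unpaired quote.
        if "'" in body.replace("''", ""):
            raise ValueError("unpaired single quotation mark inside the value")
        value = body.replace("''", "'")
        if not value.strip(" "):
            raise ValueError("quoted value must contain a non-blank character")
        if value != value.rstrip(" "):
            raise ValueError("no blanks allowed before the ending quotation mark")
    else:
        # Unquoted values may not contain blanks; a quotation mark would need
        # the quoted form (assumption of this example).
        if " " in token or "'" in token:
            raise ValueError("values with blanks or quotation marks must be quoted")
        value = token
    if not 1 <= len(value) <= 235:
        raise ValueError("criteria-value must be 1 to 235 characters")
    return value


def parse_criteria(operand):
    """Split criteria-name(criteria-value) into a (name, value) pair."""
    if "(" not in operand or not operand.endswith(")"):
        raise ValueError("expected criteria-name(criteria-value)")
    name, value = operand[:-1].split("(", 1)
    return parse_criteria_name(name), parse_criteria_value(value)
```

parse_criteria("SQLROLE(TELLER)") returns ("SQLROLE", "TELLER"), and a value typed as '  Tel''er' is stored with its two leading blanks and a single embedded quotation mark, which is what the application must send for the entry to match.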
WHEN(CRITERIA(SQLROLE(DB2-role-name)))
Beginning with DB2 Version 9, you can authorize conditional access to DB2 resources for users and groups associated (in DB2) with a DB2 role by specifying SQLROLE as the criteria-name and a DB2 role name as the criteria-value. Specify DB2-role-name to match a DB2-defined role name. (For more information about using DB2 roles, see the DB2 Version 9 publication library.)

Example: WHEN(CRITERIA(SQLROLE(TELLER)))

WHEN(CRITERIA(SQLROLE(*))) and WHEN(CRITERIA(SQLROLE('*'))) delete all SQLROLE CRITERIA entries for the specified users or groups.

WHEN(JESINPUT(JES-input-device-name … | *))
Specifies that the indicated users or groups have the specified access authority when entering the system through the specific JES input device.

Specify one or more device names. No generic names or profile names are supported.

WHEN(JESINPUT(*)) deletes all JESINPUT entries for the specified users or groups. It is valid only with the DELETE operand.

WHEN(PROGRAM(program-name … | *))
Specifies that you want to create or delete entries in the conditional access list of the specified data set or SERVAUTH profile. This operand applies only to resources in the data set and SERVAUTH classes.

Specify one or more program names. No generic names or profile names are supported.

For example, if you enter the following command:
PERMIT 'XXX.YYY' ID(SMITH) ACCESS(READ) WHEN(PROGRAM(ABC))

RACF allows user SMITH READ access to the data set protected by profile XXX.YYY when executing program ABC. RACF grants access, through the conditional access list, with the authority you specify on the ACCESS operand. If you do not specify the ACCESS operand, or if you specify ACCESS without an access authority, RACF uses a default value of ACCESS(READ).

See z/OS Security Server RACF Security Administrator's Guide for more information on data set access and program access to SERVAUTH resources when program control is active.

WHEN(PROGRAM) affects only users and groups specified on the ID operand; it has no effect on names copied from a standard access list in another profile (using the FROM operand). Thus, you can copy a standard access list from another profile that contains only a standard access list and add or delete names in the conditional access list on a single PERMIT command.

To delete an entry from the conditional access list of a data set profile, issue the PERMIT command as follows:
PERMIT 'XXX.YYY' ID(JONES) DELETE WHEN(PROGRAM(ABC))
When you issue this command, RACF no longer allows user JONES access to the data set protected by profile XXX.YYY when executing program ABC. If you specify WHEN(PROGRAM(*)) with DELETE, RACF deletes all program names for each user or group specified on the ID operand.

See also the description of the ID operand.

WHEN(PROGRAM(*)) deletes all PROGRAM entries for the specified users or groups. It is valid only with the DELETE operand.

WHEN(SERVAUTH(SERVAUTH-profile-name … | *))
WHEN(SERVAUTH(SERVAUTH-profile-name …))
Specifies that the indicated users or groups have the specified access authority when using an IP address protected by the named SERVAUTH profile. The profile name may be generic; however, it must match exactly the name of a profile to allow access.

Guideline: Use careful consideration before specifying the SERVAUTH profile name * on the RDEFINE and PERMIT WHEN(SERVAUTH(…)) commands. The SERVAUTH profile name * cannot be removed from the conditional access list without deleting all SERVAUTH entries for the specified users or groups. Instead, we recommend that you create the profile ** in the SERVAUTH class. Then use the ** profile name for the conditional access list.

WHEN(SERVAUTH(*))
Deletes all SERVAUTH entries for the specified users or groups when specified with the DELETE operand.
WHEN(SYSID(system-identifier … | *))
Specifies that the indicated users or groups have the specified access authority when loading this controlled program on the specified system.

Specify one or more system identifiers. No generic names or profile names are supported.

This operand applies only to resources in the PROGRAM class. The system-identifier is the 4-character value specified for the SID parameter of the SMFPRMxx member of SYS1.PARMLIB. See z/OS MVS Initialization and Tuning Reference for additional information on SMFPRMxx.

WHEN(SYSID(*)) deletes all SYSID entries for the specified users or groups. It is valid only with the DELETE operand.

WHEN(TERMINAL(terminal-id … | *))
Specifies that the indicated users or groups have the specified access authority when logged on to the named terminal.

Specify one or more terminal identifiers. No generic names or profile names are supported.

WHEN(TERMINAL(*)) deletes all TERMINAL entries for the specified users or groups. It is valid only with the DELETE operand.

Examples

Example 1
  Operation: User WJE10 wants to give UPDATE access authority to data set WJE10.DEPT2.DATA to all the users in the group RESEARCH. Data set WJE10.DEPT2.DATA is protected by a discrete profile.
  Known:     User WJE10 and group RESEARCH are RACF-defined. Data set WJE10.DEPT2.DATA is RACF-defined. User WJE10 wants to issue the command as a RACF TSO command.
  Command:   PERMIT 'WJE10.DEPT2.DATA' ID(RESEARCH) ACCESS(UPDATE)
  Defaults:  CLASS(DATASET)

Example 2
  Operation: User WRH0 wants to give all users authorized to access the data set RESEARCH.PROJ01.DATA on volume DASD22 the authority to access RESEARCH.PROJ01.DATA on volume DASD11. User WRH0 also wants to give user AEH10 READ authority to RESEARCH.PROJ01.DATA.
  Known:     User WRH0 has ALTER access to both RESEARCH.PROJ01.DATA data sets. Both data sets are protected by discrete profiles. User WRH0 wants to issue the command as a RACF TSO command.
  Command:   PERMIT 'RESEARCH.PROJ01.DATA' ID(AEH10) FROM('RESEARCH.PROJ01.DATA') VOLUME(DASD11) FVOLUME(DASD22)
  Defaults:  ACCESS(READ) CLASS(DATASET) FCLASS(DATASET)

Example 3
  Operation: User LAB2 wants to delete user MMC02's access to tape volume TAP8X.
  Known:     User LAB2 is the owner of the profile for tape volume TAP8X. User LAB2 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @.
  Command:   @PERMIT TAP8X CLASS(TAPEVOL) ID(MMC02) DELETE
  Defaults:  None.

Example 4
  Operation: User ADM1 wants to delete the existing standard access list from the discrete profile protecting the data set SALES.EUROPE.ABC, then copy the standard access list from the generic profile SALES.*.ABC to the discrete profile for SALES.EUROPE.ABC. User ADM1 wants to direct the command to run under the authority of user THB11.
  Known:     User THB11 has the SPECIAL attribute. SALES.EUROPE.ABC is in the DATASET class. User ADM1 wants to issue the command as a RACF TSO command. ADM1 and THB11 have an already established user ID association.
  Command:   PERMIT 'SALES.EUROPE.ABC' FROM('SALES.*.ABC') RESET(STANDARD) AT(.THB11)
  Defaults:  CLASS(DATASET) FCLASS(DATASET). Command direction defaults to the local node.

Example 5
  Operation: User ADM1 wants to replace the conditional access list in the discrete profile that protects the data set SALES.EUROPE.ABC. Two users, TH01 and TH03, are to be allowed to update the data set when executing the program named FUTURES.
  Known:     User ADM1 has the SPECIAL attribute. Users TH01 and TH03 are defined to RACF. The program FUTURES has been defined to RACF as a controlled program. User ADM1 wants to issue the command as a RACF TSO command.
  Command:   PERMIT 'SALES.EUROPE.ABC' RESET(WHEN) ID(TH01 TH03) ACCESS(UPDATE) WHEN(PROGRAM(FUTURES))
  Defaults:  CLASS(DATASET)

Example 6
  Operation: User ADM1 wants to control the access of shared user IDs PUBLIC and RESELL to data sets containing sales data. All users working within the company need access to sales data along with RESELL, but PUBLIC cannot have access.
  Known:     User ADM1 has the SPECIAL attribute. User IDs PUBLIC and RESELL have the RESTRICTED attribute. SALES.RESELL.* is a generic data set profile with UACC(READ).
  Command:   PERMIT 'SALES.RESELL.*' ID(RESELL) ACCESS(READ)
  Defaults:  None.

Example 7
  Operation: Rui wants to authorize user JEAN to alter a DB2 table owned by ZHAOHUI only when JEAN is assigned in DB2 to the role called TELLER.
  Known:     Rui has the SPECIAL attribute. A general resource called DSN.ZHAOHUI.TABLE.ALTER is defined in the MDSNTB class with UACC(NONE). The user JEAN is assigned in DB2 to the role called TELLER. The installation uses the RACF access control module (ACM) with DB2. The ACM is configured for multiple-subsystem scope and the DB2 subsystem is operational.
  Command:   PERMIT DSN.ZHAOHUI.TABLE.ALTER CLASS(MDSNTB) ID(JEAN) ACCESS(READ) WHEN(CRITERIA(SQLROLE(TELLER)))
  Defaults:  None.





Copyright IBM Corporation 1990, 2014