z/OS Security Server RACF Security Administrator's Guide


Access authorities for DASD data sets

SA23-2289-00

You permit users and groups to access a RACF-protected data set by:
  • Adding them to the access list of the discrete or generic profile that applies to the data set and
  • Giving them one of the access authorities described in Table 1.
Table 1 describes the access authorities associated with data set profiles. Many operations for cataloged data sets involve access not only to the data set profile protecting the data set, but also to the catalog in which the data set is cataloged. For access authorities required by users who are creating, deleting, or renaming data sets, see Controlling the creation of new data sets. For more information about authorizing users to perform data set and catalog operations with protected catalogs, see the following documents:
Table 1. Access authorities for DASD data sets
Authority Access
NONE Does not allow users to access the data set.
EXECUTE For a private load library, allows users to load and execute, but not read or copy, programs (load modules) in the library.
Note: For more information about EXECUTE authority, see Using EXECUTE access for programs and libraries in ENHANCED mode.
Note: Anyone who has READ, UPDATE, CONTROL, or ALTER authority to a protected data set can create a copy of it. As owner of the copied data set, that user has control of the security characteristics of the copied data set and can downgrade it. For this reason, you should assign a UACC of NONE, and then selectively permit a small number of users to access your data set, as their needs become known. (For information on how to permit selected users or groups to access a data set, see z/OS Security Server RACF Command Language Reference.)
READ Allows users to access the data set for reading only. (Note that users who can read the data set can copy or print it.)
UPDATE Allows users to read from, copy from, or write to the data set. However, UPDATE does not authorize a user to delete, rename, move, or scratch the data set.

Allows users to perform normal VSAM I/O (not improved control interval processing) to VSAM data sets.

CONTROL For VSAM data sets, it allows users to perform improved control interval processing. This is control-interval access (access to individual VSAM data blocks), and the ability to retrieve, update, insert, or delete records in the specified data set.

For non-VSAM data sets, CONTROL is equivalent to UPDATE.

ALTER Allows users to read, update, delete, rename, move, or scratch the data set.

When specified in a discrete profile, ALTER allows users to read, alter, and delete the profile itself including the access list.

Note: ALTER does not allow users to change the owner of the profile using the ALTDSD command. However, if a user with ALTER access authority to a discrete data set profile renames the data set, changing the high-level qualifier to his or her own user ID, then both the data set and the profile are renamed, and the OWNER of the profile is changed to the new user ID.

When specified in a generic profile, ALTER gives users no authority over the profile itself, but allows users to create new data sets that are covered by that profile.
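
The following Python code is an added example, not part of the IBM guide. It applies the rules in Table 1 to constructed profile records and reports a UACC other than NONE, every ID that can copy the data, and what ALTER grants on a discrete versus a generic profile. The record layout, tag names, and the data set, user, and group names are assumptions made for illustration.

```python
# Added example. The profile records are constructed for illustration and are
# not RACF command output; authority names and effects follow Table 1.
COPY_LEVELS = {"READ", "UPDATE", "CONTROL", "ALTER"}   # can create a copy
WRITE_LEVELS = {"UPDATE", "CONTROL", "ALTER"}          # can write to the data set

def risks(authority, kind):
    """Map one authority on a 'discrete' or 'generic' profile to risk tags."""
    tags = []
    if authority in COPY_LEVELS:
        tags.append("CAN_COPY")
    if authority in WRITE_LEVELS:
        tags.append("CAN_WRITE")
    if authority == "ALTER":
        tags.append("CAN_DELETE_RENAME")   # delete, rename, move, or scratch
        # ALTER reaches the profile itself only when the profile is discrete
        tags.append("CAN_EDIT_PROFILE" if kind == "discrete"
                    else "CAN_CREATE_COVERED")
    return tags

def audit(profile):
    """Return (profile, subject, tag) findings; subject '*' stands for UACC."""
    findings = []
    if profile["uacc"] != "NONE":
        findings.append((profile["name"], "*", "UACC_NOT_NONE"))
    entries = [("*", profile["uacc"])] + sorted(profile["access_list"].items())
    for subject, authority in entries:
        for tag in risks(authority, profile["kind"]):
            findings.append((profile["name"], subject, tag))
    return findings

SAMPLE_PROFILES = [  # constructed sample data
    {"name": "PAY.MASTER.FILE", "kind": "discrete", "uacc": "READ",
     "access_list": {"USERA": "ALTER", "USERB": "UPDATE"}},
    {"name": "PAY.**", "kind": "generic", "uacc": "NONE",
     "access_list": {"PAYGRP": "ALTER", "AUDIT1": "READ"}},
    {"name": "PAY.LOADLIB", "kind": "discrete", "uacc": "EXECUTE",
     "access_list": {}},
]

if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        for name, subject, tag in audit(p):
            print(f"{name:16} {subject:8} {tag}")
```
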





Copyright IBM Corporation 1990, 2014