z/OS Security Server RACF Security Administrator's Guide


Steps for overriding SUPERUSER.FILESYS authority with ACLs

SA23-2289-00

Perform the following steps to prevent users from using their SUPERUSER.FILESYS authority to access file system resources that an ACL entry explicitly denies them:
  1. Define a resource called SUPERUSER.FILESYS.ACLOVERRIDE in the UNIXPRIV class with UACC(NONE). To block every user, leave the access list empty (permit no users or groups).
    Example:
    RDEFINE UNIXPRIV SUPERUSER.FILESYS.ACLOVERRIDE UACC(NONE)

    ______________________________________________________________________

  2. If needed, grant exceptions to certain users or groups to allow them to gain access based on their SUPERUSER.FILESYS authority. Add those users or groups to the access list with the same level of access they require for the SUPERUSER.FILESYS resource.
    Example:
    PERMIT SUPERUSER.FILESYS.ACLOVERRIDE CLASS(UNIXPRIV) ID(PER) ACCESS(READ)
    See z/OS UNIX System Services Planning for details about authorizing users for the SUPERUSER.FILESYS resource.

    ______________________________________________________________________

  3. Refresh the UNIXPRIV class to activate changes from Steps 1 and 2.
    Example:
    SETROPTS RACLIST(UNIXPRIV) REFRESH

    ______________________________________________________________________

SUPERUSER.FILESYS.ACLOVERRIDE is checked only when a user's access was denied by a matching ACL entry based on the user's UID or one of the user's GIDs. If the user's access was denied by the file's permission bits, SUPERUSER.FILESYS is checked. See Authorizing access to z/OS UNIX files and directories for details.
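The following Python model is an added example, not IBM code and not RACF's actual algorithm; it reduces the check to the rule stated above (a denial caused by a matching ACL entry is governed by SUPERUSER.FILESYS.ACLOVERRIDE, a denial caused by the permission bits by SUPERUSER.FILESYS) and walks through the three steps with a constructed file and two constructed users, PER and OTHER. The mapping of operations to required access levels (READ to read or search, UPDATE to write a file), the fallback to SUPERUSER.FILESYS when ACLOVERRIDE is not defined, the union of matching group entries and the UID 0 bypass are assumptions of this model rather than statements from this page.

```python
"""Simplified model (added example, not IBM code) of the ordering this page
describes: an ACL-entry denial is governed by SUPERUSER.FILESYS.ACLOVERRIDE,
a permission-bit denial by SUPERUSER.FILESYS."""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1                                           # permission bits
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]    # RACF access levels
ACLOVERRIDE = "SUPERUSER.FILESYS.ACLOVERRIDE"
FILESYS = "SUPERUSER.FILESYS"

# Assumption: access level each operation needs on the UNIXPRIV profile
# (READ to read a file or search a directory, UPDATE to write a file).
REQUIRED_LEVEL = {R: "READ", X: "READ", W: "UPDATE"}


@dataclass
class ZFile:
    owner_uid: int
    owner_gid: int
    mode: int                                        # e.g. 0o640
    acl_users: dict = field(default_factory=dict)    # uid -> bits
    acl_groups: dict = field(default_factory=dict)   # gid -> bits


@dataclass
class User:
    uid: int
    gids: set
    unixpriv: dict = field(default_factory=dict)     # profile -> permitted level


def level_ok(have, need):
    return LEVELS.index(have) >= LEVELS.index(need)


def base_check(f, u, want):
    """Evaluate mode bits and ACL. Returns (granted, decided_by), where
    decided_by is 'acl' if a matching ACL entry determined the outcome."""
    if u.uid == f.owner_uid:                         # owner: owner bits only
        return bool((f.mode >> 6) & 7 & want), "bits"
    if u.uid in f.acl_users:                         # ACL user entry wins over groups
        return bool(f.acl_users[u.uid] & want), "acl"
    bits, matched_acl = 0, False
    if f.owner_gid in u.gids:
        bits |= (f.mode >> 3) & 7
    for gid in u.gids:
        if gid in f.acl_groups:
            bits |= f.acl_groups[gid]                # assumption: group entries are unioned
            matched_acl = True
    if matched_acl or f.owner_gid in u.gids:
        return bool(bits & want), ("acl" if matched_acl else "bits")
    return bool(f.mode & 7 & want), "bits"           # 'other' bits


def check_access(f, u, want, defined_profiles):
    """Full decision. defined_profiles: UNIXPRIV profiles that exist.
    Returns (granted, what_decided_it)."""
    if u.uid == 0:                                   # assumption: UID 0 bypasses the check
        return True, "UID 0"
    granted, decided_by = base_check(f, u, want)
    if granted:
        return True, decided_by
    # Denied by an ACL entry -> ACLOVERRIDE governs when it is defined.
    # Assumption: when ACLOVERRIDE is not defined, SUPERUSER.FILESYS is used.
    profile = ACLOVERRIDE if (decided_by == "acl" and ACLOVERRIDE in defined_profiles) else FILESYS
    have = u.unixpriv.get(profile, "NONE")
    return level_ok(have, REQUIRED_LEVEL[want]), profile


def demo():
    """Constructed scenario: a file whose ACL explicitly denies UID 200 (PER)."""
    secret = ZFile(owner_uid=100, owner_gid=50, mode=0o640,
                   acl_users={200: 0}, acl_groups={60: R})
    per = User(uid=200, gids={70}, unixpriv={FILESYS: "UPDATE"})     # denied by ACL entry
    other = User(uid=300, gids={70}, unixpriv={FILESYS: "UPDATE"})   # denied by 'other' bits
    results = {}
    # Before step 1: ACLOVERRIDE undefined, so SUPERUSER.FILESYS lets PER through.
    results["per_read_before"] = check_access(secret, per, R, {FILESYS})
    # After step 1: ACLOVERRIDE defined with UACC(NONE) and no permits.
    results["per_read_after"] = check_access(secret, per, R, {FILESYS, ACLOVERRIDE})
    # Permission-bit denials are unaffected: OTHER still passes via SUPERUSER.FILESYS.
    results["other_read_after"] = check_access(secret, other, R, {FILESYS, ACLOVERRIDE})
    # Step 2 exception: PERMIT ... ID(PER) ACCESS(READ) on ACLOVERRIDE.
    per.unixpriv[ACLOVERRIDE] = "READ"
    results["per_read_excepted"] = check_access(secret, per, R, {FILESYS, ACLOVERRIDE})
    results["per_write_excepted"] = check_access(secret, per, W, {FILESYS, ACLOVERRIDE})
    return results


if __name__ == "__main__":
    for name, (granted, decided_by) in demo().items():
        print(f"{name:20} granted={granted!s:5} decided by {decided_by}")
```

Running `demo()` shows why step 1 matters: before ACLOVERRIDE exists, PER's UPDATE access to SUPERUSER.FILESYS reads a file whose ACL explicitly denies PER; once the profile is defined with UACC(NONE), that same read fails, while OTHER, who was denied by the permission bits rather than an ACL entry, is still governed by SUPERUSER.FILESYS. The step 2 exception with ACCESS(READ) restores read but not write, which is why the permit level on ACLOVERRIDE should match what the user needs on SUPERUSER.FILESYS.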

Copyright IBM Corporation 1990, 2014