Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
Using SETROPTS PROTECTALL and SETROPTS GENERIC(DATASET) together z/OS Security Server RACF Security Administrator's Guide SA23-2289-00 |
|
If PROTECTALL is in effect at your installation, generic
profile checking should also be in effect. This allows you to create
or access a data set if one of the following conditions is met:
For users with alter authority, RACF® allows renaming a data set from a name covered by a global entry to another name covered by a global entry. Similarly, renaming is allowed from a name covered by one generic profile to a name covered by another generic profile. Renaming is not allowed from a name covered by a generic profile to one covered by a global entry, because this could allow the user to remove protection from the data set. If PROTECTALL is in effect and generic profile checking is not, only users who have ADSP or specify PROTECT=YES can create new data sets. After defining, altering, or deleting a generic profile, the following
command ensures that the profile is in effect during authorization
checking:
RACF is invoked whenever a data set is accessed (whether or not the data set is RACF-indicated) and whenever DASD space is allocated for a data set (whether or not the user has the ADSP attribute or has specified PROTECT=YES on the JCL statement). When RACF is invoked for a data set that is not RACF-indicated, RACF checks only predefined generic profiles and the global access checking table. If PROTECTALL is not in effect and RACF cannot find an appropriate generic profile or a matching entry in the global access checking table, RACF accepts the access request by default. Important: Data sets that are not RACF-indicated
but are protected by a generic profile
are not protected if they are transferred (in any way) or
available (such as through shared DASD) to another system that does
not have RACF and appropriate
predefined generic profiles.
|
Copyright IBM Corporation 1990, 2014
|