To control who can add or delete APF list entries for a library name, the RACF® security administrator can take the following steps:
- To establish a profile for the library name for the FACILITY class, issue RDEFINE:

      RDEFINE FACILITY CSVAPF.libname UACC(NONE)

  where libname is the fully qualified data set name of the library (without quotation marks). For example,

      CSVAPF.SYS1.SUPER.UTILS

  The length of the RACF profile including qualifiers should not exceed 39 characters. Otherwise, if the length of the library name is greater than 32 characters, RACF truncates the profile to 39 characters.

  You can use generic characters for the qualifiers in the library name. For example,

      CSVAPF.*.SUPER.UTILS

  If you have RACF 1.9 or higher installed, you can use the following generic to cover all APF library names:

      CSVAPF.**

  To ensure that generic profile checking is in effect for the class FACILITY, issue the following command:

      SETROPTS GENERIC(FACILITY)

  For complete coverage of APF-authorized library names, check the names currently specified in the IEAAPFxx or PROGxx SYS1.PARMLIB members.
- To permit the user (in this example user OPER1) to add or delete the library name, issue the following:

      PERMIT CSVAPF.libname CLASS(FACILITY) ID(OPER1) ACCESS(UPDATE)

  OPER1 must be the name of a RACF-defined user or group profile.

  Note: Instead of specifying individual userids, you can specify the name of a RACF group profile and connect authorized users to the group. See Defining RACF profiles.
- If the FACILITY class is not already active, issue the SETROPTS command as follows:

      SETROPTS CLASSACT(FACILITY)

  (To ensure that the FACILITY class is active, you can issue the SETROPTS LIST command.)
- To refresh the FACILITY resource class, issue SETROPTS RACLIST:

      SETROPTS RACLIST(FACILITY) REFRESH

If any library name is not covered by a RACF profile and a user has access to the SETPROG or SET PROG command, MVS™ accepts the command. To ensure that only authorized users can perform the operation, you might define a generic profile for all library names (CSVAPF.**) with UACC(NONE), then define specific RACF profiles for each set of libraries that the user has authorization to control.
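
The steps above can be scripted so that no APF library is left without a profile. The following is an added example, not IBM code: it reads the APF ADD statements from PROGxx text, emits the command sequence from this page with a CSVAPF.** catch-all, and sets aside library names whose profile would exceed 39 characters. The sample member content, the group name APFADMIN, and the one-statement-per-line parsing are assumptions.

```python
import re

# Constructed sample PROGxx content (not taken from a real system).
SAMPLE_PROGXX = """\
/* constructed sample */
APF FORMAT(DYNAMIC)
APF ADD DSNAME(SYS1.SUPER.UTILS) VOLUME(VOL001)
APF ADD DSNAME(PRODUCTN.PAYROLL.BATCHJOB.AUTHLIB.LOADLIB1) SMS
apf add dsname(sys1.super.utils) volume(VOL002)
"""

PREFIX = "CSVAPF."
MAX_PROFILE_LEN = 39  # profile length limit stated on this page

# Assumption: each APF ADD statement sits on one line (no continuations).
APF_ADD = re.compile(r"^\s*APF\s+ADD\s+DSNAME\(\s*([A-Z0-9$#@.\-]+)\s*\)",
                     re.IGNORECASE)

def apf_libraries(progxx_text):
    """Return the unique library names from APF ADD statements, in order."""
    names = []
    for line in progxx_text.splitlines():
        match = APF_ADD.match(line)
        if match and match.group(1).upper() not in names:
            names.append(match.group(1).upper())
    return names

def build_commands(libraries, group):
    """Return (commands, too_long) for the given libraries and RACF group."""
    # Generic checking is enabled first because the catch-all is generic.
    commands = ["SETROPTS GENERIC(FACILITY)",
                f"RDEFINE FACILITY {PREFIX}** UACC(NONE)"]
    too_long = []
    for lib in libraries:
        profile = PREFIX + lib
        if len(profile) > MAX_PROFILE_LEN:
            too_long.append(lib)  # left under CSVAPF.** only, for review
            continue
        commands.append(f"RDEFINE FACILITY {profile} UACC(NONE)")
        commands.append(
            f"PERMIT {profile} CLASS(FACILITY) ID({group}) ACCESS(UPDATE)")
    commands += ["SETROPTS CLASSACT(FACILITY)",
                 "SETROPTS RACLIST(FACILITY) REFRESH"]
    return commands, too_long

if __name__ == "__main__":
    cmds, flagged = build_commands(apf_libraries(SAMPLE_PROGXX), "APFADMIN")
    print("\n".join(cmds))
    for name in flagged:
        print(f"REVIEW: {PREFIX}{name} exceeds {MAX_PROFILE_LEN} characters")
```

Library names reported for review get no specific profile from the script, so they fall under the CSVAPF.** UACC(NONE) profile until the administrator defines one for them.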