z/OS MVS Planning: Operations


Controlling how to add or delete APF list entries for a library

SA23-1390-00

To control who can add or delete APF list entries for a library name, the RACF® security administrator can take the following steps:

  1. To establish a profile for the library name for the FACILITY class, issue RDEFINE:
    RDEFINE FACILITY CSVAPF.libname UACC(NONE)
    where libname is the fully qualified data set name of the library (without quotation marks). For example,
    CSVAPF.SYS1.SUPER.UTILS

    The RACF profile name, including qualifiers, should not exceed 39 characters. If the library name is longer than 32 characters, RACF truncates the profile name to 39 characters.

    You can use generic characters for the qualifiers in the library name. For example,
    CSVAPF.*.SUPER.UTILS
    If you have RACF 1.9 or higher installed, you can use the following generic profile to cover all APF library names:
    CSVAPF.**
    To ensure that generic profile checking is in effect for the class FACILITY, issue the following command:
    SETROPTS GENERIC(FACILITY)

    For complete coverage of APF-authorized library names, check the names currently specified in the IEAAPFxx or PROGxx SYS1.PARMLIB members.

  2. To permit the user (in this example user OPER1) to add or delete the library name, issue the following:
    PERMIT CSVAPF.libname CLASS(FACILITY) ID(OPER1) ACCESS(UPDATE)

    OPER1 must be the name of a RACF-defined user or group profile.

    Note: Instead of specifying individual user IDs, you can specify the name of a RACF group profile and connect authorized users to the group. See Defining RACF profiles.
  3. If the FACILITY class is not already active, issue the SETROPTS command as follows:
    SETROPTS CLASSACT(FACILITY)

    (To ensure that the FACILITY class is active, you can issue the SETROPTS LIST command.)

  4. To refresh the FACILITY resource class, issue SETROPTS RACLIST:
    SETROPTS RACLIST(FACILITY) REFRESH

    If any library name is not covered by a RACF profile and a user has access to the SETPROG or SET PROG command, MVS™ accepts the command. To ensure that only authorized users can perform the operation, you might define a generic profile for all library names (CSVAPF.**) with UACC(NONE), then define specific RACF profiles for each set of libraries that the user has authorization to control.
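
One way to check coverage before relying on these profiles, as an added example that is not IBM's code: the script lists each library named on APF ADD statements in PROGxx text, the CSVAPF profiles that cover it, and whether CSVAPF.libname exceeds 39 characters. The PROGxx text, the profile list and the function names are constructed, and generic matching is simplified to the two forms shown above (* for one qualifier, ** for zero or more).

```python
import re

# Constructed sample input: APF statements as they might appear in a PROGxx member.
PROGXX = """
APF FORMAT(DYNAMIC)
APF ADD DSNAME(SYS1.SUPER.UTILS) VOLUME(VOL001)
APF ADD DSNAME(PROD.SUPER.UTILS) VOLUME(VOL002)
APF ADD DSNAME(VENDOR.TOOLS.LOADLIB) SMS
APF ADD DSNAME(DEPT01.PROJECT7.RELEASE3.LOADLIB2) SMS
"""

# Constructed sample: FACILITY profiles the administrator has defined so far.
PROFILES = ["CSVAPF.SYS1.SUPER.UTILS", "CSVAPF.*.SUPER.UTILS"]

MAX_PROFILE_LEN = 39  # profile length limit stated in step 1

def apf_libraries(progxx_text):
    """Return the data set names on APF ADD DSNAME(...) statements."""
    return re.findall(r"\bAPF\s+ADD\s+DSNAME\(([^)]+)\)", progxx_text, re.I)

def matches(profile, resource):
    """Simplified model (assumption): '*' = one qualifier, '**' = zero or more.
    RACF's other generic rules (such as '%') are not modelled here."""
    def walk(p, r):
        if not p:
            return not r
        if p[0] == "**":
            return any(walk(p[1:], r[i:]) for i in range(len(r) + 1))
        if not r:
            return False
        return p[0] in ("*", r[0]) and walk(p[1:], r[1:])
    return walk(profile.split("."), resource.split("."))

def audit(progxx_text, profiles):
    """Map each APF library to (covering profiles, name-exceeds-39 flag)."""
    report = {}
    for lib in apf_libraries(progxx_text):
        resource = "CSVAPF." + lib.upper()
        covering = [p for p in profiles if matches(p, resource)]
        report[lib] = (covering, len(resource) > MAX_PROFILE_LEN)
    return report

if __name__ == "__main__":
    for lib, (covering, too_long) in audit(PROGXX, PROFILES).items():
        status = ", ".join(covering) if covering else "NOT COVERED"
        note = "  (CSVAPF.libname exceeds 39 characters)" if too_long else ""
        print(f"{lib:40} {status}{note}")
```

A library reported as NOT COVERED is one for which MVS accepts SETPROG or SET PROG from any user with access to the command; adding CSVAPF.** with UACC(NONE) to the profile list closes every such gap in this model.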





Copyright IBM Corporation 1990, 2014