RACF® security information
determines the system resources a new user can access. The user is
assigned a group and given specific group authority to perform functions
within the default group. For more information about RACF groups, see z/OS Security Server RACF Security Administrator's Guide
or contact your systems support group.
Your installation can use security labels if RACF is installed. To define security labels
for users, you must use RACF commands.
The Information Center Facility does
not support security labels. See z/OS Security Server RACF Security Administrator's Guide for
information about defining security labels for users.
Figure 1. User Types – View RACF Security Information
ICQADE08 USER TYPES - VIEW RACF SECURITY INFORMATION
COMMAND ===>
To view the next panel, press ENTER.
USER TYPE ............ User
GROUP OWNER ..........
GROUP AUTHORITY ...... U
GROUP ACCESS ........ N
DEFAULT GROUP ........
UNIVERSAL ACCESS ..... N
AUTO DS PROTECT ...... N
OPERATOR ID CARD ..... N
SPECIAL AUTH ......... N
OPERATIONS AUTH ...... N
AUDITOR AUTH ......... N
MODEL DATA SET .......
- GROUP OWNER
- The GROUP OWNER field identifies the owner of the RACF profile that was created for the user during
enrollment. The owner can be a person or a group. If the owner is
a person, the field contains that person's user ID. If the owner
is a group, it contains the group name. If the GROUP OWNER field
is blank, the system uses the user ID of the administrator who enrolls
the person.
- GROUP AUTHORITY
- The GROUP AUTHORITY field specifies the functions the user can
perform within the default group (the group identified in the DEFAULT
GROUP field). Valid options and the authority each grants are:
- U
- USE allows the person to access data sets the group is authorized
to access, and to create and RACF-protect data sets.
- CR
- CREATE grants USE authority and allows the person to create RACF profiles for data sets that
other group members can use.
- CO
- CONNECT grants CREATE authority and permits the person to connect
other users to the group and to assign any group authority except
JOIN.
- J
- JOIN grants CONNECT authority and allows the person to add new
subgroups to the group and to assign group authorities to new members.
- GROUP ACCESS
- The GROUP ACCESS field indicates whether group data sets the person
creates are to be automatically accessible to other users in the group.
Y grants automatic access, N denies it. The field is preset to N.
- DEFAULT GROUP
- The DEFAULT GROUP field specifies the RACF-defined group to which
the person is assigned by default. If the field is blank, the person
is assigned to the current connect group of the administrator who
enrolls the person.
- UNIVERSAL ACCESS
- The UNIVERSAL ACCESS field specifies the type of access the system
grants all users by default to the data sets the person creates while
connected to the default group. Valid options and the type of access
each grants are:
- N
- NONE prevents other users from accessing the data sets.
- R
- READ allows other users to read the data sets.
- U
- UPDATE allows other users to update the data sets.
- C
- CONTROL allows other users to access VSAM data sets at the control
interval (block) level instead of the data set level.
- A
- ALTER gives other users full control of the data sets.
- AUTO DS PROTECT
- The AUTO DS PROTECT field indicates whether the system automatically
creates a discrete data set profile for each data set the person creates.
Y causes the system to create the profiles, N prevents their creation.
The field is preset to N.
- OPERATOR ID CARD
- The OPERATOR ID CARD field indicates
whether the user must insert an operator ID card in a card reader
when logging on to the system. (Some terminals have a card reader attachment
for reading operator ID cards during LOGON processing. Using operator
ID cards is a security feature.) If the field specifies Y, the administrator
enrolling the person must insert the same card during enrollment to
associate the card with the user. The field is preset to N, which
indicates no card is required.
- SPECIAL AUTH
- The SPECIAL
AUTH field indicates whether the user can issue all RACF commands and use all keywords except those
that require AUDITOR authority. Y grants SPECIAL authority, N denies
it. If the field is set to Y, only administrators who have SPECIAL
authority themselves can assign the user type during enrollment. The
field is preset to N.
- OPERATIONS AUTH
- The
OPERATIONS AUTH field indicates whether the user is authorized to
do maintenance on RACF-protected DASD data sets, tape volumes, and
DASD volumes. OPERATIONS authority, however, does not override access
restrictions imposed by access lists. Y grants OPERATIONS authority,
N denies it. The field is preset to N.
- AUDITOR AUTH
- The
AUDITOR AUTH field indicates whether the person can log attempts to
access RACF-protected resources and the RACF data
set. Y grants AUDITOR authority, N denies it. This field is preset
to N.
- MODEL DATA SET
- The MODEL
DATA SET field specifies the name of a data set profile the system
is to use when creating new profiles that have the person's user ID
as the first-level qualifier. If the field is blank, the system uses
no model.
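
The field descriptions above lend themselves to a mechanical review of a user type definition. The following Python code is an added example, not IBM code and not part of the Information Center Facility: it parses a text capture of the ICQADE08 panel, expands the GROUP AUTHORITY code into the authorities it includes, and lists settings that grant more than the narrowest option. The sample capture, the function names and the review policy are assumptions constructed for illustration.

```python
import re

# Group authority codes in the order the page lists them; each includes those before it.
GROUP_AUTH = [("U", "USE"), ("CR", "CREATE"), ("CO", "CONNECT"), ("J", "JOIN")]
UACC = {"N": "NONE", "R": "READ", "U": "UPDATE", "C": "CONTROL", "A": "ALTER"}
# Y/N fields that grant access or authority and are preset to N on the panel.
GRANTING_FLAGS = ["GROUP ACCESS", "SPECIAL AUTH", "OPERATIONS AUTH", "AUDITOR AUTH"]
FIELD_RE = re.compile(r"^\s*([A-Z][A-Z ]*?)\s*\.{2,}\s*(\S*)\s*$")

# Constructed sample capture (not from a real system).
SAMPLE = """\
USER TYPE ............ Analyst
GROUP OWNER ..........
GROUP AUTHORITY ...... CO
GROUP ACCESS ........ N
UNIVERSAL ACCESS ..... R
SPECIAL AUTH ......... Y
OPERATIONS AUTH ...... N
"""

def parse_panel(text):
    """Return {field name: value} from 'NAME ...... VALUE' panel lines."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)  # blank fields map to ""
    return fields

def implied_authorities(code):
    """Expand a group authority code into every authority it includes."""
    codes = [c for c, _ in GROUP_AUTH]
    return [name for _, name in GROUP_AUTH[: codes.index(code) + 1]]

def review(fields):
    """List settings worth a second look (hypothetical review policy)."""
    findings = []
    ga = fields.get("GROUP AUTHORITY", "")
    if ga in ("CO", "J"):  # these let the user assign group authorities to others
        findings.append(f"GROUP AUTHORITY {ga} includes {', '.join(implied_authorities(ga))}")
    uacc = fields.get("UNIVERSAL ACCESS", "")
    if uacc not in ("", "N"):
        findings.append(f"UNIVERSAL ACCESS {UACC.get(uacc, uacc)}: default access for all users to data sets this user creates")
    findings += [f"{name} is Y (preset N)" for name in GRANTING_FLAGS if fields.get(name) == "Y"]
    return findings

if __name__ == "__main__":
    print("\n".join(review(parse_panel(SAMPLE))))
```

A panel that keeps the values shown in Figure 1 produces no findings under this policy.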