z/OS TSO/E Administration


RACF Security Information

z/OS TSO/E Administration
SA32-0977-00

RACF® security information determines the system resources a new user can access. The user is assigned to a group and given a specific group authority that governs the functions the user can perform within that default group. For more information about RACF groups, see z/OS Security Server RACF Security Administrator's Guide or contact your systems support group.

Your installation can use security labels if RACF is installed. To define security labels for users, you must use RACF commands. The Information Center Facility does not support security labels. See z/OS Security Server RACF Security Administrator's Guide for information about defining security labels for users.

Figure 1. User Types – View RACF Security Information
ICQADE08          USER TYPES - VIEW RACF SECURITY INFORMATION
COMMAND ===>

To view the next panel, press ENTER.

   USER TYPE ............ User
   GROUP OWNER ..........
   GROUP AUTHORITY ...... U
   GROUP ACCESS  ........ N
   DEFAULT GROUP ........
   UNIVERSAL ACCESS ..... N

   AUTO DS PROTECT ...... N
   OPERATOR ID CARD ..... N
   SPECIAL AUTH ......... N
   OPERATIONS AUTH ...... N
   AUDITOR AUTH ......... N

   MODEL DATA SET .......


GROUP OWNER
The GROUP OWNER field identifies the owner of the RACF profile that was created for the user during enrollment. The owner can be a person or a group. If the owner is a person, the field contains that person's user ID. If the owner is a group, it contains the group name. If the GROUP OWNER field is blank, the system uses the user ID of the administrator who enrolls the person.
GROUP AUTHORITY
The GROUP AUTHORITY field specifies the functions the user can perform within the default group (the group identified in the DEFAULT GROUP field). Valid options and the authority each grants are:
U
USE allows the person to access data sets the group is authorized to access, and to create and RACF-protect data sets.
CR
CREATE grants USE authority and allows the person to create RACF profiles for data sets that other group members can use.
CO
CONNECT grants CREATE authority and permits the person to connect other users to the group and to assign any group authority except JOIN.
J
JOIN grants CONNECT authority and allows the person to add new subgroups to the group and to assign group authorities to new members.
GROUP ACCESS
The GROUP ACCESS field indicates whether group data sets the person creates are to be automatically accessible to other users in the group. Y grants automatic access; N denies it. The field is preset to N.
DEFAULT GROUP
The DEFAULT GROUP field specifies the RACF-defined group to which the person is assigned by default. If the field is blank, the person is assigned to the current connect group of the administrator who enrolls the person.
UNIVERSAL ACCESS
The UNIVERSAL ACCESS field specifies the type of access the system grants all users by default to the data sets the person creates while connected to the default group. Valid options and the type of access each grants are:
N
NONE prevents other users from accessing the data sets.
R
READ allows other users to read the data sets.
U
UPDATE allows other users to update the data sets.
C
CONTROL allows other users to access VSAM data sets at the control interval (block) level instead of the data set level.
A
ALTER gives other users full control of the data sets.
AUTO DS PROTECT
The AUTO DS PROTECT field indicates whether the system automatically creates a discrete data set profile for each data set the person creates. Y causes the system to create the profiles; N prevents their creation. The field is preset to N.
OPERATOR ID CARD
The OPERATOR ID CARD field indicates whether the user must insert an operator ID card in a card reader when logging on to the system. (Some terminals have a card reader attachment for reading operator ID cards during LOGON processing. Using operator ID cards is a security feature.) If the field specifies Y, the administrator enrolling the person must insert the same card during enrollment to associate the card with the user. The field is preset to N, which indicates that no card is required.
SPECIAL AUTH
The SPECIAL AUTH field indicates whether the user can issue all RACF commands and use all keywords except those that require AUDITOR authority. Y grants SPECIAL authority; N denies it. If the field is set to Y, only administrators who have SPECIAL authority themselves can assign the user type during enrollment. The field is preset to N.
OPERATIONS AUTH
The OPERATIONS AUTH field indicates whether the user is authorized to do maintenance on RACF-protected DASD data sets, tape volumes, and DASD volumes. OPERATIONS authority, however, does not override access restrictions imposed by access lists. Y grants OPERATIONS authority; N denies it. The field is preset to N.
AUDITOR AUTH
The AUDITOR AUTH field indicates whether the person can log attempts to access RACF-protected resources and the RACF data set. Y grants AUDITOR authority; N denies it. The field is preset to N.
MODEL DATA SET
The MODEL DATA SET field specifies the name of a data set profile the system is to use when creating new profiles that have the person's user ID as the first-level qualifier. If the field is blank, the system uses no model.
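As an added example that is not part of this IBM publication, the following Python reads the field values from an ICQADE08 panel as laid out in Figure 1 and flags the settings an administrator would want a second look at before enrolling the user: the system-wide SPECIAL, OPERATIONS and AUDITOR attributes, a GROUP AUTHORITY that lets the user connect others, GROUP ACCESS set to Y, and a UNIVERSAL ACCESS other than NONE. The panel text below is constructed for the example.

```python
import re

# Constructed sample panel body, following the layout of Figure 1.
PANEL = """\
   USER TYPE ............ User
   GROUP OWNER .......... SYSADM
   GROUP AUTHORITY ...... CO
   GROUP ACCESS  ........ Y
   DEFAULT GROUP ........ DEVGRP
   UNIVERSAL ACCESS ..... R
   AUTO DS PROTECT ...... N
   OPERATOR ID CARD ..... N
   SPECIAL AUTH ......... Y
   OPERATIONS AUTH ...... N
   AUDITOR AUTH ......... N
   MODEL DATA SET .......
"""

# Panel abbreviations and the RACF authority or access level each stands for.
GROUP_AUTHORITY = {"U": "USE", "CR": "CREATE", "CO": "CONNECT", "J": "JOIN"}
UACC = {"N": "NONE", "R": "READ", "U": "UPDATE", "C": "CONTROL", "A": "ALTER"}

# "FIELD NAME ...... value"; the value may be blank, as for MODEL DATA SET.
FIELD_RE = re.compile(r"^\s*([A-Z][A-Z ]+?)\s*\.{2,}\s*(\S*)\s*$")

def parse_panel(text):
    """Return {field name: value}; an empty string means the field was left blank."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def review(fields):
    """Return one warning per setting that grants elevated or broad authority."""
    warnings = []
    for name in ("SPECIAL AUTH", "OPERATIONS AUTH", "AUDITOR AUTH"):
        if fields.get(name) == "Y":
            warnings.append(f"{name}=Y grants a system-wide RACF attribute")
    ga = fields.get("GROUP AUTHORITY", "U")
    if ga in ("CO", "J"):  # CONNECT and JOIN can connect other users to the group
        warnings.append(f"GROUP AUTHORITY={GROUP_AUTHORITY[ga]} can connect other users")
    if fields.get("GROUP ACCESS") == "Y":
        warnings.append("GROUP ACCESS=Y opens every new group data set to the whole group")
    uacc = fields.get("UNIVERSAL ACCESS", "N")
    if uacc != "N":
        warnings.append(f"UNIVERSAL ACCESS={UACC.get(uacc, uacc)} exposes new data sets to all users")
    return warnings
```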

Copyright IBM Corporation 1990, 2014