Table of Contents
MVS RACF
Dataset Profile Access Settings
Dataset Profile Access Settings for User or Group
Universal Access Settings
Examples
Example RACF Control Statements
RACF Report Writer
Additional Information
The RACF Commands
ADDSD
Function
Syntax
Operands
ALTDSD
Function
Syntax
Operands
DELDSD
Function
Syntax
Operands
LISTDSD
Function
Syntax
Operands
LISTGRP
Function
Syntax
Operands
LISTUSER
Function
Syntax
Operands
PASSWORD
Function
Syntax
Operands
PERMIT
Function
Syntax
Operands
MVS RACF
The Resource Access Control Facility (RACF), an IBM program product, controls access to all protected
MVS resources. The protected resources include the MVS system itself, the identification of membership
and the administrator of each group, and disk data sets. Therefore, the RACF database includes USER,
GROUP and DATASET profiles. At this time tape data sets are not protected by RACF.

A USER profile defines an individual user and stores, in an encrypted form, that user's current password
plus the four most recent passwords. The profile name is of the form Pxxxxxx, where xxxxxx is the
UTCC-assigned research worker code. Only UTCC can create and delete a USER profile.

A GROUP profile defines a UTCC project code for MVS and the users connected to that group. There is one
GROUP profile for each project code. The profile name is of the form Jxxxxxx, where xxxxxx is the
UTCC-assigned project code. Only UTCC can create, modify or delete a GROUP profile. The project
administrator may access statistics about MVS jobs which were run under that group. In the GROUP
profile, the universal access (UACC) setting, the setting for all MVS users not belonging to the group, is
NONE. That setting will carry over to DATASET profiles of the group if UACC is not specifically set to
some other value.

A DATASET profile controls access to data sets belonging to a group. A DATASET profile name is of the
form 'Jxxxxxx.yyy', where yyy either (1) completes an individual data set name to control access to a
single data set, or (2) contains one or more wildcards, * or %, to control access to a group of data sets. A
particular DATASET profile specifies information about what groups and/or users have access, what type
of access they have, and what information should be recorded about accesses.
Dataset Profile Access Settings
Access settings within a DATASET profile control access by one or more of the following:
owner group
other groups
individual users
all MVS users (universal access)
Possible access settings are:
NONE - allows no access to the data set
READ - allows the data set to be read
UPDATE - allows the data set to be read and written
ALTER - allows the data set to be read, written, created and deleted
protection to meet the group's particular needs. With the settings of NONE, READ, UPDATE, and ALTER,
different levels of access can be provided.
Examples
Most common situations are covered in the following examples. Note that the project administrator must
modify existing or create new DATASET profiles only if users who are not connected to the owner group
are to be given access to one or more of a group's MVS disk data sets or a user who is connected to the
owner group is to be denied ALTER access. The initial DATASET profile for each group's data sets,
established by UTCC, grants ALTER access to all users included in the group and denies access to all
others except group J2200 (UTCC User Services). All examples assume the project administrator for group
J999994 is user P999998.
Example IBM Batch Job
Using the procedure BATCHTSO, submit a standard IBM batch job with the appropriate RACF control
statements (see examples below). Because the PASSWORD parameter on the JOB statement carries your
password in clear text, keep the data set holding this JCL unreadable to other users.
//RACF JOB ,SMITH,GROUP=J999994,USER=P999998,PASSWORD=FUDGE
/*ROUTE PRINT RMT0
//STEP1 EXEC BATCHTSO
//SYSIN DD *
(RACF control statements)
Example RACF Control Statements
The format of RACF control statements is
operation [positional_operand] keyword_operands
The operation (RACF command) must be coded first and need not begin in column 1. Some statements
have a positional operand, a DATASET profile name of the form 'profile_name' (note that the profile name
is enclosed within apostrophes), which must follow the operation. Keyword_operands may be in any order,
separated by one or more spaces. In Example 1, PERMIT must occur first, 'J999994.*' is positional and
must be coded second. The other operands each contain a keyword and may be listed in any desired order.
The following examples show several RACF control statements required to alter access authority.
Example 1:
To allow programmer P123458 READ access to your group's MVS disk data sets.
PERMIT 'J999994.*' ID(P123458) ACCESS(READ) GENERIC
Example 2:
To allow all programmers in group J999992 READ access to your group's MVS disk data sets.
PERMIT 'J999994.*' ID(J999992) ACCESS(READ) GENERIC
Example 3:
To allow programmer P888888 ALTER access to read/write/create/delete your group's MVS disk data sets.
PERMIT 'J999994.*' ID(P888888) ACCESS(ALTER) GENERIC
Example 4:
To allow programmer P89898 READ access to J999994.GOOD.STUFF only. (You must add a data set
description of a fully qualified data set name before the permit is issued.)
ADDSD 'J999994.GOOD.STUFF' UACC(NONE) GENERIC AUDIT(ALL)
PERMIT 'J999994.GOOD.STUFF' ID(P89898) ACCESS(READ) GENERIC
Example 5:
To revoke permit access granted in Example 4.
PERMIT 'J999994.GOOD.STUFF' ID(P89898) DELETE GENERIC
The following examples show the RACF control statements necessary to set access authority for your MVS
disk data sets for ALL users of the MVS system.
Example 6:
To allow all MVS users READ access to your group's MVS disk data sets.
ALTDSD 'J999994.*' UACC(READ) GENERIC
Example 7:
To allow all MVS users ALTER access to read/write/create/delete your group's MVS disk data sets.
Additional Information
//SYSIN DD *
HELP RACFRW
HELP ALTDSD
HELP PERMIT
One or more help files can be requested at a time. HELP RACFRW will give information on how to use the
RACF Report Writer. HELP ALTDSD will show how to change a data set profile. HELP PERMIT will
show how to allow users or groups access to data sets. For more information, contact your User Services
consultant or call 974-6831.
The RACF Commands
The RACF commands are given below with their valid operands followed by a description of each operand.
The RACF command (operation) must be coded first on the command line, sometimes followed by a
positional operand, then the keyword operands. The operation and each of the operands are separated by
one or more spaces. Parentheses and apostrophes must be coded as given in the commands. A slash (/)
indicates a choice of the items separated by the slash or slashes. To continue a RACF command to another
line, place, after a space, a plus sign (+) in or before column 72 in the incomplete statement line and begin
the next line in any column. Each command has an alias which can be used instead of the full name.
Note: Only GENERIC profiles are permitted. GENERIC profiles may contain the * wildcard, indicating
any number of characters, or the % wildcard, indicating exactly one character. The * wildcard may be within
a data set name segment, indicating 1 to 8 characters, or may be at the end of the name, indicating any
number of segments with 1 to 8 characters each.
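The following is an added example, not code from the UTCC guide or from RACF itself. It models the control statement format described above (operation, positional profile name in apostrophes, keyword operands in any order, continuation with a trailing +), the generic naming rule in the note above, and the effect of the ADDSD, ALTDSD and PERMIT statements in Examples 1 to 6. Given a set of profiles it answers the question the examples leave implicit: what access does a given user end up with on a given data set? Access is resolved as the guide describes it: the most specific covering GENERIC profile, then the profile's access list (a user entry first, then entries for the user's connected groups), then UACC. The user-to-group connections, the reading of a trailing * as one or more further qualifiers, an empty access list for ADDSD without FROM, and NONE for a data set no profile covers are assumptions of this model, not statements from the guide.

```python
# Added example (not from the UTCC guide or from RACF): a model of the RACF
# control statements described in the guide. Assumptions not stated there:
# connect groups are supplied explicitly, a trailing '*' covers one or more
# further qualifiers, ADDSD without FROM starts with an empty access list,
# and a data set covered by no profile yields NONE.
import re

RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALTER": 3}
TOKEN = re.compile(r"'[^']*'|[A-Z0-9]+\([^)]*\)|[A-Z0-9]+")


def join_continuations(text):
    """A line ending in ' +' continues on the next line (any column)."""
    out = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if out and out[-1].endswith("+"):
            out[-1] = out[-1][:-1].rstrip() + " " + line
        else:
            out.append(line)
    return out


def parse_statement(stmt):
    """Return (operation, positional operand or None, {keyword: value or None})."""
    toks = TOKEN.findall(stmt.upper())
    op, rest = toks[0], toks[1:]
    positional = rest.pop(0).strip("'") if rest and rest[0].startswith("'") else None
    keywords = {}
    for tok in rest:
        name, _, value = tok.partition("(")
        keywords[name] = value.rstrip(")").strip("'") if value else None  # flag -> None
    return op, positional, keywords


def qualifier_matches(pattern, qualifier):
    """'%' matches one character; '*' inside a qualifier matches 1 to 8."""
    rx = "".join("." if c == "%" else ".{1,8}" if c == "*" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, qualifier) is not None


def profile_covers(profile, dsname):
    """Does this GENERIC profile name cover the data set name?"""
    pq, dq = profile.split("."), dsname.split(".")
    if pq[-1] == "*":                      # trailing '*': one or more further qualifiers
        pq = pq[:-1]
        if len(dq) <= len(pq):
            return False
        dq = dq[:len(pq)]
    elif len(pq) != len(dq):
        return False
    return all(qualifier_matches(p, d) for p, d in zip(pq, dq))


class RacfStore:
    def __init__(self, connects):
        self.profiles = {}        # profile name -> {"uacc": ..., "acl": {id: access}}
        self.connects = connects  # userid -> set of connected group names

    def execute(self, stmt):
        op, name, kw = parse_statement(stmt)
        if "GENERIC" not in kw:           # the guide: only GENERIC profiles are permitted
            raise ValueError("GENERIC is required: " + stmt)
        if op in ("ADDSD", "ALD"):        # FROM copies another profile's access list
            acl = dict(self.profiles[kw["FROM"]]["acl"]) if kw.get("FROM") else {}
            self.profiles[name] = {"uacc": kw.get("UACC") or "NONE", "acl": acl}
        elif op == "ALTDSD":
            if kw.get("UACC"):
                self.profiles[name]["uacc"] = kw["UACC"]
        elif op in ("PERMIT", "PE"):
            if not kw.get("ID"):          # ACCESS and DELETE are ignored without ID
                return
            acl = self.profiles[name]["acl"]
            for ident in kw["ID"].split():
                if "DELETE" in kw:
                    acl.pop(ident, None)
                else:
                    acl[ident] = kw.get("ACCESS") or "READ"   # guide's default ACCESS(READ)
        else:
            raise ValueError("unsupported operation: " + op)

    def best_profile(self, dsname):
        hits = [n for n in self.profiles if profile_covers(n, dsname)]
        # most specific wins: fewest generic characters, then the longer name
        return min(hits, key=lambda n: (n.count("*") + n.count("%"), -len(n))) if hits else None

    def access(self, userid, dsname):
        name = self.best_profile(dsname)
        if name is None:
            return "NONE"
        acl, uacc = self.profiles[name]["acl"], self.profiles[name]["uacc"]
        if userid in acl:
            return acl[userid]
        via_groups = [acl[g] for g in self.connects.get(userid, ()) if g in acl]
        return max(via_groups, key=RANK.get) if via_groups else uacc


# Constructed scenario: group J999994 with administrator P999998, the guide's
# Examples 1, 2 and 4, and FROM('J999994.*') added to Example 4's ADDSD so the
# group keeps ALTER on the new, more specific profile.
CONNECTS = {"P999998": {"J999994"}, "P123458": {"J999992"}, "P222222": {"J999992"},
            "P89898": {"J777777"}, "P000001": set()}
SCRIPT = """
ADDSD 'J999994.*' UACC(NONE) GENERIC
PERMIT 'J999994.*' ID(J999994) ACCESS(ALTER) GENERIC
PERMIT 'J999994.*' ID(P123458) ACCESS(READ) GENERIC
PERMIT 'J999994.*' ID(J999992) ACCESS(READ) GENERIC
ADDSD 'J999994.GOOD.STUFF' UACC(NONE) GENERIC AUDIT(ALL) +
      FROM('J999994.*')
PERMIT 'J999994.GOOD.STUFF' ID(P89898) ACCESS(READ) GENERIC
"""


def build_store(script=SCRIPT):
    store = RacfStore(CONNECTS)
    for stmt in join_continuations(script):
        store.execute(stmt)
    return store


if __name__ == "__main__":
    s = build_store()
    for user, ds in [("P999998", "J999994.DATA"), ("P89898", "J999994.GOOD.STUFF"),
                     ("P89898", "J999994.DATA"), ("P000001", "J999994.DATA")]:
        print(user, ds, s.access(user, ds))
```

Two points the model makes visible. First, a fully qualified profile such as 'J999994.GOOD.STUFF' is chosen ahead of 'J999994.*' for that one data set, so whatever is missing from its access list is lost for that data set; that is why the example copies the group's existing list with FROM. Second, an ALTDSD UACC(READ) on 'J999994.*' (Example 6) opens the group's data sets to every MVS user except those covered by a more specific profile, whose own UACC stays in force.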
ADDSD
Function
The ADDSD command adds GENERIC DATASET profiles to the RACF database and can turn on the
RACF indicator for the data sets.
Syntax
ADDSD
('profile-name'...)
OWNER(userid)
UACC(ALTER/UPDATE/READ/NONE)
AUDIT(NONE/ALL/SUCCESS/FAILURES/(access-type))
GENERIC
WARNING
NOTIFY(userid)
FROM('profile-name-2')
Alias - ALD
Operands
'profile-name'...
- specifies the names of the generic data set profiles that are to be added.
OWNER(userid)
- specifies the userid of a user defined to RACF who is to be made the profile owner.
UACC(ALTER/UPDATE/READ/NONE)
- specifies the universal access for the data sets covered by the profile. The valid subfields are:
ALTER
- alter access authority
UPDATE
- update access authority
READ
- read access authority
NONE
- no access authority
AUDIT(NONE/ALL/SUCCESS/FAILURES/(access-type))
- specifies when logging is to occur for the profile. The valid subfields are:
NONE
- do not log
or one of the following:
ALL
- log all accesses
FAILURES
- log only access failures
SUCCESS
- log only successful accesses
('data-set-name'...)
GENERIC
LISTDSD
Syntax
LISTDSD
DATASET('data-set-name'...)/ID(group-name...)/
PREFIX('character-string'...)
AUTHUSER
ALL
GENERIC
Required - none
Defaults - if neither DATASET, ID, nor PREFIX is specified, the default is:
ID('your group name').
Alias - LD
Operands
DATASET('data-set-name'...)
- one or more generic data set names that are to be listed.
ID(group-name...)
- specifies one or more TSO USERIDs and/or group names. All data sets with the group name as the first
qualifier will be listed.
PREFIX('character-string'...)
- specifies one or more character strings. All data sets whose names begin with one of the character strings
will be listed.
AUTHUSER
- a list of all users and groups authorized to access the data set (including each user's access and total access
count) is listed along with all non-optional information. Only project administrators are authorized to
produce this list.
ALL
- all possible information for the data sets is listed.
GENERIC
- generic names will be listed.
LISTGRP
Function
The LISTGRP command displays information about a group, including the owner of the group (project
administrator), the membership of the group, and the number of jobs run by each member. In order to
display information about a group, you must be the project administrator.
Syntax
LISTGRP (group-name...)
Required - none
Defaults - if no group is specified, the current connect group (the group under which the job is running) is
displayed.
Alias - LG
Operands
group-name ...
- specifies the group names of the group(s) to be displayed. If * is specified, all groups over which you
have authority will be displayed. A group name is of the form Jxxxxxx where xxxxxx is the UTCCassigned project code with no leading zeros.
LISTUSER
Function
The LISTUSER command displays RACF information about one or more users and the groups to which
they are connected. In order to display information about another user you must be the project administrator
of the user's group.
Syntax
LISTUSER (userid...)
Required - none.
Defaults - if no userid is entered, your RACF information will be displayed.
Alias - LU
Operands
userid...
- the userid(s) to be displayed.
PASSWORD
Function
The PASSWORD command allows you to change your own current password and password change interval.
Syntax
PASSWORD
PASSWORD(current-password new-password)
INTERVAL(change-interval)/NOINTERVAL
Required - none
Defaults - if INTERVAL is specified with no value given, the interval will default to the UTCC specified
maximum of 30 days.
Alias - PW
Note - Passwords may also be changed by running an MVS job with the password parameter on the JOB
statement of the form PASSWORD=(old,new), by using MVSPASSW on CMS, or by using
MVSPASSWORD on VAX/VMS. UTCC recommends that users change their password monthly.
Operands
PASSWORD(current-password new-password)
- specifies the current value of the MVS password and the new value to become the password. Each must
be 3 to 8 alphanumeric or national characters. PSWD is an alias for this keyword.
INTERVAL(change-interval)
- specifies the number of days that your password is valid. The number of days must be 3 or more, with the
upper limit specified by UTCC as 30. Users receive warnings after their password is more than 30 days old.
NOINTERVAL
- specifies that your userid will have a password that does not expire.
PERMIT
Function
The PERMIT command adds, modifies or deletes the access authorization of specified userids or group
names in a DATASET profile. It also has the capability of copying authorization information from one
profile to another.
Syntax
PERMIT
'profile-name-1'
GENERIC
ID(userid/group-name...)
ACCESS(ALTER/UPDATE/READ/NONE)/DELETE
RESET
FROM('profile-name-2')
Required - 'profile-name-1', GENERIC
Defaults - ACCESS(READ)
Alias - PE
Notes - the ACCESS and DELETE keywords are ignored if the ID keyword is not specified.
Operands
'profile-name-1'
- the name of the profile whose access list is to be modified.
GENERIC
- indicates that profile-name-1 should be treated as a generic name, even if it does not contain any generic
characters.
ID(userid/group-name ...)
- the list of userids and/or group names which have their authorizations added to, altered in, or deleted from
the access list.
ACCESS(ALTER/UPDATE/READ/NONE)
- specifies the access to be associated with the userids specified in the ID keyword. The valid subfields are:
ALTER
- alter access authority
UPDATE
- update access authority
READ
- read access authority
NONE
- no access authority
DELETE
- the userids and/or group-names specified in the ID keyword will no longer be authorized to the data set.
RESET
- specifies that RACF is to delete the profile's access list.
FROM('profile-name-2')
- The name of a profile whose access list is to be copied to profile-name-1.