
Resource Access Control Facility (RACF), U01-0576-0

Table of Contents
MVS RACF
Dataset Profile Access Settings
Dataset Profile Access Settings for User or Group
Universal Access Settings
Examples
Example RACF Control Statements
RACF Report Writer
Additional Information
The RACF Commands
ADDSD
Function
Syntax
Operands
ALTDSD
Function
Syntax
Operands
DELDSD
Function
Syntax
Operands
LISTDSD
Function
Syntax
Operands
LISTGRP
Function
Syntax
Operands
LISTUSER
Function
Syntax
Operands
PASSWORD
Function
Syntax
Operands
PERMIT
Function
Syntax
Operands
MVS RACF
The Resource Access Control Facility (RACF), an IBM program product, controls access to all protected
MVS resources. The protected resources include the MVS system itself, the identification of membership
and the administrator of each group, and disk data sets. Therefore, the RACF database includes USER,
GROUP and DATASET profiles. At this time tape data sets are not protected by RACF.

A USER profile defines an individual user and stores, in an encrypted form, that user's current password
plus the four most recent passwords. The profile name is of the form Pxxxxxx, where xxxxxx is the
UTCC-assigned research worker code. Only UTCC can create and delete a USER profile.

A GROUP profile defines a UTCC project code for MVS and the users connected to that group. There is one
GROUP profile for each project code. The profile name is of the form Jxxxxxx, where xxxxxx is the
UTCC-assigned project code. Only UTCC can create, modify or delete a GROUP profile. The project
administrator may access statistics about MVS jobs which were run under that group. In the GROUP profile,
the universal access (UACC) setting, the setting for all MVS users not belonging to the group, is NONE.
That setting will carry over to DATASET profiles of the group if UACC is not specifically set to some other
value.

A DATASET profile controls access to data sets belonging to a group. A DATASET profile name is of the
form 'Jxxxxxx.yyy', where yyy either (1) completes an individual data set name to control access to a single
data set, or (2) contains one or more wildcards, * or %, to control access to a group of data sets. A particular
DATASET profile specifies information about what groups and/or users have access, what type of access
they have, and what information should be recorded about accesses.
Dataset Profile Access Settings
Access settings within a DATASET profile control access by one or more of the following:
owner group
other groups
individual users
all MVS users (universal access)
Possible access settings are:
NONE - allows no access to the data set.
READ - allows user to read the contents of the data set.
UPDATE - allows user to read or write to the data set.
ALTER - allows user to read, write to, create, or delete the data set.

Dataset Profile Access Settings for User or Group
The project director is, by default, the project administrator, and as such, has sole authority to grant others
access to the group's MVS disk data sets. Project directors may request that UTCC designate someone else
in the group as the project administrator by contacting their UTCC consultants. The project administrator is
made the owner of the group's DATASET profiles. This also means that after the group profile is created,
only the project administrator may create, modify and delete any of the group's DATASET profiles.

So that the research workers assigned to a particular group (the "owner group") can create, delete, update
or read MVS disk data sets associated with that group, UTCC issued a PERMIT command when the initial
DATASET profile for the group was created, giving the entire group ALTER access to data sets not
otherwise protected. Auditing was set to record all accesses to data sets protected by the profile, both
successful and unsuccessful. The "list of groups" access checking feature of RACF has been turned on.
This means that access to a protected resource is granted if the user has access through any of the groups to
which he/she is connected, not just through the group under which the user's job is running.

To allow access to a group's data sets by other groups or individual users outside that group, the project
administrator of the owner group must issue a PERMIT command. An alternative is to change the UACC
setting from the default of NONE to either READ, UPDATE, or ALTER, thereby giving all MVS users that
level of access.

The UTCC User Services consultants (group J2200) have had a PERMIT command issued by UTCC to
allow them to continue offering assistance with MVS disk data sets. A project administrator may change
that access permission. New project codes will have the option of denying access to their data sets by User
Services by checking a box on the Request for Services form. When a new project code is opened, GROUP
and DATASET profiles are created, e.g., if project code 999991 is opened, GROUP profile J999991 and
DATASET profile 'J999991.*' are created. The DATASET profile will include access permission for group
J2200 unless the box denying that access was checked on the application.
Universal Access Settings
The universal access (UACC) setting in each RACF DATASET profile determines what access level all
MVS users and groups other than the owner group have to a data set or group of data sets. The UACC
settings that can be assigned are NONE, READ, UPDATE and ALTER. The initial DATASET profile
created by UTCC for each group's data sets (profile name 'Jxxxxxx.*') has a UACC setting of NONE.
Users may use RACF Report Writer (see below) to obtain information about accesses and attempts to
access their projects' MVS data sets. With this information, a project administrator can tailor RACF data set
protection to meet the group's particular needs. With the settings of NONE, READ, UPDATE, and ALTER,
different levels of access can be provided.
Examples
Most common situations are covered in the following examples. Note that the project administrator must
modify existing or create new DATASET profiles only if users who are not connected to the owner group
are to be given access to one or more of a group's MVS disk data sets or a user who is connected to the
owner group is to be denied ALTER access. The initial DATASET profile for each group's data sets,
established by UTCC, grants ALTER access to all users included in the group and denies access to all
others except group J2200 (UTCC User Services). All examples assume the project administrator for group
J999994 is user P999998.
Example IBM Batch Job
Using the procedure BATCHTSO, submit a standard IBM batch job with the appropriate RACF control
statements (see examples below).
//RACF JOB ,SMITH,GROUP=J999994,USER=P999998,PASSWORD=FUDGE
/*ROUTE PRINT RMT0
//STEP1 EXEC BATCHTSO
//SYSIN DD *
(RACF control statements)
Example RACF Control Statements
The format of RACF control statements is
operation [positional_operand] keyword_operands
The operation (RACF command) must be coded first and need not begin in column 1. Some statements
have a positional operand, a DATASET profile name of the form 'profile_name' (note that the profile name
is enclosed within apostrophes), which must follow the operation. Keyword_operands may be in any order,
separated by one or more spaces. In Example 1, PERMIT must occur first; 'J999994.*' is positional and
must be coded second. The other operands each contain a keyword and may be listed in any desired order.
The following examples show several RACF control statements required to alter access authority.
Example 1:
To allow programmer P123458 READ access to your group's MVS disk data sets.
PERMIT 'J999994.*' ID(P123458) ACCESS(READ) GENERIC
Example 2:
To allow all programmers in group J999992 READ access to your group's MVS disk data sets.
PERMIT 'J999994.*' ID(J999992) ACCESS(READ) GENERIC
Example 3:
To allow programmer P888888 ALTER access to read/write/create/delete your group's MVS disk data sets.
PERMIT 'J999994.*' ID(P888888) ACCESS(ALTER) GENERIC
Example 4:
To allow programmer P89898 READ access to J999994.GOOD.STUFF only. (You must add a data set
description of a fully qualified data set name before the permit is issued.)
ADDSD 'J999994.GOOD.STUFF' UACC(NONE) GENERIC AUDIT(ALL)
PERMIT 'J999994.GOOD.STUFF' ID(P89898) ACCESS(READ) GENERIC
Example 5:
To revoke permit access granted in Example 4.
PERMIT 'J999994.GOOD.STUFF' ID(P89898) DELETE GENERIC
The following examples show the RACF control statements necessary to set access authority for your MVS
disk data sets for ALL users of the MVS system.
Example 6:
To allow all MVS users READ access to your group's MVS disk data sets.
ALTDSD 'J999994.*' UACC(READ) GENERIC
Example 7:
To allow all MVS users ALTER access to read/write/create/delete your group's MVS disk data sets.
ALTDSD 'J999994.*' UACC(ALTER) GENERIC
Example 8:
To allow all MVS users READ access to your group's MVS disk data sets and to give programmer P89898
UPDATE access to read and write.
ALTDSD 'J999994.*' UACC(READ) GENERIC
PERMIT 'J999994.*' ID(P89898) ACCESS(UPDATE) GENERIC
Example 9:
To allow all MVS users READ access to all MVS disk data sets with data set names that start with
J999994.GOOFY.
ADDSD 'J999994.GOOFY.*' UACC(READ) GENERIC
Up to this point the * has been used in the examples as a wild card for any level of a data set name. You can
also use the % as a wild card for any single character.
Example 10:
To allow all MVS users READ access to all MVS disk data sets with a data set name that starts with
J999994.FUDGE.DATA and ends with any two characters.
ADDSD 'J999994.FUDGE.DATA%%' UACC(READ) GENERIC
Example 11:
The next example shows how to find out which groups or individual users have access to each of your
MVS disk data sets.
LISTDSD ID(J999994) ALL GENERIC
Example 12:
The same as Example 11, but provides access information for the single data set J999994.GOOD.STUFF
only.
LISTDSD DA('J999994.GOOD.STUFF') ALL GENERIC
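As an added illustration (not part of the UTCC document), the following Python model applies the access rules described above: the four access levels, UACC for everyone not on the access list, PERMIT access-list entries for users and groups, "list of groups" checking, WARNING mode, and the AUDIT kind and access-type thresholds given in the ADDSD operand descriptions, together with the * and % wildcard rules from the note under "The RACF Commands". The profiles are constructed to reflect Examples 1, 2 and 4; two rules are assumptions the document does not state: an explicit user entry outranks group entries, and when several generic profiles match, the most specific one governs.

```python
import re
from dataclasses import dataclass, field

# Access levels ordered weakest to strongest, as in "Possible access settings".
ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "ALTER"]

def rank(level):
    return ACCESS_LEVELS.index(level)

def profile_regex(profile):
    """% matches one character; * inside a segment matches 1 to 8 characters;
    a final '*' segment matches any number of further 1-to-8-character segments."""
    segments = profile.split(".")
    parts = []
    for i, seg in enumerate(segments):
        if seg == "*" and i == len(segments) - 1 and i > 0:
            parts[-1] += r"(?:\.[^.]{1,8})+"      # trailing .* absorbs its own dot
            continue
        parts.append("".join({"*": r"[^.]{1,8}", "%": r"[^.]"}.get(c, re.escape(c)) for c in seg))
    return re.compile("^" + r"\.".join(parts) + "$")

@dataclass
class DatasetProfile:
    name: str
    uacc: str = "NONE"                       # universal access for ids not on the access list
    acl: dict = field(default_factory=dict)  # PERMIT entries: userid or group name -> access level
    audit: tuple = ("FAILURES", "READ")      # AUDIT(kind(access-type)); the ADDSD default
    warning: bool = False                    # WARNING: insufficient access is allowed with a message

    def matches(self, dsname):
        return profile_regex(self.name).match(dsname) is not None

def select_profile(profiles, dsname):
    # Assumption (not stated in the document): of several matching generic profiles,
    # the one with the most non-wildcard characters governs the data set.
    matching = [p for p in profiles if p.matches(dsname)]
    return max(matching, key=lambda p: sum(c not in "*%" for c in p.name), default=None)

def granted_level(profile, userid, groups):
    if userid in profile.acl:                # assumption: an explicit user entry decides
        return profile.acl[userid]
    via_groups = [profile.acl[g] for g in groups if g in profile.acl]
    if via_groups:                           # "list of groups" checking: any connected group counts
        return max(via_groups, key=rank)
    return profile.uacc                      # everyone else gets the universal access

def should_log(audit, success, requested):
    """AUDIT threshold: READ logs all types, UPDATE logs update and alter, ALTER only alter."""
    kind, threshold = audit
    if kind == "NONE" or (kind == "SUCCESS" and not success) or (kind == "FAILURES" and success):
        return False
    return rank(requested) >= rank(threshold)

def check_access(profiles, userid, groups, dsname, requested):
    """Return (decision, logged) for one access attempt; decision is ALLOW, WARN or DENY."""
    profile = select_profile(profiles, dsname)
    if profile is None:
        return ("UNPROTECTED", False)
    ok = rank(granted_level(profile, userid, groups)) >= rank(requested)
    decision = "ALLOW" if ok else ("WARN" if profile.warning else "DENY")
    return (decision, should_log(profile.audit, ok, requested))

# Constructed profiles: UTCC's initial 'J999994.*' profile (group ALTER, AUDIT(ALL))
# after Examples 1 and 2, plus the 'J999994.GOOD.STUFF' profile from Example 4.
PROFILES = [
    DatasetProfile("J999994.*", audit=("ALL", "READ"),
                   acl={"J999994": "ALTER", "P123458": "READ", "J999992": "READ"}),
    DatasetProfile("J999994.GOOD.STUFF", audit=("ALL", "READ"), acl={"P89898": "READ"}),
]
```

Calling check_access(PROFILES, "P89898", ["J555555"], "J999994.GOOD.OTHER", "READ") returns ('DENY', True), showing that the Example 4 permit does not leak beyond the single data set it names.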
RACF Report Writer
A program called RACF Report Writer allows users to retrieve recorded information about who has
accessed their data sets. By default, when users run RACF Report Writer, they will receive a short summary
of one line per data set about accesses to their data sets. If they need more specific information such as a
breakdown of who has accessed a particular data set, they can then request it. The following example
shows the JCL needed to request the short summary. The user name and the MVS USER=, GROUP=, and
PASSWORD= values on the JOB statement should be specified as appropriate for each user.
//REPORT JOB ,WILSON,GROUP=J999991,USER=P999998,CLASS=T,
// TIME=(1,0),PASSWORD=SECRET
/*ROUTE PRINT destination
//JS1 EXEC RACFRW
To override the default parameter RPT=SUM and request more detailed information, the last line of the
EXEC statement would be changed to show the appropriate command (request the help file on RACFRW
for more information; see section below). For example,
//JS1 EXEC RACFRW,RPT=USR
The summary will be for the current month in 1987 unless otherwise requested. MONTH='(0)' is the
default parameter. Changing this to MONTH='(-1)' will request the previous month; MONTH='(-2)' will
request the next previous month, etc. For example, if the February summary is requested during March,
MONTH='(-1)' is the parameter used to override the default:
//JS1 EXEC RACFRW,MONTH='(-1)'
To request reports from 1986, YEAR='YR86' must be specified. The default parameter of MONTH='(0)'
will generate the December 1986 summary. To request reports from earlier months in 1986, set the
parameter as discussed above. For example, the October 1986 summary can be requested with the
following:
//JS1 EXEC RACFRW,YEAR='YR86',MONTH='(-2)'
Additional Information
The following is an example of how to print a help file on RACF:
//HELP JOB ,WILSON,GROUP=J999991,USER=P999998,PASSWORD=SECRET
/*ROUTE PRINT RMT0
//STEP EXEC BATCHTSO
//SYSIN DD *
HELP RACFRW
HELP ALTDSD
HELP PERMIT
One or more help files can be requested at a time. HELP RACFRW will give information on how to use the
RACF Report Writer. HELP ALTDSD will show how to change a data set profile. HELP PERMIT will
show how to allow users or groups access to data sets. For more information, contact your User Services
consultant or call 974-6831.
The RACF Commands
The RACF commands are given below with their valid operands followed by a description of each operand.
The RACF command (operation) must be coded first on the command line, sometimes followed by a
positional operand, then the keyword operands. The operation and each of the operands are separated by
one or more spaces. Parentheses and apostrophes must be coded as given in the commands. A slash (/)
indicates a choice of the items separated by the slash or slashes. To continue a RACF command to another
line, place, after a space, a plus sign (+) in or before column 72 in the incomplete statement line and begin
the next line in any column. Each command has an alias which can be used instead of the full name.
Note: Only GENERIC profiles are permitted. GENERIC profiles may contain the * wildcard indicating
any number of characters or the % indicating one character. The * wildcard may be within a data set name
segment, indicating 1 to 8 characters, or may be at the end of the name, indicating any number of segments
with 1 to 8 characters each.
ADDSD
Function
The ADDSD command adds GENERIC DATASET profiles to the RACF database and can turn on the
RACF indicator for the data sets.
Syntax
ADDSD ('profile-name'...)
OWNER(userid)
UACC(ALTER/UPDATE/READ/NONE)
AUDIT(NONE/ALL/SUCCESS/FAILURES/(access-type))
GENERIC
WARNING
NOTIFY(userid)
FROM('profile-name-2')
Required - 'profile-name' (specify at least one profile name) and GENERIC
Default - AUDIT(FAILURES(READ))
Alias - AD
Operands
'profile-name'...
- specifies the profiles whose descriptors are to be added to the RACF database.
OWNER(userid)
- specifies the userid of a user defined to RACF who is to be made the profile owner.
UACC(ALTER/UPDATE/READ/NONE)
- specifies the universal access for the profile. If UACC is not specified, the default universal access of
your current connect group is used. The valid subfields are:
ALTER
- alter access authority
UPDATE
- update access authority
READ
- read access authority
NONE
- no access authority
AUDIT(NONE/ALL/SUCCESS/FAILURES/(access-type))
- specifies when logging is to occur for the profile. The valid subfields are:
NONE
- do not log
or one of the following:
ALL
- log all accesses
FAILURES
- log only access failures
SUCCESS
- log only successful accesses
optionally followed by an access type in parentheses:
READ
- log all access types
UPDATE
- log update and alter access types
ALTER
- log only alter access types
The default is AUDIT(FAILURES(READ)).
GENERIC
- indicates that the profile name should be treated as a generic name, even if it does not contain any generic
characters.
WARNING
- specifies that a warning message should be issued if the access authority is insufficient, but that the
request should be allowed.
NOTIFY(userid)
- specifies a TSO user to be notified when this profile denies access to a data set.
FROM('profile-name-2')
- specifies the name of an existing profile that is to be used as a model when defining the new profile.
profile-name-2 should name a GENERIC profile.
ALTDSD
Function
The ALTDSD command is used to modify the RACF description of one or more generic data set profiles.
Syntax
ALTDSD ('profile-name'...)
OWNER(userid)
UACC(ALTER/UPDATE/READ/NONE)
AUDIT(NONE/ALL/SUCCESS/FAILURES/(access-type))
NOTIFY(userid)/NONOTIFY
WARNING/NOWARNING
GENERIC
Required - 'profile-name' (at least one name must be entered) and GENERIC
Alias - ALD
Operands
'profile-name'...
- specifies the names of the generic data set profiles that are to be modified.
OWNER(userid)
- specifies the userid of a user defined to RACF who is to be made the profile owner.
UACC(ALTER/UPDATE/READ/NONE)
- specifies the new universal access for the data set. The valid subfields are:
ALTER
- alter access authority
UPDATE
- update access authority
READ
- read access authority
NONE
- no access authority
AUDIT(NONE/ALL/SUCCESS/FAILURES/(access-type))
- specifies when logging is to occur for the profile. The valid subfields are:
NONE
- do not log
or one of the following:
ALL
- log all accesses
FAILURES
- log only access failures
SUCCESS
- log only successful accesses
optionally followed by an access type in parentheses:
READ
- log all access types
UPDATE
- log update, control, and alter access types
ALTER
- log only alter access types
NOTIFY(userid)
- specifies a TSO user to be notified when this profile denies access to a resource.
NONOTIFY
- specifies that a user will not be notified when this profile denies access to a data set.
WARNING
- specifies that a warning message should be issued if access authority is insufficient, but access should be
allowed.
NOWARNING
- specifies that access should not be allowed (rather than allowed with a warning message) if access
authority is insufficient.
GENERIC
- indicates that the profile name should be treated as a generic name, even if it does not contain any generic
characters.
DELDSD
Function
The DELDSD command deletes generic or model data set profiles from the RACF data set.
Syntax
DELDSD ('data-set-name'...)
GENERIC
Required - 'data-set-name' (specify at least one data set name) and GENERIC
Alias - DD
Operands
'data-set-name'...
- specifies the data set profiles that are to be deleted from the RACF database.
GENERIC
- indicates that the profile name should be treated as a generic name, even if it does not contain any generic
characters.
LISTDSD
Function
The LISTDSD command is used to list the RACF description of generic data set profiles.
Syntax
LISTDSD DATASET('data-set-name'...)/ID(group-name...)/PREFIX('character-string'...)
AUTHUSER
ALL
GENERIC
Required - none
Defaults - if neither DATASET, ID, nor PREFIX is specified, the default is ID('your group name').
Alias - LD
Operands
DATASET('data-set-name'...)
- one or more generic data set names that are to be listed.
ID(group-name...)
- specifies one or more TSO USERIDs and/or group names. All data sets with the group name as the first
qualifier will be listed.
PREFIX('character-string'...)
- specifies one or more character strings. All data sets whose names begin with one of the character strings
will be listed.
AUTHUSER
- a list of all users and groups authorized to access the data set (including each user's access and total access
count) is listed along with all non-optional information. Only project administrators are authorized to
produce this list.
ALL
- all possible information for the data sets is listed.
GENERIC
- generic names will be listed.
LISTGRP
Function
The LISTGRP command displays information about a group, including the owner of the group (project
administrator), the membership of the group, and the number of jobs run by each member. In order to
display information about a group, you must be the project administrator.
Syntax
LISTGRP (group-name...)
Required - none
Defaults - if no group is specified, the current connect group (the group under which the job is running) is
displayed.
Alias - LG
Operands
group-name ...
- specifies the group names of the group(s) to be displayed. If * is specified, all groups over which you
have authority will be displayed. A group name is of the form Jxxxxxx where xxxxxx is the UTCC-assigned
project code with no leading zeros.
LISTUSER
Function
The LISTUSER command displays RACF information about one or more users and the groups to which
they are connected. In order to display information about another user you must be the project administrator
of the user's group.
Syntax
LISTUSER (userid...)
Required - none.
Defaults - if no userid is entered, your RACF information will be displayed.
Alias - LU
Operands
userid...
- the userid(s) to be displayed.
PASSWORD
Function
The PASSWORD command allows you to change your own current password and password change interval.
Syntax
PASSWORD PASSWORD(current-password new-password)
INTERVAL(change-interval)/NOINTERVAL
Required - none
Defaults - if INTERVAL is specified with no value given, the interval will default to the UTCC-specified
maximum of 30 days.
Alias - PW
Note - Passwords may also be changed by running an MVS job with the password parameter on the JOB
statement of the form PASSWORD=(old,new), by using MVSPASSW on CMS, or by using
MVSPASSWORD on VAX/VMS. UTCC recommends that users change their password monthly.
Operands
PASSWORD(current-password new-password)
- specifies the current value of the MVS password and the new value to become the password. Each must
be 3 to 8 alphanumeric or national characters. PSWD is an alias for this keyword.
INTERVAL(change-interval)
- specifies the number of days that your password is valid. The number of days must be 3 or more, with the
upper limit specified by UTCC as 30. Users receive warnings after their password is more than 30 days old.
NOINTERVAL
- specifies that the specified userid will have a password that does not expire.
PERMIT
Function
The PERMIT command adds, modifies or deletes the access authorization of specified userids or group
names in a DATASET profile. It also has the capability of copying authorization information from one
profile to another.
Syntax
PERMIT 'profile-name-1'
GENERIC
ID(userid/group-name...)
ACCESS(ALTER/UPDATE/READ/NONE)/DELETE
RESET
FROM('profile-name-2')
Required - 'profile-name-1' and GENERIC
Defaults - ACCESS(READ)
Alias - PE
Notes - the ACCESS and DELETE keywords are ignored if the ID keyword is not specified.
Operands
'profile-name-1'
- the name of the profile whose access list is to be modified.
GENERIC
- indicates that profile-name-1 should be treated as a generic name, even if it does not contain any generic
characters.
ID(userid/group-name ...)
- the list of userids and/or group names which have their authorizations added to, altered in, or deleted from
the access list.
ACCESS(ALTER/UPDATE/READ/NONE)
- specifies the access to be associated with the userids specified in the ID keyword. The valid subfields are:
ALTER
- alter access authority
UPDATE
- update access authority
READ
- read access authority
NONE
- no access authority
DELETE
- the userids and/or group-names specified in the ID keyword will no longer be authorized to the data set.
RESET
- specifies that RACF is to delete the profile's access list.
FROM('profile-name-2')
- the name of a profile whose access list is to be copied to profile-name-1.