Resource Access Control Facility (RACF), U01-0576-0
MVS RACF
Examples
RACF Report Writer
Additional Information
The RACF Commands
The Resource Access Control Facility (RACF), an IBM program
product, controls access to all protected MVS resources. The
protected resources include the MVS system itself, the identification
of membership and the administrator of each group, and disk data
sets. Therefore, the RACF database includes USER, GROUP and DATASET
profiles. At this time tape data sets are not protected by RACF.
A USER profile defines an individual user
and stores, in an encrypted form, that user's current password
plus the four most recent passwords.
The profile
name is of the form Pxxxxxx, where xxxxxx is the UTCC-assigned
research worker code. Only UTCC can create and delete a USER
profile.
A GROUP profile defines a UTCC project code for MVS and
the users connected to that group. There is one GROUP
profile for each project code. The profile name is of the form
Jxxxxxx, where xxxxxx is the UTCC-assigned project code. Only UTCC
can create, modify or delete a GROUP profile. The project
administrator may access statistics about MVS jobs which were run
under that group. In the GROUP profile, the universal access (UACC)
setting, the setting for all MVS users not belonging to the group,
is NONE. That setting will carry over to DATASET profiles of the
group if UACC is not specifically set to some other value.
A DATASET profile controls access to data sets belonging
to a group. A DATASET profile name is of the form 'Jxxxxxx.yyy', where
yyy either (1) completes an individual data set name to control access
to a single data set, or (2) contains one or more wildcards,
* or %, to control access to a group of data sets.
A particular DATASET profile specifies information about what
groups and/or users have access, what type of access they have,
and what information should be recorded about accesses.
Access settings within a DATASET profile control access by
one or more of the following:
owner group
other groups
individual users
all MVS users (universal access)
Possible access settings are:
NONE allows no access to the data set.
READ allows user to read the contents of the data set.
UPDATE allows user to read or write to the data set.
ALTER allows user to read, write to, create, or
delete the data set.
The project director is, by default, the project administrator, and
as such, has sole authority to grant others access to the group's MVS
disk data sets. Project directors may request that UTCC
designate someone else in the group as the project administrator by
contacting their UTCC
consultants. The project administrator is made the owner of the
group's DATASET profiles. This also means that after the group
profile is created, only the project administrator may create, modify
and delete any of the group's DATASET profiles.
So that the research workers assigned to a particular group (the
"owner group") can create, delete, update or read MVS disk data sets
associated with that group, UTCC issued a PERMIT command when the
initial DATASET profile for the group was created, giving the entire
group ALTER access to data sets not otherwise protected. Auditing was
set to record all accesses to data sets protected by the profile, both
successful and unsuccessful.
The "list of groups" access checking feature of RACF
has been turned on. This means that access to a protected
resource is granted if the user has access through any of the
groups to which he/she is connected, not only through the
group under which the user's job is running.
To allow access to a group's data sets by other groups or
individual users outside that group, the project administrator of
the owner group must issue a PERMIT command. An alternative is to
change the UACC setting from the default of NONE to either READ,
UPDATE, or ALTER, thereby giving all MVS users that level of access.
The UTCC User Services consultants (group J2200) have had a
PERMIT command issued by UTCC to allow them to continue offering
assistance with MVS disk data sets. A project administrator may
change that access permission. New project codes will have
the option of denying access to their data sets by User Services by
checking a box on the Request for Services form. When a new
project code is opened, GROUP and DATASET profiles are created,
e.g., if project code 999991 is opened, GROUP profile J999991 and
DATASET profile 'J999991.*' are created. The DATASET profile will
include access permission for group J2200 unless the box denying
that access was checked on the application.
The universal access (UACC) setting in each RACF DATASET
profile determines what access level all MVS users and groups
other than the owner group have to a data set or group of data sets.
The UACC settings that can be assigned are NONE, READ, UPDATE and
ALTER. The initial DATASET profile created by UTCC for each group's
data sets (profile name 'Jxxxxxx.*') has a UACC setting of NONE.
Users may use RACF Report Writer (see below) to obtain
information about accesses and attempts to access their projects'
MVS data sets. With this information, a project administrator can
tailor RACF data set protection to meet the group's particular needs.
With the settings of NONE, READ, UPDATE, and ALTER, different
levels of access can be provided.
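The following Python model is an added illustration, not part of the UTCC document or RACF's own code. It puts the rules above together: the NONE < READ < UPDATE < ALTER hierarchy, list-of-groups checking, UACC as the last resort, WARNING mode, and which attempts an AUDIT setting records. It assumes (consistent with the note that a member of the owner group can be denied ALTER) that a userid entry in the access list overrides any group entry; the profile and users are constructed from this page's examples.

```python
from dataclasses import dataclass, field

# Access authorities in increasing order: NONE < READ < UPDATE < ALTER.
LEVELS = ["NONE", "READ", "UPDATE", "ALTER"]

def rank(level):
    return LEVELS.index(level)

@dataclass
class DatasetProfile:
    name: str                                # e.g. 'J999994.*'
    uacc: str = "NONE"                       # universal access for everyone else
    acl: dict = field(default_factory=dict)  # Pxxxxxx or Jxxxxxx -> authority
    audit: str = "FAILURES"                  # NONE / ALL / SUCCESS / FAILURES
    audit_type: str = "READ"                 # AUDIT(...(access-type)) threshold
    warning: bool = False                    # WARNING: allow anyway, but warn

def effective_access(profile, userid, groups):
    """Authority `userid` holds under `profile`; `groups` is every group the
    user is connected to, not only the job's connect group.

    Assumed RACF precedence: a userid entry in the access list overrides any
    group entry (so PERMIT ID(Pxxxxxx) ACCESS(NONE) denies a group member);
    with list-of-groups checking the highest authority among all connected
    groups counts; UACC applies only when neither matches.
    """
    if userid in profile.acl:
        return profile.acl[userid]
    via_groups = [profile.acl[g] for g in groups if g in profile.acl]
    return max(via_groups, key=rank) if via_groups else profile.uacc

def check_access(profile, userid, groups, requested):
    """Return (allowed, warned, logged) for one access attempt."""
    allowed = rank(effective_access(profile, userid, groups)) >= rank(requested)
    warned = not allowed and profile.warning
    allowed = allowed or warned              # WARNING mode lets it through
    # AUDIT(ALL) logs everything; FAILURES/SUCCESS log that outcome only for
    # access types at or above the type given in parentheses.  An access
    # granted only because of WARNING is treated as a failure for auditing.
    relevant = rank(requested) >= rank(profile.audit_type)
    failed = warned or not allowed
    logged = (profile.audit == "ALL"
              or (profile.audit == "FAILURES" and failed and relevant)
              or (profile.audit == "SUCCESS" and not failed and relevant))
    return allowed, warned, logged

# Constructed sample: UTCC's initial 'J999994.*' profile (owner group ALTER,
# AUDIT(ALL)) after the PERMITs for J999992 and P888888 from the examples.
INITIAL = DatasetProfile(name="J999994.*", audit="ALL",
                         acl={"J999994": "ALTER", "J999992": "READ",
                              "P888888": "ALTER"})

def demo():
    # P123458's job runs under J777777, but the user is also connected to
    # J999992, so list-of-groups checking grants READ through that group.
    visitor = ["J777777", "J999992"]
    return {
        "owner_alter": check_access(INITIAL, "P999998", ["J999994"], "ALTER"),
        "visitor_read": check_access(INITIAL, "P123458", visitor, "READ"),
        "visitor_update": check_access(INITIAL, "P123458", visitor, "UPDATE"),
        "outsider_read": check_access(INITIAL, "P555555", ["J777777"], "READ"),
    }
```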
Most common situations are covered in the following examples.
Note that the project administrator must modify existing or
create new DATASET profiles
only if users who are not connected to the owner group are
to be given access to one or more of a group's MVS disk data sets
or a user who is connected to the owner group is to be denied ALTER
access.
The initial DATASET profile for each
group's data sets, established by UTCC, grants ALTER access to all
users included in the group and denies access to all others except
group J2200 (UTCC User Services).
All examples assume the project administrator for group J999994
is user P999998.
Using the procedure BATCHTSO, submit a standard IBM batch job with the
appropriate RACF control statements (see examples below).
//RACF JOB ,SMITH,GROUP=J999994,USER=P999998,PASSWORD=FUDGE
/*ROUTE PRINT RMT0
//STEP1 EXEC BATCHTSO
//SYSIN DD *
(RACF control statements)
The format of RACF control statements is
operation [positional_operand] keyword_operands
The operation (RACF command) must be coded first and need not begin in
column 1. Some statements have a positional operand, a DATASET profile
name of the form 'profile_name' (note that the profile name is enclosed
within apostrophes), which must follow the operation. Keyword_operands
may be in any order, separated by one or more spaces. In Example 1,
PERMIT must be coded first; 'J999994.*' is the positional operand and
must be coded second. The other operands each contain a keyword and may
be listed in any desired order.
The following examples show several RACF control statements required to
alter access authority.
To allow programmer P123458 READ access to your group's MVS disk
data sets.
PERMIT 'J999994.*' ID(P123458) ACCESS(READ) GENERIC
To allow all programmers in group J999992 READ access to your
group's MVS disk data sets.
PERMIT 'J999994.*' ID(J999992) ACCESS(READ) GENERIC
To allow programmer P888888 ALTER access to read/write/create/delete
your group's MVS disk data sets.
PERMIT 'J999994.*' ID(P888888) ACCESS(ALTER) GENERIC
To allow programmer P89898 READ access to J999994.GOOD.STUFF
only. (You must add a data set description of a fully
qualified data set name before the permit is issued.)
ADDSD 'J999994.GOOD.STUFF' UACC(NONE) GENERIC AUDIT(ALL)
PERMIT 'J999994.GOOD.STUFF' ID(P89898) ACCESS(READ) GENERIC
To revoke permit access granted in Example 4.
PERMIT 'J999994.GOOD.STUFF' ID(P89898) DELETE GENERIC
The following examples show the RACF control statements necessary to set
access authority for your MVS disk data sets for ALL users
of the MVS system.
To allow all MVS users READ access to your group's MVS disk
data sets.
ALTDSD 'J999994.*' UACC(READ) GENERIC
To allow all MVS users ALTER access to
read/write/create/delete your group's MVS disk data sets.
ALTDSD 'J999994.*' UACC(ALTER) GENERIC
To allow all MVS users READ access to your group's MVS disk
data sets and to give programmer P89898 UPDATE access to
read and write.
ALTDSD 'J999994.*' UACC(READ) GENERIC
PERMIT 'J999994.*' ID(P89898) ACCESS(UPDATE) GENERIC
To allow all MVS users READ access to all MVS disk data sets with
data set names that start with J999994.GOOFY.
ADDSD 'J999994.GOOFY.*' UACC(READ) GENERIC
Up to this point the * has been used in the examples as a wild card for
any level of a data set name. You can also use the % as a
wild card for any single character.
To allow all MVS users READ access to all MVS disk data sets with a
data set name that starts with J999994.FUDGE.DATA and ends
with any two characters.
ADDSD 'J999994.FUDGE.DATA%%' UACC(READ) GENERIC
The next example shows how to find out which groups or
individual users have access to each of your MVS disk data
sets.
LISTDSD ID(J999994) ALL GENERIC
The same as Example 9, but provides access information for the
single data set J999994.GOOD.STUFF only.
LISTDSD DA('J999994.GOOD.STUFF') ALL GENERIC
A program called RACF Report Writer allows users to retrieve
recorded information about who has accessed their data sets.
By default, when users run RACF Report Writer,
they will receive a short summary of one line per data
set about accesses to their data sets. If they need more specific
information, such as a breakdown of who has accessed a particular
data set, they can then request it.
The following example shows the JCL needed to request
the short summary. The user name and the MVS USER=, GROUP=, and
PASSWORD= values on the JOB statement should be specified as
appropriate for each user.
//REPORT JOB ,WILSON,GROUP=J999991,USER=P999998,CLASS=T,
// TIME=(1,0),PASSWORD=SECRET
/*ROUTE PRINT destination
//JS1 EXEC RACFRW
To override the default parameter RPT=SUM and request more
detailed information, the last line of the EXEC statement
would be changed to show the appropriate command (request the help file
on RACFRW for more information; see section below). For example,
//JS1 EXEC RACFRW,RPT=USR
The summary will be for the current month in 1987
unless otherwise requested.
MONTH='(0)' is the default parameter. Changing this to
MONTH='(-1)' will request the previous month; MONTH='(-2)' will
request the next previous month, etc.
For example, if
the February summary is requested during March, MONTH='(-1)'
is the parameter used to override the default:
//JS1 EXEC RACFRW,MONTH='(-1)'
To request reports from 1986, YEAR='YR86' must be specified.
The default parameter of MONTH='(0)' will generate the December 1986
summary. To request reports from earlier months in 1986, set
the parameter as discussed above. For example, the October 1986
summary can be requested with the following:
//JS1 EXEC RACFRW,YEAR='YR86',MONTH='(-2)'
The following is an example of how to print a help file on RACF:
//HELP JOB ,WILSON,GROUP=J999991,USER=P999998,PASSWORD=SECRET
/*ROUTE PRINT RMT0
//STEP EXEC BATCHTSO
//SYSIN DD *
HELP RACFRW
HELP ALTDSD
HELP PERMIT
One or more help files can be requested at a time.
HELP RACFRW will give information on how to use the RACF Report
Writer. HELP ALTDSD will show how to change a data set profile.
HELP PERMIT will show how to allow users or groups
access to data sets.
For more information, contact your User Services consultant or call
974-6831.
The RACF commands are given below with their valid operands
followed by a description of each operand. The
RACF command (operation) must be coded
first on the command line, sometimes
followed by a positional operand, then the keyword operands.
The operation and each of the operands are separated by one or more
spaces. Parentheses and apostrophes must be coded as given in the
commands. A slash (/) indicates a choice of the items separated
by the slash or slashes. To continue a RACF command to another line,
place, after a space, a plus sign (+)
in or before column 72 in the
incomplete statement line and begin the next line in any column.
Each command has an alias which can be used instead of the full name.
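As an added example (not from the UTCC document), the Python parser below applies the statement conventions just given and those in the Examples section: operation first, an optional positional 'profile-name' (bare or in parentheses), keyword operands in any order, a trailing '+' in or before column 72 for continuation, and the command aliases listed on this page. The SYSIN lines are constructed.

```python
import re

ALIASES = {"AD": "ADDSD", "ALD": "ALTDSD", "DD": "DELDSD", "LD": "LISTDSD",
           "LG": "LISTGRP", "LU": "LISTUSER", "PW": "PASSWORD", "PE": "PERMIT"}

def join_continuations(lines):
    """Join statements continued with a '+' placed (after a space) in or before
    column 72; columns 73-80 are ignored and a continued line may start in any
    column."""
    stmts, cur = [], ""
    for line in lines:
        text = line[:72].rstrip()
        if text.endswith("+"):
            cur += text[:-1]
            continue
        if (cur + text).strip():
            stmts.append((cur + text).strip())
        cur = ""
    return stmts + ([cur.strip()] if cur.strip() else [])

def tokenize(stmt):
    """Split on spaces that are outside apostrophes and parentheses, so a
    quoted profile name and AUDIT(FAILURES(READ)) each stay one token."""
    tokens, cur, depth, quoted = [], "", 0, False
    for ch in stmt:
        if ch == "'":
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
        elif not quoted and ch == " " and depth == 0:
            if cur:
                tokens.append(cur)
            cur = ""
            continue
        cur += ch
    return tokens + ([cur] if cur else [])

def parse_statement(stmt):
    """Return (operation, positional profile names, keyword operands).  The
    operation comes first, then an optional positional 'profile-name' (bare or
    in parentheses), then keyword operands in any order; a keyword with no
    parenthesised value (GENERIC, DELETE, RESET) maps to None."""
    tokens = tokenize(stmt)
    op = ALIASES.get(tokens[0].upper(), tokens[0].upper())
    positional, rest = [], tokens[1:]
    if rest and rest[0][0] in "'(":
        positional, rest = re.findall(r"'([^']*)'", rest[0]), rest[1:]
    keywords = {}
    for tok in rest:
        m = re.fullmatch(r"([A-Za-z0-9]+)(?:\((.*)\))?", tok)
        if not m:
            raise ValueError("bad operand: " + tok)
        keywords[m.group(1).upper()] = m.group(2)
    return op, positional, keywords

# Constructed SYSIN input modelled on this page's examples, with one
# statement continued across two lines.
SYSIN = [
    "PERMIT 'J999994.*' ID(P123458) ACCESS(READ) GENERIC",
    "ADDSD 'J999994.GOOD.STUFF' UACC(NONE) GENERIC +",
    "      AUDIT(FAILURES(READ))",
    "PE 'J999994.GOOD.STUFF' ID(P89898) DELETE GENERIC",
]

def demo():
    return [parse_statement(s) for s in join_continuations(SYSIN)]
```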
Note: Only GENERIC profiles are permitted. GENERIC
profiles may contain the * wildcard indicating any
number of characters or the % indicating one character. The *
wildcard may be within a data set name segment, indicating 1 to 8
characters, or may be at the end of the name, indicating any number
of segments with 1 to 8 characters each.
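An added example, not from the UTCC document: a Python matcher for the wildcard rules just stated ('%' one character, '*' within a segment 1 to 8 characters, a final '*' any number of further segments), plus a best-match selection. RACF applies the most specific matching profile; the ordering used here is an assumed simplification of that rule, and reading "any number of segments" as one or more is also an assumption. The profile list is constructed from this page's examples.

```python
import re

# Characters allowed in an MVS data set name qualifier (A-Z, 0-9, @ # $).
QUAL = r"[A-Z0-9@#$]"

def profile_regex(profile):
    """Translate a GENERIC DATASET profile name into a regex using this page's
    rules: '%' is exactly one character, '*' inside a segment stands for 1 to
    8 characters, and a final '*' segment stands for any number of further
    segments of 1 to 8 characters each (assumed here to mean one or more)."""
    segs = profile.upper().split(".")
    out = []
    for i, seg in enumerate(segs):
        if seg == "*" and i == len(segs) - 1:
            out.append(QUAL + r"{1,8}(?:\." + QUAL + r"{1,8})*")
        else:
            out.append("".join(QUAL + "{1,8}" if c == "*" else
                               QUAL if c == "%" else re.escape(c) for c in seg))
    return re.compile("^" + r"\.".join(out) + "$")

def is_valid_dsname(name):
    """MVS data set name: at most 44 characters, qualifiers of 1 to 8 each."""
    return len(name) <= 44 and all(
        re.fullmatch(QUAL + "{1,8}", s) for s in name.upper().split("."))

def matches(profile, dsname):
    """True if the data set name is covered by the generic profile."""
    return bool(is_valid_dsname(dsname) and
                profile_regex(profile).match(dsname.upper()))

def protecting_profile(dsname, profiles):
    """Pick the profile that governs dsname.  RACF applies its most specific
    matching profile; the ordering used here (most literal characters, then
    fewest '*') is an assumed simplification of RACF's rule.  It shows why the
    GOOD.STUFF example adds a fully qualified profile before issuing PERMIT
    instead of editing 'J999994.*'."""
    hits = [p for p in profiles if matches(p, dsname)]
    if not hits:
        return None
    return max(hits, key=lambda p: (sum(c not in "*%" for c in p), -p.count("*")))

# Constructed from the profiles created in this page's examples.
PROFILES = ["J999994.*", "J999994.GOOD.STUFF", "J999994.GOOFY.*",
            "J999994.FUDGE.DATA%%"]

def demo():
    names = ["J999994.GOOD.STUFF", "J999994.GOOFY.BOOK", "J999994.FUDGE.DATA01",
             "J999994.FUDGE.DATA1", "J999992.STUFF"]
    return {n: protecting_profile(n, PROFILES) for n in names}
```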
The ADDSD command adds GENERIC DATASET profiles to
the RACF database and can turn on the RACF indicator for the data
sets.
ADDSD ('profile-name'...)
OWNER(userid)
UACC(ALTER/UPDATE/READ/NONE)
AUDIT(NONE/ALL/SUCCESS/FAILURES/(access-type))
GENERIC
WARNING
NOTIFY(userid)
FROM('profile-name-2')
Required - 'profile-name' - specify at least one profile name
GENERIC
Default - AUDIT(FAILURES(READ))
Alias - AD
'profile-name' - specifies the profiles whose descriptors are to
be added to the RACF database.
OWNER(userid) - specifies the userid of a user defined to RACF who is
to be made the profile owner.
UACC(ALTER/UPDATE/READ/NONE) - specifies the universal access
for the profile. If UACC is not specified, the default
universal access of your current connect group is used.
The valid subfields are:
ALTER - alter access authority
UPDATE - update access authority
READ - read access authority
NONE - no access authority
AUDIT(NONE/ALL/SUCCESS/FAILURES/(access-type)) - specifies when logging
is to occur for the profile. The valid subfields are:
NONE - do not log
or one of the following:
ALL - log all accesses
FAILURES - log only access failures
SUCCESS - log only successful accesses
optionally followed by an access type in parentheses:
READ - log all access types
UPDATE - log update and alter access types
ALTER - log only alter access types
The default is AUDIT(FAILURES(READ)).
GENERIC - indicates that the profile name should be treated as a
generic name, even if it does not contain any generic
characters.
WARNING - specifies that a warning message should be issued if the
access authority is insufficient, but that the request should
be allowed.
NOTIFY(userid) - specifies a TSO user to be notified when
this profile denies access to a data set.
FROM('profile-name-2') - specifies the name of an existing profile
that is to be used as a model when defining the new profile.
profile-name-2 should name a GENERIC profile.
The ALTDSD command is used to modify the RACF description of one or
more generic data set profiles.
ALTDSD ('profile-name'...)
OWNER(userid)
UACC(ALTER/UPDATE/READ/NONE)
AUDIT(NONE/ALL/SUCCESS/FAILURES/(access-type))
NOTIFY(userid)/NONOTIFY
WARNING/NOWARNING
GENERIC
Required - 'profile-name' - at least one name must be entered
GENERIC
Alias - ALD
'profile-name' - specifies the names of the generic
data set profiles that are to be modified.
OWNER(userid) - specifies the userid of a user defined to RACF who is
to be made the profile owner.
UACC(ALTER/UPDATE/READ/NONE) - specifies the new universal
access for the data set. The valid subfields are:
ALTER - alter access authority
UPDATE - update access authority
READ - read access authority
NONE - no access authority
AUDIT(NONE/ALL/SUCCESS/FAILURES/(access-type)) - specifies when logging
is to occur for the profile. The valid subfields are:
NONE - do not log
or one of the following:
ALL - log all accesses
FAILURES - log only access failures
SUCCESS - log only successful accesses
optionally followed by an access type in parentheses:
READ - log all access types
UPDATE - log update, control, and alter access types
ALTER - log only alter access types
NOTIFY(userid) - specifies a TSO user to be notified when
this profile denies access to a resource.
NONOTIFY - specifies that a user will not be notified when this
profile denies access to a data set.
WARNING - specifies that a warning message should be issued if access
authority is insufficient, but access should be allowed.
NOWARNING - specifies that access should not be allowed (rather than
allowed with a warning message) if access authority is
insufficient.
GENERIC - indicates that the profile name should be treated as a
generic name, even if it does not contain any generic
characters.
The DELDSD command deletes generic or model data set
profiles from the RACF data set.
DELDSD ('data-set-name'...)
GENERIC
Required - 'data-set-name' specify at least one data set name
GENERIC
Alias - DD
'data-set-name' - specifies the data set profiles that are to be
deleted from the RACF database.
GENERIC - indicates that the profile name should be treated as a
generic name, even if it does not contain any generic
characters.
The LISTDSD command is used to list the RACF description of generic
data set profiles.
LISTDSD DATASET('data-set-name'...)/ID(group-name...)/
PREFIX('character-string'...)
AUTHUSER
ALL
GENERIC
Required - none
Defaults - if neither DATASET, ID, nor PREFIX is specified, the default
is:
ID('your group name').
Alias - LD
DATASET('data-set-name'...) - one or more generic data set names that
are to be listed.
ID(group-name...) - specifies one or more TSO USERIDs and/or
group names. All data sets with the group name as
the first qualifier will be listed.
PREFIX('character-string'...) - specifies one or more character
strings. All data sets whose names begin with one of the
character strings will be listed.
AUTHUSER - a list of all users and groups authorized to access the
data set (including each user's access and total access count) is
listed along with all non-optional information.
Only project administrators are authorized to produce this list.
ALL - all possible information for the data sets is listed.
GENERIC - generic names will be listed.
The LISTGRP command displays information about a
group, including
the owner of the group (project administrator), the membership of the
group, and the number of jobs run by each member.
In order to display information about
a group, you must be the project administrator.
LISTGRP (group-name...)
Required - none
Defaults - if no group is specified, the current connect group
(the group under which the job is running) is displayed.
Alias - LG
group-name - specifies the group names of the
group(s) to be displayed. If * is
specified, all groups over which you have authority will be
displayed.
A group name is of the form Jxxxxxx where xxxxxx is the UTCC-assigned
project code with no leading zeros.
The LISTUSER command displays RACF information about one or more
users and the groups to which they are connected. In order to
display information about another user you must be the project
administrator of the user's group.
LISTUSER (userid...)
Required - none.
Defaults - if no userid is entered, your RACF information will be
displayed.
Alias - LU
userid - the userid(s) to be displayed.
The PASSWORD command allows you to change your own current password
and password change interval.
PASSWORD PASSWORD(current-password new-password)
INTERVAL(change-interval)/NOINTERVAL
Required - none
Defaults - if INTERVAL is specified with no value given, the
interval will default to the UTCC specified maximum of 30 days.
Alias - PW
Note - Passwords may also be changed by running an MVS job
with the password parameter on the JOB statement of the form
PASSWORD=(old,new), by using MVSPASSW on CMS, or by using MVSPASSWORD
on VAX/VMS. UTCC recommends that users change their password monthly.
PASSWORD(current-password new-password) - specifies the current value
of the MVS password and the new value to become the password. Each
must be 3 to 8 alphanumeric or national characters. PSWD is an alias
for this keyword.
INTERVAL(change-interval) - specifies the number of days that your
password is valid. The number of days must be 3 or more, with the
upper limit specified by UTCC as 30. Users receive warnings after
their password is more than 30 days old.
NOINTERVAL - specifies that the userid will have a password
that does not expire.
The PERMIT command adds, modifies or deletes the access
authorization of specified userids or group names in a DATASET
profile. It also has the capability of copying authorization
information from one profile to another.
PERMIT 'profile-name-1'
GENERIC
ID(userid/group-name...)
ACCESS(ALTER/UPDATE/READ/NONE)/DELETE
RESET
FROM('profile-name-2')
Required - 'profile-name-1'
GENERIC
Defaults - ACCESS(READ)
Alias - PE
Notes - the ACCESS and DELETE keywords are ignored if the ID
keyword is not specified.
'profile-name-1' - the name of the profile whose access list is to be
modified.
GENERIC - indicates that profile-name-1 should be treated as a
generic name, even if it does not contain any generic characters.
ID(userid/group-name...) - the list of userids and/or group names which
have their authorizations added to, altered in, or deleted from the
access list.
ACCESS(ALTER/UPDATE/READ/NONE) - specifies the access to be associated
with the userids specified in the ID keyword. The valid subfields are:
ALTER - alter access authority
UPDATE - update access authority
READ - read access authority
NONE - no access authority
DELETE - the userids and/or group-names specified in the ID keyword will
no longer be authorized to the data set.
RESET - specifies that RACF is to delete the profile's
access list.
FROM('profile-name-2') - the name of a profile whose access list is to
be copied to profile-name-1.