z/OS DFSMS Implementing System-Managed Storage
Restricting Access to Classes and Groups (z/OS DFSMS Implementing System-Managed Storage, SC23-6849-00)
Some SMS configuration elements, such as data class and storage group, do not require protection. No RACF® protection for storage groups is needed because your ACS routines control storage group assignment entirely. Data classes do not need RACF protection because inappropriate use of a data class is unlikely to affect your storage resources.

However, use of specialized storage classes can cause high-performance cache facilities or dual copy availability services to be used to support a data set, and management class attributes mandating extra backups can be costly and should only be used for those data sets that require them. Use of these storage and management classes should be controlled by RACF or by your ACS routines.

With system-managed storage, data ownership is the basis for determining who can use RACF-protected SMS resources. Previously, checking was based on the user's authority to use a resource. For system-managed data sets, the owner of the data set must be authorized to use the SMS classes. The RACF functions, such as data set protection and authorization control for data, programs, commands, and keywords, apply to databases as well.

RACF contains two resource classes for this purpose: STORCLAS and MGMTCLAS. Authorize SMS storage and management classes by defining them as RACF profiles in the STORCLAS and MGMTCLAS resource classes. The profile names are the same as the names of the storage or management classes. The following example shows the command sequence you can use to define a general resource class profile for the storage class DBCRIT and to give the database administrator the ability to use DBCRIT. In the following example, the storage administration group is the owner of the general resource profile:
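The command sequence the paragraph refers to did not survive in this extract. What follows is an added example, not IBM's text, of a RACF command sequence that matches the description: it runs the RACF commands in batch under IKJEFT01, defines a STORCLAS profile named DBCRIT owned by the storage administration group, grants the database administrators READ access (the access level RACF checks when a STORCLAS or MGMTCLAS profile is used), activates the class, and lists the resulting profile with its access list so the definition can be verified. The job card, the group names STGADMIN and DBADMIN, and the choice to RACLIST the class are assumptions.

```jcl
//RACFSC   JOB (ACCT),'DEFINE STORCLAS',CLASS=A,MSGCLASS=X
//* Added example (not from the IBM manual). Job card and the group
//* names STGADMIN (storage administrators, profile owner) and DBADMIN
//* (database administrators) are assumed; substitute your own.
//* IKJEFT01 runs the TSO/RACF commands read from SYSTSIN in batch.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE STORCLAS DBCRIT UACC(NONE) OWNER(STGADMIN)
  PERMIT DBCRIT CLASS(STORCLAS) ID(DBADMIN) ACCESS(READ)
  SETROPTS CLASSACT(STORCLAS) RACLIST(STORCLAS)
  SETROPTS RACLIST(STORCLAS) REFRESH
  RLIST STORCLAS DBCRIT AUTHUSER
/*
```

UACC(NONE) is what makes the class restrictive: any RESOWNER not on the access list is denied DBCRIT, and SMS allocation fails for that data set rather than silently consuming the cache or dual-copy resources the class implies. The same pattern protects a management class by substituting CLASS(MGMTCLAS) and the management class name. Because RACF checks the data set's RESOWNER (by default derived from the high-level qualifier) rather than the allocating user, the RESOWNER of the database data sets must be DBADMIN or a user connected to it; the RLIST output with AUTHUSER is the place to confirm that the access list contains exactly the IDs you intend.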
The RACF RESOWNER value, derived by default from the high-level qualifier of the data set name, is what RACF uses to check authorization to use management and storage classes. Another way to check this authorization is to use the user ID that is allocating the data set. This prevents the problems that can occur when restoring or recalling data sets that have a protected storage class and management class and that are owned by users whose user or group IDs have been revoked.

Certain authorization functions are necessary beyond the data set level and are outside the scope of RACF. Because of the special nature of these functions, some of them are implemented in particular database products, for example, DB2® and IMS™.
Copyright IBM Corporation 1990, 2014