Using the FSACCESS class profile to restrict access

Using the FSACCESS class profile to restrict access provides a coarse-grained control to z/OS UNIX file systems and acts as a gatekeeper to the z/OS® UNIX file system. When the user is permitted to access the file system, any subsequent decisions to allow file access are based on z/OS UNIX permissions and ACLs. If a security decision is needed during access validation, the ck_access (IRRSKA00) callable service is used to determine whether they have access to the file system. RACF® provides authorization checking and auditing and then returns control to the file system. For more information about the ck_access callable service, see z/OS Security Server RACF Callable Services.

The basic steps to restrict access to the z/OS UNIX file system are to create a resource with the identical z/OS UNIX file system name in the FSACCESS class profile, permit selected z/OS UNIX users with UPDATE access to the resource, and then activate the FSACCESS class. When the FSACCESS class profile is active, RACF first uses the FSACCESS class profile resources to determine whether the user is authorized to access the file system. If the user is authorized to access the file system resource, then RACF uses the permission bits, access ACLs, and various UNIXPRIV class profiles to determine whether the user is authorized to access the individual file system objects with the requested access level. Read the section on protecting file system resources in z/OS Security Server RACF Security Administrator's Guide for details on how RACF uses FSACCESS when enforcing file system security.

Restriction: If the OMVS address space is not marked as trusted, you will need to update the profiles to ensure that the user ID has the appropriate access.