Field-level access checking

You can use RACF® to control which users can access data in RACF profiles at the field level through field-level access checking. To do this, you create profiles in the FIELD class and permit users to the profiles.

Using field-level access checking, you can:
  • Allow a user or group to modify a particular field (or segment) in all profiles of a particular type. For example, you can define a profile to control access to the ACCTNUM field of the TSO segment of user profiles. If you give a user UPDATE authority to this profile, the user can modify the ACCTNUM field in all user profiles.
  • Allow all users to read or modify a particular field (or segment) of their own user profiles. To do this, specify ID(&RACUID) on the PERMIT command.
  • Allow a user to modify or list a particular field (or segment) only in those profiles whose BASE segment data the user is already authorized to modify through the RACF command processors.

You need not use field-level access checking to authorize READ access for users with the SPECIAL, AUDITOR or ROAUDIT attribute. These users are authorized to list all fields of all segments for any RACF profile.

Note: RACF command processors and panels support field-level access checking only for fields in segments other than the base segments of RACF profiles. However, the ICHEINTY and RACROUTE REQUEST=EXTRACT macros can support field-level access checking for fields in any segment of any RACF profile. If your installation has written its own programs that use these macros to access the RACF database, you can modify these programs to implement field-level access checking.
To use field-level access checking, perform the following steps:
  1. Define profiles in the FIELD class:
    RDEFINE FIELD profile-name UACC(NONE)
    where profile-name has the following format:
    profile-type.segment-name.field-name
    where:
    profile-type
    is one of the following:
    • DATASET for data set profiles
    • GROUP for group profiles
    • USER for user profiles
    • class-name for general resource profiles
    segment-name
    is one of the following:
    • BASE for BASE segments (this is supported only by user-written code)
    • CDTINFO for CDTINFO segments
    • CFDEF for CFDEF segments
    • CICS® for CICS segments
    • CSDATA for CSDATA segments
    • DCE for DCE segments
    • DFP for DFP segments
    • DLFDATA for DLFDATA segments
    • EIM for EIM segments
    • ICSF for ICSF segments
    • ICTX for ICTX segments
    • JES for JES segments
    • KERB for KERB segments
    • LANGUAGE for LANGUAGE segments
    • LNOTES for LNOTES segments
    • MFA for MFA segments
    • MFPOLICY for MFPOLICY segments
    • NDS for NDS segments
    • NETVIEW for NETVIEW segments
    • OMVS for OMVS segments
    • OPERPARM for OPERPARM segments
    • PROXY for PROXY segments
    • OVM for OVM segments
    • SESSION for SESSION segments
    • SIGVER for SIGVER segments
    • SSIGNON for SSIGNON segments
    • STDATA for STDATA segments
    • SVFMR for SystemView segments
    • TME for TME segments
    • TSO for TSO segments
    • WORKATTR for WORKATTR segments
    Note: This is also the operand used on RACF commands to work with the segment.
    field-name
    is the name associated with the field in the RACF profile segment to be controlled.
    Each field is administered by a RACF command operand. To find the field name that corresponds to a command operand, see Table 1.
    Example: To control access to all fields in the TSO segment of all user profiles, issue the RDEFINE command and specify USER.TSO.* as the profile name. Before issuing this command, however, see the following note.
    RDEFINE FIELD USER.TSO.* UACC(NONE)
    Note: The profile name USER.TSO.* is a generic profile name. Before you issue the RDEFINE command, generic profile checking for the FIELD class must be active. If it is not active, issue the SETROPTS GENERIC(FIELD) command before you define the generic profile.

    When you specify a UACC of NONE, no user can access the TSO segment of any user profile, including their own, unless that user is on the profile's access list (directly, through a group, or through ID(&RACUID)) or has the SPECIAL, AUDITOR or ROAUDIT attribute. Likewise, a UACC of READ allows all users to read the information in all fields of the TSO segment of all user profiles, not only their own.

    To control access to a specific field in the TSO segment of user profiles, issue the RDEFINE command and specify the name associated with the field as the third qualifier in the profile name.

    Example: Based on Table 1, to control access to the ACCTNUM field, create a profile specifying TACCNT as the field-name qualifier:
    RDEFINE FIELD USER.TSO.TACCNT UACC(NONE)
    Note: A user with UPDATE access to this profile is authorized to change the account number field in a TSO segment by specifying the ACCTNUM operand on the TSO option of the ALTUSER command:
    ALTUSER userid TSO(ACCTNUM(account-number))
  2. Allow specific users or groups to have the appropriate access to the field. For example:
    PERMIT USER.TSO.TLPROC CLASS(FIELD) ID(TSOADM) ACCESS(UPDATE)

    This example shows how to authorize user ID TSOADM to change the logon procedure (TLPROC field) in the profiles of all TSO users.

    Note: You can also specify the value &RACUID with the ID operand on the PERMIT command for FIELD profiles. When you enter this value on the PERMIT command, you allow all users access to the specified field or segment of their own user profiles. For example, if you issue the following command, you allow all users to read the TLPROC field in the TSO segment of their own user profiles.
    PERMIT USER.TSO.TLPROC CLASS(FIELD) ID(&RACUID) ACCESS(READ)
  3. When you are ready to start using the protection defined in the profiles, activate the FIELD class:
    SETROPTS CLASSACT(FIELD)
    Note: If you do not activate the FIELD class and you activate SETROPTS RACLIST processing for the FIELD class, only SPECIAL users can access fields in segments (other than the base segment) of RACF profiles.
  4. You must activate SETROPTS RACLIST processing for the FIELD general resource class. For a complete description of this function, see SETROPTS RACLIST processing.
    SETROPTS RACLIST(FIELD)
    Note: Once you activate SETROPTS RACLIST processing for the FIELD class, any time you make a change to a FIELD profile, you must refresh SETROPTS RACLIST processing for the FIELD class for the change to take effect.
    SETROPTS RACLIST(FIELD) REFRESH

A user with access to a FIELD class profile for a given segment or field can manipulate that field in all profiles of the corresponding type. Field-level access can optionally be restricted so that the access granted by FIELD profiles to a particular segment or field applies only to profiles to which the user also has BASE-segment access. BASE-segment access is obtained through profile ownership, group-SPECIAL, or other means, as determined by the RACF command being processed.

To activate the optional BASE-segment authority requirement to field-level access checking, define a new profile in the FIELD class.

RDEFINE FIELD FLAC.SKIP.BASECHECK UACC(NONE)

If the FLAC.SKIP.BASECHECK profile exists and the command-issuing user lacks READ access to it, field-level access is granted only if that user has BASE-segment access to the profile being operated on as well as authorization to the appropriate FIELD class profile. The ability to list or modify a profile's DATA('data') field is a usable indicator of sufficient BASE-segment access to that profile.

Examples:

GSADM1 already has group-SPECIAL authority over the group that is the OWNER of USER2, and has no administrative authority over USER1. Set up field-level access checking so that GSADM1 can manage the TSO segment of USER2, but not of USER1:

SETROPTS CLASSACT(FIELD) GENERIC(FIELD) RACLIST(FIELD)
RDEFINE FIELD USER.TSO.* UACC(NONE)
RDEFINE FIELD FLAC.SKIP.BASECHECK UACC(NONE)
PERMIT USER.TSO.* CLASS(FIELD) ID(GSADM1) ACCESS(UPDATE)
SETROPTS GENERIC(FIELD) RACLIST(FIELD) REFRESH

Issued by GSADM1, the first ALTUSER succeeds because GSADM1 has BASE-segment authority over USER2; the second fails because GSADM1 has no such authority over USER1, even though GSADM1 has UPDATE access to USER.TSO.*:

ALTUSER USER2 TSO(PROC(OMVSPROC))
(success)
ALTUSER USER1 TSO(PROC(OMVSPROC))

IRR52127I Field level access checking failed for segment segment-name.
ICH51012I RACF AUTHORITY DENIED BY FIELD LEVEL ACCESS CHECKING.
ICH21004I {userid | DFLTGRP | OWNER | USER} NOT ALTERED.

There are two ways to set up the FLAC.SKIP.BASECHECK profile. If the profile is defined with UACC(READ), field-level access checking proceeds without taking BASE-segment authorization into account: anyone with FIELD access to a particular field can access that field in every profile defined to RACF. To scope selected administrators so that their access to non-BASE fields is limited by profile ownership or group-SPECIAL, use the PERMIT command to place those administrators on the access list of FLAC.SKIP.BASECHECK with an access of NONE; an explicit NONE entry overrides the UACC of READ for that user.

Alternatively, the FLAC.SKIP.BASECHECK profile can be given UACC(NONE). This immediately limits all use of field-level access checking to users who have BASE-segment access according to the profile-manipulation rules of the command processors. Users who require system-wide access to non-BASE fields should then be given READ access to FLAC.SKIP.BASECHECK with the PERMIT command.

The FLAC.SKIP.BASECHECK option is honoured only by the following RACF command processors:
  • ADDUSER
  • ALTUSER
  • LISTUSER
  • ADDGROUP
  • ALTGROUP
  • LISTGROUP
  • RDEFINE
  • RALTER
  • RLIST
  • ADDSD
  • ALTDSD
  • LISTDSD
Programs that use ICHEINTY or RACROUTE REQUEST=EXTRACT to manipulate non-BASE segments and fields behave differently from the commands listed above. Those command processors are the final arbiters of whether a user may manipulate the BASE segment of a profile; programs that go through the ICHEINTY or RACROUTE REQUEST=EXTRACT interfaces cannot make that determination.

If a user-written program uses ICHEINTY or RACROUTE to manipulate non-BASE segment data and the FLAC.SKIP.BASECHECK profile is defined, requests from users with READ access to FLAC.SKIP.BASECHECK succeed subject only to the user's access to the relevant FIELD class profiles. Requests from users with access NONE to FLAC.SKIP.BASECHECK fail for all non-BASE segment and field information, even where the same users could perform the same operations through the RACF commands. If the FLAC.SKIP.BASECHECK profile is not defined, an ICHEINTY call is processed as if the user had READ access to FLAC.SKIP.BASECHECK.

Users with access of NONE to FLAC.SKIP.BASECHECK are still able to alter the fields in their own user profiles that have UPDATE permission granted to &RACUID. The new scoping rules in effect due to having NONE access to FLAC.SKIP.BASECHECK do not apply when using ALTUSER to alter an individual's own profile and when &RACUID is on the access list of the fields being updated.

Users with access of NONE to FLAC.SKIP.BASECHECK are still able to list those fields in their own user profiles to which they have been granted READ permission. The new scoping rules in effect due to having NONE access to FLAC.SKIP.BASECHECK do not apply when using LISTUSER to list an individual's own profile.
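The interaction of these rules (FIELD profile access lists and UACC, ID(&RACUID), the SPECIAL/AUDITOR/ROAUDIT bypass, two-qualifier operands, and the FLAC.SKIP.BASECHECK scoping for command processors versus ICHEINTY callers) is easiest to see as one decision procedure. The following Python model is an added example and is not IBM code or any RACF interface; it reproduces the GSADM1 scenario above and the corner cases the text calls out. Its generic-name matching (a '*' qualifier matching one whole qualifier), the precedence it gives an ID(&RACUID) entry, its refusal to decide a field with no covering FIELD profile, and all user IDs, groups and profile names are assumptions constructed for the example.

```python
"""Decision model for RACF field-level access checking (added example, not IBM code)."""
from dataclasses import dataclass, field

LEVEL = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


def _matches(profile: str, name: str) -> bool:
    """Assumed simplified generic match: '*' stands for exactly one whole qualifier."""
    p, n = profile.split("."), name.split(".")
    return len(p) == len(n) and all(a in ("*", b) for a, b in zip(p, n))


@dataclass
class FieldProfile:
    name: str                                # "USER.TSO.*" or "USER.TSO.TACCNT"
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)  # user ID, group or "&RACUID" -> access


@dataclass
class User:
    userid: str
    groups: set = field(default_factory=set)
    special: bool = False
    auditor: bool = False                          # AUDITOR or ROAUDIT attribute
    base_access: set = field(default_factory=set)  # profiles alterable at BASE level
    skip_basecheck: bool = False                   # has READ to FLAC.SKIP.BASECHECK


class Flac:
    def __init__(self, profiles, class_active=True, skip_defined=True):
        self.profiles = list(profiles)
        self.class_active = class_active  # SETROPTS CLASSACT(FIELD) issued
        self.skip_defined = skip_defined  # FLAC.SKIP.BASECHECK profile exists

    def _best(self, name):
        hits = [p for p in self.profiles if _matches(p.name, name)]
        if not hits:  # the page does not state this case, so refuse to guess
            raise LookupError(f"no FIELD profile covers {name}")
        return min(hits, key=lambda p: p.name.count("*"))  # most specific wins

    @staticmethod
    def _granted(prof, user, own):
        # Standard RACF order: user ID entry, then group entries, then UACC.
        # Placing the &RACUID entry right after the user ID entry is an assumption.
        if user.userid in prof.acl:
            return LEVEL[prof.acl[user.userid]]
        if own and "&RACUID" in prof.acl:
            return LEVEL[prof.acl["&RACUID"]]
        grp = [LEVEL[prof.acl[g]] for g in user.groups if g in prof.acl]
        return max(grp) if grp else LEVEL[prof.uacc]

    def check(self, user, target, fields, access, via_command=True):
        """target: profile being manipulated, e.g. "USER.USER2".
        fields: FIELD-profile names for one operand (two for OPCLASS/OPCLASSN-style ones)."""
        want = LEVEL[access]
        if user.special or (user.auditor and want <= LEVEL["READ"]):
            return True                  # SPECIAL/AUDITOR/ROAUDIT need no FIELD profile
        if not self.class_active:
            return False                 # FIELD class inactive: only SPECIAL gets in
        own = target == f"USER.{user.userid}"
        names = fields if want >= LEVEL["UPDATE"] else fields[:1]  # Table 1, note 2
        profs = [self._best(n) for n in names]
        if any(self._granted(p, user, own) < want for p in profs):
            return False                 # denied by the FIELD profile itself
        if not self.skip_defined or user.skip_basecheck:
            return True                  # system-wide: no BASE-segment scoping
        if not via_command:
            return False                 # ICHEINTY/EXTRACT caller with NONE always fails
        if own and (want <= LEVEL["READ"]
                    or all(LEVEL[p.acl.get("&RACUID", "NONE")] >= want for p in profs)):
            return True                  # own profile: LISTUSER, or ALTUSER via &RACUID
        return target in user.base_access  # command processor's BASE-segment authority


def page_example():
    """The page's GSADM1 scenario plus the corner cases the text calls out (constructed)."""
    profiles = [FieldProfile("USER.TSO.*", acl={"GSADM1": "UPDATE", "&RACUID": "READ"}),
                FieldProfile("USER.TSO.TACCNT"),  # exact name overrides the generic
                FieldProfile("USER.CICS.OPCLASS", acl={"CICSADM": "UPDATE"}),
                FieldProfile("USER.CICS.OPCLASSN", acl={"CICSADM": "READ"})]
    flac = Flac(profiles)  # FLAC.SKIP.BASECHECK defined with UACC(NONE)
    gsadm1 = User("GSADM1", base_access={"USER.USER2"})  # group-SPECIAL over USER2's owner
    user1 = User("USER1")
    cicsadm = User("CICSADM", skip_basecheck=True)
    tlproc, taccnt = ["USER.TSO.TLPROC"], ["USER.TSO.TACCNT"]
    opclass = ["USER.CICS.OPCLASS", "USER.CICS.OPCLASSN"]
    return {
        "gsadm1_alters_user2_proc": flac.check(gsadm1, "USER.USER2", tlproc, "UPDATE"),
        "gsadm1_alters_user1_proc": flac.check(gsadm1, "USER.USER1", tlproc, "UPDATE"),
        "gsadm1_alters_user2_acctnum": flac.check(gsadm1, "USER.USER2", taccnt, "UPDATE"),
        "gsadm1_via_icheinty": flac.check(gsadm1, "USER.USER2", tlproc, "UPDATE", False),
        "user1_lists_own_proc": flac.check(user1, "USER.USER1", tlproc, "READ"),
        "user1_alters_own_proc": flac.check(user1, "USER.USER1", tlproc, "UPDATE"),
        "cicsadm_reads_opclass": flac.check(cicsadm, "USER.USER1", opclass, "READ"),
        "cicsadm_sets_opclass": flac.check(cicsadm, "USER.USER1", opclass, "UPDATE"),
    }


if __name__ == "__main__":
    for case, ok in page_example().items():
        print(f"{case:30} {'granted' if ok else 'denied'}")
```

The model makes the two failure modes that surprise administrators explicit: GSADM1's UPDATE on USER.TSO.* is silently narrowed to USER2 once FLAC.SKIP.BASECHECK exists and GSADM1 lacks READ to it, and the same request through ICHEINTY is denied outright, while an exact profile such as USER.TSO.TACCNT with UACC(NONE) takes precedence over the generic and withholds the account-number field even from an administrator who holds UPDATE on the generic.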

Table 1. Fields in RACF segments that correspond to RACF command operands

Left column: the command operand whose use is to be controlled (see note 1). Right column: the value to specify as the field-name qualifier.

CDTINFO segment in general resource profiles (CDT class):
    CASE                    CDTCASE
    DEFAULTRC               CDTDFTRC
    DEFAULTUACC             CDTUACC
    FIRST                   CDTFIRST
    GENERIC                 CDTGEN
    GENLIST                 CDTGENL
    GROUP                   CDTGROUP
    KEYQUALIFIERS           CDTKEYQL
    MACPROCESSING           CDTMAC
    MAXLENGTH               CDTMAXLN
    MAXLENX                 CDTMAXLX
    MEMBER                  CDTMEMBR
    OPERATIONS              CDTOPER
    OTHER                   CDTOTHER
    POSIT                   CDTPOSIT
    PROFILESALLOWED         CDTPRFAL
    RACLIST                 CDTRACL
    SECLABELSREQUIRED       CDTSLREQ
    SIGNAL                  CDTSIGL

CFDEF segment in general resource profiles (CFIELD class):
    TYPE                    CFDTYPE
    MAXLENGTH               CFMXLEN
    MAXVALUE                CFMXVAL
    MINVALUE                CFMNVAL
    FIRST                   CFFIRST
    OTHER                   CFOTHER
    MIXED                   CFMIXED
    HELP                    CFHELP
    LISTHEAD                CFLIST

CICS segment in user profiles:
    OPCLASS                 OPCLASS and OPCLASSN (2)
    OPIDENT                 OPIDENT
    OPPRTY                  OPPRTY
    RSLKEY                  RSLKEY and RSLKEYN (2)
    TIMEOUT                 TIMEOUT
    TSLKEY                  TSLKEY and TSLKEYN (2)
    XRFSOFF                 XRFSOFF

CSDATA segment in user and group profiles:
    custom-field-name       custom-field-name

DCE segment in user profiles:
    AUTOLOGIN               DCEFLAGS
    DCENAME                 DCENAME
    HOMECELL                HOMECELL
    HOMEUUID                HOMEUUID
    UUID                    UUID

DFP segment in data set profiles:
    RESOWNER                RESOWNER
    DATAKEY                 DATAKEY

DFP segment in user and group profiles:
    DATAAPPL                DATAAPPL
    DATACLAS                DATACLAS
    MGMTCLAS                MGMTCLAS
    STORCLAS                STORCLAS

DLFDATA segment in DLFCLASS class profiles:
    RETAIN                  RETAIN
    JOBNAMES                JOBNAMES and JOBNMCNT (2)

EIM segment in user profiles:
    LDAPPROF                LDAPPROF

EIM segment in FACILITY and LDAPBIND class profiles:
    DOMAINDN                DOMAINDN
    KERBREGISTRY            KERBREG
    LOCALREGISTRY           LOCALREG
    OPTIONS                 OPTIONS
    X509REGISTRY            X509REG

ICSF segment in CSFKEYS, GCSFKEYS, XCSFKEY, and GXCSFKEY class profiles:
    ASYMUSAGE               CSFAUSE
    SYMEXPORTABLE           CSFSEXP
    SYMEXPORTCERTS          CSFSCLBS and CSFSCLCT (2)
    SYMEXPORTKEYS           CSFSKLBS and CSFSKLCT (2)
    SYMCPACFWRAP            CSFSCPW
    SYMCPACFRET             CSFSCPR

ICTX segment in LDAPBIND class profiles:
    USEMAP                  USEMAP
    DOMAP                   DOMAP
    MAPREQUIRED             MAPREQ
    MAPPINGTIMEOUT          MAPTIMEO

JES segment in JESJOBS class profiles:
    KEYLABEL                KEYLABEL

KERB segment in user profiles:
    ENCRYPT                 ENCRYPT
    KERBNAME                KERBNAME
    MAXTKTLFE               MAXTKTLFE

KERB segment in REALM class profiles:
    CHECKADDRS              CHKADDRS
    DEFTKTLFE               DEFTKTLFE
    ENCRYPT                 ENCRYPT
    KERBNAME                KERBNAME
    MAXTKTLFE               MAXTKTLFE
    MINTKTLFE               MINTKTLFE

LANGUAGE segment in user profiles:
    PRIMARY                 USERNL1
    SECONDARY               USERNL2

LNOTES segment in user profiles:
    SNAME                   SNAME

MFA segment in MFADEF class profiles:
    MFA                     MFDATA

MFPOLICY segment in MFADEF class profiles:
    MFPOLICY                MFDATA

NDS segment in user profiles:
    UNAME                   UNAME

NETVIEW segment in user profiles:
    IC                      IC
    CONSNAME                CONSNAME
    CTL                     CTL
    MSGRECVR                MSGRECVR
    OPCLASS                 OPCLASS and OPCLASSN (2)
    DOMAINS                 DOMAINS and DOMAINSN (2)
    NGMFADMN                NGMFADMN
    NGMFVSPN                NGMFVSPN

OMVS segment in group profiles:
    GID                     GID

OMVS segment in user profiles:
    ASSIZEMAX               ASSIZE
    CPUTIMEMAX              CPUTIME
    FILEPROCMAX             FILEPROC
    HOME                    HOME
    MEMLIMIT                MEMLIMIT
    MMAPAREAMAX             MMAPAREA
    PROCUSERMAX             PROCUSER
    PROGRAM                 PROGRAM
    SHMEMMAX                SHMEMMAX
    THREADSMAX              THREADS
    UID                     UID

OPERPARM segment in user profiles:
    ALTGRP (3)              OPERALTG
    AUTH                    OPERAUTH
    AUTO                    OPERAUTO
    CMDSYS                  OPERCMDS
    DOM                     OPERDOM
    KEY                     OPERKEY
    HC                      OPERHC
    INTIDS                  OPERINT
    LEVEL                   OPERLEVL
    LOGCMDRESP              OPERLOGC
    MFORM                   OPERMFRM
    MIGID (3)               OPERMGID
    MONITOR                 OPERMON
    MSCOPE                  OPERMSCP and OPERMCNT (2)
    ROUTCODE                OPERROUT
    STORAGE                 OPERSTOR
    UD (3)                  OPERUD
    UNKNIDS                 OPERUNKN

OVM segment in group profiles:
    GID                     GID

OVM segment in user profiles:
    FSROOT                  FSROOT
    HOME                    HOME
    PROGRAM                 PROGRAM
    UID                     UID

PROXY segment in user and FACILITY class profiles:
    BINDDN                  BINDDN
    LDAPHOST                LDAPHOST

SESSION segment in APPCLU class profiles:
    CONVSEC                 CONVSEC
    INTERVAL                KEYINTVL
    LOCK                    SLSFLAGS
    SESSKEY                 SESSKEY

SIGVER segment in PROGRAM class profiles:
    SIGREQUIRED             SIGREQD
    FAILLOAD                FAILLOAD
    SIGAUDIT                SIGAUDIT (4)

SSIGNON segment in PTKTDATA class profiles:
    KEYENCRYPTED            SSKEY
    KEYMASKED               SSKEY
    ENCRYPTKEY              SSKEY
    KEYLABEL                SSKEY
    NOLEGACYKEY             SSKEY
    EPTKEYLABEL             PTKEYLAB
    TYPE                    PTTYPE
    TIMEOUT                 PTTIMEO
    REPLAY                  PTREPLAY

STDATA segment in STARTED class profiles:
    USER                    STUSER
    GROUP                   STGROUP
    PRIVILEGED              FLAGPRIV
    TRACE                   FLAGTRAC
    TRUSTED                 FLAGTRUS

SVFMR segment in SYSMVIEW class profiles:
    PARMNAME                PARMN
    SCRIPTNAME              SCRIPTN

TME segment in group and data set profiles:
    ROLES                   ROLES and ROLEN (2)

TME segment in general resource profiles:
    ROLES                   ROLES and ROLEN (2)
    GROUPS                  GROUPS and GROUPN (2)
    RESOURCE                RESOURCE and RESN (2)
    CHILDREN                CHILDREN and CHILDN (2)
    PARENT                  PARENT

TSO segment in user profiles:
    ACCTNUM                 TACCNT
    COMMAND                 TCOMMAND
    DEST                    TDEST
    HOLDCLASS               THCLASS
    JOBCLASS                TJCLASS
    PROC                    TLPROC
    MAXSIZE                 TMSIZE
    MSGCLASS                TMCLASS
    SECLABEL                TSOSLABL
    SIZE                    TLSIZE
    SYS                     TSCLASS
    UNIT                    TUNIT
    USERDATA                TUDATA

WORKATTR segment in user profiles:
    WANAME                  WANAME
    WABLDG                  WABLDG
    WADEPT                  WADEPT
    WAROOM                  WAROOM
    WAADDR1                 WAADDR1
    WAADDR2                 WAADDR2
    WAADDR3                 WAADDR3
    WAADDR4                 WAADDR4
    WAACCNT                 WAACCNT
    WAEMAIL                 WAEMAIL
Note:
  1. Many operands in this table have corresponding versions that include a prefix of NO. In addition, several operands have corresponding versions that include prefixes of ADD and DEL. See the z/OS Security Server RACF Command Language Reference to identify these.
  2. For operands that are listed with two field-name qualifiers:
    • To authorize READ access, define one FIELD profile specifying the first value as the field-name qualifier. Permit users READ access.
    • To authorize UPDATE access, define two FIELD profiles. Define one profile for each of the two field-name qualifiers listed. Permit users UPDATE access to both profiles.
  3. This setting is ignored when each system sharing the RACF database runs z/OS Version 1 Release 8 or higher.
  4. The SIGAUDIT field controls the audit policy related to digital signature verification of programs. Users with the AUDITOR or ROAUDIT attribute can list the SIGAUDIT field but they cannot update it unless they have UPDATE authority through field-level access checking.