If you are the owner of a data set, you might want to determine
what protection the data set has. For example, you might want to find
out what users and groups can access the data set.
Note: Contact your security administrator if any problems occur with
your data set protection.
To see how a data set is protected:
1. Determine whether a discrete profile protects the data set by issuing the LISTDSD command as follows:
   LISTDSD DATASET('dataset-name') ALL
   You will see one of the following results on your screen:
   - A listing for that profile, if the data set is protected by a discrete profile.
   - A listing for the generic profile, if the data set is not protected by a discrete profile but is protected by a fully-qualified generic profile, and generic profile command processing is active. (A generic profile is identified by a "G" in parentheses following the profile name.)
   - A message stating that no profile was found, if the data set is not protected by a discrete profile.
   Note: If generic profile checking is active, and you get the message that no profile was found, you must do Step 2 to check for generic profiles.
   If the command succeeds, you will see a listing of the profile similar to that shown in Figure 1.
2. Determine whether the data set is protected by a generic profile by entering the LISTDSD command with the GENERIC operand as follows:
   LISTDSD DATASET('dataset-name') ALL GENERIC
   You will see one of the following results on your screen:
   - A listing for that profile, if the data set is protected by a fully-qualified generic profile.
   - A listing for the most specific generic profile that protects the data set, if the data set is not protected by a fully-qualified generic profile but is protected by a generic profile.
   - A message stating that no profile was found, if the data set is not protected by a generic profile.
   If the command succeeds, you will see a listing of the profile, similar to that shown in Figure 1.
If the command indicates that a profile is not found, protect the data set with a discrete or generic profile. See Creating a discrete profile to protect a data set or Creating a generic profile to protect a data set for more information. If the command fails, contact your RACF® security administrator.
Figure 1. LISTDSD command: sample output

INFORMATION FOR DATASET profile-name

LEVEL  OWNER  UNIVERSAL ACCESS  WARNING  ERASE
-----  -----  ----------------  -------  -----
 00    SMITH        READ          NO      NO

AUDITING
--------
SUCCESS(UPDATE)

NOTIFY
--------
NO USER TO BE NOTIFIED

YOUR ACCESS   CREATION GROUP   DATASET TYPE
-----------   --------------   ------------
   READ          DEPTD60         NON-VSAM

VOLUMES ON WHICH DATASET RESIDES   UNIT
--------------------------------   ----
21345                              SYSDA

INSTALLATION DATA
-----------------
PL/1 LINK LIBRARY

SECURITY LEVEL
------------------------------------------------
NO SECURITY LEVEL

CATEGORIES
----------
NOCATEGORIES

SECLABEL
--------
NO SECLABEL

CREATION DATE   LAST REFERENCE DATE   LAST CHANGE DATE
(DAY) (YEAR)    (DAY) (YEAR)          (DAY) (YEAR)
-------------   -------------------   ----------------
 070   95        090   98              090   98

ALTER COUNT   CONTROL COUNT   UPDATE COUNT   READ COUNT
-----------   -------------   ------------   ----------
   00000          00000          00002         00000

ID        ACCESS   ACCESS COUNT
--------  -------  ------------
JONES     UPDATE          00009

ID        ACCESS   ACCESS COUNT   CLASS     ENTITY NAME
--------  -------  ------------   --------  -----------------------
NO ENTRIES IN CONDITIONAL ACCESS LIST

DFP INFORMATION

RESOWNER
--------
SMITH
Check the following fields for the most important security information about how the data set is protected:
- LEVEL field (if used at your installation)
- OWNER field
- UNIVERSAL ACCESS field
- WARNING field
- SECURITY LEVEL field (if used at your installation)
- CATEGORIES field (if used at your installation)
- SECLABEL field (if used at your installation)
- ID field and its related ACCESS and ACCESS COUNT fields
- PROGRAM field and its related ID, ACCESS, and ACCESS COUNT fields
Here are detailed descriptions of the fields appearing in the output:
- INFORMATION FOR DATASET profile-name
- This phrase appears for each data set profile listed.
Note: If the profile is a generic profile, the phrase looks like the following sample: INFORMATION FOR DATASET profile-name (G)
- LEVEL
- A security classification indicator used by each individual installation.
If anything other than 00 appears in this field, see your RACF security administrator for
an explanation of the number.
- OWNER
- Each RACF-defined data set has an owner, which can be a user ID
or a group. When you create a data set and then RACF-protect the data
set without specifying an owner, RACF names
you as the owner of the data set profile. The owner of the profile
can modify the data set profile.
- UNIVERSAL ACCESS
- Each data set protected by RACF has
a universal access authority (UACC). The UACC permits users or groups
to use the data set in the manner specified in this field. In this
example, the UACC is READ. Anyone can read this data set. (The only
exception is if the user or group is specifically named in the access
list with ACCESS of NONE.)
- WARNING
- If this field contains YES, RACF permits
a user to access this resource even though his or her access authority
is insufficient. RACF issues
a warning message to the user who is attempting access; you
are notified only if your user ID is the NOTIFY user ID.
If this
field contains NO, RACF denies
access to users with insufficient authority to access this resource.
- ERASE
- If this field contains YES, and erase-on-scratch is in effect
on your system, data management physically erases the DASD data set
extents when the data set is deleted. If this field contains NO, data
management does not erase DASD data set extents when the data set
is deleted.
Note: Your installation could specify erase-on-scratch
for all data sets that have a security level equal to or greater than
the security level specified by the installation. If this data set's
security level is equal to or greater than the security level specified
by the installation, this data set will be erased even if the ERASE
field in the profile contains NO.
- AUDITING
- The type of access attempts that are recorded. In this example,
the AUDITING is SUCCESS(UPDATE). RACF records
all successful attempts to update the data set.
- NOTIFY
- The user ID of a RACF-defined user that RACF notifies when denying access to a data
set protected by this profile.
- YOUR ACCESS
- How you can access this data set.
If you must work with the
listed data set but do not have the required authority, ask the owner
(OWNER field) to issue a PERMIT command to give you access to the
data set.
- CREATION GROUP
- The group under which the profile was created.
- DATASET TYPE
- The data set type. It can be either VSAM, NON-VSAM, MODEL, or
TAPE.
- VOLUME ON WHICH THE DATASET RESIDES
- The volume on which a non-VSAM data set resides or the volume
on which the catalog for a VSAM data set resides.
- UNIT
- The unit type for a non-VSAM data set.
- INSTALLATION-DATA
- Any information your installation keeps in this data set profile.
- CREATION DATE
- The date the profile was created.
- SECURITY-LEVEL
- Your installation can define its own security levels. This security
level is a name associated with the numeric value shown in the LEVEL
field earlier in this output. The security level displayed is the
minimum security level you need to access a data set protected by
this profile.
- CATEGORIES
- Your installation can define its own security categories. The
names displayed are the security categories you need to access a data
set protected by this profile.
- SECURITY-LABEL
- Your installation can define its own security labels. This security
label is a name used to represent the association between a particular
security level and a set of zero or more security categories. The
security label displayed is the minimum security label you need to
access a data set protected by this profile.
- LAST REFERENCE DATE
- The last time the profile was accessed.
- LAST CHANGE DATE
- The last time the profile was changed.
- ALTER COUNT
- The total number of times the data set protected by the profile
was altered (not present for generic profiles).
Note: If your RACF security administrator has
chosen not to record statistics for the DATASET class, this value
does not change.
- CONTROL COUNT
- The total number of times the data set protected by the profile
was successfully accessed with CONTROL authority (not present for
generic profiles).
Note: If your RACF security
administrator has chosen not to record statistics for the DATASET
class, this value does not change.
- UPDATE COUNT
- The total number of times the data set protected by the profile
was successfully accessed with UPDATE authority (not present for generic
profiles).
Note: If your RACF security
administrator has chosen not to record statistics for the DATASET
class, this value does not change.
- READ COUNT
- The total number of times the data set protected by the profile
was successfully accessed with READ authority (not present for generic
profiles).
Note: If your RACF security
administrator has chosen not to record statistics for the DATASET
class, this value does not change.
- ID, ACCESS, and ACCESS COUNT
- These fields describe the standard access list. ID is the user ID or group name given the access authority listed in the ACCESS field. ACCESS COUNT is the number of times the user listed in the ID field accessed the data set (ACCESS COUNT is not present for generic profiles).
Note: If your RACF security administrator has chosen not to record statistics for the DATASET class, this value does not change.
- ID, ACCESS, ACCESS COUNT, CLASS, and ENTITY NAME
- These fields refer to entries in the conditional access list. A conditional access list is an access list in the data set profile that specifies another condition which must be satisfied for a user to get the specified access authority.
The CLASS and ENTITY NAME fields describe one of the following conditions which must be satisfied before authorization to the data set is granted to the user in the ID field.
- If CLASS is APPCPORT, the ENTITY NAME is the name of the APPC
port of entry, or logical unit (LU), through which the user must enter
the system.
- If CLASS is CONSOLE, the ENTITY NAME is the name of the system
console from which the request must be sent.
- If CLASS is JESINPUT, the ENTITY NAME is the name of the JES input
device through which the user must enter the system.
- If CLASS is PROGRAM, the ENTITY NAME is the name of the program
the user must be running.
- If CLASS is TERMINAL, the ENTITY NAME is the name of the terminal
through which the user must enter the system.
ACCESS is the level of access to the data set that RACF grants when the condition
is satisfied.
ACCESS COUNT is the number of times the user
has accessed the data set under the condition described (ACCESS COUNT
is not present for generic profiles).
Note: If your RACF security administrator has chosen not to
record statistics for the DATASET class, the ACCESS COUNT value does
not change.
- DFP INFORMATION / RESOWNER
- The RESOWNER field contains the user ID or group name of the owner
of the resource. In this case, the resource is the data set; the owner
of the data set need not be the same as the owner of the profile.
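When many data sets have to be reviewed, the fields singled out in the checklist above (OWNER, UNIVERSAL ACCESS, WARNING, and the ID/ACCESS entries of both the standard and the conditional access list) can be pulled out of saved LISTDSD output rather than read by eye. The following Python script is an added example and is not IBM's or RACF's code. It assumes the column layout shown in Figure 1; the two sample listings embedded in it are constructed for the example (a discrete profile with UACC READ, and a second one with WARNING mode on and a PROGRAM-conditioned entry), not captured from a real system. The access-authority ranking follows the RACF hierarchy NONE, EXECUTE, READ, UPDATE, CONTROL, ALTER.

```python
"""Audit saved LISTDSD output for the security-relevant fields.

Added example (not IBM/RACF code). It assumes the column layout shown in
Figure 1 of this page; the two sample listings below are constructed,
not captured from a real system.
"""
import re

# RACF access authority hierarchy, lowest to highest.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3,
               "CONTROL": 4, "ALTER": 5}

# Constructed sample, laid out like Figure 1 (discrete profile, UACC READ).
SAMPLE_DISCRETE = """\
INFORMATION FOR DATASET SMITH.PL1.LOAD

LEVEL  OWNER  UNIVERSAL ACCESS  WARNING  ERASE
-----  -----  ----------------  -------  -----
 00    SMITH        READ          NO      NO

AUDITING
--------
SUCCESS(UPDATE)

NOTIFY
--------
NO USER TO BE NOTIFIED

ID        ACCESS   ACCESS COUNT
--------  -------  ------------
JONES     UPDATE          00009

ID        ACCESS   ACCESS COUNT   CLASS     ENTITY NAME
--------  -------  ------------   --------  -----------
NO ENTRIES IN CONDITIONAL ACCESS LIST
"""

# Constructed sample with WARNING mode on and one conditional access entry.
SAMPLE_CONDITIONAL = """\
INFORMATION FOR DATASET PAYROLL.MASTER

LEVEL  OWNER  UNIVERSAL ACCESS  WARNING  ERASE
-----  -----  ----------------  -------  -----
 00    SMITH        NONE          YES     YES

ID        ACCESS   ACCESS COUNT
--------  -------  ------------
NO ENTRIES IN STANDARD ACCESS LIST

ID        ACCESS   ACCESS COUNT   CLASS     ENTITY NAME
--------  -------  ------------   --------  -----------
JONES     UPDATE          00000   PROGRAM   PAYUPDT
"""


def parse_listdsd(text):
    """Return a dict of the key fields from one LISTDSD profile listing."""
    lines = text.splitlines()
    profile = {"standard_access": [], "conditional_access": []}
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("INFORMATION FOR DATASET"):
            name = line[len("INFORMATION FOR DATASET"):].strip()
            profile["generic"] = name.endswith("(G)")   # "(G)" marks a generic profile
            profile["name"] = name[:-3].strip() if profile["generic"] else name
        elif line.startswith("LEVEL") and "OWNER" in line:
            # Header line, dashed rule, then one data row with five columns.
            level, owner, uacc, warning, erase = lines[i + 2].split()
            profile.update(level=level, owner=owner, uacc=uacc,
                           warning=warning, erase=erase)
            i += 2
        elif line == "AUDITING":
            profile["auditing"] = lines[i + 2].strip()
            i += 2
        elif re.match(r"ID\s+ACCESS", line):
            # The conditional access list header carries CLASS / ENTITY NAME columns.
            key = "conditional_access" if "CLASS" in line else "standard_access"
            i += 2
            while i < len(lines) and lines[i].strip():
                tokens = lines[i].split()
                if tokens[0] == "NO":        # "NO ENTRIES IN ... ACCESS LIST"
                    break
                entry = {"id": tokens[0], "access": tokens[1], "count": int(tokens[2])}
                if key == "conditional_access":
                    entry["class"] = tokens[3]
                    entry["entity"] = " ".join(tokens[4:])
                profile[key].append(entry)
                i += 1
        i += 1
    return profile


def audit_profile(profile):
    """List the conditions a reviewer of the profile would want to look at."""
    findings = []
    if ACCESS_RANK.get(profile["uacc"], 0) > ACCESS_RANK["NONE"]:
        findings.append(f"UACC is {profile['uacc']}: users not on the access "
                        "list still get that access")
    if profile["warning"] == "YES":
        findings.append("WARNING is YES: insufficient authority is only "
                        "warned about, not denied")
    for e in profile["standard_access"]:
        if ACCESS_RANK.get(e["access"], 0) >= ACCESS_RANK["UPDATE"]:
            findings.append(f"{e['id']} has {e['access']} in the standard access list")
    for e in profile["conditional_access"]:
        findings.append(f"{e['id']} has {e['access']} when {e['class']} is {e['entity']}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_DISCRETE, SAMPLE_CONDITIONAL):
        p = parse_listdsd(sample)
        print(p["name"], "->", audit_profile(p) or ["nothing flagged"])
```

The parser keys on the column headers rather than on line positions, so sections that are absent from a given listing (for example the count fields that generic profiles do not show) are simply skipped. Anything the script flags is a prompt to read the full listing and, where needed, ask the profile owner or the RACF security administrator, not a verdict on its own.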