RACF-protecting all data sets (PROTECTALL option)
If you have the SPECIAL attribute, you can activate PROTECTALL processing by using the PROTECTALL operand of the SETROPTS command. While PROTECTALL is active, a user can create or access a data set only if the data set is RACF-protected by a discrete or generic profile, or if the access is allowed by global access checking. When PROTECTALL is in effect, generic profile checking should also be in effect for the DATASET class; otherwise, only discrete profiles are used during authorization checking, and users can create only data sets that are covered by a discrete profile. The following examples show how to specify these options:
SETROPTS PROTECTALL
SETROPTS GENERIC(DATASET)
Note:
- PROTECTALL requires that you RACF-protect all data sets. This protection includes tape data sets if your installation specifies TAPEDSN on the SETROPTS command.
- After defining, altering, or deleting a generic profile, issue the following command so that the changed profile is used during authorization checking:
SETROPTS GENERIC(DATASET) REFRESH
- Started procedures with the privileged or trusted attribute and users with the SPECIAL attribute can access a data set that has no RACF® profile, even if PROTECTALL is in effect. These exceptions allow recovery if a critical profile is accidentally deleted.
- If the global access checking table contains the entry
&RACUID.**/ALTER
for the DATASET class, users can create unprotected data sets even if PROTECTALL is in effect, because RACF replaces &RACUID with the ID of the requesting user and the entry then grants that user ALTER access to any data set under that user's own high-level qualifier. Other users cannot access those data sets: no profile protects them, and the entry does not match for any other user ID.
PROTECTALL also has a warning option. With it, the request is allowed even though the data set is not protected, but a warning message is sent to the user and to the MVS™ console.
For example:
SETROPTS PROTECTALL(WARNING)
Guideline: Before using PROTECTALL(WARNING), perform the following actions to reduce the number of messages generated:
- Ensure that a RACF user or group profile is defined for all catalog aliases.
- Ensure that all RACF users and groups have a generic data set profile of the form 'high-level-qualifier.*' or, if SETROPTS EGN is in effect, 'high-level-qualifier.**'.
Note:
PROTECTALL applies to all data sets that do not have system-generated temporary names and whose names do not begin with **SYSUT. You can extend PROTECTALL to temporary data sets with system-generated names by using the naming conventions table to modify the name that RACF uses, so that it looks like a permanent name. If your installation uses nonstandard names for temporary data sets, you must also predefine entries in the global access checking table that allow these data sets to be created and accessed.
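The decision rules described in this section (discrete-then-generic profile lookup, the effect of GENERIC(DATASET), global access checking with &RACUID substitution, the SPECIAL/privileged/trusted exception, the WARNING option, and the temporary-name exemption) can be traced through in a small simulation. The following Python model is an added illustration, not IBM code and not RACF's actual algorithm: generic-name matching is simplified (first match rather than most specific, EXECUTE access omitted), the temporary-name format SYSyyddd.Thhmmss.RA000 is an assumption, and the profiles, user IDs and data set names are constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Access authorities in increasing order (EXECUTE omitted in this simplified model).
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Setropts:
    protectall: str = "NO"         # "NO" (NOPROTECTALL, the initial state), "YES" or "WARNING"
    generic_dataset: bool = False  # SETROPTS GENERIC(DATASET) in effect
    egn: bool = False              # SETROPTS EGN in effect: '**' allowed, trailing '*' = one qualifier


@dataclass
class User:
    userid: str
    special: bool = False
    privileged_or_trusted: bool = False  # started procedure with the PRIVILEGED or TRUSTED attribute


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)  # userid -> access authority


@dataclass
class RacfDb:
    discrete: dict      # fully qualified data set name -> Profile
    generic: list       # Profiles whose names contain *, ** or %
    global_table: list  # (entry, access) pairs of the global access checking table, class DATASET


def qual_matches(pat, qual):
    """One qualifier: '*' matches any characters, '%' exactly one character (simplified)."""
    rx = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c) for c in pat)
    return re.fullmatch(rx, qual) is not None


def match_quals(pat, name, egn):
    """Match a generic name against a data set name, both as qualifier lists.
    '**' matches zero or more qualifiers; without EGN a trailing '*' matches one or more."""
    if not pat:
        return not name
    head, rest = pat[0], pat[1:]
    if head == "**" or (head == "*" and not rest and not egn):
        first = 0 if head == "**" else 1
        return any(match_quals(rest, name[i:], egn) for i in range(first, len(name) + 1))
    return bool(name) and qual_matches(head, name[0]) and match_quals(rest, name[1:], egn)


def is_exempt(dsn):
    """Names PROTECTALL does not cover: system-generated temporary names (assumed here to
    look like SYSyyddd.Thhmmss.RA000...) and names beginning with **SYSUT."""
    return dsn.startswith("**SYSUT") or re.match(r"SYS\d{5}\.T\d{6}\.RA000\.", dsn) is not None


def find_profile(db, opts, dsn):
    """A discrete profile wins; generic profiles count only when GENERIC(DATASET) is active.
    RACF chooses the most specific matching generic; this model simply takes the first match."""
    if dsn in db.discrete:
        return db.discrete[dsn]
    if opts.generic_dataset:
        quals = dsn.split(".")
        for prof in db.generic:
            if match_quals(prof.name.split("."), quals, opts.egn):
                return prof
    return None


def check_access(db, opts, user, dsn, requested):
    """Decide one DATASET request; returns (allowed, reason)."""
    if is_exempt(dsn):
        return True, "not subject to PROTECTALL (temporary or **SYSUT name)"
    quals = dsn.split(".")
    # Global access checking runs before profile lookup; &RACUID becomes the requester's ID.
    for entry, access in db.global_table:
        entry = entry.replace("&RACUID", user.userid)
        if match_quals(entry.split("."), quals, opts.egn) and ACCESS_RANK[access] >= ACCESS_RANK[requested]:
            return True, f"global access checking entry {entry}/{access}"
    prof = find_profile(db, opts, dsn)
    if prof is not None:
        granted = prof.acl.get(user.userid, prof.uacc)
        return ACCESS_RANK[granted] >= ACCESS_RANK[requested], f"profile {prof.name} grants {granted}"
    # No profile at all: this is the case that PROTECTALL governs.
    if opts.protectall == "NO":
        return True, "unprotected data set, NOPROTECTALL in effect"
    if user.special or user.privileged_or_trusted:
        return True, "no profile, but SPECIAL/privileged/trusted users bypass PROTECTALL"
    if opts.protectall == "WARNING":
        return True, "WARNING: no profile, request allowed, message to user and MVS console"
    return False, "no profile and PROTECTALL is active"


# Constructed sample data: one discrete profile, two generic profiles, no global entries.
SAMPLE_DB = RacfDb(
    discrete={"PAYROLL.MASTER": Profile("PAYROLL.MASTER", acl={"PAYADM": "ALTER"})},
    generic=[Profile("ALICE.**", acl={"ALICE": "ALTER"}), Profile("PROD.**", uacc="READ")],
    global_table=[],
)
# Same database plus the &RACUID.**/ALTER global access checking entry discussed above.
GLOBAL_DB = RacfDb(SAMPLE_DB.discrete, SAMPLE_DB.generic, [("&RACUID.**", "ALTER")])

STRICT = Setropts(protectall="YES", generic_dataset=True, egn=True)
NO_GENERIC = Setropts(protectall="YES", generic_dataset=False, egn=True)
WARN = Setropts(protectall="WARNING", generic_dataset=True, egn=True)
BOB, CAROL, ALICE, PAYADM = User("BOB"), User("CAROL"), User("ALICE"), User("PAYADM")
SECADM = User("SECADM", special=True)

if __name__ == "__main__":
    for opts, user, dsn, acc in [(STRICT, BOB, "BOB.NEW.DATA", "ALTER"), (WARN, BOB, "BOB.NEW.DATA", "ALTER"),
                                 (NO_GENERIC, ALICE, "ALICE.WORK.CNTL", "READ"), (STRICT, SECADM, "BOB.NEW.DATA", "READ")]:
        print(user.userid, dsn, acc, check_access(SAMPLE_DB, opts, user, dsn, acc))
    print("CAROL", "BOB.NEW.DATA", "READ", check_access(GLOBAL_DB, STRICT, CAROL, "BOB.NEW.DATA", "READ"))
```

Run it as a script to see the reasons printed for each case. The NO_GENERIC case is the one the text warns about: ALICE.** exists, but without GENERIC(DATASET) it is never consulted, so under PROTECTALL the request fails as though no profile existed. The GLOBAL_DB case shows why the &RACUID.**/ALTER entry lets BOB create BOB.NEW.DATA while CAROL, whose substituted entry is CAROL.**, is refused.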
If you have the SPECIAL attribute, you can also deactivate PROTECTALL processing by using the NOPROTECTALL operand.
NOPROTECTALL is in effect when RACF is first initialized.