ADDSD (Add data set profile)
Purpose
Use the ADDSD command to add RACF® protection to data sets with either discrete or generic profiles.
- The user of the data set issues the LISTDSD command:
    LISTDSD DA(data-set-protected-by-the-profile) GENERIC
  Note: Use the data set name, not the profile name.
- The security administrator issues the SETROPTS command:
    SETROPTS GENERIC(DATASET) REFRESH
  See SETROPTS command for authorization requirements.
- The user of the data set logs off and logs on again.
For more information, refer to z/OS Security Server RACF Security Administrator's Guide.
Issuing options
The following table identifies the eligible options for issuing the ADDSD command:
As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library? |
---|---|---|---|---|
Yes | Yes | Yes | Yes | Yes |
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
You must be logged on to the console to issue this command as a RACF operator command.
Related commands
- To change a data set profile, see ALTDSD (Alter data set profile).
- To delete a data set profile, see DELDSD (Delete data set profile).
- To permit or deny access to a data set profile, see PERMIT (Maintain resource access lists).
- To obtain a list of data set profiles, see SEARCH (Search RACF database).
- To list a data set profile, see LISTDSD (List data set profile).
Authorization required
When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see Controlling the use of operator commands in z/OS Security Server RACF Security Administrator's Guide.
- You need not have the SPECIAL attribute to specify the OWNER operand.
- To specify the AT keyword, you must have READ authority to the DIRECT.node resource in the RRSFDATA class and a user ID association must be established between the specified node.userid pair(s).
- To specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified on the ONLYAT keyword must have the SPECIAL attribute, and a user ID association must be established between the specified node.userid pair(s) if the user IDs are not identical.
- To protect a user data set with RACF, one of the following must be true:
  - The high-level qualifier of the data set name (or the qualifier supplied by the RACF naming conventions table or by a command installation exit) must match your user ID.
  - You must have the SPECIAL attribute.
  - The user ID for the data set profile must be within the scope of a group in which you have the group-SPECIAL attribute.
- To protect a group data set with RACF, one of the following must be true:
  - You must have at least CREATE authority in the group.
  - You must have the SPECIAL attribute.
  - You must have the OPERATIONS attribute and not be connected to the group.
  - The data set profile must be within the scope of the group in which you have the group-SPECIAL attribute.
  - The data set profile must be within the scope of the group in which you have the group-OPERATIONS attribute, and you must not be connected to the group.
- If you have the OPERATIONS or group-OPERATIONS attribute and are connected to a group, you must have at least CREATE authority in that group to protect a group data set.
- When creating a group data set profile, the profile creator's user ID is placed on the access list with ALTER authority unless the creation was allowed due to OPERATIONS or group-OPERATIONS authority or unless the SETROPTS NOADDCREATOR option is in effect.
- To define to RACF a data set that was brought from another system where it was RACF-indicated and RACF-protected with a discrete profile, one of the following must be true:
  - You must either have the SPECIAL attribute, or the data set's profile is within the scope of a group in which you have the group-SPECIAL attribute.
  - Your user ID must be the high-level qualifier of the data set name (or the qualifier supplied by the naming conventions routine or a command installation exit).
- To assign a security category to a profile, you must have the SPECIAL attribute or have the category in your user profile.
- To assign a security level to a profile, you must have the SPECIAL attribute or, in your own profile, a security level that is equal to or greater than the security level you are defining.
- To assign a security label to a profile, you must have the SPECIAL attribute or READ authority to the security label profile. However, the security administrator can limit the ability to assign security labels to only users with the SPECIAL attribute.
- To access the DFP or TME segment, field-level access checking is required.
- When either a user or group uses modeling to protect a data set with a discrete profile, RACF copies the following fields from the model profile: the level number, audit flags, global audit flags, the universal access authority (UACC), the owner, the warning, the access list, installation data, security category names, the security level name, the user to be notified, the retention period for a tape data set, and the erase indicator.
- To add a discrete profile for a VSAM data set already RACF-protected by a generic profile, you must have ALTER access authority to the catalog or to the data set through the generic profile.
- To use an existing profile as a model (the from profile named on the FROM operand), one of the following must be true:
  - You have the SPECIAL attribute.
  - The from profile is within the scope of a group in which you have the group-SPECIAL attribute.
  - You are the owner of the from profile.
  - The high-level qualifier of the profile name (or the qualifier supplied by the naming conventions routine or a command installation exit routine) is your user ID.
  - For a discrete profile, you are on the access list in the from profile with ALTER authority. (If you have any lower level of authority, you cannot use the profile as a model.)
  - For a discrete profile, your current connect group (or, if list-of-groups checking is active, any group to which you are connected) is on the access list in the from profile with ALTER authority.
  - For a discrete profile, the UACC is ALTER.
Syntax
For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the ADDSD command is:
    [subsystem-prefix]{ADDSD | AD}
        (profile-name-1 [/password] ...)
        [ ADDCATEGORY(category-name ...) ]
        [ AT([node].userid ...) | ONLYAT([node].userid ...) ]
        [ AUDIT(access-attempt[(audit-access-level)] ...) ]
        [ CSDATA( [ custom-field-name(custom-field-value) | NOcustom-field-name ] ... ) | NOCSDATA ]
        [ DATA('installation-defined-data') ]
        [ DFP( [ RESOWNER(userid or group-name) ] [ DATAKEY(CKDS key label) ] ) ]
        [ ERASE ]
        [ FCLASS(profile-name-2-class) ]
        [ FGENERIC ]
        [ FILESEQ(number) ]
        [ FROM(profile-name-2) ]
        [ FVOLUME(profile-name-2-serial) ]
        [ {GENERIC | MODEL | TAPE} ]
        [ LEVEL(nn) ]
        [ {SET | SETONLY | NOSET} ]
        [ NOTIFY[(userid)] ]
        [ OWNER(userid or group-name) ]
        [ RETPD(nnnnn) ]
        [ SECLABEL(security-label) ]
        [ SECLEVEL(security-level) ]
        [ TME([ ROLES(role-access-specification ...) ]) ]
        [ UACC(access-authority) ]
        [ UNIT(type) ]
        [ VOLUME(volume-serial ...) ]
        [ WARNING ]
For information on issuing this command as a RACF TSO command, refer to RACF TSO commands.
For information on issuing this command as a RACF operator command, refer to RACF operator commands.
Parameters
- subsystem-prefix
- Specifies that the RACF subsystem is the processing environment of the command. The subsystem prefix can be either the installation-defined prefix for RACF (1 - 8 characters) or, if no prefix has been defined, the RACF subsystem name followed by a blank. If the command prefix was registered with CPF, you can use the MVS command D OPDATA to display it or you can contact your RACF security administrator.
Only specify the subsystem prefix when issuing this command as a RACF operator command. The subsystem prefix is required when issuing RACF operator commands.
- profile-name-1
- Specifies the name of the discrete or generic profile to be added to the RACF database. If you specify more than one name, the list of names must be enclosed in parentheses.
The format of the profile name should follow the TSO/E data set naming conventions, except that the high-level qualifier of the profile name (or the qualifier determined by the naming conventions table or by a command installation exit) must be a user ID or a group name. See z/OS Security Server RACF Security Administrator's Guide for more information about the TSO/E data set naming conventions.
To specify a user ID other than your own, you must have the SPECIAL attribute, or the data set profile must be within the scope of a group in which you have the group-SPECIAL attribute. To define a group data set, you must have at least CREATE authority in the specified group, or the SPECIAL attribute, or the data set must be within the scope of a group in which you have the group-SPECIAL attribute.
This operand is required and must be the first operand following ADDSD. Note that, because RACF uses the RACF database and not the system catalog, you cannot use alias data set names.
For additional information, see Profile names for data sets and the section describing rules for defining data set profiles in z/OS Security Server RACF Security Administrator's Guide.
Tape data set: If you are defining a discrete profile that protects a tape data set, you must specify TAPE. If you are defining more than one tape data set profile, the data sets must all reside on the same volume, and you must specify the profile names in an order that corresponds to the file sequence numbers of the data sets on the volume.
VSAM data set: All of the components of a VSAM data set are protected by the profile that protects the cluster name. It is not necessary to create profiles that protect the index and the data components of the cluster.
Data sets cataloged by an indirect VOLSER: When you catalog a data set using an indirect VOLSER - using asterisks (******) or a symbolic such as &SYSRS in place of the VOLSER - you can protect the data set with a generic profile (preferred method) or else with one or more discrete data set profiles that contain the real unit and volume for each data set covered by the catalog entry. The latter must be done while the data set is online.
- /password
- Specifies the data set password if you are protecting an existing password-protected data set. If you specify a generic or model profile, RACF ignores this operand.
For a non-VSAM password-protected data set, the WRITE level password must be specified.
For a VSAM data set that is not password-protected, you do not need the password or RACF access authority for the catalog.
A password is not required when you specify NOSET.
If the command is executing in the foreground and you omit the password for a password-protected data set, the logon password is used. You are prompted if the password you enter or the logon password is incorrect. (If it is a non-VSAM multivolume data set, you are prompted once for each volume on which the data set resides.)
If the command is executing in a batch job and you either omit the password for a password-protected data set or supply an incorrect password, the operator is prompted. (If it is a non-VSAM multivolume data set, the operator is prompted once for each volume on which the data set resides.)
- ADDCATEGORY(category-name ...)
- Specifies one or more names of installation-defined security categories. The names you specify must be defined as members of the CATEGORY profile in SECDATA class. (For information on defining security categories, see z/OS Security Server RACF Security Administrator's Guide.)
When the SECDATA class is active and you specify ADDCATEGORY, RACF performs security category checking in addition to its other authorization checking. If a user requests access to a data set, RACF compares the list of security categories in the user's profile with the list of security categories in the data set profile. If RACF finds any security category in the data set profile that is not in the user's profile, RACF denies access to the data set. If the user's profile contains all the required security categories, RACF continues with other authorization checking.
Note: RACF does not perform security category checking for a started task or user that has the RACF privileged or trusted attribute. The RACF privileged or trusted attribute can be assigned to a started task through the RACF started procedures table or STARTED class, or to other users by installation-supplied RACF exits.
- AT | ONLYAT
- The AT and ONLYAT keywords are only valid when the command is issued as a RACF TSO command.
- AT([node].userid ...)
- Specifies that the command is to be directed to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.
If node is not specified, the command is directed to the local node.
- ONLYAT([node].userid ...)
- Specifies that the command is to be directed only to the node specified by node, where it runs under the authority of the user specified by userid in the RACF subsystem address space.
If node is not specified, the command is directed only to the local node.
- AUDIT(access-attempt[(audit-access-level)] ...)
- Specifies which access attempts and access levels you want logged to the SMF data set.
- access-attempt
- Specifies which access attempts you want logged to the SMF data set. The following options are available:
- ALL
- Specifies that you want to log both authorized accesses and detected unauthorized access attempts.
- FAILURES
- Specifies that you want to log detected unauthorized attempts. FAILURES is the default value if you omit access-attempt.
- NONE
- Specifies that you do not want any logging to be done.
- SUCCESS
- Specifies that you want to log authorized accesses.
- audit-access-level
- Specifies which access levels you want logged to the SMF data set. The levels you can specify are:
- ALTER
- Logs ALTER access-level attempts only.
- CONTROL
- Logs access attempts at the CONTROL and ALTER levels.
- READ
- Logs access attempts at any level. READ is the default value if you omit audit-access-level.
- UPDATE
- Logs access attempts at the UPDATE, CONTROL, and ALTER levels.
FAILURES(READ) is the default value if you omit the AUDIT operand. You cannot audit access attempts at the EXECUTE level.
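The following Python model is an added example, not RACF code or part of this reference; it encodes the AUDIT rules stated above (the access-attempt keywords, the audit-access-level thresholds, the FAILURES(READ) default, and no auditing of EXECUTE-level attempts) so that the logging outcome of a given AUDIT value can be checked for a constructed access attempt.

```python
"""Model of which access attempts an ADDSD AUDIT operand logs to SMF.

Added example, not RACF code. It implements the rules described on this
page: access-attempt selects SUCCESS, FAILURES, ALL or NONE; the optional
audit-access-level is a threshold (READ logs every level, UPDATE logs
UPDATE/CONTROL/ALTER, and so on); FAILURES(READ) is the default; and
EXECUTE-level attempts are never audited.
"""
import re

# Access authorities in ascending order of strength. EXECUTE is a valid
# access level but cannot be audited, so it is excluded from AUDITABLE_LEVELS.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
AUDITABLE_LEVELS = {"READ", "UPDATE", "CONTROL", "ALTER"}

# One token of the operand value: access-attempt[(audit-access-level)]
_SPEC = re.compile(
    r"^(ALL|FAILURES|NONE|SUCCESS)(?:\((READ|UPDATE|CONTROL|ALTER)\))?$")


def parse_audit(operand):
    """Parse the value inside AUDIT(...), e.g. 'SUCCESS(UPDATE) FAILURES(READ)'.

    Returns {access_attempt: audit_access_level}. A missing audit-access-level
    defaults to READ. An empty or None operand means AUDIT was omitted, which
    defaults to FAILURES(READ).
    """
    if not operand or not operand.strip():
        return {"FAILURES": "READ"}
    result = {}
    for token in operand.upper().split():
        match = _SPEC.match(token)
        if not match:
            raise ValueError("invalid AUDIT value: %s" % token)
        attempt, level = match.group(1), match.group(2) or "READ"
        result[attempt] = level
    return result


def should_log(audit, outcome, access_level):
    """Return True if an access attempt would be written to SMF.

    audit: dict from parse_audit(); outcome: 'SUCCESS' or 'FAILURE';
    access_level: the access authority the attempt required.
    """
    outcome = outcome.upper()
    access_level = access_level.upper()
    if access_level not in AUDITABLE_LEVELS:
        return False  # EXECUTE (and NONE) cannot be audited
    for attempt, level in audit.items():
        if attempt == "NONE":
            continue
        matches_outcome = (
            attempt == "ALL"
            or (attempt == "SUCCESS" and outcome == "SUCCESS")
            or (attempt == "FAILURES" and outcome == "FAILURE"))
        if not matches_outcome:
            continue
        # The audit-access-level is a threshold: log this level and above.
        if ACCESS_ORDER.index(access_level) >= ACCESS_ORDER.index(level):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a profile defined with AUDIT(SUCCESS(UPDATE) FAILURES(READ))
    spec = parse_audit("SUCCESS(UPDATE) FAILURES(READ)")
    for outcome, level in [("SUCCESS", "READ"), ("SUCCESS", "ALTER"),
                           ("FAILURE", "READ"), ("SUCCESS", "EXECUTE")]:
        print(outcome, level, "->", "logged" if should_log(spec, outcome, level) else "not logged")
```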
- CSDATA | NOCSDATA
- CSDATA
- Specifies information to add, change, or remove a custom field for this data set.
- custom-field-name ... | NOcustom-field-name ...
- custom-field-name(custom-field-value) ...
- Specifies the name and value of a custom field for this data set. You can specify values for multiple custom fields with a single ADDSD command.
Usage for each custom field is defined using the CFDEF operand of the RDEFINE command for resource profiles in the CFIELD class. Contact your security administrator to see how custom fields are used at your installation. For more information about custom fields, see z/OS Security Server RACF Security Administrator's Guide.
Rules:
- You must use the same custom-field-name as defined by the CFIELD profile named DATASET.CSDATA.custom-field-name. (The CFIELD profile is defined using the CFDEF operand of the RDEFINE command.)
- You must specify a custom-field-value that is valid for the attributes of this custom field. (The attributes, such as data type, are defined in the CFDEF segment of the CFIELD profile.)
- NOcustom-field-name ...
- Removes the custom field information for this data set. You can remove values for multiple custom fields with a single ADDSD command.
When you append the prefix NO to the name of the custom field, you delete the value for that custom field from the data set's profile. For example, if your installation has defined a custom field named ADDRESS and you want to remove the ADDRESS field from the profile of the user SHANNON, you might issue the following command:
Example: ADDSD SHANNON CSDATA(NOADDRESS)
- NOCSDATA
- Deletes the CSDATA segment from the data set profile.
- DATA('installation-defined-data')
- Specifies up to 255 characters of installation-defined data to be stored in the data set profile. The data must be enclosed in single quotation marks and can contain double-byte character set (DBCS) data. Use the LISTDSD command to list this information.
- DFP
- Specifies that for an SMS-managed data set, you can enter the following information:
- RESOWNER(userid or group-name)
- Specifies the user ID or group of the actual owner of the data sets protected by the profile specified in profile-name-1. This name must be that of a RACF-defined user or group. (The data set resource owner, specified with RESOWNER, is distinguished from the owner specified with OWNER, which represents the user or group that owns the data set profile.)
If RESOWNER is not specified, the user or group represented by the high level qualifier of the data set profile is assigned as the owner of data sets protected by the profile when SMS needs to determine the RESOWNER.
- DATAKEY(CKDS key label)
- Specifies the CKDS key label that SMS will associate with a data set protected by the profile specified in profile-name-1 at the time of allocation. The label name cannot exceed 64 characters. The first character must be an alphabetic character or a national character (#, @, or $). Subsequent characters can be a period character (.) or any alphanumeric or national character.
If DATAKEY is not specified, no CKDS key label will be associated with a data set protected by the profile specified in profile-name-1 at the time of allocation.
- ERASE
- Specifies that when SETROPTS ERASE is active, data management is to physically erase the contents of deleted data sets and scratched or released DASD extents. Erasing the data set means overwriting its contents with binary zeroes so that it cannot be read.
Restrictions: The ERASE operand is ignored when any of the following conditions exist:
- When the data set is a tape data set and your installation did not activate the TAPEAUTHDSN option in the DEVSUPxx member of SYS1.PARMLIB. See Erasing scratched or released data (ERASE option) in z/OS Security Server RACF Security Administrator's Guide for more information.
- When SETROPTS NOERASE is active for your installation. (User and data set profile definitions are overridden.)
- FCLASS(profile-name-2-class)
- Specifies the name of the class to which profile-name-2 belongs. The valid class names are DATASET and those classes defined in the class descriptor table. If you omit this operand, RACF assumes the DATASET class. This operand is valid only when you also specify the FROM operand; otherwise, RACF ignores it.
- FGENERIC
- Specifies that RACF is to treat profile-name-2 as a generic name, even if it is fully qualified (meaning that it does not contain any generic characters). This operand is only needed when profile-name-2 is a DATASET profile.
- FILESEQ(number)
- Specifies the file sequence number for a tape data set. The number can range from 1 through 65535.
If you specify more than one profile name, RACF assigns the file sequence number that you specify to the first profile name, then increments the number by one for each additional name. Thus, be sure to specify profile names in the order of their file sequence numbers.
If you omit FILESEQ, the default is FILESEQ(1). If you omit VOLUME, RACF retrieves the volume serial number from the catalog.
If you omit TAPE, RACF ignores FILESEQ.
- FROM(profile-name-2)
- Specifies the name of an existing discrete or generic profile that RACF is to use as a model for the new profile. The model profile name you specify on the FROM operand overrides any model name specified in your user or group profile. If you specify FROM and omit FCLASS, RACF assumes that profile-name-2 is the name of a profile in the DATASET class.
To specify FROM, you must have sufficient authority to both profile-name-1 and profile-name-2, as described in Authorization required.
Naming conventions processing affects profile-name-2 in the same way that it affects profile-name-1.
Mixed-case profile names are accepted and preserved when FCLASS refers to a class defined in the static class descriptor table with CASE=ASIS or in the dynamic class descriptor table with CASE(ASIS).
If the profile being added is for a group data set and the user has the GRPACC attribute for that group, RACF places the group on the access list with UPDATE access authority. Otherwise, if the group is already on the access list, RACF changes the group's access authority to UPDATE.
Possible Changes to Copied Profiles When Modeling Occurs: When a profile is copied during profile modeling, the new profile could differ from the model in the following ways:
- Certain conditional access list conditions are valid only for specific classes. For example, WHEN(SYSID) is valid only for the PROGRAM class and WHEN(CRITERIA) is valid only for general resource classes (not data sets). When copying the conditional access list from profile-name-2 to profile-name-1, the profile might differ if the condition is not valid for the data set class. For example, if profile-name-2 is a PROGRAM profile with SYSID or CRITERIA entries in the conditional access list, those entries are not copied to the new data set profile (profile-name-1).
- RACF places the user on the access list with ALTER access authority or, if the user is already on the access list, changes the user's access authority to ALTER. This does not occur if the NOADDCREATOR option is in effect.
If the profile being added is for a group data set and the user has the GRPACC attribute for that group, RACF places the group on the access list with UPDATE access authority. If the group is already on the access list, RACF changes the group's access authority to UPDATE. These access list changes do not occur if the data set profile is created only because the user has the OPERATIONS attribute.
- The security label, if specified in the model profile, is not copied. Instead, the user's current security label is used.
- Information in the non-BASE segments (for example, the DFP segment) is not copied.
- FVOLUME(profile-name-2-serial)
- Specifies the volume RACF is to use to locate the model profile (profile-name-2).
If you specify FVOLUME and RACF does not find profile-name-2 associated with that volume, the command fails. If you omit this operand and the data set name appears more than once in the RACF database, the command fails.
FVOLUME is valid only when FCLASS either specifies or defaults to DATASET and when profile-name-2 specifies a discrete profile. Otherwise, RACF ignores FVOLUME.
- GENERIC | MODEL | TAPE
- GENERIC
- Specifies that RACF is to treat profile-name-1 as a fully qualified generic name, even if it does not contain any generic characters.
- MODEL
- Specifies that you are defining a model profile to be used when new data sets are created. The SETROPTS command (specifying the MODEL operand with either GROUP or USER) controls whether this profile is used for data sets with group names or user ID names.
When you specify MODEL, you can omit UNIT and VOLUME.
When you specify MODEL, the SET, GENERIC, and TAPE operands are ignored, and NOSET is used as the default.
The MODEL and GENERIC operands are mutually exclusive. You cannot specify a generic profile for automatic profile modeling through the MODEL operand of ADDUSER, ALTUSER, ADDGROUP, or ALTGROUP. However, you can explicitly use a generic profile as a model with the FROM operand and, if needed, the FGENERIC operand of the ADDSD command.
For information about automatic profile modeling, refer to z/OS Security Server RACF Security Administrator's Guide.
- TAPE
- Specifies that the data set profile is to protect a tape data set. If tape data set protection is not active, RACF treats TAPE as an invalid operand and issues an appropriate error message. If profile-name-1 is a generic profile name, RACF ignores this operand. (RACF processes a tape data set protected by a generic profile in the same way as it processes a DASD data set protected by a generic profile.)
- LEVEL(nn)
- Specifies a level indicator, where nn is an integer from 0 through 99. The default is 0. Your installation assigns the meaning of the value. RACF includes it in all records that log data set accesses and in the LISTDSD command display.
- SET | SETONLY | NOSET
- If you do not specify SET, SETONLY, or NOSET, the default value is SET.
- SET
- Specifies that the data set is to be RACF-indicated. SET is the default value when you are RACF-protecting a data set. If the indicator is already on, the command fails. If you specify a generic profile name or the GENERIC operand, RACF ignores this operand.
- SETONLY
- Specifies that for a tape data set, RACF is to create only an entry in the TVTOC; it is not to create a discrete data set profile. Specifying SETONLY allows you to protect a tape data set with a TVTOC and a generic profile.
Thus, you would normally specify SETONLY with TAPE, and, when you do, RACF ignores the OWNER, UACC, AUDIT, DATA, WARNING, LEVEL, and RETPD operands. If you specify SETONLY without TAPE, RACF treats SETONLY as SET.
- NOSET
- Specifies that the data set is not to be RACF-indicated.
For a DASD data set, use NOSET when you are defining a data set to RACF that has been brought from another system where it was RACF-protected. (The data set is already RACF-indicated.)
For a tape data set, use NOSET when, because of a previous error, the TVTOC indicates that the data set is RACF-indicated, but the discrete profile is missing.
If you specify NOSET, for a discrete profile, when the data set is not already RACF-indicated, RACF access control to that data set is not enforced.
If you specify NOSET, the volumes on which the data set or catalog resides need not be online, and the password in the first operand of this command is not required.
To use NOSET, one of the following must be true:
- You must have the SPECIAL attribute.
- The profile must fall within the scope of a group in which you have the group-SPECIAL attribute.
- The high-level qualifier of the data set name (or the qualifier supplied by a command installation exit routine) must be your user ID.
If you specify a generic profile name, RACF ignores this operand.
Note: If you specify a profile name that exists as a generation data group (GDG) data set base name with NOSET - but do not specify a unit and volume, RACF creates a model profile for the data set instead of a discrete profile. In this situation, the model profile provides the same protection as a discrete profile.
- NOTIFY[(userid)]
- Specifies the user ID of a RACF-defined user to be notified whenever RACF uses this profile to deny access to a data set. If you specify NOTIFY without userid, RACF takes your user ID as the default; you are notified whenever the profile denies access to a data set.
A user who is to receive NOTIFY messages should log on frequently, both to take action in response to the unauthorized access attempts the messages describe and to clear the messages from the SYS1.BRODCAST data set. (When the profile also includes WARNING, RACF might have granted access to the data set to the user identified in the message.)
Note: The user ID specified on the NOTIFY operand is not notified when the profile disallows creation or deletion of a data set. NOTIFY is used only for resource access checking, not for resource creation or deletion.
- OWNER(userid or group-name)
- Specifies a RACF-defined user or group to be assigned as the owner of the data set profile. When you define a group data set, the user you designate as owner must have at least USE authority in the group specified by the high-level qualifier of the data set name (or the qualifier determined by the naming conventions routine or by a command installation exit routine).
If you omit this operand, you are defined as the owner of the data set profile. However, if the high-level qualifier is a user ID that is different from your user ID, the OWNER of the profile is the user ID specified in the high-level qualifier. In addition, if you are using naming convention processing, either through the naming convention table or an exit, the owner of the profile is determined by the naming convention processing. If you have the SPECIAL attribute and define a profile for a group data set while SETROPTS ADDCREATOR is in effect, your user ID is added to the access list for the data set with ALTER access authority, whether or not you specify the OWNER operand. If you have the SPECIAL attribute and define a profile for a user data set, your user ID is not added to the access list for the data set.
If you specify OWNER(userid), the user you specify as the owner does not automatically have access to the data set. Use the PERMIT command to add the owner to the access list as desired. If you specify OWNER(group-name), RACF treats any users who have the group-SPECIAL attribute in the group as owners of the data set profile.
- RETPD(nnnnn)
- Specifies the RACF security retention period for a tape data set. The security retention period is the number of days that must elapse before a tape data set profile expires. (Note that, even though the data set profile expires, RACF-protection for data sets protected by the profile is still in effect. For more information, see z/OS Security Server RACF Security Administrator's Guide.)
The number you specify, nnnnn, must be one to five digits in the range of 0 through 65533. To indicate a data set that never expires, specify nnnnn as 99999. When 99999 is used, the SETROPTS command stores it internally as 65534.
The RACF security retention period is the same as the data set retention period specified by the EXPDT/RETPD parameters on the JCL DD statement only when the data set profile is discrete and you do not modify the RACF security retention period.
When the TAPEVOL class is active, RACF checks the RACF security retention period before it allows a data set to be overwritten. RACF adds the number of days in the retention period to the creation date for the data set. If the result is less than the current date, RACF continues to protect the data set.
When the TAPEVOL class is not active, RACF ignores the RETPD operand.
If you omit RETPD and your installation has established a default security retention period (through the RETPD operand on the SETROPTS command), RACF uses the default. If you omit RETPD and your installation has not established a default, RACF uses 0 as a default.
Specifying this operand for a DASD data set does not cause an error, but it has no meaning because RACF ignores the operand during authorization checking.
- SECLABEL(security-label)
- Specifies the name of an installation-defined security label representing an association between a particular security level and a set of zero or more categories.
A security label corresponds to a particular security level (such as CONFIDENTIAL) with a set of zero or more security categories (such as PAYROLL or PERSONNEL).
RACF stores the name of the security label you specify in the data set profile if you are authorized to use that label.
If you are not authorized to use the security label or if the name you had specified is not defined as a SECLABEL profile in the SECLABEL class, the data set profile is not created.
- SECLEVEL(security-level)
- Specifies
the name of an installation-defined security level. This name corresponds
to the number that is the minimum security level a user must have
to access the data set. security-level must
be a member of the SECLEVEL profile in the SECDATA class.
When you specify SECLEVEL and the SECDATA class is active, RACF adds security level access checking to its other authorization checking. If global access checking does not grant access, RACF compares the security level allowed in the user profile with the security level required in the data set profile. If the security level in the user profile is less than the security level in the data set profile, RACF denies the access. If the security level in the user profile is equal to or greater than the security level in the data set profile, RACF continues with other authorization checking.
Note: RACF does not perform security level checking for a started task or user that has the RACF privileged or trusted attribute. The RACF privileged or trusted attribute can be assigned to a started task through the RACF started procedures table or STARTED class, or to other users by installation-supplied RACF exits.
If the SECDATA class is not active, RACF still stores the security-level you specified in the data set profile, but cannot perform security level checking until you have activated the SECDATA class. If the name you specify is not defined as a SECLEVEL profile and the SECDATA class is active, you are prompted to provide a valid name for security-level.
- TME
- Specifies
that information for the Tivoli® Security
Management Application is to be added. Note: The TME segment fields are intended to be updated only by the Tivoli Security Management application, which manages updates, permissions, and cross references. A security administrator should only directly update TME fields on an exception basis.
- ROLES(role-access-specification ...)
- Specifies
a list of roles and associated access levels related to this profile.
One or more role-access-specification values can be specified, each separated by blanks. Each value should contain no imbedded blanks and should have the following format:
role-name:authority[:conditional-class:conditional-profile]
where role-name is a discrete general resource profile defined in the ROLE class. The authority is the access authority (NONE, EXECUTE, READ, UPDATE, CONTROL, or ALTER) with which groups in the role definition should be permitted to the resource.
The conditional-class is a class name (APPCPORT, CONSOLE, JESINPUT, PROGRAM, TERMINAL, or SYSID) for conditional access permission, and is followed by the conditional-profile value, a resource profile defined in the conditional class.
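A parser for the role-access-specification format just described, written for this page as an added example (it is not IBM or RACF code). It checks each value against the authority and conditional-class lists given in the text, rejects values with imbedded blanks, and rebuilds the ROLES operand. The role, profile and user names in the sample input (PAYROLLADM, AUDITOR, TERM01) are constructed.

```python
"""Parser for the ROLES(role-access-specification ...) value format.

Added example, not IBM or RACF code. Validates one value of the form
role-name:authority[:conditional-class:conditional-profile] against the
keyword lists given in the ADDSD reference text.
"""
from dataclasses import dataclass
from typing import List, Optional

# Access authorities accepted in a role-access-specification (from the text).
AUTHORITIES = ("NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER")
# Classes allowed for conditional access permission (from the text).
CONDITIONAL_CLASSES = ("APPCPORT", "CONSOLE", "JESINPUT", "PROGRAM", "TERMINAL", "SYSID")


@dataclass(frozen=True)
class RoleAccess:
    role_name: str
    authority: str
    conditional_class: Optional[str] = None
    conditional_profile: Optional[str] = None

    def render(self) -> str:
        """Reproduce the value in ADDSD operand syntax."""
        spec = f"{self.role_name}:{self.authority}"
        if self.conditional_class:
            spec += f":{self.conditional_class}:{self.conditional_profile}"
        return spec


def parse_role_access(spec: str) -> RoleAccess:
    """Parse one role-access-specification; raise ValueError on malformed input."""
    if not spec or any(ch.isspace() for ch in spec):
        raise ValueError(f"value must not be empty or contain blanks: {spec!r}")
    parts = spec.split(":")
    if len(parts) not in (2, 4):
        raise ValueError(f"expected role:authority or role:authority:class:profile, got {spec!r}")
    role, authority = parts[0], parts[1].upper()
    if not role:
        raise ValueError("empty role-name")
    if authority not in AUTHORITIES:
        raise ValueError(f"authority must be one of {AUTHORITIES}, got {parts[1]!r}")
    if len(parts) == 2:
        return RoleAccess(role, authority)
    cond_class, cond_profile = parts[2].upper(), parts[3]
    if cond_class not in CONDITIONAL_CLASSES:
        raise ValueError(f"conditional-class must be one of {CONDITIONAL_CLASSES}, got {parts[2]!r}")
    if not cond_profile:
        raise ValueError("empty conditional-profile")
    return RoleAccess(role, authority, cond_class, cond_profile)


def is_valid(spec: str) -> bool:
    """Convenience check: True if parse_role_access accepts the value."""
    try:
        parse_role_access(spec)
        return True
    except ValueError:
        return False


def parse_roles_operand(value: str) -> List[RoleAccess]:
    """Parse the blank-separated list that appears inside ROLES( ... )."""
    return [parse_role_access(tok) for tok in value.split()]


def roles_operand(specs: List[RoleAccess]) -> str:
    """Render a list of parsed values back into a ROLES(...) operand."""
    return "ROLES(" + " ".join(s.render() for s in specs) + ")"


if __name__ == "__main__":
    # Constructed sample input; PAYROLLADM, AUDITOR and TERM01 are hypothetical names.
    sample = "PAYROLLADM:UPDATE AUDITOR:READ:TERMINAL:TERM01"
    for entry in parse_roles_operand(sample):
        print(entry)
    print(roles_operand(parse_roles_operand(sample)))
```

Validating the values before issuing ADDSD avoids a rejected command on the TSO side; the parser folds the keyword parts (authority and class) to uppercase but leaves the role and profile names as entered.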
- UACC(access-authority)
- Specifies the universal
access authority to be associated with the data sets. The universal
access authorities are ALTER, CONTROL, UPDATE, READ, EXECUTE, and
NONE. If you omit UACC or specify UACC with no access authority, RACF uses the default value in
your current connect group. If you specify CONTROL for a tape data
set or a non-VSAM DASD data set, RACF treats
the access authority as UPDATE. If you specify EXECUTE for a tape
data set, or a DASD data set not used as a program library, RACF treats the access authority
as NONE.
If a user accessing a data set has the RESTRICTED attribute, RACF treats the universal access authority (UACC) as NONE for that access attempt.
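The rules described above for UACC and the RESTRICTED attribute, together with the security level check described under SECLEVEL and the behaviour of a WARNING-mode profile described under WARNING, modelled in Python as an added example (not RACF code). The model follows the order this reference gives: global access checking first, then the security level comparison, then the requested access compared against an access list entry or the effective UACC; on insufficient authority a WARNING profile yields a warning instead of a denial. Two things are assumptions not stated on this page: a simple per-user access list stands in for RACF's other authorization checking, and a failed security level check is treated as final rather than subject to WARNING. Profile, user and volume names are constructed.

```python
"""Model of the data set authorization rules described under SECLEVEL, UACC and WARNING.

Added example, not RACF code. Implements only the rules stated in the ADDSD
reference text; the per-user access list is an assumption standing in for
RACF's "other authorization checking".
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Access authorities from lowest to highest. EXECUTE ranks below READ because a
# user holding only EXECUTE cannot read the data set.
ORDER = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}


@dataclass
class DataSetProfile:
    name: str
    uacc: str = "NONE"
    seclevel: Optional[int] = None         # numeric security level, None if no SECLEVEL
    warning: bool = False                  # profile created with WARNING
    kind: str = "DASD"                     # "DASD" or "TAPE"
    vsam: bool = False                     # VSAM DASD data set
    program_library: bool = False          # DASD data set used as a program library
    access_list: Dict[str, str] = field(default_factory=dict)  # userid -> authority (assumption)


@dataclass
class User:
    userid: str
    seclevel: int = 0                      # security level allowed in the user profile
    restricted: bool = False               # RESTRICTED attribute
    privileged_or_trusted: bool = False    # RACF privileged or trusted attribute


@dataclass
class Settings:
    secdata_active: bool = True            # SECDATA class active
    global_access_grants: bool = False     # outcome of global access checking (input to the model)


def effective_uacc(profile: DataSetProfile, user: User) -> str:
    """UACC as RACF treats it for this access attempt, per the UACC description."""
    if user.restricted:
        return "NONE"
    non_vsam_dasd = profile.kind == "DASD" and not profile.vsam
    if profile.uacc == "CONTROL" and (profile.kind == "TAPE" or non_vsam_dasd):
        return "UPDATE"
    not_program_library = profile.kind == "DASD" and not profile.program_library
    if profile.uacc == "EXECUTE" and (profile.kind == "TAPE" or not_program_library):
        return "NONE"
    return profile.uacc


def security_level_check(profile: DataSetProfile, user: User, settings: Settings) -> bool:
    """True if checking may continue; False if the security level comparison denies access."""
    if user.privileged_or_trusted:          # no security level checking at all
        return True
    if not settings.secdata_active or profile.seclevel is None:
        return True                         # level may be stored but is not enforced
    if settings.global_access_grants:       # comparison only when global access did not grant
        return True
    return user.seclevel >= profile.seclevel


def decide(profile: DataSetProfile, user: User, requested: str,
           settings: Optional[Settings] = None) -> str:
    """Return ALLOW, WARN or DENY for the requested access authority."""
    settings = settings or Settings()
    if requested not in ORDER:
        raise ValueError(f"unknown access authority {requested!r}")
    if settings.global_access_grants:
        return "ALLOW"
    if not security_level_check(profile, user, settings):
        return "DENY"                       # assumption: not overridden by WARNING
    granted = profile.access_list.get(user.userid)
    if granted is None:
        granted = effective_uacc(profile, user)
    if ORDER[requested] <= ORDER[granted]:
        return "ALLOW"
    # WARN: access is allowed, a warning message is issued, and the attempt is
    # recorded in SMF if logging is specified in the profile.
    return "WARN" if profile.warning else "DENY"


if __name__ == "__main__":
    # Constructed cases; profile and user names are not from the reference.
    tape = DataSetProfile("AEH1.TAPE.RESULTS", uacc="CONTROL", kind="TAPE")
    sales = DataSetProfile("SALES.DATA", uacc="READ", seclevel=50, access_list={"ADM1": "ALTER"})
    public = DataSetProfile("PUBLIC.DATA", uacc="READ")
    print(decide(tape, User("TSO7"), "UPDATE"))                    # ALLOW: CONTROL treated as UPDATE
    print(decide(tape, User("TSO7"), "CONTROL"))                   # DENY
    print(decide(sales, User("ADM1", seclevel=30), "READ"))        # DENY: level 30 < 50, list not reached
    print(decide(public, User("GUEST", restricted=True), "READ"))  # DENY: RESTRICTED ignores UACC
    print(decide(DataSetProfile("W", warning=True), User("TSO7"), "READ"))  # WARN
```

The ordering matters in practice: a user explicitly permitted ALTER on the access list is still denied when their security level is below the profile's, and a RESTRICTED user gains nothing from a permissive UACC.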
- UNIT(type)
- Specifies the
unit type on which a tape data set or a non-VSAM DASD data set resides.
You can specify an installation-defined unit name, a generic device
type, or a specific device address. If you specify UNIT and VOLUME
for a DASD data set, RACF assumes
that the data set is a non-VSAM data set; therefore, do not use UNIT
and VOLUME for a VSAM data set.
If the data set is not cataloged, UNIT and VOLUME are required. You must specify UNIT and VOLUME for data sets cataloged with an esoteric name (such as an installation-defined unit name).
If you specify a generic or model profile name, RACF ignores this operand.
- VOLUME(volume-serial ...)
- Specifies
the volumes on which a tape data set or a non-VSAM DASD data set resides.
If you specify UNIT and VOLUME for a DASD data set, RACF assumes that the data set is a non-VSAM
data set; therefore, do not use UNIT and VOLUME for a VSAM data set.
If the data set is not cataloged, UNIT and VOLUME are required. You must specify UNIT and VOLUME for data sets cataloged with an esoteric name (such as an installation-defined unit name).
If you specify a tape data set profile name, you can specify only one volume.
If you specify a generic or model profile name, RACF ignores this operand.
- WARNING
- Specifies
that even if access authority is insufficient, RACF is to issue a warning message and allow
access to the resource. RACF also
records the access attempt in the SMF record if logging is specified
in the profile.
When SETROPTS MLACTIVE(FAILURES) is in effect: A user or task can access a data set that is in WARNING mode and has no security label even when MLACTIVE(FAILURES) is in effect and the class requires security labels. The user or task receives a warning message and gains access.
Examples
Example | Activity label | Description |
---|---|---|
1 | Operation | User ADM1 wants to create a generic profile to protect all data sets having the high-level qualifier SALES. Only users with a security level of CONFIDENTIAL or higher are to be able to access the data sets. |
 | Known | User ADM1 has the SPECIAL attribute and the installation has defined CONFIDENTIAL as a valid security level name. User ADM1 wants to issue the command as a RACF TSO command. |
 | Command | `ADDSD 'SALES.*' UACC(READ) AUDIT(ALL(READ)) SECLEVEL(CONFIDENTIAL)` |
 | Defaults | OWNER(ADM1) LEVEL(0) |
2 | Operation | User AEH0 wants to protect the data set AEH0.DEPT1.DATA with a discrete RACF profile. |
 | Known | User AEH0 is RACF-defined. AEH0.DEPT1.DATA is not cataloged. It resides on volume USER03, which is a 3330 volume. User AEH0 wants to issue the command as a RACF TSO command. |
 | Command | `ADDSD 'AEH0.DEPT1.DATA' UNIT(3330) VOLUME(USER03)` |
 | Defaults | OWNER(AEH0) UACC(UACC of user AEH0 in current connect group) AUDIT(FAILURES(READ)) LEVEL(0) SET |
3 | Operation | User ADM1 wants to RACF-define the DASD data set SYS1.ICH02.DATA, which was brought from another system where it was protected by a discrete RACF profile and was RACF-indicated. On the new system, only users with a security category of DEPT1 are to be allowed to access the data set. |
 | Known | User ADM1 has the SPECIAL attribute. SYS1.ICH02.DATA is cataloged. User ADM1 has create authority in group SYS1 and is connected to group SYS1 with the group-SPECIAL attribute. The installation has defined DEPT1 as a valid security category. User ADM1 wants to issue the command as a RACF TSO command. |
 | Command | `ADDSD 'SYS1.ICH02.DATA' OWNER(SYS1) UACC(NONE) AUDIT(ALL) NOSET CATEGORY(DEPT1)` |
 | Defaults | LEVEL(0) |
4 | Operation | User AEHO wants to create a model profile for group RSC and place an installation-defined description in the profile. |
 | Known | User AEHO has at least CREATE authority in group RSC. User AEHO wants to issue the command as a RACF TSO command. |
 | Command | `ADDSD 'RSC.ACCESS.PROFILE' MODEL DATA('PROFILE THAT CONTAINS MODELING INFORMATION')` |
 | Defaults | OWNER(AEHO) UACC(the UACC of user AEHO in current group) AUDIT(FAILURES(READ)) LEVEL(0) |
5 | Operation | User AEH1 wants to protect the tape data set named AEH1.TAPE.RESULTS with a discrete RACF profile. |
 | Known | User AEH1 is a RACF-defined user. Data set AEH1.TAPE.RESULTS is cataloged, and tape data set protection is active. User AEH1 wants to issue the command as a RACF TSO command. |
 | Command | `ADDSD 'AEH1.TAPE.RESULTS' UACC(NONE) AUDIT(ALL(READ)) TAPE NOTIFY FILESEQ(1) RETPD(100)` |
 | Defaults | LEVEL(0) |
6 | Operation | User AEH1 wants to protect the tape data set named AEH1.TAPE.FUTURES with a discrete RACF profile, which is so much like the profile created for AEH1.TAPE.RESULTS (Example 5) that AEH1 can use the existing profile as a model for the new profile. |
 | Known | User AEH1 is a RACF-defined user. Data set AEH1.TAPE.FUTURES is cataloged, and tape data set protection is active. User AEH1 wants to issue the command as a RACF TSO command. |
 | Command | `ADDSD 'AEH1.TAPE.FUTURES' FROM('AEH1.TAPE.RESULTS') FILESEQ(2)` |
 | Defaults | LEVEL(0) |
7 | Operation | User ADM1 wants to create a generic profile to protect all data sets having the high-level qualifier PROJECTA. The data sets protected by the profile will be managed by DFP. Group TEST4 will be assigned as the actual owner of the data sets protected by the profile. The profile will have a universal access authority of READ. User ADM1 wants to direct the command to run at the local node under the authority of user DAP02 and prohibit the command from being automatically directed to other nodes. |
 | Known | Users ADM1 and DAP02 have the SPECIAL attribute. TEST4 is a RACF-defined group. Users ADM1 and DAP02 have an already established user ID association. User ADM1 wants to issue the command as a RACF TSO command. |
 | Command | `ADDSD 'PROJECTA.*' UACC(READ) DFP(RESOWNER(TEST4)) ONLYAT(.DAP02)` |
 | Defaults | OWNER(ADM1) LEVEL(0) AUDIT(FAILURES(READ)) |
 | Results | The command is only processed on the local node and not automatically directed to any other nodes in the RRSF configuration. |
8 | Operation | User TSO7 wants to create a generic profile to protect all data sets having the high-level qualifier PROJECTB with a security label of CONF. User TSO7 is authorized to the security label. User TSO7 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @. |
 | Known | User TSO7 is a RACF-defined user. |
 | Command | `@ADDSD 'PROJECTB.*' SECLABEL(CONF)` |
 | Defaults | None. |