Field-Level Access Checking

You can use RACF® to control which users can access data in RACF profiles at the field level through field-level access checking. To do this, you create profiles in the FIELD class and permit users to the profiles.

Using field-level access checking, you can:
  • Allow a user or group to modify a particular field (or segment) in all profiles of a particular type. For example, you can define a profile to control access to the UID field of the OVM segment of user profiles. If you give a user UPDATE authority to this profile, the user can modify the UID field in all user profiles.
  • Allow all users to read or modify a particular field (or segment) of their own user profiles. To do this, specify ID(&RACUID) on the PERMIT command.
Note: RACF command processors and panels support field-level access checking only for fields in segments other than the base segments of RACF profiles, that is, the OVM segment of user and group profiles. However, the ICHEINTY and RACROUTE REQUEST=EXTRACT macros can support field-level access checking for fields in any segment of any RACF profile. If your installation has written its own programs that use these macros to access the RACF database, you can modify these programs to implement field-level access checking.

To use field-level access checking, take the following steps:

  1. Define profiles in the FIELD class:
    RDEFINE  FIELD  profile-name  UACC(NONE)
    where profile-name has the following format:
    profiletype.segmentname.fieldname
    where:
    profiletype
    is one of the following:
    • USER for user profiles
    • GROUP for group profiles
    • Class name for general resource profiles.
    segmentname
    is one of the following:
    • OVM for OVM segments
    • BASE for BASE segments (this is supported only by user-written code).
    Note:
    1. This operand is also used on RACF commands to work with the segment.
    2. See Setting Up Field-Level Access for the OVM Segment for examples of field-level access checking for OVM segments.
    fieldname
    is the name of the field to be protected as described in Table 1.

    When you define the generic profile USER.OVM.* with a UACC of NONE, you prevent all users from accessing the OVM segment in all user profiles, including their own. Likewise, if you specify a UACC of READ, you allow all users to read the information contained in all fields of the OVM segment of all user profiles.

    Attention:
    Note that the profile name USER.OVM.* is a generic profile name. Before you issue the above command, generic profile checking for the FIELD class must be active. If it is not active, issue the SETROPTS GENERIC(FIELD) command before defining the generic profile.
    To control access to specific fields in the OVM segment of user profiles, issue the RDEFINE command and specify the specific field as the third qualifier in the profile name. Use Table 1 to determine which qualifier to use. For example, when changing the UID field in an OVM segment, users specify the UID suboperand on the OVM operand of the ALTUSER command:
    ALTUSER userid OVM(UID(uid))
    According to Table 1, to control access to the UID suboperand, create a profile using the UID qualifier:
    RDEFINE  FIELD  USER.OVM.UID  UACC(NONE)
  2. Allow specific users or groups to have the appropriate access to the FIELD profile:
    PERMIT USER.OVM.UID CLASS(FIELD) ID(OVMADM)
           ACCESS(UPDATE)
    Note: You can also specify the value &RACUID with the ID operand on the PERMIT command for FIELD profiles. When you enter this value on the PERMIT command, you allow all users access to the specified field or segment of their own user profiles. For example, if you issue the following command, you allow all users to read the UID field in the OVM segment of their own user profiles.
    PERMIT USER.OVM.UID CLASS(FIELD) ID(&RACUID)
           ACCESS(READ)
  3. When you are ready to start using the protection defined in the profiles, activate the FIELD class:
    SETROPTS  CLASSACT(FIELD)
    Note: If you do not activate the FIELD class, only SPECIAL users can access fields in segments (other than the base segment) of RACF profiles.
  4. It is recommended that you activate SETROPTS RACLIST processing for the FIELD general resource class. When you activate this function, you improve performance because I/O to the RACF database is reduced. For a complete description of this function, see SETROPTS RACLIST Processing.
    SETROPTS  RACLIST(FIELD)
    Note: If you activate SETROPTS RACLIST processing for the FIELD class, any time you make a change to a FIELD profile, you must also refresh SETROPTS RACLIST processing for the FIELD class for the change to take effect.
    SETROPTS  RACLIST(FIELD)  REFRESH
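The procedure above, as an added example that is not IBM code and not part of the original page: a small Python model of how a FIELD-class check turns out under the profiles and permits defined in steps 1 to 4, including the case where the FIELD class has not yet been activated. The generic profile USER.OVM.*, the group OVMADM, the user IDs ADM01, ALICE and SEC01, and the rule that a field with no covering profile is denied are assumptions made for the illustration; RACF's real access-list precedence rules are more detailed than the highest-applicable-entry rule used here.

```python
"""Simplified model of RACF FIELD-class access checking (added example, not IBM code).

Models only what the page describes:
- FIELD profiles named profiletype.segmentname.fieldname, each with a UACC
- access-list entries for user IDs or group IDs, plus the special ID &RACUID,
  which applies only when the requester's own user profile is the target
- generic profiles (trailing '*'); the most specific matching profile wins
- while the FIELD class is inactive, only SPECIAL users reach non-base fields
"""
from dataclasses import dataclass, field

ACCESS_LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class FieldProfile:
    name: str                  # e.g. "USER.OVM.UID" or generic "USER.OVM.*"
    uacc: str = "NONE"
    access_list: dict = field(default_factory=dict)   # id -> access level


@dataclass
class RacfUser:
    userid: str
    groups: frozenset = frozenset()
    special: bool = False


class FieldClass:
    def __init__(self):
        self.active = False            # SETROPTS CLASSACT(FIELD) not yet issued
        self.profiles = {}             # profile name -> FieldProfile

    def rdefine(self, name, uacc="NONE"):          # RDEFINE FIELD name UACC(uacc)
        self.profiles[name] = FieldProfile(name, uacc)

    def permit(self, name, id_, access):           # PERMIT name CLASS(FIELD) ID(id) ACCESS(access)
        self.profiles[name].access_list[id_] = access

    def setropts_classact(self):                   # SETROPTS CLASSACT(FIELD)
        self.active = True

    def _matching_profile(self, resource):
        """Most specific profile covering the resource: an exact match beats
        a generic one, and a longer generic beats a shorter one."""
        best = None
        for prof in self.profiles.values():
            if prof.name == resource:
                return prof
            if prof.name.endswith(".*") and resource.startswith(prof.name[:-1]):
                if best is None or len(prof.name) > len(best.name):
                    best = prof
        return best

    def check(self, requester, target_userid, resource, wanted):
        """True if requester may access `resource` (profiletype.segment.field)
        in target_userid's profile at level `wanted` (READ or UPDATE)."""
        if not self.active:
            return requester.special   # page: inactive class => SPECIAL users only
        prof = self._matching_profile(resource)
        if prof is None:
            return False               # assumption: no covering profile => denied
        granted = ACCESS_LEVELS[prof.uacc]
        for id_, acc in prof.access_list.items():
            applies = (id_ == requester.userid
                       or id_ in requester.groups
                       or (id_ == "&RACUID" and target_userid == requester.userid))
            if applies:                # simplification: take the highest applicable entry
                granted = max(granted, ACCESS_LEVELS[acc])
        return granted >= ACCESS_LEVELS[wanted]


# Constructed users for the illustration (assumed names, not from the page)
ADMIN = RacfUser("ADM01", groups=frozenset({"OVMADM"}))
ALICE = RacfUser("ALICE")
SPEC = RacfUser("SEC01", special=True)


def page_setup():
    """The commands from steps 1 to 3 of the procedure, applied in order."""
    fc = FieldClass()
    fc.rdefine("USER.OVM.*", "NONE")               # whole OVM segment, nobody by default
    fc.rdefine("USER.OVM.UID", "NONE")             # the UID field specifically
    fc.permit("USER.OVM.UID", "OVMADM", "UPDATE")  # administrators may change any UID
    fc.permit("USER.OVM.UID", "&RACUID", "READ")   # everyone may read their own UID
    fc.setropts_classact()
    return fc


def decisions():
    fc = page_setup()
    return {
        "admin_update_other_uid": fc.check(ADMIN, "ALICE", "USER.OVM.UID", "UPDATE"),
        "alice_read_own_uid":     fc.check(ALICE, "ALICE", "USER.OVM.UID", "READ"),
        "alice_update_own_uid":   fc.check(ALICE, "ALICE", "USER.OVM.UID", "UPDATE"),
        "alice_read_other_uid":   fc.check(ALICE, "ADM01", "USER.OVM.UID", "READ"),
        "alice_read_own_home":    fc.check(ALICE, "ALICE", "USER.OVM.HOME", "READ"),
    }


def inactive_class_decisions():
    """Profile defined but SETROPTS CLASSACT(FIELD) never issued."""
    fc = FieldClass()
    fc.rdefine("USER.OVM.UID", "READ")
    return (fc.check(ALICE, "ALICE", "USER.OVM.UID", "READ"),
            fc.check(SPEC, "ALICE", "USER.OVM.UID", "READ"))


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
    print("class inactive (ALICE, SPECIAL):", inactive_class_decisions())
```

The HOME case shows why the generic USER.OVM.* profile matters: a field with no specific profile falls back to the generic one, whose UACC(NONE) closes it to everyone, and the &RACUID entry on USER.OVM.UID does not carry over to other fields.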
Table 1. Relationship of RACF Command Suboperands to FIELD Profile Names

OVM Segment in:   To control the use of this suboperand:   Use this qualifier in FIELD profiles:
User Profiles     UID                                      UID
                  HOME                                     HOME
                  PROGRAM                                  PROGRAM
                  FSROOT                                   FSROOT
Group Profiles    GID                                      GID