Purpose

Use the PERMIT command to maintain the lists of users and groups authorized to access a particular resource. RACF® provides two types of access lists: standard and conditional.
Standard Access List: The standard access list includes the user IDs and group names authorized to access the resource and the level of access granted to each.

Conditional Access List: The conditional access list includes the user IDs and group names authorized to access the resource and the level of access granted to each when a certain condition is met. The conditions that can be specified are:
- The name of the program the user must be executing
- The name of the terminal by which the user entered the system
- The name of the JES input device through which the user entered
the system
- The name of the system console from which the request was originated
- The name of the APPC partner LU (logical unit) from which the
transaction program originated
- The system identifier (SMFID) of the system on which the user
is loading the controlled program
- The SERVAUTH profile name that protected the network access security
zone name containing the IP address by which the user entered the
system
- An application-specific CRITERIA name and value.
RACF considers the conditional access list if one of the following is true:
- The class specified in the condition is active (for the SERVAUTH, TERMINAL, JESINPUT, CONSOLE, or APPCPORT conditions).
- The RACF program control facility is active (for the PROGRAM or the SYSID condition). The RACF program control facility is activated by your installation using the SETROPTS WHEN(PROGRAM) command.
- An application-specific CRITERIA name and value is specified on
the RACROUTE REQUEST=FASTAUTH request.
If one of the criteria above is met, RACF uses both the standard and conditional
access lists when it checks a user's authority to access a resource;
otherwise RACF uses only the
standard access list. For more information on conditional access lists
or program control, see z/OS Security Server RACF Security Administrator's Guide.
You
can maintain either the standard access list or the conditional access
list with a single PERMIT command. Changing both requires you to issue
PERMIT twice, with one exception. You can change individual names
in one access list and copy the other access list from another profile
on one PERMIT command.
Using PERMIT, you can make the following changes to either a standard access list or a conditional access list:
- Give authority to access a discrete or generic resource profile to specific RACF-defined users or groups
- Remove authority to access a discrete or generic resource profile
from specific users or groups
- Change the level of access authority to a discrete or generic
resource profile for specific users or groups
- Copy the list of authorized users from one discrete or generic
resource profile to another profile of either type and modify the
new list as you require
- Delete an existing access list.
Using PERMIT to modify an automatic TAPEVOL profile changes the
profile to nonautomatic. For more information about TAPEVOL profiles,
see z/OS Security Server RACF Security Administrator's Guide.
To have changes take effect after updating a user's access to a generic profile, one of the following steps is required:
- If the command was issued for a data set profile, the user of the data set issues the LISTDSD command:
  LISTDSD DA(data-set-protected-by-the-profile) GENERIC
Note: Use
the data set name, not the profile name.
- The security administrator issues the SETROPTS command:
SETROPTS GENERIC(class-name) REFRESH
See
SETROPTS command for authorization requirements.
- The user of the data set or resource logs off and logs on again.
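The grant, refresh and verify sequence described above, as an added example written for this page (it is not IBM's code): a REXX exec run from TSO that updates a generic DATASET profile, refreshes it, and lists the result. The profile WJE10.DEPT2.*, the data set WJE10.DEPT2.DATA and the group RESEARCH are hypothetical, and the exec assumes the issuer holds the authority that SETROPTS REFRESH requires; if not, the per-user LISTDSD form shown in the comments is the alternative.

```rexx
/* REXX -- grant on a generic DATASET profile, refresh, then verify.
   Added example for this page; profile, data set and group names are
   hypothetical.                                                      */
address TSO
profile = "'WJE10.DEPT2.*'"       /* generic profile, assumed to exist */
dsn     = "'WJE10.DEPT2.DATA'"    /* a data set the profile covers     */
grantee = 'RESEARCH'              /* RACF-defined group                */

/* 1. Update the standard access list. A non-zero rc means the PERMIT
      was rejected, typically for insufficient authority over the
      profile (see Authorization required).                           */
"PERMIT" profile "ID("grantee") ACCESS(UPDATE)"
if rc <> 0 then do
  say 'PERMIT failed, rc='rc
  exit rc
end

/* 2. Users who already hold this generic profile in storage keep the
      old access list until a refresh. The system-wide form needs
      SETROPTS authority; the per-user alternative is LISTDSD with
      GENERIC issued by the affected user (or a logoff and logon).    */
"SETROPTS GENERIC(DATASET) REFRESH"
if rc <> 0 then say 'SETROPTS REFRESH rc='rc '- have the administrator refresh'
/* "LISTDSD DA("dsn") GENERIC"   <- per-user form; data set name, not profile name */

/* 3. Verify what RACF now holds: the generic profile covering the
      data set, with its standard and conditional lists (AUTHUSER).   */
"LISTDSD DA("dsn") GENERIC AUTHUSER"
exit rc
```

The exec stops at the first failing PERMIT so that a refresh is never issued for a change that did not happen; the LISTDSD at the end is the check a reviewer would want before closing the change.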
Issuing options

The following table identifies the eligible options for issuing the PERMIT command:

As a RACF TSO command? | As a RACF operator command? | With command direction? | With automatic command direction? | From the RACF parameter library?
---|---|---|---|---
Yes | Yes | Yes | Yes | Yes
For information on issuing this command
as a RACF TSO command, refer
to RACF TSO commands.
For
information on issuing this command as a RACF operator command, refer to RACF operator commands.
You
must be logged on to the console to issue this command as a RACF operator command.
Authorization required

When issuing this command as a RACF operator command, you might require sufficient authority to the proper resource in the OPERCMDS class. For details about OPERCMDS resources, see "Controlling the use of operator commands" in z/OS Security Server RACF Security Administrator's Guide.
To perform any of the PERMIT functions, you must have sufficient authority over the resource. RACF makes the following checks until one of the conditions is met:
- You have the SPECIAL attribute.
- The profile is within the scope of a group in which you have the
group-SPECIAL attribute.
- You are the owner of the resource.
- If the resource belongs to the DATASET class, the high-level qualifier
of the profile name (or the qualifier supplied by the naming conventions
routine or a command installation exit) is your user ID.
- If the resource belongs to the DATASET class, you must be the
current owner of the profile or have the SPECIAL attribute, or the
profile must be within the scope of a group in which you have the
group-SPECIAL attribute.
- If the profile is in the FILE or DIRECTRY class, the second qualifier
of the profile name is your user ID.
- For a discrete profile, you are on the standard access list for
the resource and you have ALTER authority.
- For a discrete profile, your current connect group (or, if list-of-groups
checking is active, any group to which you are connected) is on the
standard access list and has ALTER authority.
- For a discrete profile, the universal access authority is ALTER.
To specify the AT keyword, you must have READ authority
to the DIRECT.node resource in the RRSFDATA class and a user
ID association must be established between the specified node.userid pair(s).
To
specify the ONLYAT keyword you must have the SPECIAL attribute, the userid specified
on the ONLYAT keyword must have the SPECIAL attribute, and a user
ID association must be established between the specified node.userid pair(s)
if the user IDs are not identical.
When you are copying a list
of authorized users from one resource profile to another, you must
have sufficient authority, as described in the preceding list, to
both of the resources.
Syntax

For the key to the symbols used in the command syntax diagrams, see Syntax of RACF commands and operands. The complete syntax of the PERMIT command is:

  [subsystem-prefix]{PERMIT | PE}
      profile-name-1
      [ ACCESS(access-authority) | DELETE ]
      [ AT([node].userid …) | ONLYAT([node].userid …) ]
      [ CLASS(profile-name-1-class) ]
      [ FCLASS(profile-name-2-class) ]
      [ FGENERIC ]
      [ FROM(profile-name-2) ]
      [ FVOLUME(volume-serial) ]
      [ GENERIC ]
      [ ID( {name … | *} ) ]
      [ RESET [ (ALL | STANDARD | WHEN) ] ]
      [ VOLUME(volume-serial) ]
      [ WHEN(
          [ APPCPORT( {partner-luname … | *} ) ]
          [ CONSOLE( {console-id … | *} ) ]
          [ CRITERIA( criteria-name ( {criteria-value | *} ) ) ]
          [ JESINPUT( {JES-input-device-name … | *} ) ]
          [ PROGRAM( {program-name … | *} ) ]
          [ SERVAUTH( {SERVAUTH-profile-name … | *} ) ]
          [ SYSID( {system-identifier … | *} ) ]
          [ TERMINAL( {terminal-id … | *} ) ]
        ) ]
Parameters

- subsystem-prefix
- Specifies that the RACF subsystem
is the processing environment of the command. The subsystem
prefix can be either the installation-defined prefix for RACF (1 - 8 characters)
or, if no prefix has been defined, the RACF subsystem
name followed by a blank. If the command prefix was registered with
CPF, you can use the MVS command D OPDATA to display it or you can
contact your RACF security
administrator.
Only specify the subsystem prefix when issuing
this command as a RACF operator
command. The subsystem prefix is required when issuing RACF operator commands.
- profile-name-1
- Specifies
the name of an existing discrete or generic profile whose access list
you want to modify. You can specify only one profile.
This operand
is required and must be the first operand following PERMIT.
If
the name specified is a tape volume serial number that is a member
of a tape volume set, the authorization assigned by this command applies
to all the volumes in the volume set.
If the profile does not
belong to the DATASET class, you must also specify CLASS.
Mixed-case
profile names are accepted and preserved when CLASS refers to a class
defined in the static class descriptor table with CASE=ASIS or in
the dynamic class descriptor table with CASE(ASIS).
- AT
| ONLYAT
- The AT and ONLYAT keywords are only valid when the command is
issued as a RACF TSO command.
- AT([node].userid
…)
- Specifies
that the command is to be directed to the node specified by node,
where it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the
command is directed to the local node.
- ONLYAT([node].userid
…)
- Specifies
that the command is to be directed only to the node specified by node where
it runs under the authority of the user specified by userid in
the RACF subsystem address
space.
If node is not specified, the
command is directed only to the local node.
- ACCESS
| DELETE
-
- ACCESS(access-authority)
- Specifies the access authority
you want to associate with the names that you identify on the ID operand. RACF sets the access authority
in the standard access list.
If you specify WHEN, RACF sets the access authority in the conditional
access list.
The valid access authorities are NONE, EXECUTE
(for DATASET, PROGRAM, or APPCTP class only), READ, UPDATE, CONTROL,
and ALTER. If you need more information, see z/OS Security Server RACF Security Administrator's Guide.
If
you specify ACCESS and omit access-authority,
the default value is ACCESS(READ).
If you specify the ID operand
and omit both ACCESS and DELETE, the default value is ACCESS(READ).
If
you specify both ACCESS and DELETE, RACF uses
the last operand you specify.
- DELETE
- Specifies
that you are removing the names you identify on the ID operand from
an access list for the resource. RACF deletes
the names from the standard access list.
If you specify WHEN, RACF deletes the names from the
conditional access list.
If you specify the ID operand and
omit both ACCESS and DELETE, the default value is ACCESS(READ).
If
you specify both ACCESS and DELETE, RACF uses
the last operand you specify.
- CLASS(profile-name-1-class)
- Specifies
the name of the class to which profile-name-1 belongs.
The valid class names are DATASET and those classes defined in the
class descriptor table. For a list of general
resource classes defined in the class descriptor table supplied by IBM®, see Supplied RACF resource classes.
If you omit CLASS, the
default is DATASET.
- FCLASS(profile-name-2-class)
- Specifies
the name of the class to which profile-name-2 belongs.
The valid class names are DATASET and those classes defined in the
class descriptor table. For a list of general
resource classes defined in the class descriptor table supplied by IBM, see Supplied RACF resource classes.
If you specify FROM and
omit FCLASS, RACF assumes that
the class for profile-name-2 is same as
the class for profile-name-1. This operand
is valid only when you also specify the FROM operand; otherwise, RACF ignores it.
- FGENERIC
- Specifies
that RACF is to treat profile-name-2 as
a generic name, even if it is fully qualified (meaning that it does
not contain any generic characters). This operand is only needed if profile-name-2 is
a DATASET profile.
- FROM(profile-name-2)
- Specifies the name of the existing
discrete or generic profile that contains the access lists RACF is to copy as the access lists
for profile-name-1. If you specify FROM
and omit FCLASS, RACF assumes
that profile-name-2 is the name of a profile
in the same class as profile-name-1.
Mixed-case
profile names are accepted and preserved when FCLASS refers to a class
defined in the static class descriptor table with CASE=ASIS or in
the dynamic class descriptor table with CASE(ASIS).
If profile-name-2 contains
a standard access list, RACF copies
it to the profile you are changing. If profile-name-2 contains
a conditional access list, RACF copies
it to the profile you are changing.
RACF modifies the access list for profile-name-1 as
follows: - Authorizations for profile-name-2 are
added to the access list for profile-name-1.
Note: The
following conditional access list conditions are valid only for specific
classes. Entries in the conditional access list of profile-name-2 for
these conditions are copied to the conditional access list of profile-name-1 only
if the condition is valid for the class of profile-name-1.
- WHEN(SYSID) is valid only for the PROGRAM class. SYSID entries
are copied only when the class of profile-name-1 is
PROGRAM.
- WHEN(PROGRAM) is valid only for data sets and the SERVAUTH class.
PROGRAM entries are copied only when profile-name-1 is
a data set profile or a SERVAUTH class profile.
- WHEN(CRITERIA) is valid only for general resource classes (not
data sets). CRITERIA entries are not copied when profile-name-1 is
a data set profile.
- If a group or user appears in both lists, RACF uses the authorization granted in profile-name-1.
- If you specify a group or user on the ID operand and that group
or user also appears in the profile-name-2 access
list, RACF uses the authorization
granted on the ID operand.
To specify FROM, you must have sufficient authority to both profile-name-1 and profile-name-2,
as described under Authorization required.
- FVOLUME(volume-serial)
- Specifies
the volume RACF is to use to
locate profile-name-2. This is the volume
on which the non-VSAM DASD data set, the tape data set, or the catalog
for the VSAM data set resides.
If you specify FVOLUME and RACF does not find profile-name-2 on
that volume, the command fails. If you omit this operand and profile-name-2 appears
more than once in the RACF data
set, the command fails.
FVOLUME is valid only when FCLASS either
specifies or defaults to DATASET and when profile-name-2 specifies
a discrete profile. Otherwise, RACF ignores
FVOLUME.
- GENERIC
- Specifies
that RACF is to treat profile-name-1 as
a generic name, even if it does not contain any generic characters.
This operand is only needed if profile-name-1 is
a DATASET profile.
- ID(name
… | *)
- Specifies
the user IDs and group names of RACF-defined users or groups whose
authority to access the resource you are giving, removing, or changing.
If you omit this operand, RACF ignores
the ACCESS and DELETE operands.
ID(*) can be used with standard or conditional access lists. You might specify ID(*) with a conditional access list, as follows:
PERMIT 'resource' ID(*) WHEN(PROGRAM(XYZ)) ACCESS(READ)
This
command, depending on other environmental factors, may allow all RACF-defined
users and groups READ access to the specified data set when executing
program XYZ. RACF grants access
to the data set, using the conditional access list, with the authority
you specify on the ACCESS operand. The value specified with ACCESS
is used only if no more specific values are found. If you do not specify
the ACCESS operand, or if you specify ACCESS without an access authority, RACF uses a default value of ACCESS(READ).
See z/OS Security Server RACF Security Administrator's Guide for
more information on program access to data sets.
For profiles
in the FIELD class, you may also specify the value &RACUID for
the name variable with the ID operand on
the PERMIT command. When you enter this value on the PERMIT command,
you allow all users access to the specified field or segment of their
own user profiles.
- RESET
-
- RESET | RESET(ALL)
- Specifies
that RACF is to delete from
the profile both the entire current standard access list and the entire
current conditional access list.
RACF deletes
both access lists before it processes any operands (ID and ACCESS
or FROM) that create new entries in an access list. If you delete
both access lists and specify FROM when profile-name-2 contains
two access lists, the PERMIT command copies both access lists to profile-name-1.
In any other situation, you cannot, on one PERMIT command, add entries
to both access lists.
If you specify RESET and do not specify
ALL, STANDARD, or WHEN, the default value is RESET(ALL).
If
you specify RESET or RESET(ALL), add entries, and omit WHEN, RACF deletes both access lists,
then adds entries to the standard access list.
If you specify
RESET or RESET(ALL), add entries, and specify WHEN, RACF deletes both access lists, then adds entries
to the conditional access list.
For profiles that include two
access lists, use RESET and RESET(ALL) carefully. Unless you are copying
both lists from another profile, it is a good practice to use RESET(STANDARD)
to maintain the standard access list and RESET(WHEN) to maintain the
conditional access list.
- RESET(STANDARD)
- Specifies
that RACF is to delete the
entire current standard access list from the profile.
If you specify
RESET(STANDARD) with ID and ACCESS or with FROM, RACF deletes the current standard access list
from the profile before it adds the new names.
If you specify
RESET(STANDARD) with ID and DELETE, RACF ignores
RESET(STANDARD) and deletes only the names that you specify.
If
you specify RESET(STANDARD) without ID and ACCESS, or without FROM,
the resulting standard access list is empty. An empty standard access
list means that, for a general resource or a group data set profile,
you must be the owner or have the SPECIAL attribute, or the profile
must be within the scope of a group in which you have the group-SPECIAL
attribute, in order to update the access list again.
For a
DATASET profile, an empty conditional access list means that no users
or groups can access the data set by executing a program.
- RESET(WHEN)
- Specifies
that RACF is to delete the
entire current conditional access list from the profile.
If you
specify RESET(WHEN) with ID and ACCESS or with FROM, RACF deletes the current conditional access
list from the profile before it adds the new names.
If you
specify RESET(WHEN) with ID, DELETE, and WHEN, RACF ignores RESET(WHEN) and deletes only the
names that you specify.
If you specify RESET(WHEN) without
ID and ACCESS, or without FROM, the resulting conditional access list
is empty.
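The two-list rule above (one PERMIT maintains one list, and RESET(WHEN) or RESET(STANDARD) leaves the other intact) as an added example written for this page, not IBM's code: a REXX exec that rebuilds a discrete data set profile's conditional access list and then replaces its standard list in a second PERMIT. The profile SALES.EUROPE.ABC, the template SALES.*.ABC (assumed to carry only a standard access list), the users and the program names are hypothetical; the exec assumes the issuer has the authority described under Authorization required and that the named programs are defined to RACF as controlled programs.

```rexx
/* REXX -- rebuild a data set profile's conditional access list with
   RESET(WHEN), then replace its standard list in a second PERMIT.
   Added example for this page; names are hypothetical.               */
address TSO
profile  = "'SALES.EUROPE.ABC'"   /* discrete DATASET profile                  */
template = "'SALES.*.ABC'"        /* generic profile with a standard list only */

/* Desired conditional entries: user, controlled program, access.      */
want.0 = 3
want.1 = 'TH01 FUTURES UPDATE'
want.2 = 'TH03 FUTURES UPDATE'
want.3 = 'AUDIT1 RPTGEN READ'

/* The first PERMIT carries RESET(WHEN): RACF empties the conditional
   list before adding the name, so stale program entries disappear and
   the standard list is untouched. RESET or RESET(ALL) in its place
   would empty the standard list too, and because WHEN is present
   nothing would be put back into it.                                 */
do i = 1 to want.0
  parse var want.i user pgm acc .
  if i = 1 then reset = 'RESET(WHEN)'
  else reset = ''
  "PERMIT" profile reset "ID("user") ACCESS("acc") WHEN(PROGRAM("pgm"))"
  if rc <> 0 then do
    say 'PERMIT' user'/'pgm 'failed, rc='rc
    exit rc
  end
end

/* Apart from the FROM copy case, one PERMIT adds to only one list, so
   the standard list is handled separately: empty it and copy the
   template's standard list. If the template also had a conditional
   list, those entries would be merged in as well (existing entries in
   this profile win on conflict), which is why a template without one
   is used.                                                           */
"PERMIT" profile "RESET(STANDARD) FROM("template")"
if rc <> 0 then exit rc

/* The profile is discrete, so no GENERIC refresh is needed; for a
   generic profile, SETROPTS GENERIC(DATASET) REFRESH would follow.   */
"LISTDSD DA("profile") AUTHUSER"
exit rc
```

Keeping RESET(WHEN) on the first conditional PERMIT only, and never using bare RESET when WHEN is present, is what prevents the standard list from being wiped as a side effect of maintaining program access.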
- VOLUME(volume-serial)
- Specifies
the volume on which the tape data set, the non-VSAM DASD data set,
or the catalog for the VSAM data set resides.
If you specify VOLUME
and volume-serial does not appear in the
profile for the data set, the command fails.
If you omit VOLUME
and the data set name appears more than once in the RACF data set, the command fails.
This
operand is valid only for CLASS(DATASET). RACF ignores it for all other CLASS values.
If profile-name-1 is
a generic profile, RACF ignores
this operand.
- WHEN(APPCPORT(partner-luname
… | *))
- Specifies
that the indicated users or groups have the specified access authority
when executing commands and jobs originating from the specified partner
LU.
Specify one or more LU names. No generic names or profile names
are supported.
WHEN(APPCPORT(*)) deletes all
APPCPORT entries for the specified users or groups. It is valid only
with the DELETE operand.
- WHEN(CONSOLE(console-id
… | *))
- Specifies
that the indicated users or groups have the specified access authority
when executing commands and jobs originating from the specified system
console.
Specify one or more console identifiers. No generic names
or profile names are supported.
WHEN(CONSOLE(*))
deletes all CONSOLE entries for the specified users or groups. It
is valid only with the DELETE operand.
- WHEN(CRITERIA(criteria-name (criteria-value | *)))
- Specifies
that the indicated users or groups have the specified access authority
when they are defined in an application that uses the specified criteria.
Applications, such as DB2®, can
execute the RACROUTE REQUEST=FASTAUTH request to check user and group
authority to access a resource associated with a particular criteria,
such as a DB2 role.
Important: Specify
the same criteria name and value that the application specifies on
the RACROUTE REQUEST=FASTAUTH request. For details about valid criteria
names and values, see your application documentation. For information
about RACROUTE, see z/OS Security Server RACROUTE Macro Reference.
The criteria-name is
a string of 1 - 8
characters. The string can contain any combination of A - Z, 0 - 9, # (X'7B'), $ (X'5B'),
or @ (X'7C'). It must not contain blanks.
Lowercase alphabetic characters in the criteria-name are
translated to upper case.
The criteria-value is a string of 1 - 235 characters; any combination of characters is allowed. If the criteria-value consists
of a single asterisk (*), you can optionally enclose
it in single quotation marks. If the criteria-value contains
blanks or other special characters, you must enclose the entire string
in single quotation marks.
When the criteria-value is enclosed in single quotation marks, the following rules apply.
- The string must contain at least one non-blank character.
- The string must not contain blanks between the last character
and the ending quote.
- If a single quotation mark is intended to be part of the criteria-value,
use two single quotation marks together for each single quotation
mark within the string, and enclose the entire string within single
quotation marks.
The criteria-value is stored in the RACF database exactly as you specify it:
- Both uppercase and lowercase characters are preserved in the case
in which they are specified.
- Leading blanks are preserved when the string is quoted.
- WHEN(CRITERIA(SQLROLE(DB2-role-name)))
- Beginning with DB2 Version
9, you can authorize conditional access to DB2 resources for users and groups associated
(in DB2) with a DB2 role by specifying SQLROLE as the criteria-name and
a DB2 role name as the criteria-value.
Specify DB2-role-name to match a DB2-defined role name. (For more
information about using DB2 roles,
see the DB2 Version 9 publication
library.)
Example: WHEN(CRITERIA(SQLROLE(TELLER)))
WHEN(CRITERIA(SQLROLE(*)))
and WHEN(CRITERIA(SQLROLE('*'))) delete all SQLROLE
CRITERIA entries for the specified users or groups.
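The quoting rules for criteria-value, together with the SQLROLE delete-all form, as an added example for this page (not IBM's or DB2's code): a REXX exec that issues PERMIT commands in the style of Example 7. The MDSNTB resource DSN.ZHAOHUI.TABLE.ALTER, user JEAN and the role names are hypothetical. Note the extra layer: each command is a REXX double-quoted literal, so the single quotation marks RACF needs pass through unchanged, and an apostrophe inside the value is doubled once, for RACF, not for REXX.

```rexx
/* REXX -- PERMIT with WHEN(CRITERIA(SQLROLE(...))): quoting the value.
   Added example for this page; resource, user and role names are
   hypothetical.                                                      */
address TSO
res = 'DSN.ZHAOHUI.TABLE.ALTER CLASS(MDSNTB)'

/* Unquoted value: case is preserved as typed, so TELLER must match
   the DB2 role name exactly.                                         */
call issue_permit "ID(JEAN) ACCESS(READ) WHEN(CRITERIA(SQLROLE(TELLER)))"

/* A value with a blank must be quoted. The command is a REXX
   double-quoted literal, so the single quotes reach RACF intact, and
   any leading blanks inside them would be kept.                      */
call issue_permit "ID(JEAN) ACCESS(READ) WHEN(CRITERIA(SQLROLE('Branch Teller')))"

/* An apostrophe inside the value is doubled once, for RACF; the
   stored value is  O'BRIEN TEAM.                                     */
call issue_permit "ID(JEAN) ACCESS(READ) WHEN(CRITERIA(SQLROLE('O''BRIEN TEAM')))"

/* Show the conditional list as RACF holds it.                        */
"RLIST MDSNTB DSN.ZHAOHUI.TABLE.ALTER AUTHUSER"

/* Delete-all form: SQLROLE(*) (or SQLROLE('*')) with DELETE removes
   every SQLROLE entry for JEAN, not just one value.                  */
call issue_permit "ID(JEAN) DELETE WHEN(CRITERIA(SQLROLE(*)))"
exit 0

issue_permit: procedure expose res
  parse arg opts
  address TSO "PERMIT" res opts
  if rc <> 0 then do
    say 'PERMIT' opts 'failed, rc='rc
    exit rc
  end
  return
```

Because the value is stored exactly as typed, a role granted as 'Branch Teller' is not the role 'BRANCH TELLER'; the RLIST output is the place to confirm the spelling that RACF will compare against the RACROUTE REQUEST=FASTAUTH criteria.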
- WHEN(JESINPUT(JES-input-device-name
… | *))
- Specifies
that the indicated users or groups have the specified access authority
when entering the system through the specific JES input device.
Specify
one or more device names. No generic names or profile names are supported.
WHEN(JESINPUT(*))
deletes all JESINPUT entries for the specified users or groups. It
is valid only with the DELETE operand.
- WHEN(PROGRAM(program-name
… | *))
- Specifies
that you want to create or delete entries in the conditional access
list of the specified data set or SERVAUTH profile. This operand applies
only to resources in the data set and SERVAUTH classes.
Specify
one or more program names. No generic names or profile names are supported.
For
example, if you enter the following command: PERMIT 'XXX.YYY' ID(SMITH) ACCESS(READ) WHEN(PROGRAM(ABC))
RACF allows user SMITH READ access
to the data set protected by profile XXX.YYY when executing program
ABC. RACF grants access, through
the conditional access list, with the authority you specify on the
ACCESS operand. If you do not specify the ACCESS operand, or if you
specify ACCESS without an access authority, RACF uses a default value of ACCESS(READ).
See z/OS Security Server RACF Security Administrator's Guide for
more information on data set access and program access to SERVAUTH
resources when program control is active.
WHEN(PROGRAM) affects only
users and groups specified on the ID operand; it has no effect on
names copied from a standard access list in another profile (using
the FROM operand). Thus, you can copy a standard access list from
another profile that contains only a standard access list and add
or delete names in the conditional access list on a single PERMIT
command.
To delete an entry from the conditional access list
of a data set profile, issue the PERMIT command as follows: PERMIT 'XXX.YYY' ID(JONES) DELETE WHEN(PROGRAM(ABC))
When
you issue this command, RACF no
longer allows user JONES access to the data set protected by profile
XXX.YYY when executing program ABC. If you specify WHEN(PROGRAM(*)) with DELETE, RACF deletes all program names for each user or group specified on the ID operand.
See
also the description of the ID operand.
WHEN(PROGRAM(*))
deletes all PROGRAM entries for the specified users or groups. It
is valid only with the DELETE operand.
- WHEN(SERVAUTH(SERVAUTH-profile-name
… | *))
-
- WHEN(SERVAUTH(SERVAUTH-profile-name …))
- Specifies that the indicated users or groups have the specified
access authority when using an IP address protected by the named SERVAUTH
profile. The profile name may be generic; however, it must match exactly
the name of a profile to allow access.
Guideline: Use careful consideration before specifying the SERVAUTH profile name * on the RDEFINE and PERMIT WHEN(SERVAUTH(…)) commands. The SERVAUTH profile name * cannot be removed from the conditional access list without deleting all SERVAUTH entries for the specified users or groups, because WHEN(SERVAUTH(*)) with DELETE is the delete-all form. Instead, we recommend that you create the profile ** in the SERVAUTH class. Then use the ** profile name for the conditional access list.
- WHEN(SERVAUTH(*))
- Deletes all SERVAUTH entries for the specified users or groups
when specified with the DELETE operand.
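The ** guideline as an added example for this page (not IBM's code): a REXX exec that defines a catch-all ** SERVAUTH profile, grants a group READ on a discrete data set profile only from one network access zone, adds a catch-all conditional entry through ** rather than *, and then removes just that entry. The data set PAYROLL.MASTER.DATA, the group PAYGRP and the zone profile EZB.NETACCESS.SYS1.TCPIP.INTRANET are hypothetical; the exec assumes the SERVAUTH class is active and generic profile checking is enabled for it, and that the issuer holds the authority the RDEFINE, PERMIT and SETROPTS commands need.

```rexx
/* REXX -- WHEN(SERVAUTH) conditional access using a ** profile.
   Added example for this page; all names are hypothetical.          */
address TSO
profile = "'PAYROLL.MASTER.DATA'"                /* discrete DATASET profile       */
zone    = 'EZB.NETACCESS.SYS1.TCPIP.INTRANET'    /* assumed NETACCESS zone profile */

/* One-time setup: a ** profile covers every zone that no more
   specific SERVAUTH profile protects. Conditional entries match on
   the name of the protecting profile, so ** never overlaps the zone
   above. SERVAUTH is RACLISTed, so the new profile needs a refresh.  */
"RDEFINE SERVAUTH ** UACC(NONE)"
if rc <> 0 then say 'RDEFINE rc='rc '(already defined?)'
"SETROPTS RACLIST(SERVAUTH) REFRESH"

/* Grant READ only when the request arrives from the intranet zone.
   The condition is considered only while the SERVAUTH class is active. */
"PERMIT" profile "ID(PAYGRP) ACCESS(READ) WHEN(SERVAUTH("zone"))"
if rc <> 0 then exit rc

/* Explicit NONE for every other zone, via ** rather than *.          */
"PERMIT" profile "ID(PAYGRP) ACCESS(NONE) WHEN(SERVAUTH(**))"
if rc <> 0 then exit rc

/* Later: drop only the catch-all entry. Had it been written as *,
   WHEN(SERVAUTH(*)) DELETE would be the only way out and would also
   remove the INTRANET entry.                                         */
"PERMIT" profile "ID(PAYGRP) DELETE WHEN(SERVAUTH(**))"
if rc <> 0 then exit rc

/* Discrete profile: no GENERIC refresh needed. Show both lists.      */
"LISTDSD DA("profile") AUTHUSER"
exit rc
```

The point of the ** profile is reversibility: each conditional entry can be added and removed on its own, so a change to the catch-all rule never silently strips the zone-specific grants that sit beside it.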
- WHEN(SYSID(system-identifier
… | *))
- Specifies
that the indicated users or groups have the specified access authority
when loading this controlled program on the specified system.
Specify
one or more system identifiers. No generic names or profile names
are supported.
This operand applies only to resources in the
PROGRAM class. The system-identifier is
the 4-character value specified for the SID parameter of the SMFPRMxx
member of SYS1.PARMLIB. See z/OS MVS Initialization and Tuning Reference for
additional information on SMFPRMxx.
WHEN(SYSID(*))
deletes all SYSID entries for the specified users or groups. It is
valid only with the DELETE operand.
- WHEN(TERMINAL(terminal-id
… | *))
- Specifies that the indicated users or groups have the specified access authority when logged on to the named terminal.
Specify one or more terminal
identifiers. No generic names or profile names are supported.
WHEN(TERMINAL(*))
deletes all TERMINAL entries for the specified users or groups. It
is valid only with the DELETE operand.
Examples

Example 1
Operation: User WJE10 wants to give UPDATE access authority to data set WJE10.DEPT2.DATA to all the users in the group RESEARCH. Data set WJE10.DEPT2.DATA is protected by a discrete profile.
Known: User WJE10 and group RESEARCH are RACF-defined. Data set WJE10.DEPT2.DATA is RACF-defined. User WJE10 wants to issue the command as a RACF TSO command.
Command: PERMIT 'WJE10.DEPT2.DATA' ID(RESEARCH) ACCESS(UPDATE)
Defaults: CLASS(DATASET)

Example 2
Operation: User WRH0 wants to give all users authorized to access the data set RESEARCH.PROJ01.DATA on volume DASD22 the authority to access RESEARCH.PROJ01.DATA on volume DASD11. User WRH0 also wants to give user AEH10 READ authority to RESEARCH.PROJ01.DATA.
Known: User WRH0 has ALTER access to both RESEARCH.PROJ01.DATA data sets. Both data sets are protected by discrete profiles. User WRH0 wants to issue the command as a RACF TSO command.
Command: PERMIT 'RESEARCH.PROJ01.DATA' ID(AEH10) FROM('RESEARCH.PROJ01.DATA') VOLUME(DASD11) FVOLUME(DASD22)
Defaults: ACCESS(READ) CLASS(DATASET) FCLASS(DATASET)

Example 3
Operation: User LAB2 wants to delete user MMC02's access to tape volume TAP8X.
Known: User LAB2 is the owner of the profile for tape volume TAP8X. User LAB2 wants to issue the command as a RACF operator command, and the RACF subsystem prefix is @.
Command: @PERMIT TAP8X CLASS(TAPEVOL) ID(MMC02) DELETE
Defaults: None.

Example 4
Operation: User ADM1 wants to delete the existing standard access list from the discrete profile protecting the data set SALES.EUROPE.ABC, then copy the standard access list from the generic profile SALES.*.ABC to the discrete profile for SALES.EUROPE.ABC. User ADM1 wants to direct the command to run under the authority of user THB11.
Known: User THB11 has the SPECIAL attribute. SALES.EUROPE.ABC is in the DATASET class. User ADM1 wants to issue the command as a RACF TSO command. ADM1 and THB11 have an already established user ID association.
Command: PERMIT 'SALES.EUROPE.ABC' FROM('SALES.*.ABC') RESET(STANDARD) AT(.THB11)
Defaults: CLASS(DATASET) FCLASS(DATASET). Command direction defaults to the local node.

Example 5
Operation: User ADM1 wants to replace the conditional access list in the discrete profile that protects the data set SALES.EUROPE.ABC. Two users, TH01 and TH03, are to be allowed to update the data set when executing the program named FUTURES.
Known: User ADM1 has the SPECIAL attribute. Users TH01 and TH03 are defined to RACF. The program FUTURES has been defined to RACF as a controlled program. User ADM1 wants to issue the command as a RACF TSO command.
Command: PERMIT 'SALES.EUROPE.ABC' RESET(WHEN) ID(TH01 TH03) ACCESS(UPDATE) WHEN(PROGRAM(FUTURES))
Defaults: CLASS(DATASET)

Example 6
Operation: User ADM1 wants to control the access of shared user IDs PUBLIC and RESELL to data sets containing sales data. All users working within the company need access to sales data along with RESELL, but PUBLIC cannot have access.
Known: User ADM1 has the SPECIAL attribute. User IDs PUBLIC and RESELL have the RESTRICTED attribute, so neither gains access through UACC or ID(*); only an explicit entry on the access list grants it. SALES.RESELL.* is a generic data set profile with UACC(READ).
Command: PERMIT 'SALES.RESELL.*' ID(RESELL) ACCESS(READ)
Defaults: CLASS(DATASET)

Example 7
Operation: Rui wants to authorize user JEAN to alter a DB2 table owned by ZHAOHUI only when JEAN is assigned in DB2 to the role called TELLER.
Known: Rui has the SPECIAL attribute. A general resource called DSN.ZHAOHUI.TABLE.ALTER is defined in the MDSNTB class with UACC(NONE). The user JEAN is assigned in DB2 to the role called TELLER. The installation uses the RACF access control module (ACM) with DB2. The ACM is configured for multiple-subsystem scope and the DB2 subsystem is operational.
Command: PERMIT DSN.ZHAOHUI.TABLE.ALTER CLASS(MDSNTB) ID(JEAN) ACCESS(READ) WHEN(CRITERIA(SQLROLE(TELLER)))
Defaults: None.