racf protection for data sets - amazon s3 · cicsplex db2 eserver ibm ibm z ibm z systems ibm z13...

SECURITY & COMPLIANCE CONFERENCE 2016

RACF and Data Set

Protection

John Hilman

Vanguard Professional Services

BAS5 & BAS6

VANGUARD SECURITY & COMPLIANCE 2016

Legal Notice

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license

to view these materials for your organization’s internal purposes. Any unauthorized

reproduction, distribution, exhibition or use of these copyrighted materials is expressly

prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada:

©2016 Vanguard Integrity Professionals, Inc. 2

Vanguard Administrator

Vanguard Advisor

Vanguard Analyzer

Vanguard SecurityCenter

Vanguard Offline

Vanguard Cleanup

Vanguard PasswordReset

Vanguard Authenticator

Vanguard inCompliance

Vanguard IAM

Vanguard GRC

Vanguard QuickGen

Vanguard Active Alerts

Vanguard Configuration Manager

Vanguard Configuration Manager Enterprise Edition

Vanguard Policy Manager

Vanguard Enforcer

Vanguard ez/Token

Vanguard Tokenless Authenticator

Vanguard ez/PIV Card Authenticator

Vanguard ez/Integrator

Vanguard ez/SignOn

Vanguard ez/Password Synchronization

Vanguard Security Solutions

Vanguard Security & Compliance

Vanguard zSecurity University


The following are trademarks or registered trademarks of the International Business Machines Corporation: Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.

Other company, product, and service names may be trademarks or service marks of others.

Trademarks


CICS

CICSPlex

DB2

eServer

IBM

IBM z

IBM z Systems

IBM z13

S/390

System z

System z9

System z10

System/390

VTAM

WebSphere

z Systems

z9

z10

z13

z/Architecture

z/OS

z/VM

zEnterprise

IMS

MQSeries

MVS

NetView

OS/390

Parallel Sysplex

RACF

RMF


Session Topics

• Types of MVS™ Data Sets

• Categories of RACF® Dataset Profiles

• Dataset Profile Naming Conventions

• Accessing Data Sets – Access Levels

– Access Lists

– Authorization Checking

• Auditing Data Sets

• RACF Commands for Data Set Protection

• Using Vanguard Administrator™ to Administer

Datasets



What is a Data Set?

• To Make a Data Set we: – group characters together to form a field

– group fields together to collect information to form a record

– place records together which results in a file

• IBM designers coined the word Data Set – – Synonymous with file

– Stored in DASD - Direct Access Storage Device


DASD

VOL123


A Single Record Contains Fields


Smith, Jane 026548791 Checking $ 3,824

Fields

bank account

number

customer

name type of bank

account balance

Record


Multiple Records Make up a Data Set


Arnold, Ben 036589294 Checking

Account $ 12,139

Black, Sally 029639211 Checking

Account $ 8,146

Mason, Bob 028538692 Checking

Account $ 9,632

Smith, Jane 026548791 Checking

Account $ 3,824

Data Set


Data Set Name Characteristics

• Length

– maximum 44 characters

• Made up of qualifiers

– 1 to 8 characters per qualifier

– qualifiers cannot start with a numeric or hyphen (–)

• High-level qualifier (HLQ) equal to RACF defined

user ID or group ID


VANGUARD PRODUCT MONTHLY REPORT FILE . . . .

qualifier separator


The Catalog Process


Master Cat

User Cat

VOL123

BILL

PAY

PROD

VANGUARD

XYZ

PAY.DATA.FILE

PAY.MASTER.LIST

PAY.SOURCE.DATA

PAY.MASTER.LIST

VTOC

Alias Entries


Defining the Alias


Master Cat

User Cat

USERCAT.VSYSB00

PAY

PAY.DATA.FILE

PAY.MASTER.LIST

PAY.SOURCE.DATA

DEFINE ALIAS (NAME(‘User_ID’) RELATE(‘User_Cat’))

DEF ALIAS (NAME(‘PAY’) RELATE(‘USERCAT.VSYSB00’))


Specifying the Volume


User Cat

VOL123

PAY.MASTER.LIST

PAY.MASTER.LIST

VTOC


Types of z/OS® Data Sets


USER DATA SET

BILL.JCL.CNTL

GROUP DATA SET

PAY.MASTER.LIST

SETR PROTECTALL(FAILURES|WARNING)

OTHER

XYZ.DATA.FILE

BILL PAY


RACF Data Set Profile Categories

1. DISCRETE PROFILE Data Set Profile Name VOLSER

PAY.MASTER.LIST VOL123

2. FULLY-QUALIFIED GENERIC PROFILE

PAY.MASTER.LIST

3. GENERIC PROFILE (Wildcards)

PAY.%%%%%%.*

4. ENHANCED GENERIC PROFILE (EGN)

PAY.*.**



Data Set Profile Naming Conventions

STANDARD DATA SET PROFILE NAMES

• Two or more qualifiers

• Each qualifier must be separated by a period

• Each qualifier can be one to eight alphanumeric or

national ($,#,@) characters and the hyphen (–)

• Each qualifier must start with an alphabetic or national

character


RACF

Data Base


Using RACF Generic Characters

RACF GENERIC CHARACTERS

• RACF generic characters (%,*,**) may be used to

substitute for one or more characters in each qualifier, and

one or more qualifiers

• RACF generic characters can not appear in the high level

qualifier

• Maximum of 44 characters, including periods and RACF

generic characters


* ** %


Generic Character %


Matches any single character in a data set name %

This Profile Protects these data sets

HLQ.D%FILE.DATA HLQ.D1FILE.DATA

HLQ.D2FILE.DATA


Generic Character *


Character at end of qualifier in middle of profile

name to match zero or more characters until end

of qualifier

Qualifier at middle of profile name to match any

one qualifier in data set name

*

HLQ.AB*.END HLQ.AB.END

HLQ.ABC.END

HLQ.ABCD.END

HLQ.*.END HLQ.DATA.END

HLQ.ABC.END

HLQ.XYZ.END


Generic Character *


Character at end of data set profile name to

match zero or more characters until end of

qualifier, zero or more qualifiers, or both

Qualifier at end of profile name to match one or

more qualifiers at the end of data set name

*

HLQ.DATA.FILE* HLQ.DATA.FILE

HLQ.DATA.FILES

HLQ.DATA.FILE.STUFF

HLQ.DATA.* HLQ.DATA.FILE

HLQ.DATA.STUFF

HLQ.DATA.FILE.STUFF


Enhanced Generic Naming


To EGN or

not to EGN?

SETROPTS EGN SETROPTS NOEGN


Generic Character * - For EGN


Character at end of data set profile name to

match zero or more characters until end of

qualifier

Qualifier at end of profile name to match one

more qualifier at the end of data set name

*

HLQ.DATA.FILE* HLQ.DATA.FILE

HLQ.DATA.FILES

HLQ.DATA.FILESTUF

HLQ.DATA.* HLQ.DATA.FILE

HLQ.DATA.STUFF

HLQ.DATA.FILESTUF


Generic Character **


Qualifier as either a middle or end qualifier in a

profile name to match zero or more qualifiers **

HLQ.DATA.** HLQ.DATA

HLQ.DATA.FILE

HLQ.DATA.FILE.STUFF

HLQ.**.FILE HLQ.FILE

HLQ.DATA.FILE

HLQ.DATA.STUFF.FILE


Rules For Generic Data Set Profiles

The HLQ CANNOT contain a

generic character.

Each qualifier must contain at least 1 character and not more

than 8 characters.

Double asterisk must stand alone as a qualifier. Must use “.**”

cannot use “HLQ.XYZ**”

ONLY ONE OCCURRENCE OF A DOUBLE ASTERISK IS

ALLOWED IN A PROFILE NAME.



Examples of EGN Data Set Profiles


PROFILE PROTECTS

HLQ.MYLIB (G) HLQ.MYLIB

HLQ.%%S*.PROD (G)

HLQ.TEST.PROD

HLQ.TESTDATA.PROD

HLQ.SYS.PROD

HLQ.*.JCLCNTL (G) HLQ.PROD.JCLCNTL

HLQ.TEST.JCLCNTL

HLQ.INV* (G) HLQ.INV

HLQ.INVOICE

HLQ.* (G) HLQ.SALES

HLQ.PROD

HLQ.*.** (G)

HLQ.SYS

HLQ.SYS.DATA

HLQ.SYS.DATA.CNTL

HLQ.** (G) HLQ

HLQ.ANYTHING


Most Specific Generics

RACF USES THE MOST SPECIFIC (BEST FITTING) GENERIC PROFILE WHEN DETERMINING WHICH PROFILE PROTECTS A DATA SET.

PROFILES DATA SETS

HLQ.DATA.* HLQ.DATA HLQ.D%TA.FILE HLQ.DATA.FILE HLQ.D*.FILE HLQ.DATA.FILE.STUFF HLQ.* HLQ.DTA.FILE HLQ.*.** HLQ.D1TA.FILE HLQ.**.FILE HLQ.MASTER.FILE HLQ.TSOIN.FILE HLQ.TEMP



Data Set Access Levels


READ

EXECUTE

NONE

UPDATE

CONTROL

ALTER

RACF

DATA

BASE


Authorization Flowchart


RACF DATA BASE I/O LINE

TRUSTED / PRIVILEGED STC

** GAC ENTRY = or >

USER ACCESSING OWN RES.

USER ID IN STD. ACC. LIST

GROUP(s) IN STD. ACC. LIST

** ID(*) IN STD. ACC. LIST

** UACC = or >

OPERATIONS ATTRIBUTE

USER ID IN COND. ACC. LIST

GROUP(s) IN COND. ACC. LIST

** ID(*) IN COND. ACC. LIST

WARNING MODE

FAIL ALLOW

PROTECTALL

(FAILURES)

NOPROTECTALL or PROTECTALL(WARNING)

** Checks in RED do not

apply to RESTRICTED

user IDs

NO

YES

ACCESS REQUEST

Yes, Insufficient Authority Yes, Sufficient Authority

PROTECTALL

Mode

PROFILE

FOUND?


Global Access Table

READY RLIST GLOBAL DATASET ALL CLASS NAME GLOBAL DATASET

MEMBER CLASS NAME GMBR RESOURCES IN GROUP

&RACUID.**/ALTER (G)

ICFMCAT.**/READ (G)

ICFNVSAM.**/UPDATE (G)

ICFUCAT.**/UPDATE (G)

ISP*.**/READ (G)

SYS1.COBLIB/READ

SYS1.HELP/READ

SYS1.MACLIB/READ

SYS1.PROCLIB/READ


RDEF GLOBAL DATASET

RALT GLOBAL DATASET ADDMEM(&RACUID.**/ALTER)

RALT GLOBAL DATASET ADDMEM(ICFMCAT.**/READ)

RALT GLOBAL DATASET ADDMEM(ICFUCAT.**/UPDATE)

RALT GLOBAL DATASET ADDMEM(ISP*.**/READ)

RALT GLOBAL DATASET ADDMEM(SYS1.HELP/READ)

etc . . .


Data Set Profile Access Lists

STANDARD ACCESS LIST

• Grant Groups and/or Users some level of access

CONDITIONAL ACCESS LIST

• Grant Groups and/or Users some level of access based

on a predefined condition:

• WHEN using a certain PROGRAM

• WHEN user is logged onto a certain TERMINAL

• WHEN user is logged onto a certain CONSOLE

• WHEN job submitted from a certain JESINPUT

• WHEN user enters system from certain LU (APPCPORT)

• WHEN user enters system from certain IP address (SERVAUTH)



User ID In Access List

STANDARD ACCESS LIST CHECKING

THE STANDARD ACCESS LIST MAY ALLOW, DISALLOW

OR RESTRICT THE LEVEL OF ACCESS OTHERWISE

AUTHORIZED TO THE USER.


GROUP10

JIMMY

GROUP05

JANICE

Data Set Profile Name UACC WARNING Access List

VAN.DATA.* NONE NO GROUP10 / READ

GROUP05 / UPDATE

JANICE / READ

* / READ

GROUP15

BILLY


User ID In Access List

IF USER IS ON THE STANDARD ACCESS

LIST:

A. IF ACCESS LEVEL IS SUFFICIENT,

ACCESS IS ALLOWED

B. IF ACCESS IS LESS THAN THE REQUESTING

ACCESS,

– CHECK CONDITIONAL ACCESS LIST

(PREVENTS ACCESS BASED ON GROUP

ACCESS, ID(*), THE UACC, AND OPERATIONS)



List-of-Groups Checking


• LIST-OF-GROUPS REFERS TO

MATCHING A USER’S RACF

CONNECT GROUPS TO GROUP

NAMES IN AN ACCESS LIST

• LIST-OF-GROUPS CHECKING IS

A GLOBAL RACF OPTION

ACTIVATED USING SETROPTS

ACCESS IS BASED ON THE HIGHEST AUTHORITY OF ANY GROUP

IN THE ACCESS LIST TO WHICH THE USER ID IS CONNECTED

IF USER IS NOT ON STANDARD ACCESS LIST:


Permit ID(*)

AN ASTERISK (*) IN THE ACCESS LIST ALLOWS:

• ALL RACF DEFINED USERS ACCESS TO THE DATA

SET PER THE ACCESS LEVEL

AD ‘VAN.DATA.*’ OW(VAN) UACC(NONE)

PE ‘VAN.DATA.*’ ID(*) AC(READ)



Universal Access Authority

• Defines default access authority to a resource for

ALL users or groups not specifically permitted

access – even those users NOT defined to RACF

AD 'SYS1.HELP' GEN UACC(READ)


SYS1.HELP


OPERATIONS Attribute

• Access to most RACF protected data sets

• Access to some general resources

• Allows the user to allocate new data sets

• Allows the user to delete data sets

• Assign to the minimum number of users

• Primary use is storage management

• Can be superseded during authorization checking



Conditional Access

EXAMPLE

• Normally, allow the PERSNL READ access to the

Payroll Data Sets

• However, when executing the PAYUPD program, allow

the PERSNL UPDATE access to the Payroll Data Sets

• Program Access to Data Sets (PADS)

PE ‘PAYROLL.**’ ID(PERSNL) ACCESS(READ)

PE ‘PAYROLL.**’ ID(PERSNL) AC(UP) WHEN(PROGRAM(PAYUPD))


PAYROLL.** NONE PERSNL(READ) PERSNL(UPDATE) WHEN(PAYUPD)

Data Set

Profile Name UACC Access List Conditional Access List


Program Access To Data Sets

ALLOWS A RACF USER-ID OR RACF GROUP TO:

• ACCESS A SPECIFIC DATA SET,

• WITH A SPECIFIC ACCESS LEVEL,

• WHEN EXECUTING A "CONTROLLED PROGRAM"


BOB

PERSNL

PAYROLL.MASTER

Normal

Access

PAYUPD

READ

UPDATE


WARNING Mode

• Allows a user to fail the authorization checking

process and still have access

• Used primarily as an implementation tool

• Use “WARNING” with the notify option

• Could be misused and create a security exposure



Ownership Versus Access to Data Sets

• Profile Ownership: – gives user ID / group ID full administrative control over

profile; including access list

– does NOT allow access to data set itself

• Access to data set requires: – user ID is TRUSTED or PRIVILEGED

– GAT allows access

– user ID = high-level qualifier

– user ID / group ID in access list (via PERMIT)

– ID(*) allows access

– UACC allows access

– OPERATIONS attribute

– WARNING Mode



Commands For Data Set Profiles

ADDSD (AD) ADD A DATA SET PROFILE ALTDSD (ALD) MODIFY A DATA SET PROFILE PERMIT (PE) CREATE, MODIFY, OR DELETE

ACCESS LIST ENTRIES IN A DATA SET PROFILE

LISTDSD (LD) LIST A DATA SET PROFILE DELDSD (DD) DELETE A DATA SET PROFILE



ADDSD Command Syntax

ADDSD (AD) ‘profile_name’ or (‘profile_name-1’ . . .)

[ OWNER(user-id or group-name) ]

[ UACC(access authority) ]

[ DATA('data or comment') ]

[ GENERIC ]

[ LEVEL(nn) ]

[ FROM(‘profile_name_2’) ]

[ AUDIT(access-attempt [(audit-access-

level)]) ]

[ WARNING | NOWARNING ]


ADDSD ‘SYS2.*.**’ OWNER(SYS2) UACC(NONE)

AD ‘BILL.*.**’ OWNER(BILL) UACC(NONE)

AD ‘VAN.PROD.FILE’ OW(VAN) UA(NONE) GENERIC

ADDSD


ALTDSD Command Syntax


ALTDSD (ALD) ‘profile_name’ or (‘profile_name-1’ . . .)

[ OWNER(user-id or group-name) ]

[ UACC(access authority) ]

[ DATA('data or comment') ]

[ GENERIC ]

[ LEVEL(nn) ]

[ WARNING | NOWARNING ]

[ GLOBALAUDIT(access-attempt

[(audit-access-level)]) ]

ALTDSD ‘SYS2.*.**’ AUDIT(FAILURES(READ) SUCCESS(UPDATE))

ALD ‘SYS1.MIGLIB’ GEN LEVEL(87)

ALTDSD


PERMIT Command Syntax

PERMIT (PE) ‘profile-name-1’

[ GENERIC ]

[ ID(name. . . | *) ]

[ ACCESS(access-authority) ]

[ FROM(‘profile-name-2’) ]

[ DELETE ]

[ RESET [ (ALL | STANDARD |

WHEN) ]


PERMIT

PERMIT ‘SYS2.*.**’ ID(CICSGRP) ACCESS(UPDATE))


PERMIT Command Examples

PE 'SYS2.*.**' ID(MVSGRP) ACCESS(ALTER)

PE 'SYS2.*.**' ID(CICSGRP) DELETE

PE 'VAN.PROD.**' RESET

PE 'VAN.PROD.**' ID(LVPAYCLK) AC(UPDATE)

PE 'VAN.PROD.**' ID(LVCSTSRV)

PE ‘VAN.PROD.FILE' GEN ID(*) AC(READ)



Listing Data Set Profiles

HOW DO I:

q Look at a particular data set profile

q Find the best fitting profile that protects a data set

q Find out which data sets a profile protects


DATASET(‘profile-name’. . .)

ID(name . . . )

PREFIX(char . . . )

[ GENERIC | NOGENERIC ]

[ AUTHUSER ]

[ HISTORY ]

[ STATISTICS ]

[ ALL ]

[ DSNS ]

[ DFP ]

[ NORACF ]

LISTDSD (LD)


Listing a Particular Data Set Profile


INFORMATION FOR DATASET VAN.PROD.** (G) LEVEL OWNER UNIVERSAL ACCESS WARNING ERASE ----- -------- ---------------- ------- ----- 00 VAN NONE NO NO AUDITING -------- FAILURES(READ) GLOBALAUDIT ----------- SUCCESS(UPDATE) NOTIFY -------- NO USER TO BE NOTIFIED YOUR ACCESS CREATION GROUP DATASET TYPE ----------- -------------- ------------ NONE VANGUARD NON-VSAM

LD DA('VAN.PROD.**') AU


Listing the Access List


NO INSTALLATION DATA SECURITY LEVEL ------------------------------------------ NO SECURITY LEVEL CATEGORIES ---------- NO CATEGORIES SECLABEL -------- NO SECLABEL ID ACCESS -------- ------- LVPAYCLK UPDATE LVCSTSRV READ ID ACCESS CLASS ENTITY NAME -------- ------- -------- ------------------------------ NO ENTRIES IN CONDITIONAL ACCESS LIST

LD DA('VAN.PROD.**') AU


Listing the Data Set HLQ


INFORMATION FOR DATASET VAN.PROCLIB LEVEL OWNER UNIVERSAL ACCESS WARNING ERASE ----- -------- ---------------- ------- ----- 00 VAN NONE NO NO " " " " " INFORMATION FOR DATASET VAN.PROD.DATA.** (G) LEVEL OWNER UNIVERSAL ACCESS WARNING ERASE ----- -------- ---------------- ------- ----- 00 VAN NONE NO NO " " " " " INFORMATION FOR DATASET VAN.PROD.** (G) LEVEL OWNER UNIVERSAL ACCESS WARNING ERASE ----- -------- ---------------- ------- ----- 00 VAN NONE NO NO " " " " "

LD ID(VAN)


Listing the Prefix of a Data Set


INFORMATION FOR DATASET VAN.PROD.DATA.** (G) LEVEL OWNER UNIVERSAL ACCESS WARNING ERASE ----- -------- ---------------- ------- ----- 00 VAN NONE NO NO " " " " " INFORMATION FOR DATASET VAN.PROD.STUFF.** (G) LEVEL OWNER UNIVERSAL ACCESS WARNING ERASE ----- -------- ---------------- ------- ----- 00 VAN NONE NO NO " " " " " INFORMATION FOR DATASET VAN.PROD.** (G) LEVEL OWNER UNIVERSAL ACCESS WARNING ERASE ----- -------- ---------------- ------- ----- 00 VAN NONE NO NO " " " " "

LD PRE(VAN.PROD)


Undercutting Exercise - Commands

• Buddy requests UPDATE access to

VAN.PROD.FILE

• Management approves request

• What profile protects VAN.PROD.FILE?

• Give BUDDY UPDATE access to that profile?

– What are the ramifications?

• Do I need a new profile built?

– What are the ramifications if I build a new profile?



INFORMATION FOR DATASET VAN.PROD.** (G) LEVEL OWNER UNIVERSAL ACCESS WARNING ERASE ----- -------- ---------------- ------- ----- 00 VAN NONE NO NO " " " " "

Finding the Best Fitting Profile


Is the Data Set protected by a discrete profile?

If not, then find the best-fitting generic profile.

LD DA('VAN.PROD.FILE')

LD DA('VAN.PROD.FILE') GENERIC


Finding Data Sets Protected by a Profile


INFORMATION FOR DATASET VAN.PROD.** (G) CATALOGUED DATA SETS AFFECTED BY PROFILE CHANGE ----------------------------------------------- VAN.PROD.FILE VAN.PROD.MASTER.FILE VAN.PROD.PAYROLL VAN.PROD.RACF.BKUP VAN.PROD.RACF.PRIM

What data sets are protected

by the VAN.PROD.** profile?

LD DA('VAN.PROD.**') DSNS NORACF


Data Set Profile Modeling


AD 'VAN.PROD.FILE' GEN FROM('VAN.PROD.**')

VAN.PROD.** VAN NONE FAILURES/READ LVPAYCLK/UPDATE

LVCSTSRV/READ

Profile Name Owner UACC Audit Access List

VAN.PROD.FILE VAN NONE FAILURES/READ LVPAYCLK/UPDATE

LVCSTSRV/READ

VAN.PROD.FILE

VAN.PROD.MASTER.FILE

VAN.PROD.PAYROLL

VAN.PROD.RACF.BKUP

VAN.PROD.RACF.PRIM


Update the Access List


PE 'VAN.PROD.FILE' GEN ID(BUDDY) AC(UPDATE)

VAN.PROD.FILE

VAN.PROD.MASTER.FILE

VAN.PROD.PAYROLL

VAN.PROD.RACF.BKUP

VAN.PROD.RACF.PRIM

VAN.PROD.FILE VAN NONE FAILURES/READ LVPAYCLK/UPDATE

LVCSTSRV/READ

BUDDY/UPDATE

VAN.PROD.** VAN NONE FAILURES/READ LVPAYCLK/UPDATE

LVCSTSRV/READ

Profile Name Owner UACC Audit Access List


Data Set Profiles – RACF Panels



Add a Data Set Profile



Enter Profile Name



Specify the Owner



Select Access List



Enter 1 to Add to Access List



Enter YES to Specify



Enter ID and Access Level



Profile Added



Adding Another ID to the Access List



Enter Another ID and Access Level



Display a Data Set Profile - RACF Panels



Enter the Profile Name



Request the Access List



Profile Displayed



Undercutting Exercise – RACF Panels


VAN.PROD.FILE









Finding the Best Fitting Profile



Profile Displayed



Finding Protected Data Sets



Protected Data Sets Displayed



Model a Data Set Profile – Panels



Enter the Model Profile



Change the New Data Set Profile



Select the Access List



Update the Access List



Administrator for Data Set Profiles



Adding Data Set Profiles



Specify Profile Name



Enter Owner and UACC



Edit the Standard Access Permits



Input the ID



Specify the Access Level – Press F3



Enter Another ID in Access List



Specify the Access Level – Press F3



Results of Access Permits - Press F3



Enter GO to Generate Commands



Review the Commands



Undercutting Exercise - Administrator


VAN.PROD.FILE









Find Best Fitting Profile



Select Data Sets



Enter Full Data Set Name



Display Covering Profile?



Covering Profile Found



What to do From Here?



Finding Protected Data Sets



Protected Data Sets Displayed



Fastpath to Clone a Data Set Profile



The Clone Data Set Command Panel



Replicate the Line



Update the Commands



DELDSD Command Syntax


DELDSD (DD) ‘profile-name’ or (‘profile_name_1’ . . .)

[ GENERIC ]

DD 'VAN.PROD.FILE' GEN

NOTE: Deletes data set profile, NOT data set itself


Delete a Data Set Profile – RACF Panels



Enter the Profile to be Deleted



Clear the Indicator Bit



Delete Data Set Profile - Administrator



Using Reports to Delete a Profile



Data Set Profile Summary Report



Delete the Data Set Profile



Review the Commands



Implementing Changes

• For changes to take effect after defining new generic

profiles or after changing generic profiles, one of

following is required:

• User of data set issues LISTDSD command:

LD DA('VAN.PROD.FILE') GEN

• Security administrator issues:

SETR GENERIC(DATASET) REFRESH

• User of data set logs off then back on



Data Set Commands Summary


ADDSD (AD)

PERMIT (PE)

ALTDSD (ALD)

LISTDSD (LD)

DELDSD (DD)

racf protection for data sets - amazon s3 · cicsplex db2 eserver ibm ibm z ibm z systems ibm z13...

Documents