Introduction to the WYLBUR Text Editor.
Chapter 3: Account Security on WYLBUR.

Commands. Index. Glossary.

On this page:

line.


General Information

RACF (Resource Access Control Facility) from IBM is a security system that governs all access to computer resources, such as files (referred to as "datasets" in this section), programs, terminals, and CICS transactions on MVS. Each time a user attempts to access a dataset, RACF checks the security profile for that dataset. If the user has not been given authorization to access the dataset or if no security profile has been created for the dataset, RACF fails the user's request. Each user owns all the profiles for each of his/her datasets and, through SECURE, can add, delete, modify, and list those profiles. In addition, account administrators have full control over users and dataset profiles within their group and, thus, may grant themselves access to any datasets created by subaccount users.

Maintaining RACF Profiles With SECURE

If you want to allow another user to access one or more of your datasets, you must use SECURE to add profile(s) for each dataset. You may also add generic profiles that describe more than one dataset by using "wildcard" characters. SECURE is run as a batch job on MVS, which means that you put a copy of the required JCL and RACF commands in your active file and enter the WYLBUR command RUN or RUN FETCH. You can use TECH SECURE, a WYLBUR exec file, to build the required SECURE job in your active file for you, or you can write the SECURE job yourself. Below is an example of a SECURE job, where user ABCDE creates a profile to allow user FGHIJ to access a dataset owned by ABCDE. (Note spacing.)

// JOB (AB$CDE,1234),'SECURE',CLASS=A
// EXEC SECURE
//SYSIN DD *
ADDSD WYL.AB.CDE.TESTLIB UACC(NONE)
PERMIT WYL.AB.CDE.TESTLIB ACCESS(READ) ID(FGHIJ)
//

RACF Commands

The RACF commands used to maintain RACF profiles are ADDSD, ALTDSD, DELDSD, LISTDSD, and PERMIT. RACF commands can begin in any column and are continued to subsequent lines by placing a hyphen (-), preceded by a space, as the last two characters in the line to be continued. The operands of the commands are separated by spaces or commas (see RACF Command Syntax for examples).

Generic Dataset Profile Names

A dataset profile can be a generic dataset name describing several similarly named datasets by using generic or wildcard characters in the dataset name. The generic (wildcard) characters allowed are described below.

Wildcard Characters
Wildcard Description
% matches any single character (except a period) in a dataset name
* matches any single "qualifier" in the same position of a dataset name or, when specified as the last character in a qualifier, matches zero or more characters until the end of the qualifier
** matches zero or more characters until the end of the dataset name and, if specified, must be the last qualifier

Qualifiers

Qualifiers in a dataset name follow standard MVS naming conventions (each qualifier is separated by a period and can be no longer than eight characters, with the total dataset name no longer than 44 characters).

Examples:

WYL.AB.CDE.LIB%%           matches to  WYL.AB.CDE.LIB12
                                   or  WYL.AB.CDE.LIBAB
                    does not match to  WYL.AB.CDE.LIB345
                                   or  WYL.AB.CDE.LIB.TEST
                                   or  WYL.AB.CDE.LIB12.TEST

WYL.AB.CDE.LIB*            matches to  WYL.AB.CDE.LIB
                                   or  WYL.AB.CDE.LIB12
                    does not match to  WYL.AB.CDE.LIB.TEST

WYL.AB.CDE.LIB*.**         matches to  WYL.AB.CDE.LIB
                                   or  WYL.AB.CDE.LIB12
                                   or  WYL.AB.CDE.LIB.TEST
                                   or  WYL.AB.CDE.LIB.TEST.DATA

Note that the single "*" matches zero or more characters in a single qualifier. The double "**" matches zero or more qualifiers until the end of the dataset and, if specified, must be typed at the end of the dataset name (e.g., WYL.AB.CDE.LIB**.TEST would not be recognized by RACF as a generic name).

Dataset profile names must begin with the standard WYLBUR prefix WYL., followed by your group and userid (e.g., WYL.GG.UUU.LIB, where GGUUU is your userid). RACF only recognizes generic characters after the WYL.GG.UUU. prefix so that WYL.GG.U%%.LIB would not be recognized by RACF as a generic name.

RACF Command Syntax

ADDSD and ALTDSD

The ADDSD and ALTDSD commands add or modify (alter) a dataset profile. The dataset itself is created separately using WYLBUR or JCL. The dataset name can be a generic name describing several datasets by using the wildcard characters *, **, or %. Once a profile for a dataset is added, any number of PERMIT commands can be issued to allow access to the dataset by other users. Syntax:

                                   ADDSD profile-name                     -
                                         OWNER(userid)                   -
                                         UACC(universal-access-authority)
Dataset Profile Items
profile-name the dataset name or generic name. The name must be the complete WYLBUR name, prefixed by WYL.GG.UUU., where GGUUU is your userid. Generic characters may only be specified after the WYL.GG.UUU. prefix.
userid the optional user you wish to be established as the owner of this dataset profile. This operand is normally not specified, thus, making you the owner.
universal-access-authority the access authority granted to ALL users who have not otherwise been granted access to the dataset via PERMIT. The authorities can be any one of READ, UPDATE, CONTROL, ALTER, EXECUTE, or NONE. See the explanation of the PERMIT command for the meaning of each authority. This operand should normally be left off and allowed to default to NONE so that the dataset will be protected from unauthorized access.

The example below adds a profile for any of ABCDE's datasets beginning with WYL.AB.CDE.LIB.:

ADDSD WYL.AB.CDE.LIB*.**

The syntax for the ALTDSD is exactly the same and may be issued to change the OWNER or UACC for the dataset but not the profile name.

PERMIT

The PERMIT command adds or deletes an entry from the "access list" of a dataset profile. The access list tells RACF what users are allowed to access the dataset or datasets described by the profile and the type of access allowed by those users. Syntax:

                                PERMIT profile-name                 -
                                       ACCESS(access-auth)|DELETE  -
                                       ID(userid|groupname|*)      -
                                       FROM(profile-name2)          -
                                       RESET
PERMIT Command Items
profile-name the name of the dataset profile of the access list you are modifying. Specify the profile name exactly as it appeared in the ADDSD command, complete with the WYLBUR standard prefix and any generic characters used.
access-auth the level of authority to be granted. The allowed authorities are NONE, READ, EXECUTE, UPDATE, CONTROL, and ALTER. READ, UPDATE, CONTROL, and ALTER are hierarchical with ALTER implying CONTROL, UPDATE, and READ. CONTROL implies UPDATE, READ, etc.
READ allows only READ access.
UPDATE allows READ and WRITE access.
CONTROL applies only to VSAM datasets and is equivalent to the VSAM CONTROL password.
ALTER allows all types of access, including reading, writing, allocating, scratching, renaming, and executing.
EXECUTE applies to a library from which the user is allowed to execute programs (load modules) but from which all other access (READ or COPY) is denied.
NONE unconditionally disallows all types of access.
DELETE mutually exclusive with ACCESS. DELETE, when specified with the ID operand, deletes the user or group from the access list.
userid|groupname|* can be a userid, group name, or *. When a userid is specified, the userid is given the access authority in the ACCESS operand to the dataset or datasets described by the profile name. When a group name is specified, all userids that are members of the group are given the access specified in the ACCESS operand. If an asterisk (*) is specified, all users are given the access specified in the ACCESS operand.
FROM(profile-name2) specifies an existing profile from which to copy the access list. Using the FROM operand can save time when creating new datasets with the same access requirements.
RESET when specified, removes all the entries from the access list for the profile but leave the profile itself intact.

Examples:

PERMIT WYL.AB.CDE.LIB* ACCESS(UPDATE) ID(FGHIJ)
grants UPDATE authority to user FGHIJ for any dataset matched by the generic name WYL.AB.CDE.LIB*.

PERMIT WYL.AB.CDE.TEST.** DELETE ID(AB)
deletes a previously added access for group AB from the access list of profile WYL.AB.CDE.TEST.**.

PERMIT WYL.AB.CDE.PRODLIB FROM(WYL.AB.CDE.TESTLIB)
copies the access list from profile WYL.AB.CDE.TESTLIB to profile WYL.AB.CDE.PRODLIB.

PERMIT WYL.AB.CDE.PRODLIB RESET
removes the access list from profile WYL.AB.CDE.PRODLIB. The profile itself remains, but any access previously defined is removed.

DELDSD

DELDSD deletes a profile and its access list. Syntax:

DELDSD profile-name

DELDSD Command Items
profile-name the exact profile name specified in the ADDSD command, complete with the WYLBUR standard prefix and generic characters.

Example:

DELDSD WYL.AB.CDE.LIB*
deletes the profile and the access list for WYL.AB.CDE.LIB*. No other user besides ABCDE will be able to access the dataset(s).

LISTDSD

LISTDSD lists a profile and its access list. Syntax:

                               LISTDSD DATASET(profile-name)|
                                       ID(user|group)|         -
                                       PREFIX(dsn-prefix)       -

The DATASET, ID, and PREFIX operands are mutually exclusive.

Dataset Access List
profile-name the exact profile name specified in the ADDSD command, complete with the WYLBUR standard prefix and generic characters.
user|group a user or group name for which all profiles belonging to that user or group are to be listed.
dsn-prefix the profile name prefix with which all profiles to be listed begin.

Examples:

LISTDSD DATASET(WYL.AB.CDE.LIB*)
lists information about the profile, including its access list.

LISTDSD ID(ABCDE)
lists information about all profiles owned by user ABCDE.

LISTDSD PREFIX(WYL.AB)
lists all profiles beginning with WYL.AB (you must have at least READ access to any profile listed by the LISTDSD command).

LISTDSD
with no operands lists all profiles owned by you.

line.

Site Search Options
[© 2/2001 Documentation Home] [Laws and Policies] [TTU Home Page]
Updated July 29, 2003