Within Unix System Services (USS), Access Control Lists (ACLs) are used in conjunction with the normal permission bits, allowing access control for files and directories by individual UIDs and GIDs.
These are known as Extended ACLs and require the resource class FSSEC to be active, via the following RACF command:
SETROPTS CLASSACT(FSSEC)
You can define ACLs before activating the FSSEC class; however, until the class is active they are not used in access decisions and only the standard POSIX 'permission bit' checks apply.
You must either be the file owner or have superuser authority (UID=0 or READ access to SUPERUSER.FILESYS.CHANGEPERMS in the UNIXPRIV class).
You must activate the FSSEC class before ACLs can be used in access decisions.
Although controlled by RACF, ACLs are administered via UNIX commands:
setfacl [options] /directory/ --> This is used to set (define), modify and delete the ACL of the stated /directory/
getfacl /directory/ --> This is used to display the full ACL of the stated /directory/
ls -l /directory/ --> This displays the contents and extended attributes of the stated /directory/
1) Determine which USS directory or file you need to manage access for, and what level of access (rwx) the relevant user or group needs.
2) Open the OMVS shell by using the "TSO OMVS" command.
2a) You may need superuser access to make changes, which requires running the "su" command.
3) Check the ACL of the directory using one of the commands below.
getfacl /directory/ --> This is used to display the full ACL of the stated /directory/
or
ls -l /directory/ --> This displays the contents and extended attributes of the stated /directory/
3a) This should appear akin to the screenshots below, if the stated /directory/ were /home/temp.
4) Modify the access using the following command:
setfacl [options] /directory/ --> This is used to set (define), modify and delete the ACL of the stated /directory/
4a) This should appear akin to the screenshots below, if the stated /directory/ were /home/temp and we were granting the SECURITY group full access.
Please note that the -m parameter specifies that we are modifying the ACL (not re-setting or re-defining it). Also note that additional users/groups may be added to this command, separated by a comma (,).
5) Check that the new ACL is correct by re-issuing an ls -l command or a getfacl command.
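As an added example (not part of the original article), the shell script below automates the check in step 5: instead of eyeballing the getfacl listing, it parses getfacl-style output and confirms that the intended entry (here, group SECURITY with rwx on /home/temp) is present and that no unexpected named entries were added. The ACL text, the owner TEMPUSR, the group SYS1 and the user AUDIT1 are constructed sample values standing in for real getfacl output; the setfacl command shown in the comment is the z/OS form of the step 4 change and is not executed by the script.

```shell
#!/bin/sh
# Added example, not the article's own code. On z/OS the step 4 change would be
# issued as, for example:
#   setfacl -m group:SECURITY:rwx /home/temp
# and the result displayed with:
#   getfacl /home/temp
# Neither command is run here. SAMPLE_ACL is a CONSTRUCTED sample in the shape
# of getfacl output (owner TEMPUSR, group SYS1 and user AUDIT1 are made up).
SAMPLE_ACL='#file: /home/temp
#owner: TEMPUSR
#group: SYS1
user::rwx
group::r-x
other::---
group:SECURITY:rwx
user:AUDIT1:r-x'

# acl_perms TYPE NAME [ACL_TEXT]
#   Print the permission string (e.g. rwx, r-x) of the named ACL entry
#   "TYPE:NAME:...", or the word "none" when no such entry exists.
#   ACL_TEXT defaults to SAMPLE_ACL so the function runs stand-alone.
acl_perms() {
    printf '%s\n' "${3:-$SAMPLE_ACL}" | awk -F: -v t="$1" -v n="$2" '
        $1 == t && $2 == n { print $3; found = 1; exit }
        END { if (!found) print "none" }'
}

# acl_grants TYPE NAME WANT [ACL_TEXT]
#   Return 0 when the named entry holds every bit in WANT (a subset of "rwx"),
#   1 otherwise. Use it after setfacl to confirm the requested access is there.
acl_grants() {
    have=$(acl_perms "$1" "$2" "${4:-$SAMPLE_ACL}")
    [ "$have" = "none" ] && return 1
    want=$3
    while [ -n "$want" ]; do
        bit=$(printf '%s' "$want" | cut -c1)
        want=$(printf '%s' "$want" | cut -c2-)
        case "$have" in
            *"$bit"*) ;;        # this bit is present, keep checking
            *) return 1 ;;      # this bit is missing
        esac
    done
    return 0
}

# acl_extra_entries [ACL_TEXT]
#   List only the named (extended) entries, i.e. everything beyond the base
#   owner/group/other entries, so that unexpected grants stand out in a review.
acl_extra_entries() {
    printf '%s\n' "${1:-$SAMPLE_ACL}" | awk -F: '!/^#/ && $2 != "" { print }'
}

# Stand-alone run: report what the sample ACL grants to the SECURITY group,
# then list every named entry for review.
if acl_grants group SECURITY rwx; then
    echo "group SECURITY has rwx on /home/temp"
else
    echo "group SECURITY is missing the requested access on /home/temp"
fi
acl_extra_entries
```

Pass real output in as the last argument, e.g. `acl_grants group SECURITY rwx "$(getfacl /home/temp)"`, to run the same check against a live directory; a non-zero return from acl_grants means the setfacl change did not take effect as intended.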
And that's it, your ACL should now be amended! Thanks for reading :)