Published at 5/8/2025

RACF Access Levels and Their Meaning

There are many different RACF access levels, and it's important to understand what they do in order to work with RACF, or to know what the accesses you've been given mean. In this tutorial we will give a brief overview of them so you know what kind of access you are giving to resources, datasets, and groups when configuring security on z/OS.

Access levels for resource profiles and datasets

NONE

The lowest access level possible; with this level you can't interact with the resource the profile protects in any way.

EXECUTE

With this access level you can execute the associated program, but not read the contents of the resource.

READ

With this access level you can read the associated resource; no writing or deletion is allowed. Note that with READ or higher it is possible to copy the dataset and then downgrade the security of the copy.

UPDATE

With this access level you can read and write to the resource; however, you can't delete, scratch or rename it.

CONTROL

This mostly affects VSAM datasets; see the RACF Security Administrator's Guide for full details. For non-VSAM datasets this is the same as UPDATE.

ALTER

This is the highest access level possible; with this you can read, write, delete, scratch, and rename. Anything goes. This should generally not be used if it can be avoided.

Authority levels for groups

The authority you can define when connecting users to groups is different from the access levels of dataset and resource profiles. Let's go over them, from lowest to highest authority.

USE

With the USE authority you inherit the access rights that the group has. For example, if the group has READ access to a dataset, the connected user will get that access. You get no control over the group itself with this level.

Permitted RACF commands:

  • LISTDSD (list dataset profile)
  • RLIST (list resource profile)

CREATE

With the CREATE authority the connected user can create group datasets, but the user can't necessarily delete those datasets.

Permitted RACF commands:

  • ADDSD (Add dataset profile)

CONNECT

This authority level is where it starts to get dangerous. Users with the CONNECT authority can connect other users to the group; this can potentially be a security problem, as the group may have access to sensitive resources.

Permitted RACF commands:

  • All of the preceding
  • Limited ALTUSER privileges
  • CONNECT (except being able to give the SPECIAL, AUDITOR, and OPERATIONS attributes)
  • Limited LISTGRP privileges
  • REMOVE

JOIN

The JOIN authority is very dangerous, as it allows users to define new groups and users to RACF, as well as to assign any level of group authority to those users. Users with this authority must also have CLAUTH to the USER class in order to define users. Groups defined with this authority level become subgroups of the group that this authority level comes from.

Permitted RACF commands:

  • All of the preceding
  • ADDGROUP
  • ADDUSER (except being able to give the SPECIAL, AUDITOR, and OPERATIONS attributes)
  • DELGROUP
  • Limited LISTGRP privileges

UACC

UACC, or "Universal Access", controls what access everyone not named in the access list gets. A universal access level of READ allows everyone on the system to read that resource. UACC does not apply to users with the RESTRICTED attribute.

The dangerous thing with UACC is that it also allows unknown user IDs to access resources, such as users coming from other platforms. To avoid exposing resources to such users you should instead use ID(*) on the access list and set UACC to NONE. ID(*) grants the specified access level to a resource profile or dataset only for RACF-defined users; this is not particularly well known and can be an issue. There are a few exceptions where programs won't work without UACC READ, such as some specific JES2 resources. Example of the ID(*) approach:

PERMIT IZUACCT CLASS(ACCTNUM) ID(*) ACCESS(READ)
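As an added example (not part of the original tutorial, and not an IBM tool), the script below scans a file of RACF commands for the weak setting just described, a UACC above NONE, and emits the corrected pair: the same command with UACC(NONE) plus a PERMIT with ID(*) that re-grants the original level to RACF-defined users only. It assumes one command per line with no TSO continuation, and the sample commands are constructed.

```python
import re

# Access levels from lowest to highest, in the order the tutorial lists them.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Dataset commands take the profile first; general-resource commands take
# the class first and then the profile.
DATASET_VERBS = ("ADDSD", "ALTDSD")
RESOURCE_VERBS = ("RDEFINE", "RALTER")
UACC_RE = re.compile(r"\bUACC\(\s*([A-Za-z]+)\s*\)", re.IGNORECASE)


def exceeds_none(level):
    """True when the level grants more than NONE in the tutorial's ordering."""
    level = level.upper()
    return level in ACCESS_ORDER and ACCESS_ORDER.index(level) > 0


def split_command(line):
    """Return (class, profile) for a command that can carry UACC, else None."""
    tokens = line.split()
    if not tokens:
        return None
    verb = tokens[0].upper()
    if verb in DATASET_VERBS and len(tokens) > 1:
        return ("DATASET", tokens[1])          # PERMIT defaults to DATASET
    if verb in RESOURCE_VERBS and len(tokens) > 2:
        return (tokens[1].upper(), tokens[2])
    return None


def harden(line):
    """Return (finding, replacement_lines); finding is None if already safe."""
    m, target = UACC_RE.search(line), split_command(line)
    if not m or not target or not exceeds_none(m.group(1)):
        return None, [line]
    level, (cls, profile) = m.group(1).upper(), target
    permit = f"PERMIT {profile}" + ("" if cls == "DATASET" else f" CLASS({cls})")
    permit += f" ID(*) ACCESS({level})"     # reaches RACF-defined users only
    finding = f"{cls} {profile}: UACC({level}) reaches undefined user IDs"
    return finding, [UACC_RE.sub("UACC(NONE)", line), permit]


def harden_script(lines):
    """Audit and rewrite a whole command list; returns (findings, new lines)."""
    findings, output = [], []
    for line in lines:
        finding, replacement = harden(line)
        if finding:
            findings.append(finding)
        output.extend(replacement)
    return findings, output


SAMPLE = [  # constructed sample commands, not from a real system
    "ADDSD 'PROD.PAYROLL.**' UACC(READ) OWNER(SYSPROG)",
    "RDEFINE ACCTNUM IZUACCT UACC(READ)",
    "ADDSD 'PROD.TEMP.**' UACC(NONE)",
    "PERMIT 'PROD.PAYROLL.**' ID(PAYADM) ACCESS(UPDATE)",
]
```

Review each finding against the exceptions mentioned above (for example the JES2 resources that genuinely need UACC READ) before applying the rewritten commands.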

This tutorial didn't go into everything in full detail, and it's best to also read the manuals, but hopefully you now have a basic understanding of access and authority levels in RACF.
