RACF – User Attributes

User attributes are extraordinary capabilities, limitations, or environments that can be assigned to a user either all of the time or when the user is connected to a specific group or groups.

Attribute Description
SPECIAL A user who has the SPECIAL attribute at the system level can issue all RACF commands. This attribute gives the user full control over all of the RACF profiles in the RACF database. You can assign the SPECIAL attribute at the group level. When you do, the group-SPECIAL user has full control over all of the profiles within the scope of the group.
AUDITOR The AUDITOR attribute is given to users who are responsible for auditing RACF security controls and functions. You can assign the AUDITOR attribute at the group level. When you do, the group-AUDITOR user’s authority is limited to profiles that are within the scope of that group.
OPERATIONS A user who has the system wide OPERATIONS attribute has full access authorization to all RACF-protected resources in the classes DATASET, DASDVOL, GDASDVOL, PSFMPL, TAPEVOL, VMBATCH, VMCMD, VMMDISK, VMNODE, and VMRDR classes. You can assign the OPERATIONS attribute at the group level. When you do, the group-OPERATIONS user’s authority is limited to resources within the scope of that group.
CLAUTH If a user has the CLAUTH attribute in a class, RACF allows the user to define profiles in that class. You cannot assign the CLAUTH attribute at the user or group level.
GRPACC When a user with the GRPACC attribute creates a data set profile for a group data set, RACF gives UPDATE access authority to other users in the group.
ADSP The ADSP attribute establishes an environment in which all permanent DASD data sets created by this user are automatically defined to RACF and protected with a discrete profile.
REVOKE The REVOKE attribute prevents the RACF-defined user from entering the system. REVOKE can be assigned at the group level, in which case the user cannot enter the system and connect to that group.
RESTRICTED You can prevent RACF users from gaining access to protected resources they are not specifically authorized to access by assigning the RESTRICTED attribute on the ADDUSER or ALTUSER command.
PROTECTED This attribute is used mainly for started tasks to prevent a user ID from being revoked due to multiple unsuccessful logon attempts. This attribute is assigned implicitly by default. So, if you specify PASSWORD operand with ALU command, it will be removed.
WHEN Specifies days of the week and hours of the day during which the user has access to the system.

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.