Unix System Services (USS) and Access Control Lists (ACL) using RACF

In z/OS Unix System Services (USS), Access Control Lists (ACLs) are used in conjunction with the normal permission bits, allowing access control for files and directories by individual UIDs and GIDs. These are known as extended Access Control Lists and require RACF class FSSEC to be active.

Although controlled by RACF, ACLs are administered via UNIX commands:

  • setfacl – used to create, modify and delete ACLs in USS
  • getfacl – used to display ACLs in USS

To be able to apply changes to the Access Control Lists in Unix System Services (USS) we need to be the owner of the file, be a superuser, or have our RACF userid authorized through the UNIXPRIV class.

Examples of useful commands:

1) To activate RACF class FSSEC:
setr classact(FSSEC)
2) Give user XPTO01 and group GRP01 Read/Write (RW) access to a file:
setfacl -m user:XPTO01:rw-,group:GRP01:rw- /u/example.txt
Notes:
  • -m – parameter to modify or add entries to ACL
  • /u/example.txt – path and file name
  • We could have given access to only the user or only the group; both entries do not need to appear in the same command.

3) To display the ACL of a file:
getfacl /u/example.txt
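As an added example (not part of the original post), the following POSIX shell script shows how the output of getfacl can be reviewed after the steps above, listing every extended (named) user or group entry that grants write access. The sample ACL text is constructed to resemble the getfacl layout (header lines prefixed with #, then type:name:perms entries); the user and group names are assumptions, and in practice the functions would be fed by piping the real getfacl output into them.

```shell
#!/bin/sh
# Added example: audit getfacl-style output for extended ACL entries that grant
# write access, so a reviewer can see which grants go beyond the base
# owner/group/other permission bits. Input is assumed to follow the getfacl
# layout: #file/#owner/#group header lines, then type:name:perms entries.

# Print "type:name" for every extended (named) user or group entry whose
# permission string contains 'w'. Base entries (empty name field) are skipped.
extended_write_entries() {
    awk -F: '
        /^#/ { next }                                  # skip header lines
        ($1 == "user" || $1 == "group") && $2 != "" && $3 ~ /w/ {
            print $1 ":" $2
        }
    '
}

# Count every extended user or group entry, write-granting or not.
extended_entry_count() {
    awk -F: '
        !/^#/ && ($1 == "user" || $1 == "group") && $2 != "" { n++ }
        END { print n + 0 }
    '
}

# Constructed sample: what getfacl might show for /u/example.txt after the
# setfacl command in the post, plus one extra read-only user entry.
SAMPLE_ACL='#file: /u/example.txt
#owner: OWNER01
#group: GRP01
user::rw-
group::r--
other::r--
user:XPTO01:rw-
user:XPTO02:r--
group:GRP01:rw-'

# Stand-alone run over the constructed sample; on a live system use:
#   getfacl /u/example.txt | extended_write_entries
printf '%s\n' "$SAMPLE_ACL" | extended_write_entries
```

The base entries (user::, group::, other::) are deliberately excluded because they mirror the ordinary permission bits; only the named entries added with setfacl -m are of interest when checking who has been granted access beyond the owner, owning group, and world.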

For more information on how to work with ACLs in Unix System Services, please refer to the following IBM manuals:

  • z/OS UNIX System Services Planning
  • z/OS UNIX System Services Command Reference
