In z/OS Unix System Services (USS), Access Control Lists (ACLs) are used in conjunction with the normal permission bits, allowing access control for files and directories by individual UIDs and GIDs. These are known as extended Access Control Lists and require RACF class FSSEC to be active.
Although controlled by RACF, ACLs are administered via UNIX commands:
- setfacl – used to create, modify and delete ACLs in USS
- getfacl – used to display ACLs in USS
To be able to apply changes to the Access Control Lists in Unix System Services (USS) we need to either be the owner of the file, a superuser or have our RACF userid defined in the UNIXPRIV class.
Examples of useful commands:
setfacl -m user:XPTO01:rw-,group:GRP01:rw- /u/example.txt
- -m – parameter to modify or add entries to ACL
- /u/example.txt – path and file name
- We could have given access only to the user or group; we don’t need to specify the user and the group in the command.
For more information on how to work with ACLs in Unix System Services, please refer to the following IBM manuals:
- z/OS UNIX System Services Planning
- z/OS UNIX System Services Command Reference