The OWNER of a RACF Resource

It is important to understand what owning a RACF resource really means to avoid security misconfigurations and the introduction of security vulnerabilities in your mainframe environment.
In this article, I will try to explain the concept of a RACF resource OWNER, and describe what the OWNER can actually do.

Let’s start with two important rules:
  1. If a user owns a RACF dataset or general resource profile, it does not mean that the user automatically has access. What it means is that the user has the ability to give himself access.
  2. If a group owns a profile, users connected to it won’t automatically get access to the profile. However, users connected to this group with group-special have the ability to give themselves and others access.

OWNER of a RACF Group:

  • If you are the owner of a RACF group (or if you are a user connected to the group with the group-SPECIAL attribute), you have the authority to:
    • Define new users to RACF (provided you also have the CLAUTH attribute for the USER class).
    • Connect and remove users from the group.
    • Delegate and change group authorities and set the default UACC for all new resources belonging to members of the group.
    • Modify, list, and delete the group profile.
    • Define, delete, and list the names of the subgroups under the group.
    • Specify the group terminal option.
  • Ownership of a group by a user does not allow that user to update the access lists of resource profiles owned by the group.

OWNER of a Dataset Profile:

  • If the owner of the dataset profile is a group, users with group-SPECIAL in that group have full control over the profile.
  • Note that ownership of a dataset profile does not mean that the owner can automatically access that data set.
  • To access a data set, the owner must still be authorised in the profile’s access control list, unless the high-level qualifier of the profile name is the owner’s userid.
  • When issuing RACF commands:
    • If you specify OWNER(userid), the user you specify as the owner does not automatically have access to the data set. Use the PERMIT command to add the owner to the access list as desired.
    • If you specify OWNER(group-name), RACF treats any users who have the group-SPECIAL attribute in the group as owners of the data set profile.

OWNER of a General Resource Profile:

  • If the owner is a user, the owner can list, modify, or delete the resource profile.
  • Note that being the owner of a resource profile does not, by itself, allow a user to have access to the resource or resources that are protected by the profile.
  • If the owner is a group, the authority of a user who has a group-level attribute in that group (such as group-SPECIAL or group-AUDITOR) extends to resources that are protected by this profile.
  • When issuing RACF commands:
    • The user specified as the owner does not automatically have access to the resource. Use the PERMIT command to add the owner to the access list as desired.



1 Comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.