RESTRICTED attribute query

Posted: Thu May 31, 2012 11:01 am
by jaggz
Dear All,

In one of our test regions I have permitted the RESTRICTED attribute to a userid, but even after that the user is able to access other users' datasets which are not defined to RACF. I assume that they can only access data to which they have been explicitly permitted, or is it something where we set the UACCs of all our sensitive datasets and resources to NONE?

Could anyone please shed some light on the above.

Jaggz

Re: RESTRICTED attribute query

Posted: Thu May 31, 2012 4:20 pm
by Robert Sample
It sounds like your RACF is working as designed. From the RACF Command Language Reference manual section 5.6:
RESTRICTED | NORESTRICTED

RESTRICTED
Specifies that global access checking is bypassed when resource access checking is performed for the user, and neither ID(*) on the access list nor the UACC will allow access. The RESTRICTED.FILESYS.ACCESS profile in the UNIXPRIV class can also be used to bypass the z/OS UNIX other permission bits during file access checking for RESTRICTED users.

Note: If your installation has profiles defined in the PROGRAM class, and the user ID with the RESTRICTED attribute needs to load programs covered by one or more of these profiles, the user ID must be put on the access list with EXECUTE or READ authority.

NORESTRICTED
Specifies that the user does not have the RESTRICTED attribute and access checking is performed the standard way including global access checking, ID(*), the UACC, and the z/OS UNIX 'other' permission bits as appropriate.
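The manual text quoted above, turned into a small decision model. This is an added example, not part of the original posts and not RACF code: the data set names, user IDs and the exact-name profile lookup are constructed, and it assumes that a data set with no covering profile gets no RACF decision at all, so RESTRICTED has nothing to restrict there.

```python
# Simplified model of the checks named in the quoted manual text.
# All names and sample data are constructed; real RACF profiles can be generic.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]


def rank(level):
    return LEVELS.index(level)


def check_access(user, restricted, dataset, wanted, profiles, global_table):
    """Return 'ALLOW', 'DENY' or 'NOT_PROTECTED' (no covering profile)."""
    need = rank(wanted)
    # Global access checking is bypassed for RESTRICTED users.
    if not restricted and rank(global_table.get(dataset, "NONE")) >= need:
        return "ALLOW"
    profile = profiles.get(dataset)
    if profile is None:
        # Assumption: no profile means RACF has nothing to check against.
        return "NOT_PROTECTED"
    acl = profile["acl"]
    if user in acl:
        # An explicit access list entry for the user decides the request.
        return "ALLOW" if rank(acl[user]) >= need else "DENY"
    if restricted:
        # Neither ID(*) nor the UACC may grant access to a RESTRICTED user.
        return "DENY"
    fallback = max(rank(acl.get("*", "NONE")), rank(profile["uacc"]))
    return "ALLOW" if fallback >= need else "DENY"


# Constructed sample profiles and global access table.
PROFILES = {
    "PAYROLL.MASTER": {"uacc": "READ", "acl": {}},
    "HR.RECORDS": {"uacc": "NONE", "acl": {"*": "READ"}},
    "PROD.LOADLIB": {"uacc": "NONE", "acl": {"TESTUSR": "READ"}},
}
GLOBAL_TABLE = {"SHARED.HELP": "READ"}


def demo():
    """READ results for each data set as (normal user, RESTRICTED user)."""
    names = ["PAYROLL.MASTER", "HR.RECORDS", "PROD.LOADLIB",
             "SHARED.HELP", "USERB.WORK.DATA"]
    return {n: (check_access("TESTUSR", False, n, "READ", PROFILES, GLOBAL_TABLE),
                check_access("TESTUSR", True, n, "READ", PROFILES, GLOBAL_TABLE))
            for n in names}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} normal={result[0]:13} restricted={result[1]}")
```

USERB.WORK.DATA has no profile in the sample data, so both users get the same result for it; the attribute only changes the outcome where a profile or the global access table would otherwise have let the user in.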