RESTRICTED attribute query

All about SAF, RACF, encryption, Firewall, Risk assessment and integrity concepts

RESTRICTED attribute query

Postby jaggz » Thu May 31, 2012 11:01 am

Dear All,

In of our test region I have permitted RESTRICTED attribute to a userid but even after that the user is able to access other Users dataset which are not Defined to RACF. I assume that they can only access data to which they have been explicitly permitted or Is it something we set the UACCs to all our sensitive datasets and resources to NONE.

Could anyone please shed some light on the above.

User avatar
Posts: 356
Joined: Fri Jul 23, 2010 8:51 pm
Has thanked: 8 times
Been thanked: 5 times

Re: RESTRICTED attribute query

Postby Robert Sample » Thu May 31, 2012 4:20 pm

It sounds like your RACF is working as designed. From the RACF Command Language Reference manual section 5.6:
RESTRICTED Specifies that global access checking is bypassed when resource access checking is performed for the user, and neither ID(*) on the access list nor the UACC will allow access. The RESTRICTED.FILESYS.ACCESS profile in the UNIXPRIV class can also be used to bypass the z/OS UNIX other permission bits during file access checking for RESTRICTED users. Note: If your installation has profiles defined in the PROGRAM class, and the user ID with the RESTRICTED attribute needs to load programs covered by one or more of these profiles, the user ID must be put on the access list with EXECUTE or READ authority. NORESTRICTED Specifies that the user does not have the RESTRICTED attribute and access checking is performed the standard way including global access checking, ID(*), the UACC, and the z/OS UNIX 'other' permission bits as appropriate.

These users thanked the author Robert Sample for the post:
jaggz (Fri Jun 01, 2012 7:57 am)
Robert Sample
Global moderator
Posts: 3718
Joined: Sat Dec 19, 2009 8:32 pm
Location: Dubuque, Iowa, USA
Has thanked: 1 time
Been thanked: 279 times

Return to Mainframe Security


  • Related topics
    Last post