December 21, 2001
RACF High-Level Profiles to Be Required
Controlling access to all disk data sets requires that every registered account/initials pair be assigned a "high-level RACF profile." High-level RACF profiles are of the form aaaaiii.** (where aaaa is your account and iii are your initials), and provide a default level of protection (UACC) for all disk data sets created for that account/initials pair. This default level of protection applies to all disk data sets matching an account/initials pair whether they are accessed via batch jobs, interactively (e.g., WYLBUR, TSO, ISPF), or through SILK Web. The creation of high-level profiles does NOT affect the protection of data sets that are already protected by a discrete or generic RACF profile.
One of four levels of access for data sets must be specified:

Level | Meaning
--- | ---
NONE | Data sets cannot be read, updated, or scratched by anyone other than the owner, iii, unless permission is specifically granted. This is the highest level of protection and may require paying significant attention to data access administration. It is typically appropriate for sensitive data or data that does not need to be shared.
READ | Data sets can be read by anyone, but only the owner, iii, can update or scratch them unless others are specifically granted permission to do so. This protection level may require some attention to data access administration. It is typically appropriate for non-sensitive data that needs to be protected from modification by others but needs to be shared.
UPDATE | Data sets can be read or modified (updated) by anyone, but only the owner, iii, can scratch the data set unless others are specifically granted permission to do so. This protection level usually requires little attention to data access administration. It is typically appropriate for non-sensitive data that can be modified by others.
ALTER | Data sets can be read, modified (updated), or deleted by anyone. This is the lowest level of protection and requires no attention to data access administration. It is typically appropriate for non-sensitive data that can be readily reproduced. Users with ALTER access may create new data sets under the aaaaiii high-level qualifier.
Schedule for Creation of the Profiles
The creation of these high-level profiles will be done in phases. Phase 1 will only affect newly assigned initials. Phase 2 will run concurrently with Phase 1 and will consist of a time period when customers can set up their own high-level profiles. Phase 3 will consist of the Computer Center assigning high-level profiles for users who have not yet done so in phases 1 and 2.
Phase 1
After January 7, 2002, when account sponsors establish new initials on the South system they will be required to specify a default level of access for all data sets created matching the newly assigned account/initials. Web Sponsor will be modified to provide this feature.
After the new aaaaiii.** high-level profile has been created with the specified default level of access, the new user may use Web RACF to change the default level of access, permit other users to access all of their data, or specifically protect individual data sets or groups of data sets.
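The following is an added worked model, not part of the original article and not CIT's Web RACF tooling. It simulates, in plain Python, the access decisions described above: the four UACC levels, the owner's full authority, an explicit permit overriding the default, and the rule that a high-level aaaaiii.** profile never overrides a data set already covered by a more specific discrete or generic profile. The account "NCIA", initials "ABC" and user IDs "XYZ"/"DEF" are constructed sample values; the functions add_profile, permit and set_uacc are hypothetical names that mirror the real RACF commands ADDSD, PERMIT and ALTDSD, and the profile-matching rules are a simplified model of RACF's most-specific-profile-wins behaviour.

```python
from dataclasses import dataclass, field

# UACC levels in increasing order of authority (from the table above).
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALTER": 3}


@dataclass
class Profile:
    name: str                 # e.g. "NCIAABC.**" (aaaaiii.**) or a discrete name
    owner: str                # the initials (iii) whose data sets this protects
    uacc: str                 # default access for anyone not on the access list
    permits: dict = field(default_factory=dict)   # user -> access level


def add_profile(profiles, name, owner, uacc):
    """Model of ADDSD: create a profile with a default (UACC) level."""
    assert uacc in LEVELS, f"bad UACC {uacc}"
    profiles.append(Profile(name, owner, uacc))


def permit(profiles, name, user, access):
    """Model of PERMIT: grant one user a specific level on one profile."""
    assert access in LEVELS
    next(p for p in profiles if p.name == name).permits[user] = access


def set_uacc(profiles, name, uacc):
    """Model of ALTDSD: change the default level of an existing profile."""
    assert uacc in LEVELS
    next(p for p in profiles if p.name == name).uacc = uacc


def matches(profile_name, dsn):
    """Simplified generic matching: '**' spans zero or more qualifiers,
    '*' exactly one qualifier, anything else must match literally."""
    def rec(p, d):
        if not p:
            return not d
        if p[0] == "**":
            return any(rec(p[1:], d[i:]) for i in range(len(d) + 1))
        if not d:
            return False
        if p[0] == "*" or p[0] == d[0]:
            return rec(p[1:], d[1:])
        return False
    return rec(profile_name.split("."), dsn.split("."))


def specificity(profile_name):
    """Ranking used to pick the governing profile: a discrete profile beats a
    generic one, and among generics the one with more literal qualifiers wins."""
    quals = profile_name.split(".")
    wild = {"*", "**"}
    discrete = 1 if not any(q in wild for q in quals) else 0
    return (discrete, sum(q not in wild for q in quals), -quals.count("**"))


def best_profile(profiles, dsn):
    """Return the most specific profile covering dsn, or None if unprotected."""
    cands = [p for p in profiles if matches(p.name, dsn)]
    return max(cands, key=lambda p: specificity(p.name)) if cands else None


def effective_access(profiles, dsn, user):
    """Access level a user ends up with on dsn; None means no RACF profile covers it."""
    p = best_profile(profiles, dsn)
    if p is None:
        return None
    if user == p.owner:          # the owner, iii, can always read, update and scratch
        return "ALTER"
    return p.permits.get(user, p.uacc)   # explicit permit, else the profile's UACC


def allowed(profiles, dsn, user, needed):
    """True if user may perform an operation requiring the given level on dsn."""
    acc = effective_access(profiles, dsn, user)
    if acc is None:              # unprotected data set: model it as open, as in batch before Phase 1
        return True
    return LEVELS[acc] >= LEVELS[needed]


def build_demo():
    """Constructed scenario: account NCIA, initials ABC -> high-level qualifier NCIAABC."""
    profiles = []
    # A discrete profile that already existed before the high-level profile was created.
    add_profile(profiles, "NCIAABC.PAYROLL.DATA", owner="ABC", uacc="NONE")
    # Phase 1: the sponsor picks READ as the default for everything under NCIAABC.
    add_profile(profiles, "NCIAABC.**", owner="ABC", uacc="READ")
    # The user then tightens one group of data sets and permits one colleague.
    add_profile(profiles, "NCIAABC.SECRET.**", owner="ABC", uacc="NONE")
    permit(profiles, "NCIAABC.**", user="DEF", access="UPDATE")
    return profiles


PROFILES = build_demo()

if __name__ == "__main__":
    for dsn in ("NCIAABC.NOTES.TEXT", "NCIAABC.PAYROLL.DATA", "NCIAABC.SECRET.PLAN"):
        for user in ("ABC", "XYZ", "DEF"):
            print(f"{dsn:22} {user}: {effective_access(PROFILES, dsn, user)}")
```

Running the block prints the effective level for each combination: the anonymous user XYZ gets READ on NCIAABC.NOTES.TEXT from the high-level profile but NONE on NCIAABC.PAYROLL.DATA, because the pre-existing discrete profile still governs that data set; DEF's permit on NCIAABC.** does not carry over to NCIAABC.SECRET.**, since each profile keeps its own access list.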
Phase 2
In Phase 2 users are encouraged to set up their own RACF high-level profiles. CIT has developed tools to make it easier to set up these profiles. On January 31 the seminar "Titan Transition: Where's My Keyword" will describe RACF security, including the process of setting up a RACF high-level profile, and will discuss these tools. Computer Center staff will be available to assist customers in determining the correct high-level RACF profile.
Generic RACF profiles, and specifically high-level profiles, have been available since March of 1993, but few users have taken advantage of this feature. Currently, most data sets at NIH have ALTER protection when accessed through batch, and the equivalent of READ protection when accessed interactively.
Phase 3
CIT will set a deadline and will assign a high-level profile to any set of registered account/initials that do not already have one. To avoid adversely affecting production work, it is especially important for users to establish appropriate protection prior to Phase 3.
If you have questions regarding the appropriate level of access for your data, or if you want to register for the seminar on January 31, contact TASC (301-594-6248).