Data Sets

All resources registered in TACF must be managed. To ease management, resources are divided into data sets and general resources (hereafter referred to as resources to avoid confusion). Data sets and resources are managed as data set profiles and resource profiles, respectively.

This chapter describes how to manage and use data sets.

1. Overview

Data set profiles can be registered to protect specific resources from unauthorized access.

There are two types of data set profiles supported by TACF.

  • Discrete data set profiles

    A discrete data set profile has unique security requirements. The name of a discrete data set profile must exactly match the name of the data set it protects. Discrete data set profiles can protect one data set with unique security requirements, but they require managing a large number of profiles.

  • Generic data set profiles

    A generic data set profile protects several data sets that use similar naming conventions and security requirements.

For example, for a group of data sets whose high-level qualifier is TMAX, a generic profile named 'TMAX.**' can be created. Any user in the access list of this profile can access, at the authorized level, data sets with the high-level qualifier TMAX. Generic data set profiles reduce the number of profiles needed to protect data sets, while discrete data set profiles better protect data sets with unique security requirements.

1.1. Creating Discrete Data Set Profiles

Before registering a discrete data set profile, it is necessary to determine whether to assign universal access to the data set for all users or control individual access by user. The universal access authority (UACC) assigned to the data set defines the access that all users have to that data set unless they are explicitly defined in the data set access list.

Another way to assign access to a data set is to register an access list of users who are given the access authority. Managing the access list of individual user profiles, however, can be inconvenient. A new profile can be registered using the ADDSD (AD) command of tacfmgr. For non-cataloged data sets, it is recommended to set the UNIT option of ADDSD.

  1. UACC assigns the same level of authority to all users. Therefore, it is recommended that UACC not be used when assigning varying levels of access authority to users.

  2. For more information about the ADDSD command, refer to TACF Commands, and for details on catalogs, refer to OpenFrame Data Set Guide.

1.2. Creating Generic Data Set Profiles

To create a generic data set profile, the naming conventions must be specified.

The following table describes special characters used in defining the naming conventions and their meanings.

| Character | Meaning | Examples |
|---|---|---|
| % | Represents a single character or single-digit numeric value at the same position within the same qualifier. | ABC.%EF (Valid); A%BC.EF (Invalid) |
| * | Represents a single qualifier or more than one character. It cannot be used as the first qualifier. | ABC.DE* (Valid); ABC.DE.* (Valid); ABC.*.DE (Valid); ABC.DE*.FG (Valid); *.ABC.DE (Invalid); ABC*.DE (Invalid) |
| ** | Represents zero or more qualifiers. It cannot be used as the first qualifier. | ABC.** (Valid); **.ABC.DE (Invalid) |

The following describes matching generic data set profile names.

| Profile Name | Match | No Match |
|---|---|---|
| ABC.%EF | ABC.DEF, ABC.XEF | ABC.DEFGHI, ABC.DEF.GHI, ABC.DDEF |
| AB.CD* | AB.CD, AB.CDEF | AB.CD.EF, AB.CD.EF.GH, AB.CD.XY, ABC.DEF |
| AB.CD.* | AB.CD.EF, AB.CD.XY | AB.CD, AB.CDEF, AB.CD.EF.GH, ABC.DEF |
| AB.*.CD | AB.CD.CD, AB.XY.CD | AB.CD, AB.CD.EF, AB.CDEF, ABC.DEF, ABC.XY.CD, ABC.XY.XY.CD |
| AB.CD*.EF | AB.CD.EF, AB.CDEF.EF | AB.CD.XY.EF, AB.CD.EF.GH |
| AB.CD.** | AB.CD, AB.CD.EF, AB.CD.EF.GH, AB.CD.XY | AB.CDEF, AB.CDE.FG, ABC.DEF |
| AB.**.CD | AB.CD, AB.XY.CD, AB.X.Y.CD | AB.CD.EF, AB.CDEF, AB.XY.CD.EF, ABC.DEF, ABX.YCD |
| AB.CD*.** | AB.CD, AB.CD.EF, AB.CDEF, AB.CDEF.GH, AB.CD.EF.GH, AB.CD.XY | ABC.DEF, AB.C.DEF |
| AB.CD.*.** | AB.CD.EF, AB.CD.EF.GH, AB.CD.EF.GH.IJ | AB.CD, AB.CDEF, AB.CDEF.GH, ABC.DEF, ABC.X.Y.EF |
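
The matching rules above can be checked mechanically before a generic profile is registered, to see exactly which data sets it would cover. The following Python code is an added example, not TACF code: the function names and the catalog listing are constructed, and the rule that the first qualifier must be literal is inferred from the Valid/Invalid examples above.

```python
import re

def profile_to_regex(profile: str) -> re.Pattern:
    """Compile a generic data set profile name into a regex (added example)."""
    first, *rest = profile.split(".")
    # Inferred from the page's Valid/Invalid examples: the first qualifier
    # must be literal (A%BC.EF, *.ABC.DE, ABC*.DE, **.ABC.DE are invalid).
    # Empty qualifiers (two consecutive dots) are rejected as well.
    if not first or any(c in "%*" for c in first) or "" in rest:
        raise ValueError(f"invalid generic profile name: {profile!r}")
    parts = [re.escape(first)]
    for q in rest:
        if q == "**":            # zero or more whole qualifiers
            parts.append(r"(?:\.[^.]+)*")
        elif q == "*":           # exactly one whole qualifier
            parts.append(r"\.[^.]+")
        else:                    # literal text; % = one char, * = rest of qualifier
            parts.append(r"\." + "".join(
                "[^.]" if c == "%" else "[^.]*" if c == "*" else re.escape(c)
                for c in q))
    return re.compile("".join(parts))

def is_valid(profile: str) -> bool:
    """True if the name passes the naming checks applied above."""
    try:
        profile_to_regex(profile)
        return True
    except ValueError:
        return False

def covered(profile: str, dsnames: list[str]) -> list[str]:
    """Return the data set names that the profile would protect."""
    rx = profile_to_regex(profile)
    return [d for d in dsnames if rx.fullmatch(d)]

# Constructed catalog listing, not taken from a real system.
CATALOG = ["TMAX.PAYROLL.DATA", "TMAX.PAYROLL.BACKUP.G0001",
           "TMAX.LOG", "TMAXX.LOG", "TEST.TMAX.DATA"]

if __name__ == "__main__":
    for profile in ("TMAX.**", "TMAX.*", "TMAX.PAY*.**"):
        print(f"{profile:14} -> {covered(profile, CATALOG)}")
```

Running a candidate profile against the catalog listing shows that 'TMAX.**' covers every data set under the TMAX high-level qualifier but not TMAXX.LOG or TEST.TMAX.DATA, which is worth confirming before a UACC or access list is attached to the profile.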

2. Specifying Access Authorities for a Data Set

There are two methods to specify the access levels for a data set.

  • Assigning UACC when creating a discrete data set

    All users are granted the same access level.

  • Assigning individual access authorities using the access list

    After specifying a user or a group, the time, and the day to use the data set, use the PERMIT command to register them.

The following table describes the available authorities for data set or resource access.

| Authority Level | Description |
|---|---|
| NONE | No access authority to the data set or resource. |
| EXECUTE | Authority to EXECUTE and LOAD the data set. |
| READ | Authority to READ ONLY the data set but not to COPY and PRINT it. |
| UPDATE | Authority to READ, COPY, and WRITE the data set but not to DELETE, MOVE, or SCRATCH it. |
| CONTROL | Authority to perform control interval processing. This is control-interval access (to individual VSAM data blocks), and the ability to RETRIEVE, UPDATE, INSERT, and DELETE records in the specified data set. It is equivalent to UPDATE authority for non-VSAM data sets. Not available in the current TACF version. |
| ALTER | Authority to READ, UPDATE, RENAME, and MOVE the data set. |

The authorities are ordered NONE < EXECUTE < READ < UPDATE < CONTROL < ALTER. Higher-level authorities include the lower-level authorities.

3. Data Set Profiles

When a new data set profile is registered, the profile is generated and user information is stored in each of its fields. PROFILENAME and VOLUME are required fields. If VOLUME is not entered, the volume information is looked up in the catalog using the corresponding PROFILENAME and stored in the field. The other fields are automatically set to default values.

The following table describes the data set information stored in a data set profile.

Field Description

PROFILENAME

Specifies the data sets to be protected. Required item. A profile name may consist of alphabetic, numeric, and special characters including '%', '*', '**', and '***'. Profile names containing all three types of characters are referred to as generic profiles.

VOLUME

Specifies the volume serial on which the data set to be registered is located. Required item. If this field is not entered and the profile is a discrete data set profile, TACF searches the catalog for the PROFILENAME, finds the volume information that matches the data set, and stores it. If the profile to be registered is a generic data set profile, 'GNRC' is set. If the data set to be registered is a GDG, 'GDG' is set.

DTYPE

This field contains a character that indicates the type of data set profile.

  • D: discrete profile (default value)

  • G: generic profile

  • M: model profile

  • T: tape data set profile

OWNER

Specifies a user ID or group name as the owner of the data set profile. The owner of the data set profile can modify and delete the profile. Moreover, the owner is assigned the authority to access the data set. If OWNER is not specified, the owner is set by default to the user ID of the current user.

NOTIFY

Specifies the user who is to receive notifications about data access denial.

UACC

Specifies universal access authority for the data set. If not specified, the authority is set by default to NONE. For more information, refer to "Access Authority List".

AUDT

Specifies an audit level when accessing a data set. The following describes audit levels.

  • READ FAILURE: Records a log when a data set fails to be read.

  • UPDATE FAILURE: Records a log when a data set fails to be updated, read, written, or copied.

  • ALTER FAILURE: Records a log when a data set fails to be read, updated, moved, or scratched.

  • READ SUCCESS: Records a log when a data set is successfully read.

  • UPDATE SUCCESS: Records a log when a data set is successfully updated, read, written, or copied.

  • ALTER SUCCESS: Records a log when a data set is successfully read, updated, deleted, renamed, moved, or scratched.

Although CONTROL FAILURE is supported, its functionality is not yet implemented. To prevent errors, only internal parameters are used for the field.

Although CATEGORY, SECLEVEL, SECLABEL, DATA, FLAGS, and LTMODDT are supported, their functionalities are not yet implemented. To prevent errors, only internal parameters are used for the fields.