Operating in the Generic RACF Profile Environment on the North System

On July 31, 2000, new North system disk data sets will be protected by generic RACF profiles rather than discrete profiles. This article describes the changes that users and agencies may need to make in order to create and access data sets created after July 31. To provide a smooth transition, it may be necessary for users to modify existing generic profiles or create new ones, particularly for agency data sets.

The switch to generic RACF profiles opens new approaches to data set protection and gives users and agencies better control of their security environments. In the generic environment, the authority to read, update, create, and delete data sets originates from the generic profile that protects a collection of data sets. The levels of access permitted by a RACF profile are:

NONE    - no access at all
READ    - ability to read data set(s) only
UPDATE  - ability to read and update existing data set(s)
ALTER   - ability to read, update, create or delete data set(s)

CIT has created generic profiles based on the high level qualifiers (HLQ) for all user data sets (those beginning with the user’s id, $iii) and for all agency or organization data sets (those beginning with the agency code, aaa). These CIT-generated generic profiles have a universal access (UACC) of NONE, limiting data set access to the owner.

By default, each user belongs to a RACF group for their agency or organization. Within the group there are different levels of authority. Most individuals in the group do not have implicit authority over group data sets. They can read, update, create, or delete their own data sets (ones beginning with their ID, $iii), but have no rights to a group data set (beginning with aaa)—unless they are added to the access list of the protecting generic profile with the appropriate permission.

Changes for Agency/Organization Data

In the past, North users have been able to create group data sets, although in most organizations a few administrators or developers have tended to create group data sets for the rest of the group. Because a generic RACF profile has a much greater scope than a discrete profile, this will change when the automatic creation of discrete profiles (ADSP) is turned off on July 31. At that time, only those individuals or groups added to the access list of the generic RACF profile with ALTER authority will be able to create and delete group data sets.

What this means is that beginning July 31, no one will be able to create or access a new group data set unless they have the proper authority originating from the protecting generic profile access list. Since discrete profiles supersede generic profiles, existing data sets will continue to be protected by their associated discrete profiles.
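
The decision rules described so far, as an added Python sketch that is not CIT or RACF code: it models discrete-over-generic precedence, access lists, UACC, and the ALTER requirement for creating or deleting group data sets. The profile names, the IDs $ADM and $DEV, the pattern-matching rule, the most-specific tie-break and the handling of unprotected names are assumptions made for illustration.

```python
# Added illustration, not CIT or RACF code: a simplified model of the access
# decision described in this article. Profiles and IDs are constructed samples.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "ALTER": 3}
NEEDS = {"read": "READ", "update": "UPDATE", "create": "ALTER", "delete": "ALTER"}

def _match(pat, name):
    # Assumed matching rule: '**' = zero or more qualifiers, '*' = exactly one.
    if not pat:
        return not name
    if pat[0] == "**":
        return any(_match(pat[1:], name[i:]) for i in range(len(name) + 1))
    return bool(name) and pat[0] in ("*", name[0]) and _match(pat[1:], name[1:])

def find_profile(profiles, dsname):
    # A discrete profile (exact data set name) supersedes every generic one.
    for p in profiles:
        if not p["generic"] and p["name"] == dsname:
            return p
    hits = [p for p in profiles
            if p["generic"] and _match(p["name"].split("."), dsname.split("."))]
    # Assumed tie-break: the pattern with the most literal qualifiers wins.
    literal = lambda p: sum(q not in ("*", "**") for q in p["name"].split("."))
    return max(hits, key=literal, default=None)

def granted(profiles, user, groups, dsname):
    if dsname.split(".")[0] == user:   # own data sets: full control
        return "ALTER"
    p = find_profile(profiles, dsname)
    if p is None:
        return "NONE"                  # assumption of this model: no profile, no access
    if user in p["acl"]:               # the user's own entry decides
        return p["acl"][user]
    via_group = [p["acl"][g] for g in groups if g in p["acl"]]
    return max(via_group, key=LEVELS.get) if via_group else p["uacc"]

def can(profiles, user, groups, dsname, action):
    return LEVELS[granted(profiles, user, groups, dsname)] >= LEVELS[NEEDS[action]]

PROFILES = [  # constructed sample: agency AAA, users $ADM and $DEV
    {"name": "AAA.**", "generic": True, "uacc": "NONE", "acl": {"$ADM": "ALTER"}},
    {"name": "AAA.REPORTS.**", "generic": True, "uacc": "NONE", "acl": {"AAA": "READ"}},
    {"name": "AAA.OLD.DATA", "generic": False, "uacc": "NONE", "acl": {"$DEV": "UPDATE"}},
]

if __name__ == "__main__":
    for user, dsn, act in [("$DEV", "AAA.NEW.DATA", "create"), ("$ADM", "AAA.NEW.DATA", "create"),
                           ("$ADM", "AAA.OLD.DATA", "read"), ("$DEV", "AAA.REPORTS.Q2", "read")]:
        print(user, act, dsn, "->", can(PROFILES, user, ["AAA"], dsn, act))
```

In this model $DEV cannot create AAA.NEW.DATA until added to the AAA.** access list with ALTER, while the existing AAA.OLD.DATA stays governed by its discrete profile alone.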

Modifying Generic RACF Profiles

The good news is that unlike a discrete profile (which only exists while the data set it protects exists), generic profiles can exist before any data sets with that naming convention are created and will continue to exist after the data sets are deleted. This means that the CIT-generated generic profiles can be modified—or additional, more specific generic profiles created—with the proper access lists well in advance of July 31. This setup is a one-time process, not the ongoing maintenance effort required of discrete profiles.

Initially, the RACF coordinator of the agency/organization will be the only one who can add or modify generic RACF profiles for the group. The coordinator can, however, designate others to have the authority to protect group data sets (add or modify RACF profiles for the group—the CREATE authority within the group). Because of data integrity implications, this privilege should be carefully limited.

More Information

For detailed information and additional hints on creating and maintaining RACF groups and profiles, go to the North system’s Web page http://silkad.nih.gov/ and select "Generic Profiles." To see your current RACF profiles and access lists, select the "RACF Profiles Listing" on the same page. If you would like additional help from CIT in setting up and modifying generic RACF profiles, please call TASC and arrange a consultation with CIT staff.




Interface 214 (June 23, 2000)
