The basic access control list (BACL) is one level above the ACCESS/USER-ACCESS protection attributes in the hierarchy of access protection mechanisms. It takes effect for an object when no guards protection is defined for the object. The password protection and retention period are also in effect.
Different access rights can be defined for the owner of the object, members of its user group and for all other users with a BACL . However, it is not possible to define access rights for individual user IDs with this access protection mechanism.
A basic access control list for files is defined using the BASIC-ACL operand of the CREATE-FILE or MODIFY-FILE-ATTRIBUTES command.
Basic access control lists for job variables can be defined accordingly with the CREATE-JV or MODIFY-JV-ATTRIBUTES commands.
User classes
Building on the concept of user groups, user classes are defined for access to objects. User classes subdivide the set of all users into the subsets OWNER, GROUP and OTHERS.
OWNER | The owner of an object, meaning the user ID under which the file or job variable is cataloged as well as co-owners specified using the co-owner protection mechanism |
GROUP | All user IDs of the user group to which the owner belongs except for the owner and any co-owners |
OTHERS | All other users except for the co-owners |
The definition of the group structure on the home pubset is used to define the user class.
Notes on the GROUP user class
All users that are not explicitly assigned to any group are automatically members of the implicitly defined group *UNIVERSAL. This is especially true when no groups at all were set up. In this case all users of the system are members of the same group. When a BACL is evaluated, all user IDs except for the owner himself are granted the access rights of the OTHERS entry.
It is therefore urgently recommended for members of the *UNIVERSAL user group to assign the same access rights to the GROUP and OTHERS user classes.
Access rights
Nine access rights for a file are specified in a BACL. For each of the three user classes OWNER, GROUP and OTHERS three access types can be separately assigned:
read (R),
write (W) and
execute (X)
None of these access rights automatically includes the other access rights.
Evaluation of the basic access control list
If the user ID requesting access is the owner of the object, a co-owner or the TSOS, the access rights stored under OWNER apply.
If the user ID belongs to the owner's user group, the access rights stored under GROUP apply.
For all other user IDs the access rights stored under OTHERS apply.
Example
OWNER = R W X
GROUP = R W -
OTHERS = R - -
The owner of this file may perform read, write and execution operations on the file. The file owner's group may read from and write to the file. All other users can only read the file.