
Basic Access Control List (BACL)

The Basic Access Control List (BACL) is located one level higher in the hierarchy of protection mechanisms than the ACCESS/USER-ACCESS protection attributes. It is effective for an object if no guards protection has been defined. Password protection and retention period also apply.

Using a BACL, it is possible to define different access rights for object owners, the members of their user group and for all other users. However, it is not possible to define access rights at individual user level with this access protection mechanism.

You define a Basic Access Control List for files using the BASIC-ACL operand of the /CREATE-FILE or /MODIFY-FILE-ATTRIBUTES commands.

In the same way, you create Basic Access Control Lists for job variables using the /CREATE-JV or /MODIFY-JV-ATTRIBUTES commands.

User classes

The BACL protection mechanism extends the user group concept by implementing user classes which may all have different access rights. The set of all users is subdivided into the following user class subsets:

OWNER:
Owner of an object – the user ID under which the file or job variable is catalogued. Co-owners defined using the co-owner protection facility (see "Co-owner protection") also belong to this user class.

GROUP:
All the user IDs that belong to the same user group as the owner, with the exception of the owner and any co-owners.

OTHERS:
All other users, except for co-owners.

As far as the object owner is concerned, users are classified individually. With reference to any object, the user classes OWNER, GROUP and OTHERS always represent mutually exclusive sets of users.

Notes on the user class GROUP

All users that are not assigned to any explicitly created group are automatically part of the implicitly created group *UNIVERSAL. This is true, in particular, if no groups have been explicitly created. In this case, all users of the system are part of the same group. When a BACL is evaluated, all user IDs that attempt access, with the exception of the owner, are attributed the entry GROUP and not the entry OTHERS.


In the case of the user group *UNIVERSAL, you are therefore very strongly recommended to assign the same rights to the user classes GROUP and OTHERS.

Access rights

You can define three access rights for each user class:

  • Read (R)

  • Write (W)

  • Execute (X)

Unlike in the case of the ACCESS protection attribute, none of these rights includes either of the others.
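The classification into OWNER, GROUP and OTHERS, the *UNIVERSAL behaviour described under "Notes on the user class GROUP", and the independence of the R, W and X rights can be seen together in the following model. It is an added illustration, not Fujitsu's DMS implementation; it assumes a constructed dictionary mapping user IDs to group names, with a user ID that appears in no explicit group treated as a member of *UNIVERSAL, and uses the BACL from the example below this section as constructed sample data.

```python
"""Model of how a BS2000 Basic Access Control List (BACL) is evaluated.

Added illustration, not Fujitsu's implementation or DMS code. Assumptions:
group membership is a constructed dict (user ID -> group name), and a user
ID that appears in no explicit group is treated as a member of the implicit
group *UNIVERSAL, as the manual describes.
"""
from dataclasses import dataclass

UNIVERSAL = "*UNIVERSAL"  # implicit group for users that are in no explicit group


@dataclass(frozen=True)
class Rights:
    """Rights of one user class. R, W and X are independent flags:
    unlike the ACCESS attribute, none of them implies any other."""
    read: bool = False
    write: bool = False
    execute: bool = False

    def allows(self, op: str) -> bool:
        return {"R": self.read, "W": self.write, "X": self.execute}[op]

    def render(self) -> str:
        """Same notation as the SHOW-FILE-ATTRIBUTES output, e.g. "R W -"."""
        flags = (("R", self.read), ("W", self.write), ("X", self.execute))
        return " ".join(flag if on else "-" for flag, on in flags)


@dataclass(frozen=True)
class Bacl:
    owner: Rights
    group: Rights
    others: Rights


@dataclass(frozen=True)
class ProtectedObject:
    """A file or job variable: owner user ID, BACL and co-owners."""
    owner_id: str
    bacl: Bacl
    co_owners: frozenset = frozenset()


def user_class(obj: ProtectedObject, user_id: str, group_of: dict) -> str:
    """Classify a requesting user ID into exactly one of OWNER, GROUP, OTHERS."""
    if user_id == obj.owner_id or user_id in obj.co_owners:
        return "OWNER"  # owner and co-owners share the OWNER entry
    # Users in no explicit group fall into *UNIVERSAL (assumption: modelled via
    # the dict default). With no groups defined at all, every non-owner is GROUP.
    if group_of.get(user_id, UNIVERSAL) == group_of.get(obj.owner_id, UNIVERSAL):
        return "GROUP"
    return "OTHERS"


def is_allowed(obj: ProtectedObject, user_id: str, op: str, group_of: dict) -> bool:
    """Evaluate the BACL for one access (op is "R", "W" or "X")."""
    entry = {"OWNER": obj.bacl.owner, "GROUP": obj.bacl.group, "OTHERS": obj.bacl.others}
    return entry[user_class(obj, user_id, group_of)].allows(op)


def universal_consistent(bacl: Bacl) -> bool:
    """Check the manual's recommendation for *UNIVERSAL: GROUP and OTHERS should
    carry the same rights, because nobody but the owner is ever classified as
    OTHERS when the owner belongs to *UNIVERSAL."""
    return bacl.group == bacl.others


# Constructed sample: the BACL of the manual's example (owner R W X,
# group R W -, others R - -) on a file owned by EVA, with ALICE as co-owner.
TEST_BACL = Bacl(
    owner=Rights(True, True, True),
    group=Rights(True, True, False),
    others=Rights(True, False, False),
)
TEST_FILE = ProtectedObject("EVA", TEST_BACL, co_owners=frozenset({"ALICE"}))

# Constructed group membership: DEV and OPS exist; DAVE is in no explicit group.
GROUPS = {"EVA": "DEV", "BOB": "DEV", "ALICE": "OPS", "CAROL": "OPS"}

if __name__ == "__main__":
    for uid in ("EVA", "ALICE", "BOB", "CAROL", "DAVE"):
        cls = user_class(TEST_FILE, uid, GROUPS)
        ops = " ".join(f"{op}={is_allowed(TEST_FILE, uid, op, GROUPS)}" for op in "RWX")
        print(f"{uid:6} -> {cls:6} {ops}")
    # Same BACL on a system with no explicit groups: DAVE now receives GROUP rights.
    print("no groups defined, DAVE write:", is_allowed(TEST_FILE, "DAVE", "W", {}))
    print("GROUP == OTHERS:", universal_consistent(TEST_BACL))
```

Running the block shows the point of the note above: with DEV and OPS defined, DAVE (no explicit group) is OTHERS and cannot write; on a system without explicit groups the same BACL classifies DAVE as GROUP, so the write succeeds, which is exactly why GROUP and OTHERS should be given identical rights in that situation.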

Example

The owner of a file wants read, write and execute rights to this file, while allowing members of the same group read and write access. All other users should have read access only.


/create-file file-name=test,protection=(basic-acl=( -
/                             owner=(read=*yes,write=*yes,exec=*yes), -
/                             group=(read=*yes,write=*yes), -
/                             others=(read=*yes)))
/show-file-attr file-name=test,information=(security=*yes)

%00000003 :AAAA:$EVA.TEST
%  ------------------------------- SECURITY     -------------------------------
%  READ-PASS  = NONE        WRITE-PASS = NONE        EXEC-PASS  = NONE
%  USER-ACC   = OWNER-ONLY  ACCESS     = WRITE       ACL        = NO
%  OWNER      = R W X       GROUP      = R W -       OTHERS     = R - -
%  AUDIT      = NONE        FREE-DEL-D = *NONE       EXPIR-DATE = NONE
%  DESTROY    = NO          FREE-DEL-T = *NONE       EXPIR-TIME = NONE
%  SP-REL-LOCK= NO 


For further information on BACLs, refer to the “Introductory Guide to DMS” [6].