Controlling the Use of FTP › How to Set Up a SAF Qualifier Under RACF

How to Set Up a SAF Qualifier Under RACF

To set up a SAF qualifier class and profiles under RACF

1. Define the SAF class to the RACF Class Descriptor Table by using one of the JCL members in your dsnpref.NMC0.CC17SAMP library:
   • DEFRACFA (for non-SMP/E)
   • DEFRACFS (for SMP/E)

     Note: The default class name for FTP SAF rules is $FTP. You can stipulate any value that conforms to RACF standards. If you use another name, ensure that you specify it in the FTPCNTL parameter group.

     Note: An IPL is required for changes to the RACF Class Descriptor Table to take effect.

2. Set up profiles for the SAF class, as follows:

   RDEFINE $FTP FTP.saf-qualifier.remote-ip-address.filename  UACC(NONE)
   PE FTP.saf-qualifier.remote-ip-address.filename CLASS($FTP) ID(userid or group) ACCESS(READ)
   SETROPTS GENERIC($FTP) REFRESH
   

   These profiles have the following format:

   FTP.saf-qualifier.remote-ip-address.filename
   

   • FTP

     Is a constant.

   • saf-qualifier

     Specifies the name that you determine and enter in the SAF Qualifier Field when defining your policy rule.

   • remote-ip-address

     Specifies the standard dotted decimal notation of an IP address (* wildcard allowed).

   • filename

     Specifies the name of a data set (* wildcard allowed).

3. Make the profiles available to specific users or groups of users, with access attributes of either read or write.