How to Set Up a SAF Qualifier Under RACF

To set up a SAF qualifier class and profiles under RACF, follow these steps:

  1. Define the SAF class to the RACF Class Descriptor Table by using one of the JCL members in your dsnpref.NMC1.CC17SAMP library:

    Note: The default class name for FTP SAF rules is $FTP. You can stipulate any value that conforms to RACF standards. If you use another name, ensure that you specify it in the FTPCNTL parameter group.

    Note: An IPL is required for changes to the RACF Class Descriptor Table to take effect.

  2. Set up profiles for the SAF class, as follows:
    RDEFINE $FTP FTP.saf-qualifier.remote-ip-address.filename UACC(NONE)
    PE FTP.saf-qualifier.remote-ip-address.filename CLASS($FTP) ID(userid or group) ACCESS(READ)
    SETROPTS GENERIC($FTP) REFRESH

    These profiles have the following format:

    FTP.saf-qualifier.remote-ip-address.filename
    
    FTP
      Is a constant.

    saf-qualifier
      Specifies the name that you determine and enter in the SAF Qualifier Field when defining your policy rule.

    remote-ip-address
      Specifies an IP address in standard dotted decimal notation (* wildcard allowed).

    filename
      Specifies the name of a data set (* wildcard allowed).

  3. Make the profiles available to specific users or groups of users, with access attributes of either read or write.

More information:

Examples of Using Your SAF Qualifier