

File Functions (IBMFAC)

The following file functions are authorized via the IBMFAC ATTRIBUTE:

BPX.CAHFS.CHANGE.FILE.ATTRIBUTES

Allows a user to change extended file attributes, such as APF authorization and program control. Native z/OS UNIX services issue an IBMFAC resource call to determine authorization to set the specific attribute, but that check does not extend to specific files. Use of this file function resource provides additional control down to the file level.

BPX.CAHFS.CHANGE.FILE.AUDIT.FLAGS

HFS files contain two sets of audit flags, one that can be set by a normal user and the other that can only be set by an auditor. This resource allows a user to change user‑audit flags in a file.

BPX.CAHFS.CHANGE.FILE.FORMAT

Allows a user to change the format of a file. Changes include defining text data delimiters or binary file format.

BPX.CAHFS.CHANGE.FILE.MODE

Allows a user to change any file mode information. This includes changes to file permission settings, setting the execution UID or GID indicators, and setting the “sticky” bit. Native z/OS UNIX permission settings are used for validation purposes only when CA SAF HFS security is inactive.

BPX.CAHFS.CHANGE.FILE.MODE.STICKY

Allows a user to set the “sticky” bit in the file mode information. The “sticky” bit causes a program to be loaded from MVS libraries instead of the HFS.

BPX.CAHFS.CHANGE.FILE.MODE.EUID

Allows a user to set the execution‑UID indicator in the file mode information. When this indicator is set, the program runs under the UNIX UID of the file owner instead of the UID of the user running the program.

BPX.CAHFS.CHANGE.FILE.MODE.EGID

Allows a user to set the execution‑GID indicator in the file mode information. When this indicator is set, the program runs under the UNIX GID of the file owner instead of the GID of the user running the program.

BPX.CAHFS.CHANGE.FILE.OWNER

Allows a user to change the file owner UID setting. Native z/OS UNIX ownership settings are used for validation purposes only when CA SAF HFS security is inactive.

BPX.CAHFS.CHANGE.FILE.GROUP

Allows a user to change the file owner GID setting. Native z/OS UNIX ownership settings are used for validation purposes only when CA SAF HFS security is inactive.

BPX.CAHFS.CHANGE.FILE.TIME

Allows a user to change the last access or modification time to the current time or a user‑specified time. If the current time is to be set and the user has write access to the file, the function is allowed. If the user does not have write access or a user‑specified time is to be set, access must be allowed to this IBMFAC resource.