ISPF operates within the security framework provided by external security managers (ESM) like RACF, ACF2, or TopSecret. Understanding how security controls access to datasets, who can edit what, and how ISPF interacts with security systems is essential for both users and administrators. This tutorial covers security concepts, access levels, dataset protection, and best practices for secure ISPF usage.
Security in ISPF is not controlled by ISPF itself but by the underlying security manager. ISPF respects security decisions and enforces access controls. Understanding security helps you understand why you can or cannot access certain datasets, what access levels mean, and how to work within security constraints effectively.
Understanding External Security Managers
External Security Managers (ESM) control access to system resources on z/OS. ISPF works with whichever ESM is installed on your system.
What are External Security Managers?
External Security Managers are system software that control access to resources:
RACF (Resource Access Control Facility): IBM's security product for z/OS. RACF is the most common security manager on IBM mainframes.
ACF2: Security product from Broadcom (formerly CA Technologies). Provides similar functionality to RACF with different interfaces.
TopSecret: Security product from CA Technologies. Another alternative to RACF with its own interfaces and features.
All three products serve the same purpose: controlling who can access what resources. They differ in interfaces, some features, and administration methods, but the core security concepts are similar.
How Security Managers Work
Security managers control access through:
User Profiles: Define users and their attributes (groups, special authorities, etc.)
Resource Profiles: Define resources (datasets, etc.) and who can access them
Access Decisions: When access is requested, security manager checks profiles and grants or denies access
Audit Logging: Log access attempts and decisions for security monitoring
When you try to access a dataset in ISPF, ISPF requests access from the security manager, which checks your user profile against the dataset profile and makes an access decision.
Dataset Access Levels
Security managers define different access levels that control what you can do with datasets. Understanding these levels helps you understand what operations are allowed.
Common Access Levels
Typical access levels include:
NONE: No access to the dataset. You cannot read, write, or access it in any way.
READ: Can read the dataset (browse) but cannot modify it. Allows viewing content but not editing.
UPDATE: Can read and modify the dataset. Typically sufficient for editing in ISPF, though some organizations require ALTER.
ALTER: Can read, modify, and change dataset attributes (like allocation parameters). Usually sufficient for all editing operations.
CONTROL: Can control the dataset, including changing security profiles. Rarely needed for normal editing operations.
The specific access levels and their meanings can vary slightly between security managers and organizational configurations. Your security administrator can tell you what access levels are used in your environment.
Access Levels for ISPF Operations
Different ISPF operations require different access levels:
Browse: Requires READ access. Allows viewing dataset content but not modification.
Edit: Typically requires UPDATE or ALTER access, depending on configuration. Allows modifying dataset content.
Allocate: May require ALTER or special authority, depending on the dataset and configuration.
Delete: Typically requires ALTER access or special authority.
Rename: Typically requires ALTER access or special authority.
If you don't have sufficient access, ISPF will display a security error message and deny the operation.
Dataset Protection
Datasets are protected through security profiles that define access rules. Understanding how datasets are protected helps you understand access decisions.
Dataset Profiles
Security managers protect datasets through profiles that specify:
Dataset Name: The specific dataset or pattern (using wildcards) the profile protects
Access Lists: Lists of users or groups and their access levels
Universal Access: Default access for users not specifically listed
Special Attributes: Additional security attributes or restrictions
Profiles can protect specific datasets (e.g., PROD.APPLICATION.DATA) or patterns (e.g., PROD.** to protect all datasets starting with PROD.).
Profile Hierarchy
Security managers use profile hierarchy:
Specific Profiles: Profiles for specific dataset names take precedence
Generic Profiles: Profiles using wildcards provide default protection
Class Profiles: Profiles at dataset class level provide system-wide defaults
When checking access, security managers check specific profiles first, then generic profiles, then class profiles. The first matching profile determines access.
ISPF and Security Interaction
ISPF interacts with security managers to enforce access controls. Understanding this interaction helps explain ISPF behavior and error messages.
Access Request Process
When you try to access a dataset in ISPF:
ISPF Requests Access: ISPF requests access from the security manager
Security Manager Checks: Security manager checks your user profile against dataset profiles
Access Decision: Security manager grants or denies access based on profiles
ISPF Enforces Decision: ISPF allows or denies the operation based on the security manager's decision
Error Messages: If access is denied, ISPF displays a security error message
ISPF cannot bypass security decisions. All access is controlled by the security manager, and ISPF enforces those decisions.
Security Error Messages
When access is denied, ISPF displays security error messages. Common messages include:
Insufficient Authority: You don't have sufficient access level for the operation
Access Denied: Access is explicitly denied by security profile
Dataset Not Found: May indicate security is preventing you from seeing the dataset exists
Security Violation: General security error indicating access was denied
The specific message format depends on your security manager. Understanding these messages helps diagnose access problems.
Who Can Edit What
Understanding who can edit what datasets depends on security profiles and access levels. This section covers common scenarios and access patterns.
User Datasets
Users typically have full access to their own datasets:
User ID Prefix: Datasets starting with your user ID are typically accessible to you
Full Access: You usually have ALTER or UPDATE access to your own datasets
Edit Capability: You can typically edit your own datasets without restrictions
Security profiles often grant users full access to datasets under their user ID, allowing normal work without access issues.
Shared Datasets
Shared datasets have controlled access:
Project Datasets: Access controlled by project membership or group membership
Team Datasets: Access granted to team members through group profiles
Department Datasets: Access controlled by department or organizational structure
Read-Only Access: Some shared datasets may be read-only for most users, with only specific users having update access
Access to shared datasets is determined by security profiles that grant access to specific users or groups.
Production Datasets
Production datasets typically have restricted access:
Limited Access: Only authorized personnel have update access
Read-Only for Most: Most users may have read-only access for viewing
Change Control: Updates may require special approval or change control processes
Audit Requirements: Access to production datasets is often heavily audited
Production datasets are protected to prevent unauthorized changes that could affect production systems.
System Datasets
System datasets are highly protected:
System Authority Required: Typically require system-level authority to modify
Restricted Access: Most users cannot access system datasets
Administrator Only: Only system administrators can modify system datasets
Critical Protection: System datasets are protected to prevent system damage
System datasets (like ISPF system libraries) are protected to maintain system integrity.
Security Best Practices
Following security best practices helps maintain secure ISPF usage and avoid security problems:
For Users
Understand Your Access: Know what datasets you can and cannot access
Respect Access Controls: Don't attempt to bypass security or access unauthorized datasets
Report Issues: Report security errors or access problems to security administrators
Protect Your Datasets: Ensure your datasets have appropriate security profiles
Use Appropriate Access: Request only the access you need for your work
Follow Procedures: Follow organizational procedures for accessing shared or production datasets
For Administrators
Principle of Least Privilege: Grant users only the access they need
Regular Reviews: Regularly review access profiles and remove unnecessary access
Documentation: Document security profiles and access decisions
Audit Monitoring: Monitor security audit logs for unauthorized access attempts
Change Control: Use change control processes for security profile changes
Training: Ensure users understand security and access requirements
Checking Your Access
You can check your access to datasets using various methods, depending on your security manager and permissions.
Attempting Access
The simplest way to check access is to attempt it:
Try to Edit: Attempt to edit the dataset in ISPF
Check Error Messages: If access is denied, error messages indicate the problem
Try to Browse: If edit fails, try browsing to see if you have read access
This method is simple but doesn't provide detailed access information.
Security Manager Commands
Security managers provide commands to check access (if you have permission):
RACF: LISTDSD command shows dataset profiles and your access
ACF2: LIST command shows dataset access information
TopSecret: TSS LIST command shows access information
These commands may require special permissions and provide detailed access information.
Contacting Security Administrators
Security administrators can:
Check Your Access: Review your access to specific datasets
Explain Access Decisions: Explain why you have or don't have access
Grant Access: Grant access if appropriate and authorized
Review Profiles: Review and update security profiles as needed
If you need access to datasets, contact your security administrator with justification for the access request.
Common Security Scenarios
Understanding common security scenarios helps you work effectively within security constraints:
Scenario 1: Cannot Edit Production Dataset
Situation: You can browse a production dataset but cannot edit it.
Explanation: You have READ access but not UPDATE or ALTER access. Production datasets are typically protected to prevent unauthorized changes.
Solution: If you need to edit production data, follow organizational change control procedures. You may need special approval and temporary access granted by security administrators.
Scenario 2: Cannot See Dataset Exists
Situation: You know a dataset exists but cannot see it in DSLIST or access it.
Explanation: Security may be preventing you from seeing the dataset exists, or you may not have any access to it.
Solution: Verify the dataset name is correct. If you believe you should have access, contact your security administrator.
Scenario 3: Can Edit Some Members But Not Others
Situation: In a PDS, you can edit some members but get security errors for others.
Explanation: Some security managers support member-level protection, where individual PDS members can have different access controls.
Solution: This is expected behavior if member-level protection is configured. You can edit members you have access to but not those you don't.
Explain Like I'm 5: ISPF Security
Think of ISPF security like a library with security guards:
Security Managers are like security guards at the library. They decide who can go into which rooms and what they can do there. Just like you can't go into the librarian's office without permission, you can't access certain datasets without the right permissions!
Access Levels are like different types of library cards. Some cards let you only read books (READ), some let you check books out (UPDATE), and some let you even reorganize the shelves (ALTER). The security guard checks your card before letting you do anything!
Dataset Profiles are like lists the security guards have that say "This person can go in this room" or "This group can use these books." The guards check these lists whenever you want to do something!
ISPF is like the library itself. It has all the books (datasets) and tools you need, but it always asks the security guards (security manager) before letting you do anything. ISPF can't let you do something the guards say you can't do!
Your User ID is like your library card. It tells the security guards who you are and what you're allowed to do. Different people have different cards with different permissions!
So ISPF security is like a library where security guards (security managers) check your library card (user ID) against their lists (profiles) before letting you read or change books (datasets)!
Practice Exercises
Practice understanding security in your environment:
Exercise 1: Check Your Dataset Access
Objective: Understand what datasets you can access.
Steps:
Use DSLIST to list datasets under your user ID
Attempt to edit one of your datasets - verify you can edit it
Attempt to browse a shared dataset (if available) - note if you can only browse or can also edit
Document what access levels you appear to have
Exercise 2: Understand Security Messages
Objective: Learn to interpret security error messages.
Steps:
Attempt to edit a dataset you know you don't have access to (like a system dataset)
Note the security error message you receive
Understand what the message is telling you
Document the message format for future reference
Exercise 3: Review Access Patterns
Objective: Understand access patterns in your environment.
Steps:
Identify datasets you can edit (your own datasets)
Identify datasets you can only browse (shared or production datasets)
Identify datasets you cannot access at all
Document the access patterns you observe
Test Your Knowledge
1. What access level is typically needed to edit a dataset in ISPF?
READ
UPDATE or ALTER
CONTROL
NONE
2. Can ISPF bypass security controls?
Yes, always
No, ISPF respects security manager decisions
Only for system datasets
Only with special authority
3. What are the three main external security managers for z/OS?
RACF, ACF2, TopSecret
RACF, TSO, ISPF
ACF2, TopSecret, z/OS
RACF, z/OS, TSO
4. What access level allows browsing but not editing?