Controlling access to File Manager functions with SAF

SAF controls access to File Manager functions as follows:

If access to the profile FACILITY(FILEM.FUNCTION.fc) in the FACILITY class is defined (where fc is the function code), this controls access to the function.
If access to the profile FACILITY(FILEM.FUNCTION.fc) in the FACILITY class is not defined, the profile name shown in File Manager function to profile name cross-reference (in the form FILEM.group.name) is used.
If no profile name as shown in File Manager function to profile name cross-reference is defined, then FILEM.OTHER.ALL is used. If this does not permit access then access is denied.

Some File Manager functions are protected, by default, by the FILEM.OTHER.ALL profile. These functions are listed in File Manager functions protected by FILEM.OTHER.ALL.

ALTER, UPDATE or READ access means that the user can use the function. Access NONE means that the user cannot use the function.

This is illustrated in Access to File Manager functions.

Figure 1. Access to File Manager functions

  ┌──────────────────────────┐
  │File Manager function (fc)│
  └───────────┬──────────────┘
              ↓
  ┌────────────────────────────────────────────┐
  │FACILITY(FILEM.FUNCTION.fc) access          │
  ├──────┬────────┬──────┬───────┬─────────────┤
  │ALTER │ UPDATE │ READ │ NONE  │ not defined │
  └──┬───┴───┬────┴─┬────┴────┬──┴──────┬──────┘
     ├───────┴──────┘┌────────┘         │
     ↓               ↓                  ↓
  ┌────────┐  ┌────────┐   ┌──────────────────────────────────┐
  │Accepted│  │Rejected│   │FACILITY(FILEM.group.name) access │
  └────────┘  └────────┘   ├──────┬────────┬──────┬───────────┤
                           │ALTER │ UPDATE │ READ │ NONE      │
                           └──┬───┴───┬────┴───┬──┴───┬───────┘
                              └──────┬┴────────┘      │
                                     ↓                ↓
                                ┌────────┐         ┌────────┐
                                │Accepted│         │Rejected│
                                └────────┘         └────────┘

For example, the TP function is part of the FILEM.TAPE.INPUT group. You can control access to the TP function in any of the following ways:

To give a user access to the TP function, regardless of the user's access to FILEM.TAPE.INPUT, give the user ALTER, UPDATE, or READ access to FACILITY(FILEM.FUNCTION.TP).
To prevent a user from using the TP function, regardless of the user's access to FILEM.TAPE.INPUT, give the user NONE access to FACILITY(FILEM.FUNCTION.TP).
To give a user access to any tape input function, unless overridden by a FILEM.FUNCTION.fc entry, give the user ALTER, UPDATE, or READ access to FACILITY(FILEM.TAPE.INPUT).
To prevent a user from using any tape input function, unless overridden by a FILEM.FUNCTION.fc entry, give the user NONE access to FACILITY(FILEM.TAPE.INPUT).