Understanding SAF rule access levels
SAF provides for five levels of access to any FACILITY or XFACILIT resource. The levels of access form a hierarchy, so that a user with the highest level of access to a resource also has access to all the lower levels. The levels of access are specified in RACF® rules using the following mnemonics:
- NONE
- No access
- READ
- Level 1 access
- UPDATE
- Level 2 access
- CONTROL
- Level 3 access
- ALTER
- Level 4 access.
It is important to understand that the mnemonics used (READ, UPDATE and so on) can and do mean different things, depending on the context in which the SAF resource name is used. This can be confusing since READ and UPDATE have obvious meanings when it comes to, for example, accessing a data set. For SAF rules used to control FM/CICS audit, it may aid understanding to think of the mnemonics as indicating level 1 access and level 2 access.
For the SAF resource rules used by FM/CICS, the meanings of the various levels of access are:
- NONE
- The user does not have access to the resource; this typically means the user cannot write audit log records.
- READ
- The user has level 1 access to the resource; this typically means that the user can write audit log records.
- UPDATE
- The user has level 2 access to the resource. This level of access only has meaning for FACILITY rule 2 (see FM/CICS auditing FACILITY class resource names). A user with level 2 access can write audit log records to the user's audit log data set, and the audit log data set will be printed at the end of the user's session (online execution only). This is equivalent to the DEMAND audit option in the non-SAF case.
- CONTROL
- The user has level 3 access to the resource. This level of access is not used by FM/CICS.
- ALTER
- The user has level 4 access to the resource. This level of access is not used by FM/CICS.