ADSP - Automatic Data Set Protection
Automatic Data Set Protection (ADSP) is a security feature within IBM's Resource Access Control Facility (RACF) for z/OS that automatically protects newly created non-VSAM data sets. When ADSP is active, RACF automatically defines a discrete or generic profile for any new data set, thereby preventing unauthorized access from the moment of its creation. Its primary purpose is to ensure a baseline level of security for all new data sets without requiring manual intervention from a security administrator or user.
Key Characteristics
- Automatic Profile Creation: ADSP ensures that a RACF profile is created for a new data set at the time of its allocation, either by creating a new discrete profile or associating it with an existing generic profile.
- Non-VSAM Focus: It primarily applies to non-VSAM data sets, including sequential (PS), partitioned (PO/PDS), and partitioned extended (PDSE) data sets.
- RACF Integration: ADSP is a core function of RACF (or an equivalent External Security Manager like CA ACF2 or CA Top Secret) and requires the ESM to be active and properly configured.
- System-wide or User-specific: ADSP can be enabled globally for the entire z/OS system or selectively for specific users or groups via their RACF user profiles.
- Default Access Control: It typically assigns a default access level (e.g., UACC(NONE) or UACC(READ)) to the newly protected data set, preventing unauthorized access by default.
- Naming Convention Support: ADSP often works in conjunction with RACF's generic profile capabilities, allowing administrators to define broad security policies based on data set naming conventions.
Use Cases
- Ensuring Baseline Security: Automatically protecting all newly created production data sets to prevent accidental or malicious access before specific security profiles can be manually defined.
- Simplifying Development Environments: Providing immediate, albeit basic, protection for data sets created by developers during testing, reducing the administrative overhead of securing every temporary data set.
- Preventing Orphaned Data Sets: Ensuring that no data sets exist on the system without any security control, which could otherwise become security vulnerabilities.
- Compliance Requirements: Helping organizations meet compliance mandates that require all sensitive data to be protected from unauthorized access from its inception.
Related Concepts
ADSP is fundamentally tied to RACF (Resource Access Control Facility), as it is a feature configured and managed within RACF. It relies heavily on RACF Data Set Profiles, particularly Generic Profiles, which define security rules for groups of data sets based on naming patterns. ADSP contributes directly to the overall z/OS Security posture by automating a critical aspect of data set protection. It interacts with JCL (Job Control Language) and COBOL programs whenever they allocate new data sets, as ADSP intercepts these allocation requests to apply security.
Best Practices
- Enable System-Wide ADSP: For robust security, enable ADSP globally (SETROPTS ADSP) to ensure all new non-VSAM data sets are protected by default.
- Define Comprehensive Generic Profiles: Establish a well-structured set of RACF generic data set profiles that align with your naming conventions. This allows ADSP to automatically associate new data sets with appropriate, pre-defined security policies.
- Set UACC(NONE) for Default: Configure your generic profiles or ADSP settings to assign UACC(NONE) (universal access authority of NONE) to newly created data sets, ensuring that only explicitly authorized users can access them.
- Regularly Review ADSP Settings: Periodically audit your ADSP settings and the effectiveness of your generic profiles to ensure they meet current security requirements and cover all necessary data set types.
- Educate Users: Inform developers and users about ADSP's behavior, especially regarding how new data sets they create will be protected and how to request specific access for others.
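A coverage check supporting the generic-profile and review practices above (and the "orphaned data set" use case), written here as an added example rather than IBM or RACF tooling: it implements RACF enhanced generic naming (EGN) matching for %, * and ** and reports which data set names no generic profile covers (those ADSP would give a discrete profile at allocation, or that NOADSP would leave unprotected) and which are covered by a profile whose UACC is not NONE. The profile names, UACC values and data set names are constructed samples, and EGN being active is an assumption.

```python
"""Check which RACF generic data set profiles cover given data set names.
Rules assumed are RACF enhanced generic naming (EGN): % = one character,
* inside a qualifier = zero or more characters, * as a whole qualifier =
exactly one qualifier, ** = zero or more qualifiers. Sample data is constructed."""
import re


def _qualifier_matches(pattern: str, qualifier: str) -> bool:
    """Match one profile qualifier (with % and *) against one name qualifier."""
    regex = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, qualifier) is not None


def profile_covers(profile: str, dsname: str) -> bool:
    """True if the generic profile would protect dsname under EGN rules."""
    pq, dq = profile.upper().split("."), dsname.upper().split(".")

    def walk(i: int, j: int) -> bool:
        if i == len(pq):
            return j == len(dq)  # profile exhausted: the name must be too
        if pq[i] == "**":  # zero or more whole qualifiers
            return any(walk(i + 1, k) for k in range(j, len(dq) + 1))
        if j == len(dq):
            return False  # name exhausted but profile still has qualifiers
        if pq[i] == "*":  # exactly one qualifier
            return walk(i + 1, j + 1)
        return _qualifier_matches(pq[i], dq[j]) and walk(i + 1, j + 1)

    return walk(0, 0)


def audit_coverage(profiles: dict, datasets: list) -> dict:
    """Map each data set name to the (profile, UACC) pairs that cover it."""
    return {ds: [(p, u) for p, u in profiles.items() if profile_covers(p, ds)] for ds in datasets}


def uncovered(profiles: dict, datasets: list) -> list:
    """Data sets no generic profile matches: with ADSP active each gets a discrete
    profile at allocation; with NOADSP they would carry no RACF protection."""
    return [ds for ds, hits in audit_coverage(profiles, datasets).items() if not hits]


def weak_uacc(profiles: dict, datasets: list) -> list:
    """(data set, profile, UACC) triples where a covering profile is not UACC(NONE)."""
    return [(ds, p, u) for ds, hits in audit_coverage(profiles, datasets).items()
            for p, u in hits if u != "NONE"]


# Constructed sample input: generic profiles with their UACC, and newly allocated data sets.
SAMPLE_PROFILES = {"PROD.PAYROLL.**": "NONE", "DEV.*.TEMP*": "READ", "DEV.**": "NONE"}
SAMPLE_DATASETS = ["PROD.PAYROLL.MASTER", "PROD.PAYROLL", "DEV.USER1.TEMP01", "HR.SALARY.Y2024"]
```

Running `uncovered(SAMPLE_PROFILES, SAMPLE_DATASETS)` flags HR.SALARY.Y2024 as the one name no generic profile covers, and `weak_uacc` flags DEV.USER1.TEMP01 because DEV.*.TEMP* grants UACC(READ).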