Controlling access to Z Data Tools functions with SAF

SAF controls access to Z Data Tools functions as follows:
  • If access to the profile FACILITY(FILEM.FUNCTION.fc) in the FACILITY class is defined (where fc is the function code), this controls access to the function.
  • If access to the profile FACILITY(FILEM.FUNCTION.fc) in the FACILITY class is not defined, the profile name shown in Z Data Tools function to profile name cross-reference (in the form FILEM.group.name) is used.
  • If no profile name as shown in Z Data Tools function to profile name cross-reference is defined, then FILEM.OTHER.ALL is used. If this does not permit access then access is denied.

Some Z Data Tools functions are protected, by default, by the FILEM.OTHER.ALL profile. These functions are listed in Z Data Tools functions protected by FILEM.OTHER.ALL.

ALTER, UPDATE or READ access means that the user can use the function. Access NONE means that the user cannot use the function.

This is illustrated in Figure 1, Access to Z Data Tools functions.

Figure 1. Access to Z Data Tools functions
  ┌──────────────────────────┐
  │Z Data Tools function (fc)│
  └───────────┬──────────────┘
              ↓
  ┌────────────────────────────────────────────┐
  │FACILITY(FILEM.FUNCTION.fc) access          │
  ├──────┬────────┬──────┬───────┬─────────────┤
  │ALTER │ UPDATE │ READ │ NONE  │ not defined │
  └──┬───┴───┬────┴─┬────┴────┬──┴──────┬──────┘
     ├───────┴──────┘┌────────┘         │
     ↓               ↓                  ↓
  ┌────────┐  ┌────────┐   ┌──────────────────────────────────┐
  │Accepted│  │Rejected│   │FACILITY(FILEM.group.name) access │
  └────────┘  └────────┘   ├──────┬────────┬──────┬───────────┤
                           │ALTER │ UPDATE │ READ │ NONE      │
                           └──┬───┴───┬────┴───┬──┴───┬───────┘
                              └──────┬┴────────┘      │
                                     ↓                ↓
                                ┌────────┐         ┌────────┐
                                │Accepted│         │Rejected│
                                └────────┘         └────────┘
For example, the TP function is part of the FILEM.TAPE.INPUT group. You can control access to the TP function in any of the following ways:
  • To give a user access to the TP function, regardless of the user's access to FILEM.TAPE.INPUT, give the user ALTER, UPDATE, or READ access to FACILITY(FILEM.FUNCTION.TP).
  • To prevent a user from using the TP function, regardless of the user's access to FILEM.TAPE.INPUT, give the user NONE access to FACILITY(FILEM.FUNCTION.TP).
  • To give a user access to any tape input function, unless overridden by a FILEM.FUNCTION.fc entry, give the user ALTER, UPDATE, or READ access to FACILITY(FILEM.TAPE.INPUT).
  • To prevent a user from using any tape input function, unless overridden by a FILEM.FUNCTION.fc entry, give the user NONE access to FACILITY(FILEM.TAPE.INPUT).
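
The lookup order described above can be modelled to check which profile decides a request and where a FILEM.FUNCTION.fc entry overrides the group profile. This is an added example, not code from Z Data Tools or the product documentation. The user names, the access lists, and the function code ZZ used in the test are constructed; only the TP to FILEM.TAPE.INPUT mapping comes from this page. It assumes that a user with no entry in a defined profile gets NONE access.

```python
# Added illustration: models the profile lookup order described on this page.
GRANTING = {"ALTER", "UPDATE", "READ"}  # any of these lets the user run the function

# Function-to-group cross-reference; only TP -> FILEM.TAPE.INPUT is from the page.
XREF = {"TP": "FILEM.TAPE.INPUT"}

# Constructed sample data: FACILITY profile name -> {user: access level}.
# Assumption: a user missing from a defined profile has NONE access.
PROFILES = {
    "FILEM.FUNCTION.TP": {"ALICE": "READ", "BOB": "NONE"},
    "FILEM.TAPE.INPUT": {"ALICE": "NONE", "BOB": "UPDATE", "CAROL": "READ"},
    "FILEM.OTHER.ALL": {"CAROL": "READ"},
}


def effective_access(user, fc, profiles=PROFILES, xref=XREF):
    """Return (allowed, deciding_profile) for a user and function code fc.

    The first defined profile in the order FILEM.FUNCTION.fc, then the
    cross-reference group profile, then FILEM.OTHER.ALL decides the request.
    If none of them is defined, access is denied.
    """
    candidates = [f"FILEM.FUNCTION.{fc}"]
    if fc in xref:
        candidates.append(xref[fc])
    candidates.append("FILEM.OTHER.ALL")
    for name in candidates:
        if name in profiles:
            level = profiles[name].get(user, "NONE")
            return level in GRANTING, name
    return False, None


def overrides(fc, profiles=PROFILES, xref=XREF):
    """List users whose FILEM.FUNCTION.fc result differs from the group result."""
    fn, grp = f"FILEM.FUNCTION.{fc}", xref.get(fc)
    if fn not in profiles or grp not in profiles:
        return {}  # nothing to override unless both profiles are defined
    found = {}
    for user in sorted(set(profiles[fn]) | set(profiles[grp])):
        by_fn = profiles[fn].get(user, "NONE") in GRANTING
        by_grp = profiles[grp].get(user, "NONE") in GRANTING
        if by_fn != by_grp:
            found[user] = "granted by override" if by_fn else "denied by override"
    return found


if __name__ == "__main__":
    for u in ("ALICE", "BOB", "CAROL"):
        print(u, effective_access(u, "TP"))
    print(overrides("TP"))
```

Under the stated assumption, CAROL shows the case to watch for in review: once FILEM.FUNCTION.TP is defined, it decides for every user, so a user who relied on FILEM.TAPE.INPUT loses TP unless also permitted to the function profile.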