Hi Floyd,
RACF does not support temporary permissions in a way that you can define an end-date on a permit. However, RACF does support the definition of an end-date on a connection between a user ID and a group. Thus, you can permit the access to the involved data set to a group and next connect your target user ID to that group with a future revoke date. This construction means that the user ID can no longer access the data set after the connection revoke date is reached.
However, when you can also use zSecure in addition to native RACF commands, zSecure supports the use of CKGRACF commands that do support temporary permissions. When you set up the appropriate CKGRACF profiles in the (by default) XFACILIT class, authorized CKGRACF administrators can use start- and end-dates on resource permissions. In addition, you must schedule a CKGRACF refresh job to run at least once per day (or more frequently if needed) to process the timed CKGRACF commands when start- and/or end-dates are reached.
You can find more information about CKGRACF command language in the zSecure Admin and Audit User Reference Manual:
https://www.ibm.com/docs/en/szs/3.1.0?topic=manual-ckgracf-command-language
I hope this helps.
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
------------------------------
Original Message:
Sent: Wed April 17, 2024 05:22 PM
From: Floyd Womble
Subject: Revoke Date on Datasets
I am wanting to know if there's such a capability within RACF or zSecure and/or CARLa where you can REVOKE access on a dataset on a certain date, like in ACF2 UNTIL (00/00/00)?
------------------------------
Floyd Womble
Senior Identity and Access Management Engineer | Enterprise Information Protection (EIP) | Access Management - Mainframe
Humana
T 951.813.1822
fwomble@humana.com
------------------------------
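The native RACF approach from the reply above (permit a group, then connect the user to that group with a revoke date), written out as TSO commands. This is an added example, not part of the original thread. The group TMPPAY, owner SECADM, superior group SYS1, user ID USER01, profile 'PROD.PAYROLL.**' and the date are constructed placeholders.

```tso
ADDGROUP TMPPAY OWNER(SECADM) SUPGROUP(SYS1)            /* group that exists only to carry the time-limited access */
PERMIT 'PROD.PAYROLL.**' ID(TMPPAY) ACCESS(READ) GENERIC /* permit the group, never the user ID itself */
SETROPTS GENERIC(DATASET) REFRESH                       /* refresh in-storage generic data set profiles */
CONNECT USER01 GROUP(TMPPAY) REVOKE(06/30/24)           /* connection revoke date in mm/dd/yy form */
LISTGRP TMPPAY                                          /* check the REVOKE DATE shown for USER01's connection */
LISTDSD DATASET('PROD.PAYROLL.**') GENERIC AUTHUSER     /* check the access list holds TMPPAY and no direct entry for USER01 */
```

The revoke date only ends access that comes through this group connection. A direct permit for the user ID, another group connection, or the profile's UACC would still grant access after that date.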