Understanding SAF rule access levels

SAF provides for five levels of access to any FACILITY or XFACILIT resource. The levels of access form a hierarchy, so that a user with the highest level of access to a resource also has access to all the lower levels. The levels of access are specified in RACF® rules using the following mnemonics:

NONE
No access
READ
Level 1 access
UPDATE
Level 2 access
CONTROL
Level 3 access
ALTER
Level 4 access.

It is important to understand that the mnemonics used (READ, UPDATE and so on) can and do mean different things, depending on the context in which the SAF resource name is used. This can be confusing since READ and UPDATE have obvious meanings when it comes to, for example, accessing a data set. For SAF rules used to control Z Data Tools audit, it may aid understanding to think of the mnemonics as indicating level 1 access and level 2 access.

For the SAF resource rules used by Z Data Tools, the meanings of the various levels of access are:

NONE
The user does not have access to the resource; this typically means the user cannot write audit log records.
READ
The user has level 1 access to the resource; this typically means that the user can write audit log records.
UPDATE
The user has level 2 access to the resource. This level of access only has meaning for FACILITY rule 2 (see Table 1). A user with level 2 access can write audit log records to the user's audit log data set, and the audit log data set will be printed at the end of the user's session (online execution only). This is equivalent to the DEMAND audit option in the non-SAF case.
CONTROL
The user has level 3 access to the resource. This level of access is not used by Z Data Tools.
ALTER
The user has level 4 access to the resource. This level of access is not used by Z Data Tools.