3.14 Access control lists (ACLs)

Access control lists have existed on various UNIX platforms for many years, but with variations in the interfaces. ACLs are introduced in z/OS V1R3 to provide a greater granularity for access to z/OS UNIX files and directories by RACF user IDs and groups. ACLs are created, modified, and deleted by using either the setfacl shell command or the ISHELL interface.

3.14.1 ACL entries

In the POSIX standard, two different ACLs are referenced as follows:

Base ACL entries
These entries are the same as permission bits (owner, group, other) that have always existed with z/OS UNIX files and directories. You can change the permissions using the chmod or the new setfacl command. They are not physically part of the ACL although you can use the setfacl command to change them and the getfacl command to display them.

Extended ACL entries
These entries are for individual users or groups and, like the permission bits, they are stored with the file, not in RACF profiles. Each ACL type (access, file default, directory default) can contain up to 1024 extended ACL entries. Each extended ACL entry specifies a qualifier to indicate whether the entry pertains to a user or a group; the actual UID or GID itself; and the permissions being granted or denied by this entry. The allowable permissions are read, write, and execute. As with other UNIX commands, the setfacl command allows the use of either names or numbers when referring to users and groups.
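
The following Python sketch is an added example, not code from the book: it audits an ACL listing using the entry layout described above (qualifier, UID or GID, rwx permissions, at most 1024 extended entries per ACL type). The `default:` and `fdefault:` prefixes and the `#` comment lines are an assumed getfacl-style text layout, and the sample listing is constructed.

```python
import re
from collections import Counter

MAX_EXTENDED = 1024  # per ACL type, the limit stated in the text

# Assumed entry layout: [default:|fdefault:]user|group|other:<id>:<perms>
ENTRY = re.compile(
    r"^(?:(default|fdefault):)?(user|group|other):([^:]*):([r-][w-][x-])$")
ACL_TYPES = {None: "access", "default": "directory default",
             "fdefault": "file default"}

def parse_acl(text):
    """Return one dict per ACL entry; comment and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m or (m.group(2) == "other" and m.group(3)):
            raise ValueError(f"unrecognised ACL entry: {line!r}")
        prefix, kind, ident, perms = m.groups()
        entries.append({"acl_type": ACL_TYPES[prefix], "kind": kind,
                        "id": ident, "perms": perms,
                        # An empty qualifier is a base (permission-bit) entry.
                        "extended": bool(ident)})
    return entries

def audit(text):
    """Count extended entries per ACL type and list the findings."""
    extended = [e for e in parse_acl(text) if e["extended"]]
    counts = Counter(e["acl_type"] for e in extended)
    findings = [f"{t} ACL has {n} extended entries (limit {MAX_EXTENDED})"
                for t, n in counts.items() if n > MAX_EXTENDED]
    findings += [f"{e['acl_type']}: {e['kind']} {e['id']} granted write"
                 for e in extended if "w" in e["perms"]]
    return dict(counts), findings

# Constructed sample listing (names, IDs and path are made up).
SAMPLE = """\
#file: /u/example/project
user::rwx
group::r-x
other::---
user:ALICE:rw-
group:1047:r-x
fdefault:group:AUDIT:r--
default:user:BOB:rwx
"""

if __name__ == "__main__":
    counts, findings = audit(SAMPLE)
    print(counts)
    print("\n".join(findings))
```

Base entries (empty qualifier) are parsed but excluded from the counts, since only extended entries are subject to the 1024 limit.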