Authorizing restricted ABACKUP command authority

When users are added to the STGADMIN.ARC.ABACKUP.agname profile, they receive RESTRICTED command authority. If users with this RESTRICTED authority issue the ABACKUP command, they must have a minimum of READ access to all RACF-protected data sets in the aggregate group. If they do not have READ or READ/WRITE access to a RACF-protected data set, the ABACKUP command fails for that data set during verification processing. Each data set that fails authorization checking is listed in the aggregate backup activity log.

If a data set is not RACF® protected, it does not fail during verification processing because no RACF authorization checking is performed on it.

You can issue the following RACF command to define profiles that prevent or limit the authority of users to issue the ABACKUP command with a specific aggregate group name: 
RDEFINE FACILITY STGADMIN.ARC.ABACKUP.PAY1
The following RACF command authorizes all console operators to issue the ABACKUP command with a specified aggregate group name: 
PERMIT STGADMIN.ARC.ABACKUP.PAY1 CLASS(FACILITY) -
   ID(OPER) ACCESS(READ)

Related reading

Parent topic: Preparing for aggregate backup