Managing access authority for BMP jobs


You can set up system authorization facility (SAF) definitions to secure and permit access to resources.

For Application Accelerator to participate in the execution of IMS batch message processing (BMP) jobs, the submitting user ID of that job must have the authority to access various IMS data sets, including but not limited to these data sets:

  • IMS RECON data sets
  • All libraries in the IMS subsystem's STEPLIB concatenation
  • The IMS subsystem's MODSTAT or OLCSTAT data sets
  • The IMS subsystem's ACBLIBA, ACBLIBB, and ACBLIB libraries
  • IMS database data sets (only if Application Accelerator is optimizing the job step)

BMP jobs that execute without Application Accelerator run under the IMS control region, which already has the required authority to access these data sets. When Application Accelerator participates in the execution, by default SAF grants the access that is defined for the user ID that submitted the job. This user ID typically does not have access authority to the required data sets.

Instead of defining SAF rules that allow access to each data set for each user ID that will submit a BMP job, you can define a single SAF resource that allows Application Accelerator to access the required data sets. If you define this resource, Application Accelerator extracts the Installation Data value from the resource definition and uses that value only to access the required data sets. For all other access, the job uses the default authority of the user ID that submitted the job.

Application Accelerator handles access requests as follows:

Important

For the following patterns, *.*.* can be used for MVSID.IMSID.PSBNAME.

  1. During initialization, Application Accelerator attempts to retrieve the resource profile, based on the job step values for the operating system ID, the IMS ID, and the program specification block (PSB) name. Specifically, Application Accelerator searches for a facility that has the pattern BBM.SDBA.*.*.*.AAOR.
  2. If the BBM.SDBA.*.*.*.AAOR facility is found, Application Accelerator uses the value in the installation data field or the application data field. One of these fields must contain the user ID that Application Accelerator should use to access the required IMS resources.
  3. If the BBM.SDBA.*.*.*.AAOR facility is not found, Application Accelerator searches for a facility that has the pattern BBM.AAI.*.*.*.
  4. If the BBM.AAI.*.*.* facility is found, Application Accelerator uses the user ID that is specified for IMS to access IMS resources.
  5. If the BBM.AAI.*.*.* facility is not found, Application Accelerator is provided with the default access authority for the job step.

    If Application Accelerator cannot access a required data set because of insufficient authority, the product switches to IGNORE mode and issues a message.
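The lookup order in steps 1 through 5 can be modeled to review which job steps a generic profile would cover, and therefore which jobs reach the IMS data sets under a different user ID than the submitter's. The following Python sketch is an added example, not product code. The generic matching and most-specific selection are simplified assumptions, the function names are hypothetical, and the profiles and job steps are constructed sample data.

```python
import re

# Constructed sample of FACILITY profiles: name -> user ID held in the
# installation data (or application data) field. Not from a real system.
PROFILES = {
    "BBM.SDBA.*.MXOA.*.AAOR": "STCUSER",
    "BBM.AAI.SYSB.MXOB.*": "",
}

def matches(profile, resource):
    """Assumed simplified generic match: '*' covers the rest of one
    qualifier, '%' covers exactly one character."""
    p_quals, r_quals = profile.split("."), resource.split(".")
    if len(p_quals) != len(r_quals):
        return False
    for p, r in zip(p_quals, r_quals):
        rx = "".join("[^.]*" if c == "*" else "[^.]" if c == "%"
                     else re.escape(c) for c in p)
        if not re.fullmatch(rx, r):
            return False
    return True

def best_profile(resource, profiles):
    """Pick the matching profile with the fewest generic characters
    (assumed stand-in for the security product's most-specific rule)."""
    hits = [p for p in profiles if matches(p, resource)]
    return min(hits, key=lambda p: (p.count("*") + p.count("%"), p),
               default=None)

def resolve_identity(mvsid, imsid, psb, submitter, ims_user,
                     profiles=PROFILES):
    """Return (rule, user ID) that governs access to the IMS data sets."""
    key = f"{mvsid}.{imsid}.{psb}"
    aaor = best_profile(f"BBM.SDBA.{key}.AAOR", profiles)
    if aaor:   # steps 1-2: user ID comes from the profile's data field
        return (aaor, profiles[aaor].strip() or None)  # None: field empty
    aai = best_profile(f"BBM.AAI.{key}", profiles)
    if aai:    # steps 3-4: the user ID specified for IMS is used
        return (aai, ims_user)
    return ("DEFAULT", submitter)  # step 5: submitter's own authority

if __name__ == "__main__":
    # Constructed job steps: (MVSID, IMSID, PSB name, submitting user ID)
    for step in [("SYSA", "MXOA", "PAYROLL", "DEV01"),
                 ("SYSB", "MXOB", "REPORTS", "DEV02"),
                 ("SYSC", "MXOC", "ADHOC", "DEV03")]:
        print(step, "->", resolve_identity(*step, ims_user="STCUSER"))
```

Running it over an export of real profile names and scheduled job steps shows how far a profile such as BBM.SDBA.*.MXOA.*.AAOR reaches: every PSB on every system with that IMS ID resolves to the user ID in the profile rather than to the submitter.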

For more information about using SAF definitions with Application Accelerator, see the Database Products for IMS Customization Guide.

To define a SAF resource rule for Application Accelerator

  1. Identify a user ID that has access to the required libraries and other data sets in the online IMS subsystem. You can use the information in message IEF695I to identify a user ID, as shown in the following example:

    IEF695I START MXOAIMS WITH JOBNAME MXOAIMS IS ASSIGNED TO USER STCUSER , GROUP STCGROUP
  2. Define a resource rule as follows:
    • Specify CLASS = FACILITY.
    • Specify PROFILE = BBM.SDBA.mvsid.imsid.psbname.AAOR.

      You can specify the operating system ID, IMS ID, and PSB name as generic values by using wildcard characters (* and %).

    • In the installation data field, specify the previously identified user ID.
  3. Define the SAF profile as shown in the following example:

    SETROPTS CLASSACT(FACILITY)
    SETROPTS RACLIST(FACILITY) REFRESH
    RLIST FACILITY BBM.SDBA.*.MXOA.*.AAOR

    You can specify the operating system ID, IMS ID, and PSB name values as specific or generic values.

 
