Implementing a SAF interface to RACF (or equivalent) product

By defining a special security class and defining resources to this class, you can activate the SAF interface and specify the product features that are secured. You can then allow use of product features by giving users READ authority for the appropriate resources. In a RACF environment, any product features that are not defined in the security class through the appropriate resource name are not secured and can be used by anyone who initiates a product session. For product features that provide edit and browse capabilities, UPDATE authority is required to access edit, for which browse capability will be assumed.

To secure product features through the SAF interface

1. Add a product class to the RACF or equivalent class descriptor table that is identified in macro ICHERCDE.
   1. If you cannot use class DLP# because of class naming conventions at your site or because the class already exists, use the JCL in member DLP#SAF1 of the DLPCNTL library to change the class name that the product expects the security product to use. Otherwise, add class DLP# to the class descriptor table.

   2. You must specify the following parameters for the class definition:

      MAXLNTH=100
      FIRST=ANY
      OTHER=ANY

2. Add the product class to the RACF or equivalent class router table that is identified in macro ICHRFRTB.

3. Specify the product features that will be secured by defining the appropriate resources to the product class.

   Warning

   Under RACF, anyone who invokes a product session can use product features that you do not secure.

   The following table identifies the functions that you can secure. The table also provides each feature’s resource name. Within the table:

   • target = four-character IMSID or group name

   • cmd = three-character IMS command abbreviation

   • vname = one- to eight-character View Profile name

   • name = one- to eight-character member name

   SAF resources for DELTA PLUS and DELTA PLUS VIRTUAL TERMINAL functions

   Product function	SAF resource	Supports
   		Read	Update
   Activate	ACTIVATE	Yes	No
   Log/History File SYSGEN Date Change Utility	DLP.ADMIN.CHGDATE	Yes	No
   Global Options	DLP.ADMIN.GLOBAL	Yes	Yes
   IMSID Options	DLP.ADMIN.IMSID	Yes	Yes
   Group Options	DLP.ADMIN.GROUP	Yes	Yes
   User Profile	DLP.ADMIN.UPF	Yes	Yes
   View Profile Edit	DLP.ADMIN.VIEWPROF.vname	Yes	Yes
   View Profile Use	DLP.VIEWPROF.vname	Yes	No
   Product Authorization	DLP.ADMIN.PRODAUTH	Yes	No
   DELTA List Check/Execute	DLP.target.DELTALST.RUN	Yes (Check)	Yes (Execute)
   DELTA List Browse/Edit	DLP.DELTALST.name	Yes (Browse)	Yes (Edit)
   IMS Command Interface	DLP.target.COMMAND.cmd	Yes	No
   Log Report	DLP.target.LOG.REPORT	Yes	No
   Log Status	DLP.target.LOG.STATUS	Yes	No
   Log Purge	DLP.target.LOG.PURGE	Yes	No
   Log Recover	DLP.target.LOG.RECOVER	Yes	No
   Log Format	DLP.target.LOG.FORMAT	Yes	No
   History Report	DLP.target.HISTORY.REPORT	Yes	No
   History Status	DLP.target.HISTORY.STATUS	Yes	No
   History Purge	DLP.target.HISTORY.PURGE	Yes	No
   History Recover	DLP.target.HISTORY.RECOVER	Yes	No
   History Format	DLP.target.HISTORY.FORMAT	Yes	No
   Storage Display/Zap	DLP.target.STORAGE	Yes (Display)	Yes (Zap)
   Add IMS to Group Log	DLP.ADMIN.ADDIMS	Yes	No
   Remove IMSID from Group Log/History File	DLP.ADMIN.REMOVIMS	Yes	No
   Convert Log to Stage 1	DLP.target.CONVERT.LOG.STAGE1	Yes	No
   Convert Log to DELTA List	DLP.target.CONVERT.LOG.DELTALST	Yes	No
   Convert DELTA List to Stage 1	DLP.CONVERT.DELTALST.STAGE1	Yes	No
   IMSID and Group Options Refresh	DLP.target.REFRESH.OPTIONS	Yes	No
   CPU ID Refresh	DLP.target.REFRESH.SECURITY	Yes	No
   Variable Definition Edit	DLP.ADMIN.VARDEF.name	Yes (Browse)	Yes (Edit)
   Variable Definition Use	DLP.VARDEF.name	Yes	No
   ALL REMAINING FUNCTIONS APPLY ONLY TO DELTA PLUS VIRTUAL TERMINAL
   Back Up TSS Data Set	DLP.TSS.BACKUP	Yes	No
   Define TSS Table	DLP.TSS.DEFINE.name	Yes	No
   TSS Table Browse/Edit	DLP.TSS.EDIT.name	Yes	Yes
   TSS Table Test/Search-Modify	DLP.TSS.EDIT.name	Yes (Test)	Yes (Search-Modify)
   Format TSS Data Set	DLP.TSS.FORMAT	Yes	No
   Load TSS Table(s)	DLP.TSS.LOAD.name	Yes	No
   Remove TSS Table(s)	DLP.TSS.REMOVE.name	Yes	No
   Reorganize TSS Data Set	DLP.TSS.REORG	Yes	No
   Status of TSS Data Set	DLP.TSS.STATUS	Yes	No
   Unload TSS Table(s)	DLP.TSS.UNLOAD.name	Yes	No
   Refresh TSS In-Storage Buffers	DLP.target.REFRESH.TSS	Yes	No
   Display of VIRTUAL TERMINAL statistics	DLP.target.VTSTATS	Yes	No

4. Give users read authority for the resources (product features) that they need to use. For features that provide browse and edit capabilities, specify READ authority for browse and UPDATE authority for edit. Browse capability will be assumed for users with edit capability.
5. Define the ACTIVATE resource to the product class. When you define this resource, RACF or an equivalent security product restricts access to the product features that you specified, and user access profile checking is disabled.