Implementing a SAF interface to RACF (or equivalent) product

The SAF interface allows you to use RACF or an equivalent product to secure all product features.

By defining a special security class and defining resources to this class, you can activate the SAF interface and specify the product features that are secured. You can then allow use of product features by giving users READ authority for the appropriate resources. In a RACF environment, any product features that are not defined in the security class through the appropriate resource name are not secured and can be used by anyone who initiates a product session. For product features that provide edit and browse capabilities, UPDATE authority is required to access edit, for which browse capability will be assumed.

Note

This approach to internal security is an alternative to the use of user access profiles (skip this task if you secure the product through user profiles).

To secure product features through the SAF interface

  1. Add a product class to the RACF or equivalent class descriptor table that is identified in macro ICHERCDE.
    1. If you cannot use class DLP# because of class naming conventions at your site or because the class already exists, use the JCL in member DLP#SAF1 of the DLPCNTL library to change the class name that the product expects the security product to use. Otherwise, add class DLP# to the class descriptor table.
    2. You must specify the following parameters for the class definition:

      MAXLNTH=100
      FIRST=ANY
      OTHER=ANY
  2. Add the product class to the RACF or equivalent class router table that is identified in macro ICHRFRTB.
  3. Specify the product features that will be secured by defining the appropriate resources to the product class.

    Warning

    Under RACF, anyone who invokes a product session can use product features that you do not secure.

    The following table identifies the functions that you can secure. The table also provides each feature’s resource name. Within the table:

    • target = four-character IMSID or group name

    • cmd = three-character IMS command abbreviation

    • vname = one- to eight-character View Profile name

    • name = one- to eight-character member name

    SAF resources for DELTA PLUS and DELTA PLUS VIRTUAL TERMINAL functions

    Product function

    SAF resource

    Supports

    Read

    Update

    Activate

    ACTIVATE

    Yes

    No

    Log/History File SYSGEN Date Change Utility

    DLP.ADMIN.CHGDATE

    Yes

    No

    Global Options

    DLP.ADMIN.GLOBAL

    Yes

    Yes

    IMSID Options

    DLP.ADMIN.IMSID

    Yes

    Yes

    Group Options

    DLP.ADMIN.GROUP

    Yes

    Yes

    User Profile

    DLP.ADMIN.UPF

    Yes

    Yes

    View Profile Edit

    DLP.ADMIN.VIEWPROF.vname

    Yes

    Yes

    View Profile Use

    DLP.VIEWPROF.vname

    Yes

    No

    Product Authorization

    DLP.ADMIN.PRODAUTH

    Yes

    No

    DELTA List Check/Execute

    DLP.target.DELTALST.RUN

    Yes (Check)

    Yes (Execute)

    DELTA List Browse/Edit

    DLP.DELTALST.name

    Yes (Browse)

    Yes (Edit)

    IMS Command Interface

    DLP.target.COMMAND.cmd

    Yes

    No

    Log Report

    DLP.target.LOG.REPORT

    Yes

    No

    Log Status

    DLP.target.LOG.STATUS

    Yes

    No

    Log Purge

    DLP.target.LOG.PURGE

    Yes

    No

    Log Recover

    DLP.target.LOG.RECOVER

    Yes

    No

    Log Format

    DLP.target.LOG.FORMAT

    Yes

    No

    History Report

    DLP.target.HISTORY.REPORT

    Yes

    No

    History Status

    DLP.target.HISTORY.STATUS

    Yes

    No

    History Purge

    DLP.target.HISTORY.PURGE

    Yes

    No

    History Recover

    DLP.target.HISTORY.RECOVER

    Yes

    No

    History Format

    DLP.target.HISTORY.FORMAT

    Yes

    No

    Storage Display/Zap

    DLP.target.STORAGE

    Yes (Display)

    Yes (Zap)

    Add IMS to Group Log

    DLP.ADMIN.ADDIMS

    Yes

    No

    Remove IMSID from Group Log/History File

    DLP.ADMIN.REMOVIMS

    Yes

    No

    Convert Log to Stage 1

    DLP.target.CONVERT.LOG.STAGE1

    Yes

    No

    Convert Log to DELTA List

    DLP.target.CONVERT.LOG.DELTALST

    Yes

    No

    Convert DELTA List to Stage 1

    DLP.CONVERT.DELTALST.STAGE1

    Yes

    No

    IMSID and Group Options Refresh

    DLP.target.REFRESH.OPTIONS

    Yes

    No

    CPU ID Refresh

    DLP.target.REFRESH.SECURITY

    Yes

    No

    Variable Definition Edit

    DLP.ADMIN.VARDEF.name

    Yes (Browse)

    Yes (Edit)

    Variable Definition Use

    DLP.VARDEF.name

    Yes

    No

    ALL REMAINING FUNCTIONS APPLY ONLY TO DELTA PLUS VIRTUAL TERMINAL

    Back Up TSS Data Set

    DLP.TSS.BACKUP

    Yes

    No

    Define TSS Table

    DLP.TSS.DEFINE.name

    Yes

    No

    TSS Table Browse/Edit

    DLP.TSS.EDIT.name

    Yes

    Yes

    TSS Table Test/Search-Modify

    DLP.TSS.EDIT.name

    Yes (Test)

    Yes (Search-Modify)

    Format TSS Data Set

    DLP.TSS.FORMAT

    Yes

    No

    Load TSS Table(s)

    DLP.TSS.LOAD.name

    Yes

    No

    Remove TSS Table(s)

    DLP.TSS.REMOVE.name

    Yes

    No

    Reorganize TSS Data Set

    DLP.TSS.REORG

    Yes

    No

    Status of TSS Data Set

    DLP.TSS.STATUS

    Yes

    No

    Unload TSS Table(s)

    DLP.TSS.UNLOAD.name

    Yes

    No

    Refresh TSS In-Storage Buffers

    DLP.target.REFRESH.TSS

    Yes

    No

    Display of VIRTUAL TERMINAL statistics

    DLP.target.VTSTATS

    Yes

    No

  4. Give users read authority for the resources (product features) that they need to use. For features that provide browse and edit capabilities, specify READ authority for browse and UPDATE authority for edit. Browse capability will be assumed for users with edit capability.
  5. Define the ACTIVATE resource to the product class. When you define this resource, RACF or an equivalent security product restricts access to the product features that you specified, and user access profile checking is disabled.

Was this page helpful? Yes No Submitting... Thank you

Comments