Implementing a SAF interface to RACF (or equivalent) product—DELTA PLUS and DELTA PLUS VIRTUAL TERMINAL customization
The SAF interface allows you to use RACF or an equivalent product to secure all product features.
By defining a special security class and defining resources to this class, you can activate the SAF interface and specify the product features that are secured. You can then allow use of product features by giving users READ authority for the appropriate resources. In a RACF environment, any product feature whose resource name is not defined in the security class is not secured and can be used by anyone who initiates a product session. For product features that provide edit and browse capabilities, UPDATE authority is required for edit; browse capability is assumed for users who have edit capability.
To secure product features through the SAF interface
- Add a product class to the RACF or equivalent class descriptor table that is identified in macro ICHERCDE.
  - If you cannot use class DLP# because of class naming conventions at your site or because the class already exists, use the JCL in member DLP#SAF1 of the DLPCNTL library to change the class name that the product expects the security product to use. Otherwise, add class DLP# to the class descriptor table.
  - You must specify the following parameters for the class definition:
    - MAXLNTH=100
    - FIRST=ANY
    - OTHER=ANY
- Add the product class to the RACF or equivalent class router table that is identified in macro ICHRFRTB.
- Specify the product features that will be secured by defining the appropriate resources to the product class.
  The following table identifies the functions that you can secure. The table also provides each feature’s resource name. Within the table:
  - target = four-character IMSID or group name
  - cmd = three-character IMS command abbreviation
  - vname = one- to eight-character View Profile name
  - name = one- to eight-character member name

| Product function | SAF resource | Supports Read | Supports Update |
|---|---|---|---|
| Activate | ACTIVATE | Yes | No |
| Log/History File SYSGEN Date Change Utility | DLP.ADMIN.CHGDATE | Yes | No |
| Global Options | DLP.ADMIN.GLOBAL | Yes | Yes |
| IMSID Options | DLP.ADMIN.IMSID | Yes | Yes |
| Group Options | DLP.ADMIN.GROUP | Yes | Yes |
| User Profile | DLP.ADMIN.UPF | Yes | Yes |
| View Profile Edit | DLP.ADMIN.VIEWPROF.vname | Yes | Yes |
| View Profile Use | DLP.VIEWPROF.vname | Yes | No |
| Product Authorization | DLP.ADMIN.PRODAUTH | Yes | No |
| DELTA List Check/Execute | DLP.target.DELTALST.RUN | Yes (Check) | Yes (Execute) |
| DELTA List Browse/Edit | DLP.DELTALST.name | Yes (Browse) | Yes (Edit) |
| IMS Command Interface | DLP.target.COMMAND.cmd | Yes | No |
| Log Report | DLP.target.LOG.REPORT | Yes | No |
| Log Status | DLP.target.LOG.STATUS | Yes | No |
| Log Purge | DLP.target.LOG.PURGE | Yes | No |
| Log Recover | DLP.target.LOG.RECOVER | Yes | No |
| Log Format | DLP.target.LOG.FORMAT | Yes | No |
| History Report | DLP.target.HISTORY.REPORT | Yes | No |
| History Status | DLP.target.HISTORY.STATUS | Yes | No |
| History Purge | DLP.target.HISTORY.PURGE | Yes | No |
| History Recover | DLP.target.HISTORY.RECOVER | Yes | No |
| History Format | DLP.target.HISTORY.FORMAT | Yes | No |
| Storage Display/Zap | DLP.target.STORAGE | Yes (Display) | Yes (Zap) |
| Add IMS to Group Log | DLP.ADMIN.ADDIMS | Yes | No |
| Remove IMSID from Group Log/History File | DLP.ADMIN.REMOVIMS | Yes | No |
| Convert Log to Stage 1 | DLP.target.CONVERT.LOG.STAGE1 | Yes | No |
| Convert Log to DELTA List | DLP.target.CONVERT.LOG.DELTALST | Yes | No |
| Convert DELTA List to Stage 1 | DLP.CONVERT.DELTALST.STAGE1 | Yes | No |
| IMSID and Group Options Refresh | DLP.target.REFRESH.OPTIONS | Yes | No |
| CPU ID Refresh | DLP.target.REFRESH.SECURITY | Yes | No |
| Variable Definition Edit | DLP.ADMIN.VARDEF.name | Yes (Browse) | Yes (Edit) |
| Variable Definition Use | DLP.VARDEF.name | Yes | No |
| ALL REMAINING FUNCTIONS APPLY ONLY TO DELTA PLUS VIRTUAL TERMINAL | | | |
| Back Up TSS Data Set | DLP.TSS.BACKUP | Yes | No |
| Define TSS Table | DLP.TSS.DEFINE.name | Yes | No |
| TSS Table Browse/Edit | DLP.TSS.EDIT.name | Yes | Yes |
| TSS Table Test/Search-Modify | DLP.TSS.EDIT.name | Yes (Test) | Yes (Search-Modify) |
| Format TSS Data Set | DLP.TSS.FORMAT | Yes | No |
| Load TSS Table(s) | DLP.TSS.LOAD.name | Yes | No |
| Remove TSS Table(s) | DLP.TSS.REMOVE.name | Yes | No |
| Reorganize TSS Data Set | DLP.TSS.REORG | Yes | No |
| Status of TSS Data Set | DLP.TSS.STATUS | Yes | No |
| Unload TSS Table(s) | DLP.TSS.UNLOAD.name | Yes | No |
| Refresh TSS In-Storage Buffers | DLP.target.REFRESH.TSS | Yes | No |
| Display of VIRTUAL TERMINAL statistics | DLP.target.VTSTATS | Yes | No |

- Give users READ authority for the resources (product features) that they need to use. For features that provide browse and edit capabilities, specify READ authority for browse and UPDATE authority for edit. Browse capability will be assumed for users with edit capability.
- Define the ACTIVATE resource to the product class. When you define this resource, RACF or an equivalent security product restricts access to the product features that you specified, and user access profile checking is disabled.
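
Because a feature with no resource defined in the class can be used by anyone, it is worth checking which resource names from the table have no profile at your site. The following Python script is an added example, not part of the product or its documentation: it expands a subset of the table's resource names and lists those with no profile. The site values, the profile list and the function names are constructed; only discrete profile names are compared, and generic profiles are not modelled.

```python
# Resource-name templates copied from the table on this page (a subset).
TEMPLATES = [
    "DLP.ADMIN.GLOBAL", "DLP.ADMIN.IMSID", "DLP.ADMIN.GROUP", "DLP.ADMIN.UPF",
    "DLP.ADMIN.PRODAUTH", "DLP.ADMIN.VIEWPROF.vname", "DLP.DELTALST.name",
    "DLP.target.DELTALST.RUN", "DLP.target.COMMAND.cmd", "DLP.target.LOG.PURGE",
    "DLP.target.HISTORY.PURGE", "DLP.target.STORAGE",
]
# Placeholder lengths (min, max) as stated on the page.
PLACEHOLDERS = {"target": (4, 4), "cmd": (3, 3), "vname": (1, 8), "name": (1, 8)}


def expand(template, values):
    """Return every concrete resource name a template produces for this site."""
    names = [""]
    for qual in template.split("."):
        if qual in PLACEHOLDERS:
            lo, hi = PLACEHOLDERS[qual]
            options = values.get(qual, [])
            for v in options:
                if not (lo <= len(v) <= hi):
                    raise ValueError(f"{qual}={v!r} must be {lo}-{hi} characters")
        else:
            options = [qual]  # literal qualifier such as DLP or ADMIN
        names = [f"{n}.{o}" if n else o for n in names for o in options]
    return names


def audit(defined, values):
    """Return (activate_defined, unsecured): names with no profile stay open."""
    defined = {p.strip().upper() for p in defined}
    unsecured = sorted(r for t in TEMPLATES for r in expand(t, values)
                       if r not in defined)
    return "ACTIVATE" in defined, unsecured


# Constructed sample: one IMSID, two command abbreviations, one member name.
SITE = {"target": ["IMSA"], "cmd": ["STA", "STO"], "name": ["NIGHTLY"]}
# Constructed sample of discrete profiles defined in the product class.
DEFINED = ["ACTIVATE", "DLP.ADMIN.GLOBAL", "DLP.ADMIN.PRODAUTH",
           "DLP.IMSA.COMMAND.STO", "DLP.IMSA.LOG.PURGE", "DLP.IMSA.STORAGE"]

if __name__ == "__main__":
    active, gaps = audit(DEFINED, SITE)
    print("ACTIVATE resource defined:", active)
    for r in gaps:
        print("no profile, usable by anyone:", r)
```
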