DBC security parameters

The DBCSECUR DD statement, which is specified in the startup JCL for the DBC subsystem, identifies the security parameters data set for the DBC subsystem. The security parameters are optional. Each security parameter has a default value that applies if you do not specify the DBCSECUR DD statement, or if you omit a particular security option from the parameters file. Thus, you are not required to specify these parameters to use the DBC security features.

You can choose to administer and secure the security parameters separately from the main DBC startup parameters by implementing RACF data set name security. For more information about the started task, see Started task for the DBC subsystem.

Structure of the XML stream

The following figure shows a sample security parameters file:

<DBCSECUR>
  <RESOURCE_NAME>
    <HLQ>BMC</HLQ>
    <CONTEXTS>
      <CONTEXT>
        <SMFID>MVSA</SMFID>
        <TO_VALUE>PROD</TO_VALUE>
      </CONTEXT>
      <CONTEXT>
        <SMFID>MVSB</SMFID>
        <TO_VALUE>TEST</TO_VALUE>
      </CONTEXT>
    </CONTEXTS>
  </RESOURCE_NAME>
  <RESOURCE_CLASS>
    <COMPONENT>DBC
      <COMMAND>MYCLASS</COMMAND>
    </COMPONENT>
    <COMPONENT>DPR
      <COMMAND>MYCLASS</COMMAND>
    </COMPONENT>
  </RESOURCE_CLASS>
  <SUBSYS>DBCS</SUBSYS>
  <ALLOW_SAF_RC4>NO</ALLOW_SAF_RC4>
</DBCSECUR>

DBCSECUR elements

(Optional) The <DBCSECUR> element is the root-level element of the DBCSECUR structure.

Data type: Not applicable.

Child elements: <RESOURCE_NAME>, <RESOURCE_CLASS>, <SUBSYS>, <ALLOW_SAF_RC4>, and <DB2AUTH>

RESOURCE_NAME

(Optional) The <RESOURCE_NAME> element contains the options for the customizable resource name nodes.

Data type: Not applicable.

Parent element: <DBCSECUR>

Child elements: <HLQ> and <CONTEXTS>

HLQ

(optional) The <HLQ> element specifies a value for the HLQ node of the resource name structure. This value defaults to BMC.

Data type: VARCHAR(8)

Parent element: <RESOURCE_NAME>

Child elements: None.

CONTEXTS

(optional) The <CONTEXTS> element contains one or more context specifications.

Data type: Not applicable.

Parent element: <RESOURCE_NAME>

Child elements: <CONTEXT>

CONTEXT

(required) The <CONTEXT> element specifies a value for the context node of the resource name structure. This option defaults to the SMFID that is associated with the IBM z/OS image on which the DBC subsystem is active. The <CONTEXT> element must specify a <SMFID> and <TO_VALUE> element.

Data type: Not applicable.

Parent element: <RESOURCE_NAME>

Child elements: <SMFID> and <TO_VALUE>

SMFID

(required) The <SMFID> element specifies the SMFID that is associated with the z/OS image on which the DBC subsystem is active.

Data type: VARCHAR(4)

Parent element: <CONTEXT>

Child elements: None.

TO_VALUE

(required) The <TO_VALUE> element specifies the value that the DBC subsystem uses for the context node of the resource name.

Data type: VARCHAR(4)

Parent element: <CONTEXT>

Child elements: None.

Example:

The following example tells the DBC subsystem to use PROD as the context node of the resource name if the subsystem is started on the z/OS image with an SMFID of LPR1:

<CONTEXT>
  <SMFID>LPR1</SMFID>
  <TO_VALUE>PROD</TO_VALUE>
</CONTEXT>

If not started on this z/OS image, the DBC subsystem ignores the <CONTEXT> specification. This behavior allows you to define a single SAF options file for multiple DBC subsystems that run on different z/OS images.

By modifying the <CONTEXT> element to point a specific LPAR to a logical name, you can define RACF resource names that are consistent across multiple LPARs.

RESOURCE_CLASS

(optional) The <RESOURCE_CLASS> element allows you to customize the SAF resource class that is associated with internal DBC security control points. If omitted, the RACF resource class for all DBC commands (and associated components) defaults to the FACILITY class.

Note: This value does not affect the SAF resource class for DPR-initialized product objects. You can customize those classes by using the <SAFCLASS> XML tag in the product definition XML document.

The <COMPONENT> and <COMMAND> subelements are required only if you use the <RESOURCE_CLASS> element. In the sample shown in Structure of the XML stream, all DBC and DPR command resource profiles must be defined in RACF resource class MYCLASS.

Data type: Not applicable.

Parent element: <DBCSECUR>

Child elements: <COMPONENT>

COMPONENT

(required) The <COMPONENT> element identifies the specific component for which you are defining the resource class.

Data type: CHAR(3)

Parent element: <RESOURCE_CLASS>

Child elements: <COMMAND>

COMMAND

(required) The <COMMAND> element identifies the SAF resource class name that is used in all SAF security calls for commands issued from the associated component.

Data type: VARCHAR(8)

Parent element: <COMPONENT>

Child elements: None.

SUBSYS

(optional) The <SUBSYS> element specifies the value to be passed to SAF on each authorization check to the SUBSYS parameter on the RACROUTE macro. The value defaults to DBCS.

Data type: VARCHAR(8)

Parent element: <DBCSECUR>

Child elements: None.

Note: DBC uses BMCDBC as the application name that is passed to SAF through the APPL parameter on the RACROUTE REQUEST=AUTH macro call. This parameter specifies the name of the application that is making the authorization request. The RACROUTE service makes the parameter available to the installation exit routine, or any routines that the service invokes.

ALLOW_SAF_RC4

(optional) The <ALLOW_SAF_RC4> element specifies whether the DBC subsystem allows access to a given resource if SAF returns return code 4. SAF returns 4 if a security decision could not be made.

Valid values are YES and NO:

  • YES (the default) tells the DBC subsystem to allow user access to a resource if SAF returns return code 4.

  • NO tells the DBC subsystem not to allow user access to the resource.

Data type: VARCHAR(3)

Parent element: <DBCSECUR>

Child elements: None.

Note: The IBM RACROUTE macro reference documentation (SA22-7692-04) documents the SAF return codes.
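The following Python script is an added example, not BMC code, showing how the settings described above fit together: it parses a DBCSECUR document, applies the documented defaults (HLQ BMC, SUBSYS DBCS, FACILITY class, ALLOW_SAF_RC4 YES), resolves the context node for the SMFID a subsystem is running on (the <CONTEXT> behaviour described under TO_VALUE), looks up the per-component command resource class, and turns a SAF return code into an allow/deny decision according to <ALLOW_SAF_RC4>. The sample document is constructed from the page's sample; the function names, the assumption that SAF return code 0 means permitted and 8 means denied, and the validation of the stated VARCHAR/CHAR lengths are this example's own, and the page does not show the full resource name layout beyond the HLQ and context nodes.

```python
"""Added example (not BMC code): read a DBCSECUR security-parameters document,
apply the page's defaults, and show what each setting changes."""
import xml.etree.ElementTree as ET

# Defaults as stated on the page.
DEFAULT_HLQ = "BMC"
DEFAULT_SUBSYS = "DBCS"
DEFAULT_RESOURCE_CLASS = "FACILITY"
DEFAULT_ALLOW_SAF_RC4 = "YES"

# Constructed sample, following the page's sample file.
SAMPLE_DBCSECUR = """<DBCSECUR>
  <RESOURCE_NAME>
    <HLQ>BMC</HLQ>
    <CONTEXTS>
      <CONTEXT><SMFID>MVSA</SMFID><TO_VALUE>PROD</TO_VALUE></CONTEXT>
      <CONTEXT><SMFID>MVSB</SMFID><TO_VALUE>TEST</TO_VALUE></CONTEXT>
    </CONTEXTS>
  </RESOURCE_NAME>
  <RESOURCE_CLASS>
    <COMPONENT>DBC
      <COMMAND>MYCLASS</COMMAND>
    </COMPONENT>
    <COMPONENT>DPR
      <COMMAND>MYCLASS</COMMAND>
    </COMPONENT>
  </RESOURCE_CLASS>
  <SUBSYS>DBCS</SUBSYS>
  <ALLOW_SAF_RC4>NO</ALLOW_SAF_RC4>
</DBCSECUR>"""


def _check_len(value, max_len, name):
    """Enforce the VARCHAR(n)/CHAR(n) length the page documents for an element."""
    if not value or len(value) > max_len:
        raise ValueError(f"{name} must be 1-{max_len} characters, got {value!r}")
    return value


def parse_dbcsecur(xml_text):
    """Return a dict of effective settings; omitted elements take the page's defaults."""
    root = ET.fromstring(xml_text)
    if root.tag != "DBCSECUR":
        raise ValueError("root element must be <DBCSECUR>")
    cfg = {
        "hlq": DEFAULT_HLQ,
        "contexts": {},        # SMFID -> TO_VALUE
        "resource_class": {},  # component -> SAF class used for its commands
        "subsys": DEFAULT_SUBSYS,
        "allow_saf_rc4": DEFAULT_ALLOW_SAF_RC4,
    }
    rn = root.find("RESOURCE_NAME")
    if rn is not None:
        hlq = rn.findtext("HLQ")
        if hlq:
            cfg["hlq"] = _check_len(hlq.strip(), 8, "HLQ")
        for ctx in rn.iterfind("CONTEXTS/CONTEXT"):
            smfid, to_value = ctx.findtext("SMFID"), ctx.findtext("TO_VALUE")
            if smfid is None or to_value is None:
                raise ValueError("<CONTEXT> requires both <SMFID> and <TO_VALUE>")
            cfg["contexts"][_check_len(smfid.strip(), 4, "SMFID")] = \
                _check_len(to_value.strip(), 4, "TO_VALUE")
    rc = root.find("RESOURCE_CLASS")
    if rc is not None:
        for comp in rc.iterfind("COMPONENT"):
            name = (comp.text or "").strip()      # CHAR(3) text before <COMMAND>
            cmd_class = comp.findtext("COMMAND")
            if len(name) != 3 or cmd_class is None:
                raise ValueError("<COMPONENT> needs a 3-character name and a <COMMAND> class")
            cfg["resource_class"][name] = _check_len(cmd_class.strip(), 8, "COMMAND")
    subsys = root.findtext("SUBSYS")
    if subsys:
        cfg["subsys"] = _check_len(subsys.strip(), 8, "SUBSYS")
    rc4 = root.findtext("ALLOW_SAF_RC4")
    if rc4:
        rc4 = rc4.strip().upper()
        if rc4 not in ("YES", "NO"):
            raise ValueError("ALLOW_SAF_RC4 must be YES or NO")
        cfg["allow_saf_rc4"] = rc4
    return cfg


def context_node(cfg, running_smfid):
    """Context node of the resource name: the mapped TO_VALUE for the SMFID the
    subsystem runs on; any <CONTEXT> for another SMFID is ignored, so the
    default (the SMFID itself) applies."""
    return cfg["contexts"].get(running_smfid, running_smfid)


def command_resource_class(cfg, component):
    """SAF class for a component's commands; FACILITY unless <RESOURCE_CLASS> overrides it."""
    return cfg["resource_class"].get(component, DEFAULT_RESOURCE_CLASS)


def access_allowed(cfg, saf_return_code):
    """Allow/deny for a SAF return code. Assumed convention (not from the page):
    0 = permitted, 8 = denied. 4 = no decision possible, which is the case that
    <ALLOW_SAF_RC4> governs; NO fails closed."""
    if saf_return_code == 0:
        return True
    if saf_return_code == 4:
        return cfg["allow_saf_rc4"] == "YES"
    return False


if __name__ == "__main__":
    cfg = parse_dbcsecur(SAMPLE_DBCSECUR)
    for smfid in ("MVSA", "MVSB", "LPR9"):
        print(f"SMFID {smfid}: HLQ node={cfg['hlq']} context node={context_node(cfg, smfid)}")
    print("DBC command class:", command_resource_class(cfg, "DBC"))
    print("SAF RC=4 with ALLOW_SAF_RC4=NO ->", "allow" if access_allowed(cfg, 4) else "deny")
```

Running the script with the constructed sample prints PROD for MVSA, TEST for MVSB and the SMFID itself for an unmapped image, and shows that with ALLOW_SAF_RC4 set to NO a return code 4 is treated as a denial rather than falling open; parsing a bare `<DBCSECUR/>` gives the all-default configuration, where the same return code 4 is allowed.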
