DBC security parameters
You can choose to administer and secure the security parameters separately from the main DBC startup parameters by implementing RACF data set name security. For more information about the started task, see Started task for the DBC subsystem.
Structure of the XML stream
The following figure shows a sample security parameters file:
<DBCSECUR>
<RESOURCE_NAME>
<HLQ>BMC</HLQ>
<CONTEXTS>
<CONTEXT>
<SMFID>MVSA</SMFID>
<TO_VALUE>PROD</TO_VALUE>
</CONTEXT>
<CONTEXT>
<SMFID>MVSB</SMFID>
<TO_VALUE>TEST</TO_VALUE>
</CONTEXT>
</CONTEXTS>
</RESOURCE_NAME>
<RESOURCE_CLASS>
<COMPONENT>DBC
<COMMAND>MYCLASS</COMMAND>
</COMPONENT>
<COMPONENT>DPR
<COMMAND>MYCLASS</COMMAND>
</COMPONENT>
</RESOURCE_CLASS>
<SUBSYS>DBCS</SUBSYS>
<ALLOW_SAF_RC4>NO</ALLOW_SAF_RC4>
</DBCSECUR>
DBCSECUR elements
(Optional) The <DBCSECUR> element is the root-level element of the DBCSECUR structure.
Data type: Not applicable.
Child elements: <RESOURCE_NAME>, <RESOURCE_CLASS>, <SUBSYS>, <ALLOW_SAF_RC4>, and <DB2AUTH>
RESOURCE_NAME
(Optional) The <RESOURCE_NAME> element contains the options for the customizable resource name nodes.
Data type: Not applicable.
Parent element: <DBCSECUR>
Child elements: <HLQ> and <CONTEXTS>

RESOURCE_CLASS
(Optional) The <RESOURCE_CLASS> element allows you to customize the SAF resource class that is associated with internal DBC security control points. If omitted, the RACF resource class for all DBC commands (and associated components) defaults to the FACILITY class.
Note: This value does not affect the SAF resource class for DPR-initialized product objects. You can customize those classes by using the <SAFCLASS> XML tag in the product definition XML document.
The <COMPONENT> and <COMMAND> subelements are required only if you use the <RESOURCE_CLASS> element. In the sample shown in Structure of the XML stream, all DBC and DPR command resource profiles must be defined in RACF resource class MYCLASS.
Data type: Not applicable.
Parent element: <DBCSECUR>
Child elements: <COMPONENT>

SUBSYS
(Optional) The <SUBSYS> element specifies the value to be passed to SAF on each authorization check to the SUBSYS parameter on the RACROUTE macro. The value defaults to DBCS.
Data type: VARCHAR(8)
Parent element: <DBCSECUR>
Child elements: None.
Note: DBC uses BMCDBC as the application name that is passed to SAF through the APPL parameter on the RACROUTE REQUEST=AUTH macro call. This parameter specifies the name of the application that is making the authorization request. The RACROUTE service makes the parameter available to the installation exit routine, or any routines that the service invokes.

ALLOW_SAF_RC4
(Optional) The <ALLOW_SAF_RC4> element specifies whether the DBC subsystem allows access to a given resource if SAF returns return code 4. SAF returns 4 if a security decision could not be made. Valid values are YES and NO:
Data type: VARCHAR(3)
Parent element: <DBCSECUR>
Child elements: None.
Note: The IBM RACROUTE macro reference documentation (SA22-7692-04) documents the SAF return codes.
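
The following check is an added example, not BMC code: it parses a security parameters file and reports the effective SAF resource class, SUBSYS value and ALLOW_SAF_RC4 setting described above, flagging the case where access is allowed on SAF return code 4. The function name audit_dbcsecur, the constructed sample text, and the reading of <COMPONENT> as a component name followed by a <COMMAND> child (taken from the sample as shown on this page) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the page's file but with ALLOW_SAF_RC4=YES.
SAMPLE = """<DBCSECUR>
<RESOURCE_CLASS>
<COMPONENT>DBC<COMMAND>MYCLASS</COMMAND></COMPONENT>
</RESOURCE_CLASS>
<SUBSYS>DBCS</SUBSYS>
<ALLOW_SAF_RC4>YES</ALLOW_SAF_RC4>
</DBCSECUR>"""

def audit_dbcsecur(xml_text):
    """Return (effective settings, findings) for a DBCSECUR document."""
    root = ET.fromstring(xml_text)
    if root.tag != "DBCSECUR":
        raise ValueError("root element is not <DBCSECUR>")
    findings = []
    # Assumption from the page's sample: the component name is the text of
    # <COMPONENT> and the SAF class is the text of its <COMMAND> child.
    classes = {}
    for comp in root.findall("./RESOURCE_CLASS/COMPONENT"):
        name = (comp.text or "").strip()
        saf_class = (comp.findtext("COMMAND") or "").strip()
        if name and saf_class:
            classes[name] = saf_class
        else:
            findings.append("RESOURCE_CLASS: COMPONENT needs a name and a COMMAND")
    if root.find("RESOURCE_CLASS") is None:
        # Documented default when the element is omitted.
        findings.append("RESOURCE_CLASS omitted: commands use the FACILITY class")
    # Documented default DBCS; the element is VARCHAR(8).
    subsys = (root.findtext("SUBSYS") or "DBCS").strip()
    if len(subsys) > 8:
        findings.append("SUBSYS is longer than 8 characters")
    rc4 = root.findtext("ALLOW_SAF_RC4")
    rc4 = rc4.strip().upper() if rc4 is not None else None
    if rc4 is None:
        findings.append("ALLOW_SAF_RC4 not set: state YES or NO explicitly")
    elif rc4 == "YES":
        findings.append("ALLOW_SAF_RC4=YES: access allowed when SAF returns 4")
    elif rc4 != "NO":
        findings.append("ALLOW_SAF_RC4 must be YES or NO, found %r" % rc4)
    return {"classes": classes, "subsys": subsys, "allow_saf_rc4": rc4}, findings

if __name__ == "__main__":
    settings, findings = audit_dbcsecur(SAMPLE)
    print(settings)
    for finding in findings:
        print("FINDING:", finding)
```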