Implementing external security


If you implement Fast Path/EP external security, Fast Path/EP products permit only authorized users to access Fast Path/EP product components and functions.

When a user attempts to access a Fast Path/EP product component or function, Fast Path/EP external security issues a RACROUTE call to determine the access authority of the user ID that is associated with the ISPF session or application program. Fast Path/EP external security retains the results of the RACROUTE calls for as long as the current Fast Path/EP ISPF interface session is active or the application is executing. This eliminates the need for repetitive RACROUTE calls while processing display and update requests. Because the results are retained, a change to a user's RACF authority takes effect for that user only when the ISPF session ends or the application finishes; revoking access does not interrupt a session that is already in progress.

The Fast Path/EP RACROUTE requests specify a default resource class name of PFM0, as defined in the PFMXSC06 CSECT in the Fast Path/EP execution library. To facilitate maintenance, Fast Path/EP products use only one resource class name.

The RACROUTE requests also specify an entity name that is associated with a specific function of the Fast Path/EP product. RACROUTE entity names are associated with specific access levels, and they limit access to specific members of the VSAM repository, to specific functions of the Fast Path/EP ISPF interface, or to participation of Fast Path/EP products in the application execution. The access levels that are requested are READ and UPDATE, depending on the type of operation being performed against the VSAM repository. The RACROUTE entity names and descriptions that are defined within the Fast Path/EP products are listed in Individual-security-entities.

If the return code from the RACROUTE call indicates that the user is not authorized for the function, Fast Path/EP performs no additional security processing and denies the request for access.

Fast Path/EP products use the PFMXSC06 CSECT to control Fast Path/EP external security processing. The PFMXSC06 CSECT contains a switch to activate Fast Path/EP external security and fields to define the resource class name.

To activate Fast Path/EP external security

  1. Modify, assemble, and link-edit the PFMXSC06 CSECT. The source for the PFMXSC06 CSECT is in member $PFMXSC6 of the PFPSAMP library. A sample of this CSECT is shown in the following figure.

    PFMXSC06 CSECT
             DC    C'N'          RACF USAGE SWITCH (N=INACTIVE, Y=ACTIVE)
             DC    CL3' '        RESERVED
             DC    F'4'          LEN OF GENERAL RESOURCE CLASS NAME
             DC    CL8'PFM0'     GENERAL RESOURCE CLASS NAME
             DC    CL30' '       RESERVED
             END

    To modify, assemble, and link-edit the PFMXSC06 CSECT, perform the following steps:

    1. Edit the PFMXSC06 source.
      • Change the RACF usage switch from N (its initial value) to Y to activate Fast Path/EP external security.
      • Set the resource class name. The default is PFM0; you can replace it with a class name of up to eight characters. If the class name you choose is not exactly four characters long, also change the length constant (F'4') so that it matches the actual length of the name.
    2. Assemble and link-edit the PFMXSC06 CSECT.
    3. Place the link-edited, modified PFMXSC06 CSECT into the library that contains the Fast Path/EP execution modules. The PFPSAMP member #PFMSECR contains sample JCL for the assemble and link-edit job.
  2. Define Fast Path/EP product resources to the system security manager. Fast Path/EP external security is designed to work with RACF-compatible system security managers. Because the implementation and usage of system security managers is often unique to the installation, the following procedure provides general guidelines and examples and is based on RACF as the system security manager. The system security administrator at your site is probably the person who will define Fast Path/EP product resources to the system security manager.

    Note

    For performance reasons, consider RACLISTing the PFM0 resource class (SETROPTS RACLIST(PFM0)) so that its profiles are kept in storage. When the class is RACLISTed, later RDEFINE and PERMIT changes for it take effect only after you issue SETROPTS RACLIST(PFM0) REFRESH.

    To define Fast Path/EP product resources to the system security manager, perform the following steps:

    1. Define the necessary resource class to RACF in the class descriptor table (CDT). The ID and POSIT values must not collide with those of any class already defined at your installation. The following example shows this definition:

      PFM0  ICHERCDE CLASS=PFM0,ID=200,
                     MAXLNTH=8,FIRST=ALPHANUM,
                     OTHER=ANY,OPER=NO,POSIT=19,
                     RACLIST=ALLOWED

      RACLIST=ALLOWED permits the installation to RACLIST the class with SETROPTS; Fast Path/EP external security itself does not issue a RACROUTE REQUEST=LIST.

    2. Add the resource class name to the RACF Router table. The following example shows addition of the resource class name to the table:

            ICHRFRTB CLASS=PFM0,ACTION=RACF
    3. Activate the resource class with the RACF SETROPTS command. The default resource class name referenced in the RACROUTE macro is PFM0. The following example shows the default class name that is used with the RACF SETROPTS command:

            SETROPTS CLASSACT(PFM0)
    4. Add the resource entity names to RACF. Individual-security-entities lists the resource entity names that you can define and the requested access levels, with a complete description of each. The following example shows addition of the resource entity names to the access list definition:

      RDEFINE PFM0 PFMGBL UACC(READ)
              OWNER(U12345)
    5. Define the user access list to RACF. Individual-security-entities lists the resource entity names that you can define for the user access authority classes. The following example shows the user access list definition, where PFMGBL is the entity name:

      PERMIT PFMGBL CLASS(PFM0) ID(UID1 UID2 UID3 UID4)
             ACCESS(UPDATE)
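The following batch TSO job is an added example; it is not taken from the PFPSAMP library or from BMC. It runs steps 3 through 5 above as one unit and then verifies the result with RLIST, assuming that the PFM0 class is already in the class descriptor table and router table (steps 1 and 2). The class name PFM0, entity name PFMGBL, owner U12345, and user IDs UID1 through UID4 are the values used in the examples above; the job name, accounting information, and the group name PFMUPDT are placeholders you would replace with your installation's values.

```jcl
//PFMSEC   JOB (ACCT),'DEFINE PFM0 RESOURCES',CLASS=A,MSGCLASS=X
//*-------------------------------------------------------------------
//* Added example (not a PFPSAMP member): define and verify the
//* Fast Path/EP security profile for entity PFMGBL in batch TSO.
//* Assumes class PFM0 already exists in the RACF CDT and router table.
//* Placeholders: accounting info, owner U12345, group PFMUPDT, UID1-4.
//*
//* SYSTSIN commands, in order:
//*  SETROPTS CLASSACT  - step 3, activate the class
//*  RDEFINE            - step 4, define the entity; AUDIT(ALL(UPDATE))
//*                       logs successful and failed UPDATE attempts
//*                       to SMF, not only failures (the default)
//*  ADDGROUP/CONNECT/  - step 5, grant UPDATE through a group so a
//*  PERMIT               user is removed with REMOVE instead of by
//*                       editing every access list
//*  SETROPTS RACLIST   - make the new profile visible if the class
//*                       is RACLISTed (omit REFRESH the first time
//*                       the class is RACLISTed)
//*  RLIST AUTHUSER     - show UACC, audit setting and access list
//*-------------------------------------------------------------------
//RACFDEF  EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  SETROPTS CLASSACT(PFM0)
  RDEFINE  PFM0 PFMGBL UACC(READ) OWNER(U12345) AUDIT(ALL(UPDATE))
  ADDGROUP PFMUPDT OWNER(U12345)
  CONNECT  (UID1 UID2 UID3 UID4) GROUP(PFMUPDT)
  PERMIT   PFMGBL CLASS(PFM0) ID(PFMUPDT) ACCESS(UPDATE)
  SETROPTS RACLIST(PFM0) REFRESH
  RLIST    PFM0 PFMGBL AUTHUSER
/*
```

Check the SYSTSPRT output of the RLIST command: the profile should show UACC READ, AUDITING ALL(UPDATE), and PFMUPDT with UPDATE in the standard access list. UACC(READ) follows the example above; if the Individual-security-entities table shows that read access to an entity should also be restricted, define that profile with UACC(NONE) and PERMIT READ explicitly, so that undefined and unlisted users are denied. The job does not cover step 1; on z/OS releases that support the dynamic class descriptor table, that step can also be done with RDEFINE CDT and SETROPTS RACLIST(CDT) REFRESH instead of assembling ICHERCDE, which avoids the IPL that a static CDT change requires.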




BMC AMI Database Advisor for IMS 3.2