Implementing security for IRMICMD
The valid resource (entity) names for IRMICMD are listed in the following table. These resource names control whether users are authorized to use IRMICMD to issue the corresponding IMS command. Resource names can also control whether a command can be issued on a specified IMS system or for a specified sharegroup.
IRMICMD first checks for a SAF resource rule containing an IMS ID or SHAREGROUP name that matches the IMS ID or SHAREGROUP name in the IRMICMD control statement:
- If a rule contains the optional imsid parameter (imsid is the one- to four-character IMS ID), the rule applies to the specified IMS system; if the command is GLOBAL, the rule also applies to all other IMS systems in the sharegroup.
- If a rule contains the optional sharegroup parameter (sharegroup is the one- to four-character SHAREGROUP name), the rule applies to all IMS systems in the specified sharegroup; the command is GLOBAL by default.
If a rule does not contain the imsid parameter or the sharegroup parameter, IRMICMD checks for a rule containing a command that matches the IRMICMD command. If a rule contains the command, the access rules in that SAF rule apply to all IMS systems. Therefore, if access is denied, it is denied for all IMS systems; if access is allowed, it is allowed for all IMS systems.
SAF resources for RMGR IMS Command (IRMICMD) utility
Resource name | IMS command | Command description |
---|---|---|
BBM.IRM.CHE | /CHE | Take a simple checkpoint on any IMS system |
BBM.IRM.CHE.imsid | /CHE | Take a simple checkpoint on the specified IMS system |
BBM.IRM.CHE.sharegroup | /CHE | Take a simple checkpoint on all IMS systems in the specified sharegroup |
BBM.IRM.DBD | /DBD | Dump a database on any IMS system |
BBM.IRM.DBD.imsid | /DBD | Dump a database on the specified IMS system |
BBM.IRM.DBD.sharegroup | /DBD | Dump a database on all IMS systems in the specified sharegroup |
BBM.IRM.DBR | /DBR | Recover a database or area on any IMS system |
BBM.IRM.DBR.imsid | /DBR | Recover a database or area on the specified IMS system |
BBM.IRM.DBR.sharegroup | /DBR | Recover a database or area on all IMS systems in the specified sharegroup |
BBM.IRM.STADB | /STA | Start a database or area on any IMS system |
BBM.IRM.STADB.imsid | /STA | Start a database or area on the specified IMS system |
BBM.IRM.STADB.sharegroup | /STA | Start a database or area on all IMS systems in the specified sharegroup |
BBM.IRM.STODB | /STO | Stop a database or area on any IMS system |
BBM.IRM.STODB.imsid | /STO | Stop a database or area on the specified IMS system |
BBM.IRM.STODB.sharegroup | /STO | Stop a database or area on all IMS systems in the specified sharegroup |
BBM.IRM.SWI | /SWI | Switch the active log data set to the next OLDS and then take a simple checkpoint on any IMS system |
BBM.IRM.SWI.imsid | /SWI | Switch the active log data set to the next OLDS and then take a simple checkpoint on the specified IMS system |
BBM.IRM.SWI.sharegroup | /SWI | Switch the active log data set to the next OLDS and then take a simple checkpoint on all IMS systems in the specified sharegroup |
The following figure shows sample RACF control statements to define IRMICMD resources that apply to any IMS system.
RACF resource definitions for IRMICMD that apply to any IMS system
RDEFINE FACILITY BBM.IRM.CHE UACC(NONE)
RDEFINE FACILITY BBM.IRM.DBD UACC(NONE)
RDEFINE FACILITY BBM.IRM.DBR UACC(NONE)
RDEFINE FACILITY BBM.IRM.STADB UACC(NONE)
RDEFINE FACILITY BBM.IRM.STODB UACC(NONE)
RDEFINE FACILITY BBM.IRM.SWI UACC(NONE)
PERMIT BBM.IRM.CHE CLASS(FACILITY) ID(USER01) ACCESS(READ)
PERMIT BBM.IRM.DBD CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.IRM.DBR CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.IRM.STADB CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.IRM.STODB CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.IRM.SWI CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
SETROPTS CLASSACT(FACILITY)
SETROPTS RACLIST(FACILITY) REFRESH
RLIST FACILITY BBM.IRM.CHE AUTHUSER
RLIST FACILITY BBM.IRM.DBD AUTHUSER
RLIST FACILITY BBM.IRM.DBR AUTHUSER
RLIST FACILITY BBM.IRM.STADB AUTHUSER
RLIST FACILITY BBM.IRM.STODB AUTHUSER
RLIST FACILITY BBM.IRM.SWI AUTHUSER
The following figure shows sample RACF control statements to define IRMICMD resources and restrict their usage on the specified IMS system (IMSP).
RACF resource definitions for IRMICMD that apply to a specified IMS system
RDEFINE FACILITY BBM.IRM.CHE.IMSP UACC(NONE)
RDEFINE FACILITY BBM.IRM.DBD.IMSP UACC(NONE)
RDEFINE FACILITY BBM.IRM.DBR.IMSP UACC(NONE)
RDEFINE FACILITY BBM.IRM.STADB.IMSP UACC(NONE)
RDEFINE FACILITY BBM.IRM.STODB.IMSP UACC(NONE)
RDEFINE FACILITY BBM.IRM.SWI.IMSP UACC(NONE)
PERMIT BBM.IRM.CHE.IMSP CLASS(FACILITY) ID(USER02) ACCESS(READ)
PERMIT BBM.IRM.DBD.IMSP CLASS(FACILITY) ID(USER02) ACCESS(READ)
PERMIT BBM.IRM.DBR.IMSP CLASS(FACILITY) ID(USER02) ACCESS(READ)
PERMIT BBM.IRM.STADB.IMSP CLASS(FACILITY) ID(USER02) ACCESS(READ)
PERMIT BBM.IRM.STODB.IMSP CLASS(FACILITY) ID(USER02) ACCESS(READ)
PERMIT BBM.IRM.SWI.IMSP CLASS(FACILITY) ID(USER02) ACCESS(READ)
SETROPTS CLASSACT(FACILITY)
SETROPTS RACLIST(FACILITY) REFRESH
RLIST FACILITY BBM.IRM.CHE.IMSP AUTHUSER
RLIST FACILITY BBM.IRM.DBD.IMSP AUTHUSER
RLIST FACILITY BBM.IRM.DBR.IMSP AUTHUSER
RLIST FACILITY BBM.IRM.STADB.IMSP AUTHUSER
RLIST FACILITY BBM.IRM.STODB.IMSP AUTHUSER
RLIST FACILITY BBM.IRM.SWI.IMSP AUTHUSER
The following figure shows sample RACF control statements to define IRMICMD resources that apply to a specified sharegroup (SHRP).
RACF resource definitions for IRMICMD that apply to a specified sharegroup
RDEFINE FACILITY BBM.IRM.CHE.SHRP UACC(NONE)
RDEFINE FACILITY BBM.IRM.DBD.SHRP UACC(NONE)
RDEFINE FACILITY BBM.IRM.DBR.SHRP UACC(NONE)
RDEFINE FACILITY BBM.IRM.STADB.SHRP UACC(NONE)
RDEFINE FACILITY BBM.IRM.STODB.SHRP UACC(NONE)
RDEFINE FACILITY BBM.IRM.SWI.SHRP UACC(NONE)
PERMIT BBM.IRM.CHE.SHRP CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.IRM.DBD.SHRP CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.IRM.DBR.SHRP CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.IRM.STADB.SHRP CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.IRM.STODB.SHRP CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
PERMIT BBM.IRM.SWI.SHRP CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
SETROPTS CLASSACT(FACILITY)
SETROPTS RACLIST(FACILITY) REFRESH
RLIST FACILITY BBM.IRM.CHE.SHRP AUTHUSER
RLIST FACILITY BBM.IRM.DBD.SHRP AUTHUSER
RLIST FACILITY BBM.IRM.DBR.SHRP AUTHUSER
RLIST FACILITY BBM.IRM.STADB.SHRP AUTHUSER
RLIST FACILITY BBM.IRM.STODB.SHRP AUTHUSER
RLIST FACILITY BBM.IRM.SWI.SHRP AUTHUSER
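The lookup order described at the top of this page, modeled in Python over a subset of the sample RACF statements above so that the effect of a qualified profile on the unqualified one can be checked before the rules are loaded. This is an added example, not BMC or RACF code. It assumes that the first defined profile decides, that READ is sufficient, and that DBAGRP contains a hypothetical user DBA01; the ACL evaluation is a simplified model of RACF (user entry, then group entries, then UACC).

```python
import re

# Constructed sample: a subset of the page's RACF statements.
RACF_STATEMENTS = """
RDEFINE FACILITY BBM.IRM.CHE UACC(NONE)
RDEFINE FACILITY BBM.IRM.CHE.IMSP UACC(NONE)
RDEFINE FACILITY BBM.IRM.DBR.SHRP UACC(NONE)
PERMIT BBM.IRM.CHE CLASS(FACILITY) ID(USER01) ACCESS(READ)
PERMIT BBM.IRM.CHE.IMSP CLASS(FACILITY) ID(USER02) ACCESS(READ)
PERMIT BBM.IRM.DBR.SHRP CLASS(FACILITY) ID(DBAGRP) ACCESS(READ)
"""
# Hypothetical group connections; the page does not list DBAGRP's members.
GROUPS = {"DBAGRP": {"DBA01"}}
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

def load_profiles(text):
    """Parse RDEFINE/PERMIT lines into {profile: {"uacc": level, "acl": {id: level}}}."""
    profiles = {}
    for line in text.strip().splitlines():
        m = re.match(r"RDEFINE FACILITY (\S+) UACC\((\w+)\)", line)
        if m:
            profiles[m.group(1)] = {"uacc": m.group(2), "acl": {}}
            continue
        m = re.match(r"PERMIT (\S+) CLASS\(FACILITY\) ID\((\w+)\) ACCESS\((\w+)\)", line)
        if m and m.group(1) in profiles:
            profiles[m.group(1)]["acl"][m.group(2)] = m.group(3)
    return profiles

def check(profiles, user, command, qualifier=None):
    """Return (resource_checked, decision) for one IRMICMD request.
    qualifier is the IMS ID or SHAREGROUP name from the control statement."""
    base = f"BBM.IRM.{command}"
    candidates = ([f"{base}.{qualifier}"] if qualifier else []) + [base]
    for name in candidates:  # qualified name first, then the unqualified one
        prof = profiles.get(name)
        if prof is None:
            continue  # assumption: an undefined profile falls through
        acl = prof["acl"]
        if user in acl:  # a user entry takes precedence over group entries
            level = acl[user]
        else:
            groups = [acl[g] for g, mem in GROUPS.items() if user in mem and g in acl]
            level = max(groups, key=LEVELS.index) if groups else prof["uacc"]
        return name, "ALLOW" if LEVELS.index(level) >= LEVELS.index("READ") else "DENY"
    return None, "UNDEFINED"  # the page does not say what IRMICMD does here

PROFILES = load_profiles(RACF_STATEMENTS)
```

In this model USER01 may issue /CHE in general but is denied on IMSP, because BBM.IRM.CHE.IMSP is found first and permits only USER02.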