Managing access authority for BMP jobs

For Application Accelerator to participate in the execution of IMS batch message processing (BMP) jobs, it needs access authority to the following data sets:
  • IMS RECON data sets

  • IMS subsystem’s MODSTAT or OLCSTAT data set

  • IMS subsystem’s ACBLIBA, ACBLIBB, and ACBLIB libraries

  • All libraries in IMS subsystem’s STEPLIB concatenation

  • IMS database data sets (only if Application Accelerator is optimizing the job step)

BMP jobs that execute without Application Accelerator run under the IMS control region, which already has the required authority to access these data sets. When Application Accelerator participates in the execution, by default the security access facility (SAF) grants the access that is defined for the user ID that submitted the job. This user ID typically does not have access authority to the required data sets.

Instead of defining SAF rules that allow access to each data set for each user ID that will submit a BMP job, you can define a single SAF resource that allows Application Accelerator to access the required data sets.

During initialization, Application Accelerator attempts to retrieve the resource profile, based on the job step values for the operating system ID, the IMS ID, and the program specification block (PSB) name:

  • If a resource definition is not found, Application Accelerator continues with the default access authority for the job step.

  • If a resource definition is found, Application Accelerator extracts the Installation Data value from the resource definition and uses that value only to access the required data sets. For all other access, the job uses the default authority of the user ID that submitted the job. If Application Accelerator cannot access a required data set because of insufficient authority, the product switches to IGNORE mode and issues a message.

To define a SAF resource rule for Application Accelerator

  1. Identify a user ID that has access to the required libraries and other data sets in the online IMS subsystem.

    You can use the information in message IEF695I to identify a user ID, as shown in the following example:

    IEF695I START MXOAIMS WITH JOBNAME MXOAIMS IS ASSIGNED TO USER STCUSER , GROUP STCGROUP

  2. Define a resource rule as follows:
    • Specify CLASS = FACILITY.

    • Specify PROFILE = BBM.SDBA.mvsid.imsid.psbname.AAOR.

      You can specify the operating system ID, IMS ID, and PSB name as generic values by using wildcard characters (* and %).

    • In the installation data field, specify the previously identified user ID.

  3. Define the SAF profile as shown in the following example:

    RDEFINE FACILITY BBM.SDBA.*.*.*.AAOR DATA('userid')
    SETROPTS CLASSACT(FACILITY)
    SETROPTS RACLIST(FACILITY) REFRESH
    RLIST FACILITY BBM.SDBA.*.MXOA.*.AAOR

    You can specify the operating system ID, IMS ID, and PSB name values as specific or generic values.
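The following sketch is an added example, not code from the product or its documentation. It shows how the scope of a generic profile name can be reviewed before it is defined, by listing which job steps (operating system ID, IMS ID, PSB name) each BBM.SDBA.mvsid.imsid.psbname.AAOR profile would cover. The wildcard rules are a simplified assumption, and the sample IDs and PSB names are constructed.

```python
import re

PREFIX, SUFFIX = "BBM.SDBA", "AAOR"  # fixed qualifiers of the profile name on this page

def qualifier_regex(pattern):
    """Translate one profile qualifier to a regex (simplified wildcard rules, an assumption)."""
    if pattern == "*":
        return "[^.]+"               # a lone * stands for any one qualifier
    out = []
    for ch in pattern:
        if ch == "%":
            out.append("[^.]")       # % stands for exactly one character
        elif ch == "*":
            out.append("[^.]*")      # * stands for zero or more characters in the qualifier
        else:
            out.append(re.escape(ch))
    return "".join(out)

def profile_matches(profile, mvsid, imsid, psbname):
    """True if the profile name covers the job step values."""
    parts = profile.split(".")
    if len(parts) != 6 or ".".join(parts[:2]) != PREFIX or parts[5] != SUFFIX:
        return False
    rx = r"\.".join(qualifier_regex(q) for q in parts[2:5])
    return re.fullmatch(rx, f"{mvsid}.{imsid}.{psbname}") is not None

def coverage(profiles, job_steps):
    """Map each job step to the (profile, installation-data user ID) pairs covering it."""
    return {step: [(p, uid) for p, uid in profiles.items() if profile_matches(p, *step)]
            for step in job_steps}

# Constructed sample data: one fully generic profile, one scoped to a single IMS.
PROFILES_BROAD = {"BBM.SDBA.*.*.*.AAOR": "STCUSER"}
PROFILES_SCOPED = {"BBM.SDBA.SYSA.MXOA.PAY%%.AAOR": "STCUSER"}
JOB_STEPS = [("SYSA", "MXOA", "PAY01"), ("SYSB", "IMST", "TESTPSB")]

if __name__ == "__main__":
    for label, profiles in (("broad", PROFILES_BROAD), ("scoped", PROFILES_SCOPED)):
        for step, hits in coverage(profiles, JOB_STEPS).items():
            # No hit means the step keeps the submitting user's default authority.
            print(label, ".".join(step), hits or "default authority")
```

Which profile the security product selects when several match is not modelled here; the output only shows which job steps would fall under each profile name.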


