Consider the following requirements and features of DBC security:
DBC must meet the following UNIX requirements: write and execute access to the /tmp directory, and update access to the FSACCESS (UNIX file system access check) resource class.
DBC must be authorized to create an Extended MCS Console.
DBC uses the standard System Authorization Facility (SAF) interface to communicate with an External Security Manager (ESM). DBC is compatible with ESMs that support the SAF interface (including CA Technologies CA-ACF2 and CA-Top Secret products).
The DBC security interface is compatible with the IBM Resource Access Control Facility (RACF) Version 1.9 or later. DBC issues security calls directly to the SAF interface.
For more information, see Configuring RACF security for the DBC subsystem.
DBC does not require you to define resources (that is, internal control points) to an ESM. However, if the security parameter <ALLOW_SAF_RC4> is set to NO and no resource names have been defined, all DBC requests fail with an authorization error. If <ALLOW_SAF_RC4> is set to NO, you must define DBC resource names so that access can be granted or denied as appropriate.
DBC security control points include commands that are issued from an IBM z/OS system console and from the IBM System Display and Search Facility (SDSF). The DBC subsystem command processor extracts the user ID from the ACEE that is associated with the console address space and propagates this value through the system. Appropriate ESM customization is required to allow operator authorization to DBC commands.
DBC stores its security parameters in the DBCSECUR data set.
DBC security parameters are independent of all other DBC parameters. This physical separation allows the security administrator to implement independent and discrete access to the security parameters (DBCSECUR) and potentially more general access to the subsystem parameters (DBCPARMS).
For more information about security parameters, see DBC security parameters.