Space banner

   

This space provides the same content as before, but the organization of the home page has changed. The content is now organized based on logical branches instead of legacy book titles. We hope that the new structure will help you quickly find the content that you need.

Defining a DBC control point resource profile

The DBC subsystem and its components automatically call the SAF router to check user authorization to various services.

These services are identified by internal functional control points and are externally associated with a resource name. You control user access to the DBC component services by granting or denying authorization to the resource names that are associated with these internal functional control points. To control access to these services, you must define these resource names to the ESM.

To define a DBC control point resource profile

  1. Define the resource profile (that is, the resource name) to the RACF ESM by using one or more RDEFINE FACILITY commands.

    Example

    The following example protects access to various resource categories for a DBC subsystem. The profile applies to LPARs named PROD. You set the PROD value through the < CONTEXT> XML element in the DBC security parameters.

    The profile also applies to product codes DBC and DPR (inherent components of the DBC subsystem) and ABC (which relates to a DPR-initialized product with the 3-byte product code ABC). For example, the BMC System and SQL Performance products for DB2 use DBC, DPR, LGC, and NGL.

    RDEFINE FACILITY (BMC.DBC.PROD.*) UACC(NONE) 
    RDEFINE FACILITY (BMC.DPR.PROD.*) UACC(NONE) 
    RDEFINE FACILITY (BMC.ABC.PROD.*) UACC(NONE)

    The next example defines a generic profile that protects all currently defined subsystem resources and future resources that are associated with products that you have not yet defined to the DPR component of DBC:

    RDEFINE FACILITY (BMC.*.PROD.*) UACC(NONE)
  2. Activate the resource class by issuing one of the following commands:
    • SETROPTS CLASSACT(FACILITY)

    • SETROPTS CLASSACT(FACILTY) RACLIST(FACILITY)(to maintain profiles in memory)

  3. (optional) Enable generic profile checking for the FACILITY class:

    SETROPTS GENERIC(FACILITY)



Was this page helpful? Yes No Submitting... Thank you

Comments