Space announcement We are no longer updating this version of the documentation for the infrastructure components (DBC, LGC, and NGL).  You can no longer leave comments on it. For the latest version of the documentation, see Common Mainframe Infrastructure 2022 release.

DBC security parameters

The DBCSECUR DD statement, which is specified in the startup JCL for the DBC subsystem, identifies the security parameters data set for the DBC subsystem. The security parameters are optional. Each security parameter has a default value that applies if you do not specify the DBCSECUR DD statement, or if you omit a particular security option from the parameters file. Thus, you are not required to specify these parameters to use the DBC security features.

You do not specify the security parameters with the main DBC startup parameters identified in the DBCPARMS DD statement. You can choose to administer and secure the security parameters separately from the main DBC startup parameters by implementing RACF data set name security. For more information about the started task, see Started-task-for-the-DBC-subsystem.

Structure of the XML stream

The following figure shows a sample security parameters file.

Structure of the DBCSECUR XML stream

<DBCSECUR>                 
  <RESOURCE_NAME>                 
    <HLQ>BMC</HLQ>                
    <CONTEXTS>                    
      <CONTEXT>                   
        <SMFID>MVSA</SMFID>       
        <TO_VALUE>PROD</TO_VALUE>
      </CONTEXT>                  
      <CONTEXT>                   
        <SMFID>MVSB</SMFID>       
        <TO_VALUE>TEST</TO_VALUE>
      </CONTEXT>                  
    </CONTEXTS>                   
  </RESOURCE_NAME>                
  <RESOURCE_CLASS>                
    <COMPONENT>DBC                
      <COMMAND>MYCLASS     
    </COMPONENT>                  
    <COMPONENT>DPR                
      <COMMAND>MYCLASS     
    </COMPONENT>                  
  </RESOURCE_CLASS>                
  <SUBSYS>DBCS</SUBSYS>           
  <ALLOW_SAF_RC4>NO</ALLOW_SAF_RC4>
</DBCSECUR>

DBCSECUR elements

(optional) The <DBCSECUR> element is the root-level element of the DBCSECUR structure.

Data type: Not applicable.Child elements: <RESOURCE_NAME>, <RESOURCE_CLASS>, <SUBSYS>, <ALLOW_SAF_RC4>, and <DB2AUTH>

RESOURCE_NAME

(optional) The <RESOURCE_NAME> element contains the options for the customizable resource name nodes.

Data type: Not applicable.

Parent element: <DBCSECUR>

Child elements: <HLQ> and <CONTEXTS>

HLQ

(optional) The <HLQ> element specifies a value for the HLQ node of the resource name structure. This value defaults to BMC.

Data type: VARCHAR(8)

Parent element: <RESOURCE_NAME>

Child elements: None.

CONTEXTS

(optional) The <CONTEXTS> element contains one or more context specifications.

Data type: Not applicable.

Parent element: <RESOURCE_NAME>

Child elements: <CONTEXT>

CONTEXT

(required) The <CONTEXT> element specifies a value for the context node of the resource name structure. This option defaults to the SMFID that is associated with the IBM z/OS image on which the DBC subsystem is active. The <CONTEXT> element must specify a <SMFID> and <TO_VALUE> element.

Data type: Not applicable.

Parent element: <RESOURCE_NAME>

Child elements: <SMFID> and <TO_VALUE>

SMFID

(required) The <SMFID> element specifies the SMFID that is associated with the z/OS image on which the DBC subsystem is active.

Data type: VARCHAR(4)

Parent element: <CONTEXT>

Child elements: None.

TO_VALUE

(required) The <TO_VALUE> element specifies the value that the DBC subsystem uses for the context node of the resource name.

Data type: VARCHAR(4)

Parent element: <CONTEXT>

Child elements: None.

Example

The following example tells the DBC subsystem to use PROD as the context node of the resource name if the subsystem is started on the z/OS image with an SMFID of LPR1:

<CONTEXT>
    <SMFID>LPR1</SMFID>
    <TO_VALUE>PROD</TO_VALUE>
</CONTEXT>

If not started on this z/OS image, the DBC subsystem ignores the <CONTEXT> specification. This behavior allows you to define a single SAF options file for multiple DBC subsystems that run on different z/OS images.

By modifying the <CONTEXT> element to point a specific LPAR to a logical name, you can define RACF resource names that are consistent across multiple LPARs.

RESOURCE_CLASS

(optional) The <RESOURCE_CLASS> element allows you to customize the SAF resource class that is associated with internal DBC security control points. If omitted, the RACF resource class for all DBC commands (and associated components) defaults to the FACILITY class.

Note

This value does not affect the SAF resource class for DPR-initialized product objects. You can customize those classes by using the <SAFCLASS> XML tag in the product definition XML document.

In the sample shown in Structure of the DBCSECUR XML stream, all DBC and DPR command resource profiles must be defined in RACF resource class MYCLASS.

The <COMPONENT> and <COMMAND> subelements are required only if you use the <RESOURCE_CLASS> element.

Data type: Not applicable.

Parent element: <DBCSECUR>

Child elements: <COMPONENT>

COMPONENT

required) The <COMPONENT> element identifies the specific component for which you are defining the resource class.

Data type: CHAR(3)

Parent element: <RESOURCE_CLASS>

Child elements: <COMMAND>

COMMAND

(required) The <COMMAND> element identifies the SAF resource class name that is used in all SAF security calls for commands issued from the associated component.

Data type: VARCHAR(8)

Parent element: <COMPONENT>

Child elements: None.

SUBSYS

(optional) The <SUBSYS> element specifies the value to be passed to SAF on each authorization check to the SUBSYS parameter on the RACROUTE macro. The value defaults to DBCS.

Data type: VARCHAR(8)

Parent element: <DBCSECUR>

Child elements: None.

Note

DBC uses BMCDBC as the application name that is passed to SAF through the APPL parameter on the RACROUTE REQUEST=AUTH macro call. This parameter specifies the name of the application that is making the authorization request. The RACROUTE service makes the parameter available to the installation exit routine, or any routines that the service invokes.

ALLOW_SAF_RC4

(optional) The <ALLOW_SAF_RC4> element specifies whether the DBC subsystem allows access to a given resource if SAF returns return code 4. SAF returns 4 if a security decision could not be made.

Valid values are YES and NO:

  • YES (the default) tells the DBC subsystem to allow user access to a resource if SAF returns return code 4.
  • NO tells the DBC subsystem not to allow user access to the resource.

Data type: VARCHAR(3)

Parent element: <DBCSECUR>

Child elements: None.

Note

The IBM RACROUTE macro reference documentation (SA22-7692-04) documents the SAF return codes.



 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*