RACF and ACF2 Access to COPE ISPF Functions


Restriction of access to various COPE functions is supported by RACF and ACF2. This section details the required facilities for the ISPF-based functions. Refer to the BMC-COPE-Administration-Guide for a description of the implementation of security for IMS-based functions via the COPESXSX exit. If the XISPFSEC parameter is set to YES, COPE calls RACF every time a function is selected. If RACF does not permit access, an error message stating that access is not allowed is returned on the panel.

The parameters used on the RACHECK macro are:

RACHECK ENTITY=(ENTITY),CLASS='DATASET',ATTR=READ,DSTYPE=M,*
LOG=ASIS,APPL='COPE',RACFIND=NO,GENERIC=YES

The Entity is defined as a dataset and consists of a name of the form:

SPL.<NAME>.<FUNCTION>

The <NAME> is the name of the function set to be executed and <FUNCTION> is the name of the function in the function set. These values may be extracted from the selection panels that COPE provides.

In general, most of the functions may be accessed by all users, and a few functions are restricted to the COPE Administrator. To do this, multiple generic profiles must be defined: a profile allowing read access to the resource SPL.* is defined for every user, and an additional profile is defined for each option that is to be restricted. For example, to restrict access to Option 4.1, SPL.COPE.COPELD must also be defined.
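The following sketch is an added example, not part of the COPE documentation or product: it models how the catch-all SPL.* profile and a restricting profile such as SPL.COPE.COPELD combine for a READ check. It goes slightly beyond the text by also modelling RACF's Enhanced Generic Naming (SETROPTS EGN), under which a trailing * matches only one qualifier; the user IDs DEV01 and COPEADM, the profile contents and the simplified "most specific profile wins" rule are assumptions.

```python
# Added example: simplified model of how generic DATASET profiles cover the
# SPL.<NAME>.<FUNCTION> entities that COPE checks. Not RACF's full algorithm.

PROFILES = {  # constructed sample; COPEADM is a hypothetical administrator ID
    "SPL.*": {"uacc": "READ", "permits": {}},
    "SPL.COPE.COPELD": {"uacc": "NONE", "permits": {"COPEADM": "READ"}},
}

def entity(function_set, function):
    """Build the entity name from a row of the menu table."""
    return f"SPL.{function_set}.{function}"

def matches(profile, name, egn):
    """Trailing-wildcard matching only; egn models SETROPTS EGN being active."""
    p, n = profile.split("."), name.split(".")
    if p[-1] not in ("*", "**"):
        return p == n                          # fully qualified profile name
    head, extra = p[:-1], len(n) - (len(p) - 1)
    if n[:len(head)] != head:
        return False
    if p[-1] == "**":                          # valid only with EGN: zero or more
        return egn and extra >= 0
    return extra == 1 if egn else extra >= 1   # '*': one (EGN) or one-or-more

def covering_profile(name, profiles, egn):
    """Pick the most specific match: no wildcard first, then the longest name."""
    hits = [p for p in profiles if matches(p, name, egn)]
    return max(hits, key=lambda p: ("*" not in p, len(p)), default=None)

def decide(user, name, profiles, egn=False):
    """Return (decision, profile) for a READ request, as ATTR=READ asks."""
    prof = covering_profile(name, profiles, egn)
    if prof is None:
        return "NO PROFILE", None              # resource is not defined to RACF
    access = profiles[prof]["permits"].get(user, profiles[prof]["uacc"])
    return ("DENY" if access == "NONE" else "ALLOW"), prof

if __name__ == "__main__":
    # Function set / function pairs: the page's example plus two table rows.
    rows = [("COPE", "COPELD"), ("COPE", "COPELDNW"), ("CATGET", "REPLACEX")]
    for egn in (False, True):
        for fs, fn in rows:
            for user in ("DEV01", "COPEADM"):  # hypothetical user IDs
                name = entity(fs, fn)
                print(egn, user, name, *decide(user, name, PROFILES, egn))
```

Two things to check against a real rule set: a fully qualified restricting profile covers only that exact function name (SPL.COPE.COPELDNW still falls through to the catch-all), and with EGN active the three-qualifier entities are not covered by SPL.* at all.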

A user of ACF2 used the following security definition to limit access. In addition to the 'dataset' name generated by COPE, a security rule on the program VTSPL was used to prevent access to all but authorized User IDs.

SAFPROT record
  ?T C(GSO)
  ?INS SAFPROT.COPE CLASSES(DATASET) CNTLPTS(VTSPL) SUBSYS(VTSPL)

Create dataset $KEY(SPL) as follows:

ACCESS RULE SPL STORED BY H001234 ON 06/10/91-110.30
$KEY(SPL)
$OWNER(IMS-SYSPGM)
$USERDATA(COPE ISPF FUNCTION SAF RULES)
CATGET.REPLACEX UID(*) READ(A) EXEC(A)
COPE.COPE UID(*) READ(A) EXEC(A)
Etc Etc.
- UID(DBA) READ(A) EXEC(A)
UID(SYS20) READ(A) EXEC(A)

The VTSPL program is limited to various development groups as follows:

RESOURCE RULE VTSPL STORED BY H01234 ON 06/18/91-09:10
$KEY(VTSPL) TYPE(PGM)
$USERDATA(COPE ISPF DRIVER PROGRAM THAT ISSUES RACHECK SECURITY CALLS)
UID(ABC) ALLOW
UID(CSS) ALLOW
Etc Etc.

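To facilitate setting up RACF, the table "COPE Menus SPL FUNCTION SETS and FUNCTIONS for RACF Checks" later in this section lists each selection against the function set and function that form the entity dataset name generated when the selection is made.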

Dynamically Allocated Dataset Name Suffixes

Some installations control the names of datasets by using the last portion of the name (Last Level Qualifier) to indicate the usage of the dataset. The following table lists the dataset name suffixes dynamically allocated by COPE together with a description of the use of the dataset.

COPE Dynamically Allocated Dataset Name Suffixes

Dataset Name Suffix (LLQ)    Dataset Usage
@@NEW                        Copy of expanded dataset
ADS                          Editing Area Dataset definitions
AMBLIST                      Editing AMBLIST JCL and control cards
BACKUP                       COPE JOBSAVE dataset
CNTL                         COPE-generated control statements
COPETRAC                     COPE trace record editing
DATA                         Editing DBRC initial definitions
DBRCCARD                     Editing DBRC definitions
DUMPJCL                      Editing JCL scan and regenerate
DUMPSTUB                     Editing STUBX definitions
DYNALLOC                     Editing DYNALLOC definitions
GEN                          Editing Generated Db2 RTT and plans
IMSGEN                       Editing Generated Stage 1 and Dynalloc
JCLLIB                       Editing Generated External Interface Procs
LINKLIST                     Linkedit listing
LIST                         Compile and DCS listings


COPE Menus SPL FUNCTION SETS and FUNCTIONS for RACF Checks

ISPF PANEL OPTION

ISPF PANEL

SPL FUNCTION SET

SPL FUNCTION

From ISPF


Any

COPE

COPE

COPEFIRS

1


COPEFIRS

COPEFIRS

COPEFIR1

1.1

COPEFIR1

COPE

COPELDNW


1.2

COPEFIR1

COPECGEN

PROCGEN


1.3

COPEFIR1

COPECGEN

EAJCARD


1.4

COPEFIR1

COPEFIRS

FIRS12


1.5

COPEFIR1

COPESTG1

MDS


1.6

COPEFIR1

COPEUJCL

COPEUJCL


1.7

COPEFIR1

COPEITAB

COPEITAB


1.8

COPEFIR1

COEPSTG1

DEFCOMS


1.9

COPEFIR1

COPEFIRS

FIR19


1.10

COPEFIR1

COPESTG1

MDSXRF5


1.11

COPEFIR1

COPEALLO

COPEALLO


1.12

COPEFIR1

COPESTG1

VDATE

***********

HIDDEN- COMMANDS





JOB

COPEFIR1

CATGET

JOBDISPL

Wizard Init

99

COPEFIR1

COPEPANL

COPEWIZ1

***********






2

COPEFIRS

COPEFIRS

COPEFIR2


2.1

COPEFIR2

COPESTG1

COPESTG1

USERSTG1

BSIMPORT


2.2

COPEFIR2

COPESTG1

COPEGJCL

USERDYNO

EXTERNAL


2.3

COPEFIR2

COPEFIRS

COPEGJCL

FIR2DBD

EXTERNAL


2.4

COPEFIR2

COPEFIRS

COPEGJCL

FIR2PSB

EXTERNAL


2.5

COPEFIR2

COPEFIRS

COPEGJCL

FIR2MFS

EXTERNAL


2.6

COPEFIR2

COPEDBRC

COPESTG1

COPEDBRC

BTCHDEF

***********

HIDDEN- COMMANDS





JOB

COPEFIR1

CATGET

JOBDISPL

***********






3


COPEFIRS

COPEFIR3


3.1

COPEFIR3

COPEFIRS

COPESTG1

FIR3FSTG

BSEDIT


3.2

COPEFIR3

COPEFIRS

COPEGJCL

COPEGJCL

FIR3PSTG

EXTERNA

BTCHGENL


3.3

COPEFIR3

COPEFIRS

COPEGJCL

COPEGJCL

FIR3FDYN

BATCHGEN

EXTERNAL


3.4

COPEFIR3

COPEFIRS

COPEGJCL

COPEGJCL

FIR35

BATCHGEN

EXTERNAL


3.5

COPEFIR3

COPEHAL

COPEHAL


3.6

COPEFIR3

COPEFIRS

COPEGJCL

COEPGJCL

FIR36

EXTERNAL

BATCHGEN


3.7

COPEFIR3

COPEFIRS

COPEGJCL

COPEGJCL

FIR37

EXTERNAL

BATCHGEN


3.8

COPEFIR3

COPEFIRS

FIR39

***********

HIDDEN- COMMANDS





JOB

COPEFIR1

CATGET

JOBDISPL

***********






4


COPEFIRS

COPEFIR4


4.1

COPEFIR4

COPEFIRS

COPESTG1

COPESTG1

FIR41

BSTG1GM

REFRESH


4.2

COPEFIR4

COPEFIRS

FIR41A


4.3

COPEFIR4

COPEFIRS

FIR42


4.4

COPEFIR4

COPEPSB

COPEBSB

COPEPSB

BKPSBG


4.5

COPEFIR4

COPEACB

COPEACB


4.6

COPEFIR4

COPEFIRS

COPESTG1

FIR47

REFRESH


4.7

COPEFIR4

COPEGJCL

GNMFSTAB


PACK

COPEFIR4

COPEBB2

COPEBB2


4.8

COPEFIR4

COPEPSB

COPEACB

REMAKEEX

BCKGENP


4.9

COPEFIR4

COPESTG1

COPESTG1

DODGF

BTCHDEF


4.10

COPEFIR4

COPEDEBG

COPEDEBG


4.11

COPEFIR4

COPEFIRS

FIR411

***********

HIDDEN- COMMANDS





JOB

COPEFIR1

CATGET

JOBDISPL

***********





---------------------

5

FOR DCCTL

-------------------------

---------------------


5.1

COPEFIRF

COPEFIRS

FIR51


5.2

COPEFIRF

COPEFIRS

FIR52


5.3

COPEFIRF

COPEFIRS

FIR53


5.4

COPEFIRF

COPEFIRS

FIR54


5.5

COPEFIRF

COPEFIRS

FIR55


5.6

COPEFIRF

COPEFIRS

FIR56


5.7

COPEFIRF

COPEFIRS

FIR57


5.8

COPEFIRF

COPEFIRS

FIR58


5.L

COPEFIRF

COPEFIRS

FIR5L


5.9

COPEFIRF

COPELIBR

PRINTOUT


5.10

COPEFIRF

COPE

SCANIT


5.11

COPEFIRF

COPEDSN

COPEDSN

***********

HIDDEN- COMMANDS





JOB

COPEFIR1

CATGET

JOBDISPL

***********





----------------------

5

FOR IMS AND DBCTL

------------------------

-------------------


5.1

COPEFIR5

COPEFIRS

FIR51


5.2

COPEFIR5

COPEFIRS

FIR52


5.3

COPEFIR5

COPEFIRS

FIR53


5.4

COPEFIR5

COPEFIRS

FIR54


5.5

COPEFIR5

COPEFIRS

FIR55


5.6

COPEFIR5

COPEFIRS

FIR56


5.7

COPEFIR5

COPEFIRS

FIR57


5.L

COPEFIR5

COPEFIRS

FIR5L


5.8

COPEFIR5

COPELIBR

PRINTOUT


5.9

COPEFIR5

COPE

SCANIT


5.10

COPEFIR5

COPEDSN

COPEDSN

***********

HIDDEN- COMMANDS





JOB

COPEFIR1

CATGET

JOBDISPL

***********






6


COPE

COPE7


T or 7

COPEFIRS

COPETRAN

COPETRAN


B

COPESEL1




B.1

COPESEL1

COPEBROW

COPEBROW


B.2

COPESEL1

COPEEDIT

COPEEDIT


B.3

COPEUTIL




B.3.1

COPEUTIL

COPELIBR

COPELIBR


B.3.2

COPEUTIL

COPELIBS

COPELIBS


B.3.3

COPEUTIL

COPEMVCO

COPEMVCO


B.3.4

COPEUTIL

COPEEXP

EXPORT


B.3.5

COPESCN




B.3.5.1

COPESCN

COPESCAN

COPESCAN


B.3.5.2

COPESCAN

COPE

SCANIT


B.3.6

COPEUTIL

CATGET

REPLACEX


B.3.7

COPECOM2




B.3.7.1

COPECOM2

COPECCOM

COPECEXT


B.3.7.2

COPECOM2

COPECCOM

COPECCOM


B.3.8

COPEDSNS




B.3.8.1

COPEDSNS

COPEDSN

COPEDSNC


B.3.8.2

COPEDSNS

COPEDSN

COPEDSN


B.3.9

COPEUTIL

COPEDGEN

COPEDIN


B.3.10

COPEUTIL

COPEIMLD

COEPIMLD


B.3.11

COPEUTIL

COPEINTG

COPEINTG


B.3.13

COPEUTIL

COPEDBC

COPEDBC


B.3.14

COPEUTIL

COPEHAL

COPEHAL


B.3.15

COPEUTIL

COPEBB2

COPEBB2


B.3.16

COPEUTIL

COPESWAP

COPESWAP


B.3.6

COPEUTIL

CATGET

REPLACEX


B.2

COPEADMN




B.4.1

COPEADMN

COPE

COPELDNM


B.4.2

COPEADMN

COPESTG1

STAGE1


B.4.3

COPEADMN

COPE

COPEDRAW


B.4.4

COPEADMN

COPE

RELATED


B.4.5

COPEADMN

COPEJDEF

COPEJDEF


B.4.6

COPEADMN

COPECALL

COPECALL


B.4.7

COPEADMN

COPEPSB

COPEPSB


B.4.8

COPEADMN

COPEACB

COPEACB


B.4.9

COPEADMN

COPEJCL

COPEJCL


B.4.10

COPEADMN

COPEDB2

COPEDB2


B.4.11

COPEADMN

COPESTG1

MDS


B.4.12

COPEADMN

COPEUJCL

COPEMSC


B.4.13

COPEADMN

COPESTG1

VDATE


B.4.14

COPEADMN

COPEALLO

COPEALLO


B.5

COPEUTSE




B.5.1

COPEUTSE

COPEBTLD

COPEBTLD


B.5.2

COPEUTSE

COPEJCLU

COPEJCLU


B.5.3

COPEUTSE

COPETABU

COPETABU


B.5.4

COPEUTSE

COPETABR

COPETABR


B.5.5

COPEUTSE

COPEITAB

COPEITAB


B.5.6

COPEUTSE

COPEXREF

COPEXREF


B.5.7

COPEUTSE

COPECGEN

COPECGEN


B.5.8

COPEUTSE

COPEBTLO

COPECAPT


B.5.9

COPEUTSE

COPEORPH

COPEORPH


B.5.10

COPEMAIN




B.5.10.1

COPEMAIN

COPEORPH

COPEORPI


B.5.10.2

COPEMAIN

COPEFIND

COPEFIND


B.5.10.3

COPEMAIN

COPEDIND

COPEDIND


B.5.10.4

COPEMAIN

CATGET3

SYNCDYN


B.5.10.5

COPEMAIN

COPEGJCL

GNMFSTAB


B.5.10.6

COPEMAIN

COPELDBD

COPELDBD


B.5.10.7

COPEMAIN

COPECMFS

COPECMFS


B.5.10.8

COPEMAIN

COPECPSB

COPECPSB


B.5.10.9

COPEMAIN

COPECDBD

COPECDBD


B.5.10.10

COPEMAIN

COPEBDIR

COPEBDIR


B.5.10.11

COPEMAIN

COPEDBDX

COPEDBDX


B.5.10.12

COPEMAIN

COPEDUMP

COPEDUMP


B.5.10.13

COPEMAIN

COPESTUX

COPESTUX


B.5.10.14

COPEMAIN

COPEDBRC

COPEDBRC


B.5.10.15

COPEMAIN

COPEPREL

COPEPREL


B.5.10.16

COPEMAIN

COPEMSDB

COPEMSDB


B.5.10.17

COPEMAIN

COPELOAD

COPEDOUT


B.5.10.18

COPEMAIN

COPEDORE

COPEDORE


B.6

COPESEL1

COPEDEBG

COPEDEBG


B.7

COPESEL1

COPE

COPE7


B.8

COPESEL1

COPEPANL

COPEWIZ


B.9

COPESEL1

COPESPOC

COPESPOC


B.99

COPEUTSE

COPETABR

COPETABS


9


COPESPOC

COPESPOC

**************

HIDDEN COMMANDS





XSPLB


COPEXXSP

XBROWSE


TEDIT


TDFSET

TEDITT


SCAN


COPE

SCANIT


DA

COPEDSNS




INSTALL


INSTALL

INSTALL


LOAD


COPELOAD

COPELOAD


VV


COPE

VBNF


CPUID


COPE

CPUID


CMNUM


COPESTAT

COPESTAT


EVARS


COPEEVAR

COPEEVAR


SVAR

COPESVAR




VT

VTABM000




DBRC


COPEDABI

COPEDABI


OTHER


COPE

OTHERUSR


GENASM


COPEASM

COPEASM


JOB


COPE

JOBSTAT


EDIT

EXECUTE ISREDIT




UTIL

ISRUTIL




ISPFTEST

EXECUTE ISPYXDR




REFRESH


COPERNAM

COPERNAM


RELOAD

COPERELO

COPERELO



CCSID


COPECCSI

COPECCSI


MEM


GENCTL

GENCTL


HALDB

EXEC DSPXPDDU




POUT

EXEC CLIST LKEDOM




SSPOC

EXEC STARTSPC




 
