Defining RACF access rules


Strobe profiles must be defined in one of the following:

  • The FACILITY general resource class.
  • A user-defined security class. Refer to IBM’s z/OS Security Server RACF Administrator’s Guide for information about defining user security classes.

RACF has the following requirement for the profile name:

  • The profile name must start with a dollar sign ($).

To define access rules for RACF, complete the following steps:

1. Initialize the resource class with three SETROPTS commands.

SETROPTS CLASSACT(FACILITY)

Activates the FACILITY resource class.

SETROPTS GENERIC(FACILITY)

Allows generic profiles in the FACILITY class.

SETROPTS GENLIST(FACILITY)

Keeps the generic profiles of the class in storage for faster access checking. Because the in-storage copy is used for checking, issue SETROPTS GENERIC(FACILITY) REFRESH after you add or change generic profiles in the class; until then the old profiles remain in effect.

Tip

If your site has created a user-defined security class, replace the FACILITY general resource class with your user-defined security class in the SETROPTS commands (and in the CLASS operand of the RDEFINE and PERMIT commands that follow).

2. Use the RDEFINE command to establish a generic profile for each type of job that can be measured. Repeat the following command for the five job types: job, stc, tsu, appc, omvs.

RDEFINE FACILITY $STROBE.sysname.jobtype.* UACC(NONE)

The high-level qualifier $STROBE must match the value of the PROFILE keyword in your PARMLIB. UACC(NONE) gives users no access to the jobs unless they are explicitly permitted in step 3. See RDEFINE and PERMIT Keywords for a definition of the RDEFINE variables.

3. Use the PERMIT command to selectively grant users access to specific jobs. Establish READ access for a user or group, repeating for every user or group that requires access to the jobs. PERMIT adds an entry to the access list of an existing profile, so to grant access to a narrower set of jobs than a step 2 profile covers, first define a profile for that job name or prefix with RDEFINE (again with UACC(NONE)) and then issue the PERMIT against it, as Example 2 below does. See RDEFINE and PERMIT Keywords for a definition of the PERMIT variables.

PERMIT $STROBE.sysname.jobtype.jobname CLASS(FACILITY) ID(userid|grp) ACCESS(READ)

4. Use the RDEFINE command to establish privileged access for MANAGER and ADMIN functions.

  • Specify a $STROBE.MANAGER profile to control batch starts of the Strobe address space.
    RDEFINE FACILITY $STROBE.MANAGER UACC(NONE)
  • Specify a $STROBE.ADMIN profile to control access to Strobe administrative functions.
    RDEFINE FACILITY $STROBE.ADMIN UACC(NONE)

5. Use the PERMIT command to add specific users or groups to the access list for MANAGER or ADMIN authority, repeating for every user or group that requires access.

PERMIT $STROBE.authtype CLASS(FACILITY) ID(userid|grp) ACCESS(READ)
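The whole procedure in one pass, as an added Python example that is not part of the Strobe documentation: it takes a description of systems, job types, job-name prefixes, IDs and privileged users, applies the naming rules above (the $ high-level qualifier, the five job types, MANAGER and ADMIN only), and emits the SETROPTS, RDEFINE and PERMIT commands in the order steps 1 to 5 prescribe, defining every profile exactly once with UACC(NONE) before any PERMIT names it and closing with SETROPTS GENERIC(FACILITY) REFRESH so that a GENLISTed class picks up the new generic profiles. The Grant and StrobeRules names and the ID-length check are this example's own assumptions; the constructed sample input reproduces Examples 2 and 3 below.

```python
"""Generate the RACF command sequence for Strobe access rules.

Added example, not part of the Strobe documentation. It turns a small rule
description into SETROPTS / RDEFINE / PERMIT commands in the order the
procedure above prescribes, refuses input that breaks the page's naming
rules, and ends with the generic-profile refresh a GENLISTed class needs.
"""
from dataclasses import dataclass, field

JOBTYPES = ("JOB", "STC", "TSU", "APPC", "OMVS")   # the five Strobe target types
AUTHTYPES = ("MANAGER", "ADMIN")                   # privileged Strobe functions


@dataclass
class Grant:                 # hypothetical helper type, not a Strobe construct
    sysname: str             # MVS system name from IEASYSxx
    jobtype: str             # one of JOBTYPES
    jobname: str             # exact job name, or a prefix ending in '*'
    ids: tuple               # user IDs or groups that get READ


@dataclass
class StrobeRules:           # hypothetical helper type, not a Strobe construct
    hlq: str = "$STROBE"         # must match the PROFILE keyword in PARMLIB
    resclass: str = "FACILITY"   # or a site-defined general resource class
    grants: list = field(default_factory=list)
    privileged: dict = field(default_factory=dict)  # authtype -> tuple of ids


def _check_id(name):
    # RACF user IDs and group names are 1 to 8 characters with no blanks.
    if not 1 <= len(name) <= 8 or " " in name:
        raise ValueError(f"invalid user ID or group name: {name!r}")


def validate(rules):
    """Raise ValueError on anything the procedure above would reject."""
    if not rules.hlq.startswith("$"):
        raise ValueError("profile high-level qualifier must start with '$'")
    for g in rules.grants:
        if g.jobtype.upper() not in JOBTYPES:
            raise ValueError(f"unknown job type {g.jobtype!r}, expected one of {JOBTYPES}")
        if not g.sysname or not g.jobname or not g.ids:
            raise ValueError("sysname, jobname and at least one ID are required")
        for i in g.ids:
            _check_id(i)
    for auth, ids in rules.privileged.items():
        if auth.upper() not in AUTHTYPES:
            raise ValueError(f"unknown authorization type {auth!r}")
        for i in ids:
            _check_id(i)


def render_commands(rules):
    """Return the RACF commands, one per list element, in the prescribed order."""
    validate(rules)
    c = rules.resclass.upper()
    hlq = rules.hlq.upper()
    cmds = [f"SETROPTS CLASSACT({c})", f"SETROPTS GENERIC({c})", f"SETROPTS GENLIST({c})"]
    defined = set()

    def rdefine(profile):
        # RDEFINE of an existing profile fails, so emit each profile once;
        # UACC(NONE) closes it to everyone until a PERMIT opens it.
        if profile not in defined:
            defined.add(profile)
            cmds.append(f"RDEFINE {c} {profile} UACC(NONE)")

    # Step 2: one closed generic profile per system and job type.
    for sysname in sorted({g.sysname.upper() for g in rules.grants}):
        for jt in JOBTYPES:
            rdefine(f"{hlq}.{sysname}.{jt}.*")

    # Step 3: PERMIT needs a profile to attach to, so a narrower job-name
    # profile is defined (still UACC(NONE)) before READ is granted on it.
    for g in rules.grants:
        profile = f"{hlq}.{g.sysname}.{g.jobtype}.{g.jobname}".upper()
        rdefine(profile)
        for i in g.ids:
            cmds.append(f"PERMIT {profile} CLASS({c}) ID({i.upper()}) ACCESS(READ)")

    # Steps 4 and 5: MANAGER and ADMIN are always defined closed, then opened per ID.
    for auth in AUTHTYPES:
        rdefine(f"{hlq}.{auth}")
    for auth, ids in rules.privileged.items():
        for i in ids:
            cmds.append(f"PERMIT {hlq}.{auth.upper()} CLASS({c}) ID({i.upper()}) ACCESS(READ)")

    # GENLIST keeps generic profiles in storage; new or changed generic
    # profiles are not used for checking until the in-storage copy is refreshed.
    cmds.append(f"SETROPTS GENERIC({c}) REFRESH")
    return cmds


if __name__ == "__main__":
    # Constructed input reproducing Examples 2 and 3 from the page.
    rules = StrobeRules(
        grants=[Grant("SYSB", "JOB", "RED*", ("SUSAN", "JERRY"))],
        privileged={"MANAGER": ("SMITH",), "ADMIN": ("JONES",)},
    )
    print("\n".join(render_commands(rules)))
```

The printed lines can be fed as SYSTSIN input to a TSO batch job (IKJEFT01) or pasted into a TSO session; review the list first, since every PERMIT is a grant of READ on a profile that was closed by UACC(NONE).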

RDEFINE and PERMIT Keywords

Keyword: Function

sysname
    Provide the MVS system name, as specified in the IEASYSxx member of SYS1.PARMLIB.

jobtype
    Name the type of target address space: job for batch jobs, stc for started tasks, tsu for TSO user IDs, appc for advanced program-to-program communication, omvs for OpenEdition.

jobname
    The job name, or the set of job names with a common prefix, of the targets to which RACF allows access. Identify a set of names with a common prefix by placing an asterisk (*) after the prefix. For example:

      • MEASURE1 specifies access only to the job named MEASURE1.
      • M* specifies access to all jobs whose job names begin with M.

userid
    Provide the user ID of the submitter of the request.

grp
    Specify the RACF group to which the user ID of the request submitter is connected.

authtype
    Specify the Strobe authorization type: MANAGER for batch starts of the Strobe address space, or ADMIN for access to Strobe administrative functions.

Task 3.5.1: Initialize the RACF Examples

Each of the RACF examples assumes that the following commands have been issued once at the beginning of the access definition:

SETROPTS CLASSACT(FACILITY)
SETROPTS GENERIC(FACILITY)
SETROPTS GENLIST(FACILITY)

Example 1: Access to a Specific System

The following commands give users belonging to the group STROBERS access to all address spaces running on system SYSA:

RDEFINE FACILITY $STROBE.SYSA.* UACC(NONE)
PERMIT $STROBE.SYSA.* CLASS(FACILITY) ID(STROBERS) ACCESS(READ)

Example 2: Access to a Set of Jobs

The following commands give the user IDs SUSAN and JERRY access to all batch jobs on system SYSB whose job names begin with RED.

RDEFINE FACILITY $STROBE.SYSB.JOB.RED* UACC(NONE)
PERMIT $STROBE.SYSB.JOB.RED* CLASS(FACILITY) ID(SUSAN) ACCESS(READ)
PERMIT $STROBE.SYSB.JOB.RED* CLASS(FACILITY) ID(JERRY) ACCESS(READ)

Example 3: Privileged Access to a Session Manager

The following commands authorize the user ID SMITH to start Strobe from a batch job and the user ID JONES to administer Strobe.

RDEFINE FACILITY $STROBE.MANAGER UACC(NONE)
RDEFINE FACILITY $STROBE.ADMIN UACC(NONE)
PERMIT $STROBE.MANAGER CLASS(FACILITY) ID(SMITH) ACCESS(READ)
PERMIT $STROBE.ADMIN CLASS(FACILITY) ID(JONES) ACCESS(READ)

Next, skip ahead to Implementing-security-in-a-multisystem-environment.
