z/OS HCD User's Guide
SC34-2669-00

Providing additional security for devices

If your system has stringent security requirements and includes Resource Access Control Facility (RACF), you can ensure that only authorized users and programs can allocate unit record, communication, or graphics devices. Typical programs that need this access are Print Services Facility (PSF) for printers, Advanced Communication Facility/Virtual Telecommunications Access Method (ACF/VTAM) for communication or graphics devices, and JES2 or JES3 for unit record, communication, or graphics devices. The authorization check is made against the user ID under which the allocating program runs, so it is that user ID (or a group it belongs to) that must be permitted to the device.

When a user attempts to allocate a device, the system uses SAF (the system authorization facility) to issue an authorization check. If RACF is installed and the DEVICES class is active, RACF checks the profile in the DEVICES class that covers the device; the user needs at least READ access to that profile. If the user does not have authority to access the device, the allocation fails, and the system does not retry an allocation request that fails for this reason. If the DEVICES class is not active, no device-level check is made and allocation proceeds as it would without RACF.

Work with your RACF security administrator to set up profiles in the DEVICES class:

  1. Determine your exact security requirements. Consider questions such as these:
    • Are there some devices that only a few users can use?
    • Are there some devices that all users can use?
    • Do some devices share the same security requirements?
  2. Work with your RACF security administrator to assign profile names for the devices to be protected. Assign a discrete profile name to each device that has a unique security requirement. Assign a generic profile name to each device group that shares security requirements. For devices, RACF profile names have the form sysid.device-class.unit-name.device-number, where the qualifiers are:
    sysid
      The system identifier, which is defined on the SYSNAME keyword in the IEASYSxx member of SYS1.PARMLIB.
      Note: The system identifier is necessary only if different devices with the same device class, unit name, and device number can be attached to multiple systems and have different security requirements. In most cases, specify an asterisk (*) for this qualifier. Because the asterisk is a generic character, a profile that uses it is a generic profile, and generic profile checking must be active for the DEVICES class.
    device-class
      One of the following UCB device classes (the same class names are used on the DISPLAY U operator command):
      TP       Teleprocessing or communications devices
      UR       Unit record devices
      GRAPHIC  Graphic devices
    unit-name
      A generic name (such as 3800) that identifies the device or devices.
    device-number
      The device number (the device address referred to in the note above) of the device to be protected.
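The following REXX exec carries out the two steps above for a hypothetical 3800 printer. It is an added example and is not part of the HCD User's Guide or of any IBM-supplied exec; the system identifier SYS1, device number 0C0E, user ID PSFUSER and group PRTADMS are assumed placeholders, and the RACF commands (SETROPTS, RDEFINE, PERMIT, RLIST) are the standard ones documented in the RACF command reference.

```rexx
/* REXX: added example, not from the HCD User's Guide.                  */
/* Protects a hypothetical 3800 printer at device number 0C0E on system */
/* SYS1 with a discrete DEVICES profile, and every other 3800 printer   */
/* with one generic profile. SYS1, 0C0E, PSFUSER and PRTADMS are        */
/* assumed placeholders; replace them with your own values.             */
address tso

/* Allow generic (wildcard) profile names in the DEVICES class. Needed  */
/* for any profile that uses "*" in a qualifier, including the sysid.   */
"SETROPTS GENERIC(DEVICES)"

/* Discrete profile: sysid.device-class.unit-name.device-number.        */
/* The real sysid is given so that the profile stays discrete and       */
/* matches exactly this device on exactly this system. Writing "*" for  */
/* the sysid instead would make it a generic profile that matches the   */
/* same device number on any system. UACC(NONE): no access unless       */
/* explicitly permitted.                                                */
"RDEFINE DEVICES SYS1.UR.3800.0C0E UACC(NONE)"

/* Generic profile covering every other 3800 printer on any system.     */
/* RACF uses the discrete profile where one exists and otherwise the    */
/* most specific matching generic profile.                              */
"RDEFINE DEVICES *.UR.3800.* UACC(NONE)"

/* Allocation checks for READ access. Grant it only to the user ID      */
/* under which PSF runs and to the printer administration group.        */
"PERMIT SYS1.UR.3800.0C0E CLASS(DEVICES) ID(PSFUSER) ACCESS(READ)"
"PERMIT *.UR.3800.*       CLASS(DEVICES) ID(PRTADMS) ACCESS(READ)"

/* Activate the class and load its profiles into storage. Until the     */
/* class is active, allocation makes no device-level check at all.      */
"SETROPTS CLASSACT(DEVICES) RACLIST(DEVICES)"

/* Every later RDEFINE, RALTER or PERMIT needs a refresh, otherwise     */
/* allocation keeps using the old in-storage copy of the profiles.      */
"SETROPTS RACLIST(DEVICES) REFRESH"

/* Verify: show each profile with its access list.                      */
"RLIST DEVICES SYS1.UR.3800.0C0E AUTHUSER"
"RLIST DEVICES *.UR.3800.*       AUTHUSER"
exit 0
```

Run the exec from TSO under a user ID with the RACF SPECIAL attribute, since SETROPTS requires it; after it completes, an allocation of device 0C0E by a user ID other than PSFUSER fails and is not retried, while PRTADMS members can still allocate the other 3800 printers covered by the generic profile.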

For more details, see z/OS Security Server RACF Security Administrator's Guide.

Copyright IBM Corporation 1990, 2014