You can use RACF® authorization to limit access to the following categories of ISMF functions:
- The entire ISMF component
- The individual ISMF applications:
  - Profile
  - Data Set
  - DASD Volume
  - Mountable Optical Volume
  - Management Class
  - Data Class
  - Storage Class
  - Storage Group
  - Automatic Class Selection
  - Control Data Set
  - Aggregate Group
  - Library Configuration
  - Drive Configuration
  - Data Collection
  - Copy Pool
  - List
  - Mountable Tape Volume
  - Tape Library
- The ISMF line operators
- The ISMF commands
ISMF relies on the RACF program control feature to protect many of its applications. The RACF program control feature prevents unauthorized end users from running selected ISMF programs. To use the feature, you must activate the RACF Program Class and define your selected ISMF programs to RACF.
With RACF program control you can set up authorization levels for each of these categories, varying the level within a particular category to suit the needs of your installation. Individual end users can execute an ISMF function if one of the following conditions is true:
- They are authorized to execute the corresponding load module.
- Their RACF profile contains the OPERATIONS attribute.
- Their group is authorized to execute the load module.
- RACF is disabled or the program control feature is turned off.
- The universal access authority (UACC) for the load module is READ or greater, making the load module available to anyone who can access ISMF.
Recommendation: Protect these functions with RACF program control to make sure that only particular users can use the storage administrator applications and functions. Because a TSO/E user can change their own user mode level, which is stored in the user's ISPF profile, protect the functions at a different level than user mode level.
The RACF program resource class allows the security administrator to protect various ISMF applications and functions with program control. This is achieved by controlling the access to load modules which are invoked by:
- ISMF Applications
- ISMF Line Operators
- ISMF Commands
The load modules reside in the following libraries:
- SYS1.DGTLLIB for DFSMSdfp/ISMF
- SYS1.DGTLLIB for DFSMSdss/ISMF
- SYS1.DFQLLIB for DFSMShsm
If the installation moves these modules to another load library, the installation-defined load library must be used in the program protection.
To protect a load module, use the RDEFINE RACF command. The syntax of this command is:
RDEFINE PROGRAM mod-name OWNER(owner of profile) +
UACC(NONE) ADDMEM('dsn of loadlib'/volser/NOPADCHK)
See z/OS Security Server RACF Security Administrator's Guide for a detailed description of how to use the RACF program control features.
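The following command sequence is an added example, not part of the original documentation. It carries the RDEFINE syntax above through the full procedure of activating program control, defining one ISMF load module, granting access to a group, and checking the result. `mod-name` and `volser` are the placeholders from the syntax above; the owner `SECADM` and the group `SMSADM` are hypothetical names.

```tso
/* Added example: protect one ISMF load module with program control. */
/* mod-name and volser are placeholders; SECADM (profile owner) and  */
/* SMSADM (storage administrator group) are hypothetical names.      */

/* 1. Activate RACF program control (the PROGRAM class).             */
SETROPTS WHEN(PROGRAM)

/* 2. Define the load module with UACC(NONE) so that it is not       */
/*    available to everyone who can access ISMF. If the module was   */
/*    moved, name the installation-defined load library instead.     */
RDEFINE PROGRAM mod-name OWNER(SECADM) +
  UACC(NONE) ADDMEM('SYS1.DGTLLIB'/volser/NOPADCHK)

/* 3. Authorize the storage administrator group to execute it.       */
PERMIT mod-name CLASS(PROGRAM) ID(SMSADM) ACCESS(READ)

/* 4. Refresh the in-storage program profiles so that the new        */
/*    definition and access list take effect.                        */
SETROPTS WHEN(PROGRAM) REFRESH

/* 5. Review the profile: confirm UACC is NONE, the member entry     */
/*    names the correct library, and only SMSADM is on the access    */
/*    list.                                                          */
RLIST PROGRAM mod-name ALL
```

Repeat steps 2 and 3 for each load module you want to restrict, then issue the refresh in step 4 once.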