To establish authorization to access VSAM RLS resources, assign
a RACF attribute of PRIVILEGED or TRUSTED to the VSAM RLS server address
space, SMSVSAM.
With PRIVILEGED, most RACROUTE REQUEST=AUTH macro instructions
done for SMSVSAM are considered successful, without any checking being
performed. The checking done for the CHKAUTH operand on the RACROUTE
REQUEST=DEFINE macro instruction is also bypassed. All other RACF
processing occurs as usual. RACF does not:
- Call any exit routines
- Generate any SMF records
- Update any statistics.
TRUSTED is similar to PRIVILEGED. Most RACROUTE REQUEST=AUTH macro
instructions that are done for SMSVSAM are considered successful,
without any checking being performed. RACF does not:
- Call any exit routines
- Update any statistics.
RACF does generate SMF records that are based on the audit options
specified in SETROPTS LOGOPTIONS and the UAUDIT setting in the USER
ID profile.
If the VSAM RLS server address space is neither PRIVILEGED nor
TRUSTED, grant the SMSVSAM server the appropriate access authorization:
- Add SMSVSAM with the STARTED attribute if you are using a started
task group.
- Authorize SMSVSAM for update access to SYS1.DFPSHCDS.* data sets.
If you protect SYS1.* data sets, be sure SMSVSAM is able to access
SYS1.DFPSHCDS.* for update.
- If you protect volumes that contain RLS-accessed data, then authorize
SMSVSAM for update access to the volume profiles.
- To use the access method services SHCDS command, you must be authorized
to the STGADMIN.IGWSHCDS.REPAIR resource in the FACILITY class. The
SHCDS command lists SMSVSAM recovery associated with subsystems and
spheres, and controls that recovery.
You should also ensure that only those users who need the capability,
such as CICS subsystems, have access to register a subsystem name
to SMSVSAM. Use the RACF subsystem name class to restrict this access.
For more information, refer to CICS Transaction Server for z/OS
Release Guide.
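
The two ways of authorizing SMSVSAM described above, written as a REXX exec that issues the RACF commands under TSO. This is an added example, not taken from the IBM documentation. Assumptions: every user ID, group, volume serial and subsystem name is a placeholder, volumes are taken to be protected in the DASDVOL class, and the access levels on the FACILITY and SUBSYSNM profiles should be confirmed against your installation's requirements.

```rexx
/* REXX: added example, run under TSO by a RACF administrator       */
trusted  = 0            /* 1 = TRUSTED started task, 0 = explicit permits */
smsuser  = 'SMSVSAM'    /* assumed user ID of the SMSVSAM address space   */
stcgroup = 'STCGROUP'   /* hypothetical started-task group                */
volser   = 'RLS001'     /* hypothetical volume holding RLS-accessed data  */
admin    = 'STGADM1'    /* hypothetical storage administrator             */
subsys   = 'CICSRLS1'   /* hypothetical subsystem name to register        */
cicsid   = 'CICSRGN1'   /* hypothetical CICS region user ID               */
n = 0

if trusted then
  /* TRUSTED bypasses authorization checks but SMF auditing still applies */
  call add "RDEFINE STARTED SMSVSAM.* STDATA(USER("smsuser")",
           "GROUP("stcgroup") TRUSTED(YES))"
else do
  /* Neither PRIVILEGED nor TRUSTED: grant only the access SMSVSAM needs  */
  call add "RDEFINE STARTED SMSVSAM.* STDATA(USER("smsuser")",
           "GROUP("stcgroup"))"
  call add "ADDSD 'SYS1.DFPSHCDS.*' UACC(NONE)"   /* omit if profile exists */
  call add "PERMIT 'SYS1.DFPSHCDS.*' ID("smsuser") ACCESS(UPDATE)"
  call add "PERMIT "volser" CLASS(DASDVOL) ID("smsuser") ACCESS(UPDATE)"
end
call add "SETROPTS RACLIST(STARTED) REFRESH"

/* Limit the SHCDS command to named administrators (level is an assumption) */
call add "RDEFINE FACILITY STGADMIN.IGWSHCDS.REPAIR UACC(NONE)"
call add "PERMIT STGADMIN.IGWSHCDS.REPAIR CLASS(FACILITY) ID("admin")",
         "ACCESS(READ)"

/* Only listed user IDs may register this subsystem name with SMSVSAM     */
call add "RDEFINE SUBSYSNM "subsys" UACC(NONE)"
call add "PERMIT "subsys" CLASS(SUBSYSNM) ID("cicsid") ACCESS(UPDATE)"

do i = 1 to n                     /* stop at the first command that fails */
  say cmd.i
  address TSO cmd.i
  if rc <> 0 then do
    say 'RC='rc 'from:' cmd.i
    exit rc
  end
end
exit 0

add: procedure expose cmd. n      /* queue one RACF command               */
  n = n + 1
  cmd.n = arg(1)
  return
```

The exec stops on the first nonzero return code, so a profile that already exists must be removed from the list (or changed with RALTER or ALTDSD) before rerunning.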