Defining commands with RACF

Your installation's security policy determines which commands you must protect. A RACF® profile for the command in the OPERCMDS class protects the command. When an operator logs on to a console and issues an MVS™ command that requires a higher authority than the console allows, RACF can check the access list of the command profile to determine if the user is authorized to issue the command.

To link the command the operator issues with the profile that protects the command, MVS provides a construct, or structure, called a resource-name for each command.

The resource-name for an MVS command has the following parts:

  MVS.command.command-qualifier.command object

where:

MVS

Is the high-level qualifier that defines the command as a system command. MVS is a required part of the resource-name. Subsystem commands use a different high-level qualifier, such as JES2 or JES3.

command

Specifies the command or a specific variation of the command. To protect an individual command, this part of the resource-name is required. It also allows you to control significant variations of a command separately. For example, FORCE without the ARM operand has a different effect than does FORCE with the ARM operand; you can thus specify either FORCE or FORCEARM to control the two uses separately.

command-qualifier

Specifies a subfunction of the command. This part of the resource-name is optional. It allows you to protect specific command subfunctions separately. For example, the following resource-name protects all functions of the TRACE command:

  MVS.TRACE.**

In contrast, the following resource-names protect each function of the TRACE command separately:

  MVS.TRACE.ST
  MVS.TRACE.MT
  MVS.TRACE.CT
  MVS.TRACE.STATUS

command-object

Specifies the object or target of the command. This part of the resource-name is optional. Examples of objects or targets include:

The device on a CANCEL command
The jobname on a MODIFY command
The membername on a START command

MVS Commands, RACF Access Authorities, and Resource Names in z/OS MVS System Commands defines the MVS commands and their corresponding resource-names. It also shows the RACF access authority associated with each command. To define resource profiles for system commands, the RACF security administrator can use the resource-names exactly as shown in MVS Commands, RACF Access Authorities, and Resource Names, or replace the optional fields with asterisks or, for command-object, specific values. In the command profile, the security administrator also defines the auditing requirements and the users or groups allowed to issue the command in the profile's access list.

When an operator issues an MVS command with a RACF profile, MVS determines the resource-name that matches the command and passes that resource-name to RACF. RACF uses the resource-name to locate the profile for the command and verifies that the operator is allowed to issue the command by checking the access list in the profile. If RACF authorizes the access, MVS processes the command; if RACF denies the access, MVS rejects the command. If your installation has user-written commands that you must protect, use the CMDAUTH macro; see z/OS MVS Programming: Authorized Assembler Services Guide and z/OS MVS Programming: Authorized Assembler Services Reference ALE-DYN.

To create profiles for MVS system commands that you do not have to change frequently, it is a good idea to end each name with two asterisks, which indicate that the profile protects all commands that match the specified portion of the resource-name, regardless of whether there are additional qualifiers or how many additional qualifiers there are. For example, use:

  MVS.SET.**

to protect all SET commands with a single profile.