Ingolf24 120000DRN3 Visits (3823)
I am currently looking into a security requirement, which I received from a customer. It is in our new Request for Enhancements (RFE) database.
The request asks to "Eliminate the DTSECTAB" (RFE number 50467, was MR0605134213).
Some background on z/VSE's security concept:
z/VSE provides batch and online security - supported by the z/VSE Basic Security Manager (BSM). Instead of the BSM you may choose an external security manager from a vendor.
You may protect resources to be used by batch jobs with our batch security, which can be activate with the IPL parameter SYS SEC=YES. Resources to be protected are defined in the DTSECTAB. Resources can be files, libraries, sublibraries or members, The DTSECTAB is generated (compiled) by the z/VSE user. A batch job may be authorized via user id / password to access these resources (e.g. via the JCL ID statement).
In the online environment the CICS Transaction Server (CICS TS) authorizes users to access online resources such as transactions. CICS uses RACROUTE calls (a security programming interface) to verify, if a user is authorized to access a resource.
The BSM manages and provides the access control information to the RACROUTE services. BSM runs in a server partition, which is started after system initialization, usually in partition FB.
Access control information such as
To verify the access to a batch resource the z/VSE system uses the SECHECK instead of the RACROUTE services.
Now back to the requirement: There are two possible implementations to "Eliminate the DTSECTAB":
Which one would you like more ?
More information on z/VSE securty is in the
We also have a z/VSE service section for security APARs. That section is here.