Activating the RACF FACILITY class profiles

To set the security environment for DFSMShsm commands, you must activate the RACF® FACILITY class before DFSMShsm is started. DFSMShsm uses RACF FACILITY class checking if the RACF FACILITY class is active. If you have not defined the new profiles, every DFSMShsm command fails.

Table 1 lists examples of the RACF commands that provide storage administrators access to a specific storage administrator command and a specific end user command while denying access for other users.

Table 1. Minimum RACF Commands for DFSMShsm
RACF command	Purpose
SETROPTS CLASSACT(FACILITY)	Defines the FACILITY class as active.
SETROPTS RACLIST(FACILITY)	Activates the sharing of in-storage profiles (improves performance).
RDEFINE FACILITY STGADMIN.ARC.command UACC(NONE)	Defines a default, denying all users access to the specific storage administrator command.
PERMIT STGADMIN.ARC.command CLASS(FACILITY) ID(user1) ACCESS(READ)	Allows user1 to issue the specific storage administrator command.
RDEFINE FACILITY STGADMIN.ARC.ENDUSER.command UACC(NONE)	Defines a default, denying all users access to the specific user command.
PERMIT STGADMIN.ARC.ENDUSER.command CLASS(FACILITY) ID(user1) ACCESS(READ)	Allows user1 to issue the specific user command.
SETROPTS RACLIST(FACILITY) REFRESH	Refreshes in-storage profile lists.

Table 2 shows how you can expand the minimal list of RACF commands to further restrict access for storage administrator commands.

Table 2. Expanded RACF Commands for DFSMShsm
RACF command	Purpose
PERMIT STGADMIN.ARC.ADDVOL CLASS(FACILITY) ID(user2) ACCESS(READ)	Allows user2 to issue the ADDVOL command only.
RDEFINE FACILITY STGADMIN.ARC.ENDUSER.HMIGRATE UACC(NONE)	Defines a default, allowing no user access to the HMIGRATE user command.