z/OS DFSMShsm Implementation and Customization Guide


Authorizing and protecting DFSMShsm resources in a nonsecurity environment

SC23-6869-01

If you do not have RACF® or similar security software installed, you can use either of the two procedures presented here to submit DFSMShsm-authorized commands in a batch environment. Procedure 1, which is the preferred way, allows protection by user ID and therefore provides better data security. Procedure 2 uses a procedure list that is link-edited into an APF-authorized library as an authorized program. One drawback of procedure 2 is that data security is lost if the procedure name becomes known to an unauthorized user.

Procedure 1: In this procedure, the ACCEPTPSCBUSERID parameter of the SETSYS command instructs DFSMShsm to obtain the user ID from the protected step control block (PSCB). It is the installation’s responsibility to ensure that a valid user ID is present in the PSCB. See Determining batch TSO user IDs for more information.

Procedure 2: For this procedure, you can submit operator, storage-administrator, and system-programmer commands for batch processing by defining the HSENDCMD (HSEND) command to the Terminal Monitor Program (TMP) as an authorized command and by providing a STEPLIB or JOBLIB card that points to an Authorized Program Facility (APF) authorized version of module ARCMCMD.

Instead of specifying USER=userid on the JOB card, add the HSENDCMD command (HSEND) to the authorized commands table in TMP so that this command can be invoked and submitted to DFSMShsm as an acceptable authorized command.

CSECT IKJEFTE2, within the IKJEFT02 load module, must be modified to indicate that HSENDCMD alias HSEND is an authorized command and should be attached with APF authorization. This modification should be done to the first entry in IKJEFTE2 that contains eight blanks. One blank entry must remain in the authorized command table to indicate the end of the table.

The DFSMShsm module ARCMCMD, which is the HSENDCMD command processor, must be link-edited into an APF-authorized library as an authorized program. The job submitting the HSENDCMD (HSEND) command must use a STEPLIB or JOBLIB card to this library. Access to this APF library must be restricted to prevent unauthorized use of the HSEND command. It is the responsibility of the system programmer to ensure that any DFSMShsm maintenance to module ARCMCMD is also applied to the authorized copy of ARCMCMD. All concatenated STEPLIBs must be authorized. The APF library name must appear either in the system LINKLIST or in the appropriate APFxx of the SYS1.PARMLIB. Refer to z/OS MVS Initialization and Tuning Guide for additional information about the APFxx. Figure 1 shows a sample job that link-edits the ARCMCMD module to create an authorized copy of ARCMCMD.

Figure 1. Sample Job That Link-Edits the ARCMCMD Module to Create an Authorized Copy of ARCMCMD
//LINKED   EXEC PGM=IEWL,PARM='LIST,LET,NCAL,XREF,RENT,REUS'
//SYSPRINT DD  SYSOUT=A
//SYSUT1   DD  UNIT=SYSDA,SPACE=(CYL,(1,1))
//SYSLMOD  DD  DISP=SHR,DSN=DFHSM.AUTHLIB
//IN       DD  DISP=SHR,DSN=SYS1.CMDLIB
//SYSLIN   DD  *
  INCLUDE IN(HSENDCMD)
  ALIAS HSEND
  SETCODE AC(1)
  ENTRY ARCMCMD
  NAME HSENDCMD(R)
/*

The successful end of this link-editing results in message IEW0461 for ARCWTU2 and ARCCVT.
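The two batch submissions described above, side by side, as an added sketch that is not taken from the guide. The job names, accounting fields, the user ID STGADM1 and the QUERY ACTIVE command are constructed sample values; DFHSM.AUTHLIB is the library name used in Figure 1.

```jcl
//HSMPROC1 JOB (ACCT),'HSEND PROC 1',CLASS=A,MSGCLASS=X,USER=STGADM1
//* Constructed sample. Procedure 1: DFSMShsm is running with
//* SETSYS ACCEPTPSCBUSERID and takes the user ID from the PSCB.
//* USER=userid is given on the JOB card; the installation must
//* ensure that a valid user ID is present in the PSCB.
//* No STEPLIB to an authorized copy of ARCMCMD is needed.
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  HSEND QUERY ACTIVE
/*
//HSMPROC2 JOB (ACCT),'HSEND PROC 2',CLASS=A,MSGCLASS=X
//* Constructed sample. Procedure 2: no USER= on the JOB card.
//* HSENDCMD (HSEND) must already be in the TMP authorized
//* command table (IKJEFTE2), and the STEPLIB must point to the
//* APF-authorized library holding the link-edited ARCMCMD.
//* Every library concatenated to STEPLIB must be APF-authorized.
//* Anyone who can read this library can run HSEND as an
//* authorized command, so restrict access to it.
//TSOBATCH EXEC PGM=IKJEFT01
//STEPLIB  DD  DISP=SHR,DSN=DFHSM.AUTHLIB
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  HSEND QUERY ACTIVE
/*
```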

Refer to z/OS TSO/E Customization for additional information about adding authorized commands to the TSO/E environment. Figure 2 is a graphic overview of the DFSMShsm security environment with RACF.

Figure 2. Overview of DFSMShsm with RACF Environment





Copyright IBM Corporation 1990, 2014