z/OS DFSMSrmm Implementation and Customization Guide


Examples: Checking for authorization when additional security is in use

SC23-6874-00

Before you begin: See z/OS Security Server RACF Security Administrator's Guide for information about how to use the SETROPTS command.

Example 1: This example shows how authorization checking for RMM TSO subcommands is performed when the RACROUTE request is issued in the DATASET class. The request can be issued in the address space where the subcommand is issued or in the DFSMSrmm subsystem address space. When the request is issued in the DFSMSrmm subsystem address space, a third-party RACROUTE is issued.
 RACROUTE REQUEST=AUTH,CLASS=DATASET,ATTR=level,ENTITY=resource,
              LOG=ASIS,DSNTYPE=T,FILESEQ=n

When a subcommand is issued against a data set name or a volume containing data sets, the RACROUTE is issued in the DATASET class with DSNTYPE=T. When there is no data set information for a MASTER or USER volume, the RACROUTE is issued in the TAPEVOL class. When DSNTYPE=T is coded, the authorization checking that is performed depends on the security product settings such as SETROPTS TAPEDSN, and whether the TAPEVOL class is active.

The variables in the examples have these meanings:

level
Is READ or UPDATE depending on the subcommand issued.
resource
Is the data set name to be processed. When the subcommand is issued against a volume, the data set name is the name of the first file on the volume.
n
Is the file sequence number of the data set on the volume.

Example 2: This example shows how authorization checking for RMM TSO subcommands is performed when the RACROUTE request is issued in the TAPEVOL class. The request can be issued in the address space where the subcommand is issued or in the DFSMSrmm subsystem address space. When the request is issued in the DFSMSrmm subsystem address space, a third-party RACROUTE is issued.
 RACROUTE REQUEST=AUTH,CLASS=TAPEVOL,ATTR=level,ENTITY=resource,
              LOG=ASIS

The variables in the examples have these meanings:

level
Is READ or UPDATE depending on the subcommand issued.
resource
Is the volume to be processed.
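
The two requests above resolve against profiles in the DATASET and TAPEVOL classes. The following REXX exec is an added example, not part of the IBM guide: it lists the SETROPTS settings the text refers to, then defines and lists one profile in each class with READ and UPDATE access. The data set prefix PAYROLL.BACKUP, the groups PAYROLL, TAPEUSR and TAPEADM, and the volume serial A00001 are assumed names.

```rexx
/* REXX - added example, not from the IBM guide.                    */
/* Assumptions: PAYROLL, TAPEUSR and TAPEADM are existing RACF      */
/* groups, A00001 is a tape volume serial, and the user running     */
/* the exec is authorized to issue these RACF commands.             */

/* 1. Show the current options. In the output, check whether        */
/*    TAPEDSN is in effect and whether TAPEVOL is an active class.  */
call racf "SETROPTS LIST"

/* 2. DATASET class (Example 1): ENTITY=resource is a tape data     */
/*    set name, so access is granted on a data set profile.         */
call racf "ADDSD 'PAYROLL.BACKUP.*' UACC(NONE)"
call racf "PERMIT 'PAYROLL.BACKUP.*' ID(TAPEUSR) ACCESS(READ)"
call racf "PERMIT 'PAYROLL.BACKUP.*' ID(TAPEADM) ACCESS(UPDATE)"

/* 3. TAPEVOL class (Example 2): ENTITY=resource is the volume.     */
call racf "RDEFINE TAPEVOL A00001 UACC(NONE)"
call racf "PERMIT A00001 CLASS(TAPEVOL) ID(TAPEADM) ACCESS(UPDATE)"

/* 4. List the access lists so the result can be reviewed:          */
/*    ACCESS(READ) satisfies ATTR=READ, ACCESS(UPDATE) satisfies    */
/*    both ATTR=READ and ATTR=UPDATE.                               */
call racf "LISTDSD DATASET('PAYROLL.BACKUP.*') GENERIC AUTHUSER"
call racf "RLIST TAPEVOL A00001 AUTHUSER"
exit 0

/* Issue one RACF command through TSO and stop on the first error.  */
racf: procedure
  parse arg cmd
  address TSO cmd
  if rc <> 0 then do
    say 'RC' rc 'from:' cmd
    exit 8
  end
  return
```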





Copyright IBM Corporation 1990, 2014