API and SPI restrictions DFHAPIR parmlib member

The DFHAPIR parmlib member contains rules that identify restricted CICS® API and SPI commands. The CICS translator uses this parmlib member to check program source against the specified command rules during translation. By default, the command rules apply to every user on the LPAR where DFHAPIR is located. However, you can exempt some users or LPARs by using profiles in RACF.

When you need to define RACF profiles for the DFHAPIR parmlib member

A RACF profile DFHAPIR.lpar in the FACILITY class defines whether users are subject to the command rules file. If users have no access to the profile, or if a profile is not defined, they are subject to the command rules file. If a user has READ access to the profile, the user is not subject to the command rules file.

The examples that follow cover the two common scenarios:
  • The command rules apply to most users but some users are exempt.
  • The command rules apply to some LPARs, but not all.

Examples: Defining RACF profiles for the DFHAPIR parmlib member

The RACF FACILITY class is used to protect the DFHAPIR parmlib member. The following examples show how you can define RACF profiles and access lists for the two common scenarios.

Example 1: Defining a general profile that applies to all LPARs
This example creates a profile that applies to all LPARs. UACC(NONE) means that the command rules apply, by default, to all users.
RDEFINE FACILITY DFHAPIR.** UACC(NONE)
To allow some users to bypass the command rules, give them READ access to the profile by using PERMIT commands to set up an access list.
PERMIT DFHAPIR.** CLASS(FACILITY) ID(user) ACCESS(READ)
Example 2: Defining profiles that apply to particular LPARs
To enforce command rules only on particular LPARs, set up DFHAPIR.lpar profiles where lpar is the four-character LPAR name. These should be set up for those LPARs where users are subject to the command rules file:

RDEFINE FACILITY DFHAPIR.** UACC(READ)
RDEFINE FACILITY DFHAPIR.lpar UACC(NONE)
As with the more general profile, UACC(NONE) means that the command rules apply to all users on the LPAR. If required, use an access list to grant exempt users READ access to the profile.
PERMIT DFHAPIR.lpar CLASS(FACILITY) ID(user) ACCESS(READ)
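
The following added example (not part of the original documentation or of CICS) models the decision described above so that a profile set such as the one in Example 2 can be reviewed for unintended exemptions. It assumes that a DFHAPIR.lpar profile takes precedence over DFHAPIR.**, models only user access-list entries and UACC, and uses constructed LPAR names (PRD1, TST1) and user IDs (BUILDER, DEVUSER).

```python
# Added illustration: simplified model of the DFHAPIR exemption decision.
# Assumptions: only user-ID access-list entries and UACC are modelled (no group
# connections or other RACF overrides); all LPAR and user names are constructed.

# Constructed profile set mirroring Example 2: generic profile with UACC(READ),
# one enforced LPAR (PRD1) with a single exempt user.
PROFILES = {
    "DFHAPIR.**": {"uacc": "READ", "acl": {}},
    "DFHAPIR.PRD1": {"uacc": "NONE", "acl": {"BUILDER": "READ"}},
}


def covering_profile(lpar, profiles):
    """Return the most specific profile covering DFHAPIR.lpar, or None."""
    specific = f"DFHAPIR.{lpar}"
    if specific in profiles:
        return specific
    if "DFHAPIR.**" in profiles:
        return "DFHAPIR.**"
    return None


def is_subject_to_rules(user, lpar, profiles):
    """True when the command rules apply to this user on this LPAR."""
    name = covering_profile(lpar, profiles)
    if name is None:
        return True  # no profile defined: the rules apply
    profile = profiles[name]
    # An explicit access-list entry for the user overrides UACC.
    access = profile["acl"].get(user, profile["uacc"])
    return access != "READ"  # READ access means the user is exempt


def exempt_report(users, lpars, profiles):
    """List (lpar, user, deciding profile) for every exemption, for review."""
    return [
        (lpar, user, covering_profile(lpar, profiles))
        for lpar in lpars
        for user in users
        if not is_subject_to_rules(user, lpar, profiles)
    ]


if __name__ == "__main__":
    for row in exempt_report(["BUILDER", "DEVUSER"], ["PRD1", "TST1"], PROFILES):
        print(row)
```

In this model every user on TST1 is reported as exempt through DFHAPIR.** UACC(READ), which is the intended effect of Example 2 but also applies to any LPAR that has no DFHAPIR.lpar profile of its own.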