Using installation-defined classes without prefixing
To set up external security for transactions, files, and PSBs in installation-defined classes, without prefixing, take the steps described in this topic.
For an example of how to define installation-defined classes (T$USRTRN and G$USRTRN) for the XTRAN parameter, see the IBM-supplied sample, DFH$RACF, in CICSTS54.CICS.SDFHSAMP. See also Specifying user-defined resources to RACF.
Before you define a profile, activate the relevant classes, using the SETROPTS CLASSACT and SETROPTS GENERIC commands, as described in Summary of RACF commands.
To ensure the least interruption to actual business processes,
work in a test region first.
- Set up the following installation-defined classes:
- T$USRTRN like TCICSTRN, and G$USRTRN like GCICSTRN
- F$USRFCT like FCICSFCT, and H$USRFCT like HCICSFCT
- P$USRPSB like PCICSPSB, and Q$USRPSB like QCICSPSB
For specific information on setting up installation-defined classes, see the z/OS Security Server RACF System Programmer's Guide.
- Plan and create RACF profiles in the relevant classes:
RDEFINE T$USRTRN transaction-name UACC(NONE) NOTIFY(userid) RDEFINE F$USRFCT file-name UACC(NONE) NOTIFY(userid) RDEFINE P$USRPSB PSB-name UACC(NONE) NOTIFY(userid) - Permit appropriate users or groups (preferably groups) to have access to the profiles:
PERMIT transaction-name CLASS(T$USRTRN) ACCESS(READ) ID(userid or groupid) PERMIT file-name CLASS(F$USRFCT) ACCESS(READ) ID(userid or groupid) PERMIT PSB-name CLASS(P$USRPSB) ACCESS(READ) ID(userid or groupid) - Specify the following system initialization parameters:
SEC=YES XTRAN=$USRTRN XCMD=NO SECPRFX=NO XFCT=$USRFCT XDB2=NO XPSB=$USRPSB XDCT=NO XHFS=NO XJCT=NO XPCT=NO XPPT=NO XRES=NO XTST=NO XUSER=NO XAPPC=NO - Start the CICS region in which you will be using external security.
- If you add, change, or delete RACF profiles in the related classes, refresh the in-storage profiles. (For more information, see Refreshing resource profiles in main storage.)