Defining Content Manager OnDemand resource classes and entities to RACF
About this task
RACF® requires entries in its Resource Class Descriptor Table corresponding to the Content Manager OnDemand resources to be protected. Additionally, entries need to exist in the RACF Router Table for each entry placed in the Resource Class Descriptor Table.
- IBM® SecureWay Security Server for z/OS® and OS/390® RACF: Command Language Reference
- IBM SecureWay Security Server for z/OS and OS/390 RACF: Macros and Interfaces
- IBM SecureWay Security Server for z/OS and OS/390 RACF: Security Administrator's Guide
- IBM SecureWay Security Server for z/OS and OS/390 RACF: System Programmer's Guide
General resource classes are defined to RACF through the assembly and link-editing of the RACF Class Descriptor Table. Table entries are created through the invocation of the ICHERCDE macro.
ARS1FLDR ICHERCDE CLASS=ARS1FLDR,      OnDemand V7 Folder              +
               CASE=ASIS,              See note (1) below              +
               ID=135,                 See note (2) below              +
               POSIT=37,               See note (2) below              +
               MAXLNTH=60,                                             +
               FIRST=ANY,                                              +
               OTHER=ANY,                                              +
               OPER=YES,                                               +
               DFTUACC=NONE,                                           +
               RACLIST=ALLOWED,                                        +
               GENLIST=ALLOWED
*
ARS1APGP ICHERCDE CLASS=ARS1APGP,      OnDemand V7 Application Group   +
               CASE=ASIS,              See note (1) below              +
               ID=136,                 See note (2) below              +
               POSIT=37,               See note (2) below              +
               MAXLNTH=60,                                             +
               FIRST=ANY,                                              +
               OTHER=ANY,                                              +
               OPER=YES,                                               +
               DFTUACC=NONE,                                           +
               RACLIST=ALLOWED,                                        +
               GENLIST=ALLOWED
*
         ICHERCDE ,
The ID and POSIT values as shown are only for illustration purposes. The actual values selected might be different and are a function of other general resource classes which might already be defined.
The RACF Router Table must also be assembled and link-edited. Table entries are created through the invocation of the ICHRFRTB macro.
ICHRFR01 CSECT ,
ARS1FLDR ICHRFRTB CLASS=ARS1FLDR,      OnDemand V7 Folder              +
               ACTION=RACF
*
ARS1APGP ICHRFRTB CLASS=ARS1APGP,      OnDemand V7 Application Group   +
               ACTION=RACF
*
ENDTAB   ICHRFRTB TYPE=END
*
         END   ,
In Content Manager OnDemand, it is possible to create folder and application group name strings which contain embedded blanks. However, RACF resource names cannot contain blank characters. As a consequence, module ARSUSECZ translates all embedded blanks in these name strings to the underscore character (X'6D') when they are presented to the security system.
To protect Content Manager OnDemand resources whose names contain embedded blanks, you must define RACF profiles that will match an underscore (either explicitly or through generics) in place of the blank characters.
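One consequence of the blank-to-underscore translation is that two distinct OnDemand names can map to the same RACF resource name and so be covered by one profile. The following added example (not IBM's code) maps a list of folder or application group names to the resource names RACF would see and flags those collisions, names longer than MAXLNTH=60, and names containing a RACF generic character. It assumes the translation is the only change ARSUSECZ makes to the name string; the function names and sample folder names are constructed for illustration.

```python
from collections import defaultdict

MAXLNTH = 60                 # MAXLNTH=60 from the ICHERCDE entries on this page
CLASSES = ("ARS1FLDR", "ARS1APGP")
GENERIC_CHARS = set("*%")    # RACF generic characters in a profile name

# Constructed sample folder names, not taken from any real system.
SAMPLE_FOLDERS = [
    "Payroll Reports 2024",
    "Payroll_Reports 2024",  # differs from the first only by blank vs underscore
    "Invoices",
    "Audit*Logs",
    "Archive " + "x" * 55,   # 63 characters
]

def racf_resource_name(name):
    """Translate embedded blanks to underscores, as described for ARSUSECZ.
    Assumption: nothing else (case, prefix) changes; CASE=ASIS keeps case."""
    return name.replace(" ", "_")

def audit(cls, names):
    """Map OnDemand names to RACF resource names and flag risky ones."""
    if cls not in CLASSES:
        raise ValueError(f"unknown class {cls!r}")
    by_resource = defaultdict(list)
    for name in names:
        by_resource[racf_resource_name(name)].append(name)
    return {
        "mapping": {n: racf_resource_name(n) for n in names},
        # Distinct OnDemand names that one RACF profile would protect together.
        "collisions": {r: ns for r, ns in by_resource.items() if len(set(ns)) > 1},
        # Resource names longer than the class definition allows.
        "too_long": sorted(r for r in by_resource if len(r) > MAXLNTH),
        # Names containing a generic character; review before defining profiles.
        "generic_chars": sorted(r for r in by_resource if GENERIC_CHARS & set(r)),
    }

if __name__ == "__main__":
    report = audit("ARS1FLDR", SAMPLE_FOLDERS)
    for key in ("collisions", "too_long", "generic_chars"):
        print(key, report[key])
```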