Defining Content Manager OnDemand resource classes and entities to RACF

About this task

RACF® requires entries in its Resource Class Descriptor Table corresponding to the Content Manager OnDemand resources to be protected. Additionally, entries need to exist in the RACF Router Table for each entry placed in the Resource Class Descriptor Table.

For details regarding the definition and protection of general resources via RACF, see the following publications:
  • IBM® SecureWay Security Server for z/OS® and OS/390® RACF: Command Language Reference
  • IBM SecureWay Security Server for z/OS and OS/390 RACF: Macros and Interfaces
  • IBM SecureWay Security Server for z/OS and OS/390 RACF: Security Administrator's Guide
  • IBM SecureWay Security Server for z/OS and OS/390 RACF: System Programmer's Guide

General resource classes are defined to RACF through the assembly and link-editing of the RACF Class Descriptor Table. Table entries are created through the invocation of the ICHERCDE macro.

The following illustrates the ICHERCDE macro invocations required to define the Content Manager OnDemand resource classes to RACF.
ARS1FLDR ICHERCDE CLASS=ARS1FLDR,  OnDemand V7 Folder            +
               CASE=ASIS,          See note (1) below            +
               ID=135,             See note (2) below            +
               POSIT=37,           See note (2) below            +
               MAXLNTH=60,                                       +
               FIRST=ANY,                                        +
               OTHER=ANY,                                        +
               OPER=YES,                                         +
               DFTUACC=NONE,                                     +
               RACLIST=ALLOWED,                                  +
               GENLIST=ALLOWED
*
ARS1APGP ICHERCDE CLASS=ARS1APGP,  OnDemand V7 Application Group +
               CASE=ASIS,          See note (1) below            +
               ID=136,             See note (2) below            +
               POSIT=37,           See note (2) below            +
               MAXLNTH=60,                                       +
               FIRST=ANY,                                        +
               OTHER=ANY,                                        +
               OPER=YES,                                         +
               DFTUACC=NONE,                                     +
               RACLIST=ALLOWED,                                  +
               GENLIST=ALLOWED
*
         ICHERCDE ,

Note: The ID and POSIT values shown are for illustration only. The actual values selected might be different and depend on the other general resource classes that might already be defined.

The RACF Router Table must also be assembled and link-edited. Table entries are created through the invocation of the ICHRFRTB macro.

The following illustrates the ICHRFRTB macro invocations required to define the RACF Router Table entries corresponding to the Content Manager OnDemand Resource Classes.
ICHRFR01 CSECT ,                                                   
ARS1FLDR ICHRFRTB CLASS=ARS1FLDR,  OnDemand V7 Folder            +
               ACTION=RACF                                        
*                                                                 
ARS1APGP ICHRFRTB CLASS=ARS1APGP,  OnDemand V7 Application Group +
               ACTION=RACF                                        
*                                                                 
ENDTAB   ICHRFRTB TYPE=END                                        
*                                                                 
         END   , 

In Content Manager OnDemand, it is possible to create folder and application group name strings that contain embedded blanks. However, RACF resource names cannot contain blank characters. As a consequence, module ARSUSECZ translates all embedded blanks in these name strings to the underscore character (X'6D') when they are presented to the security system.

To protect Content Manager OnDemand resources whose names contain embedded blanks, you must define RACF profiles that will match an underscore (either explicitly or through generics) in place of the blank characters.
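
The translation described above, as an added Python example that is not IBM code or part of ARSUSECZ: it applies the blank (X'40') to underscore (X'6D') substitution to constructed folder names, then reports names that collapse to the same RACF resource name (so one profile governs both) and names longer than the MAXLNTH=60 shown in the class definitions. Code page 037, the sample names, and treating the translated name string alone as the resource name are assumptions made for the illustration.

```python
"""Added example: models the blank-to-underscore translation described above.
Not IBM code; code page 037 and the sample names are assumptions."""

MAXLNTH = 60                     # MAXLNTH from the ICHERCDE entries on this page
CODEPAGE = "cp037"               # assumed EBCDIC code page for the illustration
BLANK_TO_UNDERSCORE = bytes.maketrans(b"\x40", b"\x6d")  # X'40' -> X'6D'


def racf_resource_name(ondemand_name: str) -> str:
    """Return the name as it would be presented to the security system."""
    ebcdic = ondemand_name.encode(CODEPAGE)
    return ebcdic.translate(BLANK_TO_UNDERSCORE).decode(CODEPAGE)


def audit(names):
    """Group OnDemand names by translated resource name.

    Returns (by_resource, collisions, too_long):
      by_resource - resource name -> list of OnDemand names producing it
      collisions  - subset of by_resource with more than one source name,
                    i.e. distinct objects covered by the same profile
      too_long    - names whose resource name exceeds MAXLNTH
    """
    by_resource, too_long = {}, []
    for name in names:
        resource = racf_resource_name(name)
        by_resource.setdefault(resource, []).append(name)
        if len(resource) > MAXLNTH:
            too_long.append(name)
    collisions = {r: n for r, n in by_resource.items() if len(n) > 1}
    return by_resource, collisions, too_long


# Constructed sample folder names (not taken from any real system).
SAMPLE_FOLDERS = [
    "Payroll Reports 2024",
    "Payroll_Reports 2024",      # differs only by blank vs underscore
    "Invoices",
    "Quarterly Audit " + "X" * 50,
]

if __name__ == "__main__":
    by_resource, collisions, too_long = audit(SAMPLE_FOLDERS)
    for resource, sources in by_resource.items():
        print(f"{resource!r:70} <- {sources}")
    print("shared profile:", collisions)
    print("exceeds MAXLNTH:", too_long)
```
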

Note: The security exit routine is not called for a report if the ACT SECURITY EXIT field contains the word Public.