Authorizing DTST transaction to modify storage

Note: This section is not applicable to IBM® Developer z/OS® (non-Enterprise Edition) or IBM Z and Cloud Modernization Stack (Wazi Code).

This topic describes the steps you must take to authorize the DTST transaction to modify either USER-key storage, CICS-key storage, or both. DTST does not allow users to modify Key-0 storage.

The following resources control DTST authorizations:

  • EQADTOOL.DTSTMODUSERK, which controls the ability to modify USER-key storage.
  • EQADTOOL.DTSTMODCICSK, which controls the ability to modify CICS-key storage.
  1. Establish profiles in the FACILITY class by entering the following RDEFINE commands:
    RDEFINE FACILITY EQADTOOL.DTSTMODUSERK UACC(NONE)
    RDEFINE FACILITY EQADTOOL.DTSTMODCICSK UACC(NONE)
  2. Verify that generic profile checking is in effect for the class FACILITY by entering the following command:
    SETROPTS GENERIC(FACILITY)
  3. Give a user permission to modify USER-key, CICS-key storage, or both by entering one or both of the following commands, where DUSER1 is the name of a RACF-defined user or group profile:
    PERMIT EQADTOOL.DTSTMODUSERK CLASS(FACILITY) ID(DUSER1) ACCESS(UPDATE)
    PERMIT EQADTOOL.DTSTMODCICSK CLASS(FACILITY) ID(DUSER1) ACCESS(UPDATE)
    Instead of connecting individual users, the security administrator can specify DUSER1 to be a RACF® group profile and then connect authorized users to the group.
  4. If the FACILITY class is not active, activate the class by entering the following SETROPTS command:
    SETROPTS CLASSACT(FACILITY)
    Enter the SETROPTS LIST command to verify that FACILITY class is active.
  5. Refresh the FACILITY class by entering the following SETROPTS RACLIST command:
    SETROPTS RACLIST(FACILITY) REFRESH