Defining RACF (or equivalent security) authorization for IMS commands

You must define RACF® (or equivalent security software) authorizations for the IMS Database Recovery Facility Extended Functions IMSCMD function to operate.

About this task

The IMS Database Recovery Facility Extended Functions IMSCMD function allows you to execute IMS commands through a batch job. IMS commands must be secured with RACF or other equivalent security software to control access to who can issue IMS commands.

There are three different options for securing IMS commands through this feature. The information about IMS command authorization is defined in the IMS Tools Knowledge Base RECONID record.

Procedure

In the IMSCMD Security field, which is located in the RECONID record, specify the type of security that you want to implement by entering one of these values:

NONE

No security authorization is performed. This value is intended for test environments only and should not be used in a secured environment. The security level of NONE allows anyone to issue any supported IMS command.

APPL

The RACF application (APPL) resource class is used for command security checking. This method uses the application resource class (APPL) to protect the IMS commands. The RACF Class field in the RECONID record indicates the specific application resource name, within the RACF APPL class, that is used for securing the IMS commands.

When you use the APPL resource class method, you must first define the application resource name (applname in the next example) to RACF. Define the application resource name to RACF by using the RDEFINE command , as shown in this example:

   RDEFINE APPL applname UACC(NONE) AUDIT(NONE)

After you have defined the application resource name, your RACF administrator can permit users either READ or UPDATE levels of command authorization by using the PERMIT command, as shown in this example:

   PERMIT applname CLASS(APPL) ID(userid) ACCESS(READ|UPDATE)

The userid specifies a particular RACF user or RACF group. ACCESS specifies either read-level access or update-level access. Read-level access allows a user to issue IMS commands that display IMS system information, and update-level access allows users to issue IMS commands that alter IMS system resources. The next table indicates which IMS commands are allowed and the corresponding level of access that is required to run them.

IMS

The IMS resource class is used for command security checking. This method uses the same IMS command security class that is used by the online IMS system. The RACF Class field in the RECONID record indicates the RACF security class that is used for securing IMS commands. This value must match the one that you specified to IMS using the RCLASS= keyword on the SECURITY macro. This method allows you to use the same security class that is used by your online IMS control region.