RACF authorization for commands entered through OM

All OM security checking that RACF® performs uses the OPERCMDS class. The resource name has the form IMS.imsplexname.commandverb.commandkeyword, where:

IMS
The high-level qualifier for all RACF resources that protect IMS commands entered through OM.
imsplexname
The name of the IMSplex for which the command is authorized. The IMSplex name must include the characters CSL at the beginning. For example, CSLplex1.
commandverb
The name of the command verb.
commandkeyword
The primary command keyword or resource type for the command.

Example: authorizing users to commands in an IMSplex

The following example shows RACF definitions that authorize different users to different commands. The profiles that contain an asterisk are generic profiles, so generic processing must be active for the class (SETROPTS GENERIC(OPERCMDS)) before they are defined; otherwise RACF creates a discrete profile in which the asterisk is an ordinary character. Also keep in mind that when more than one profile covers a resource, RACF uses only the most specific matching profile. In this example, IMS.*.UPD.TRAN is more specific than IMS.*, so the UPDATE access that Betty holds on IMS.* does not give her the UPD TRAN command: that decision is made by IMS.*.UPD.TRAN, where she has no entry and UACC is NONE.

/*   allow UPD TRAN command on any IMSplex for user ID Jim */
     RDEFINE OPERCMDS IMS.*.UPD.TRAN UACC(NONE)
     PERMIT IMS.*.UPD.TRAN CLASS(OPERCMDS) ID(JIM) ACCESS(UPDATE)

/*   allow INIT OLC command on IMSplex CSLPLEXA for user ID Sandy */
     RDEFINE OPERCMDS IMS.CSLPLEXA.INIT.OLC UACC(NONE)
     PERMIT IMS.CSLPLEXA.INIT.OLC CLASS(OPERCMDS) ID(SANDY) ACCESS(UPDATE)

/*   allow any QRY command on any IMSplex for user ID Tom */
     RDEFINE OPERCMDS IMS.*.QRY.* UACC(NONE)
     PERMIT IMS.*.QRY.* CLASS(OPERCMDS) ID(TOM) ACCESS(READ)

/*   allow any commands on any IMSplex for user ID Betty */
     RDEFINE OPERCMDS IMS.* UACC(NONE)
     PERMIT IMS.* CLASS(OPERCMDS) ID(BETTY) ACCESS(UPDATE)

     SETROPTS CLASSACT(OPERCMDS)
     SETROPTS RACLIST(OPERCMDS) REFRESH

Example: using RACF groups and the OPERCMDS class for type-2 command security

The following example shows a RACF definition that authorizes all user IDs that are part of a RACF group to use any IMS operator commands. This example shows two important elements of RACF administration:

  • RACF groups
  • Wildcard characters

/*   define IMS operator group */
     ADDGROUP IMSOPER
     CONNECT (PEDRO,ROSA,PETER,MATT) GROUP(IMSOPER)

/*   allow any commands on any IMSplex for group IMSOPER */
     RDEFINE OPERCMDS IMS.* UACC(NONE)
     PERMIT IMS.* CLASS(OPERCMDS) ID(IMSOPER) ACCESS(UPDATE)

     SETROPTS CLASSACT(OPERCMDS)
     SETROPTS RACLIST(OPERCMDS) REFRESH

Using a group definition simplifies the administration of RACF profiles. The group can be permitted to many RACF profiles, such as data set and OPERCMDS profiles. If a user changes jobs, you need only remove the user ID from the group instead of revoking its access on each RACF resource profile.

The benefit of using wildcard characters in the RACF resource name is that you can keep the number of RACF resource definitions to a minimum. Also, a command that is introduced after the profiles are created, and whose resource name matches an existing generic profile, is protected by that profile: users who are not permitted to it are denied. The same most-specific-profile rule applies here as in the previous example: if a more specific profile such as IMS.CSLPLEXA.INIT.OLC also exists, members of IMSOPER are not covered for that command by their IMS.* permit.
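The two examples above interact in a way that is easy to miss when each is read on its own: RACF chooses one matching profile (the most specific) and decides from that profile's access list and UACC alone. The following Python model, an added illustration that is not RACF or IMS code, replays the profiles, permits and group connection from both examples and reports which profile decides each command and whether the user gets in. The generic matching rules and the specificity ordering are simplified versions of the general-resource rules, the required access levels (READ for QRY, UPDATE otherwise) are taken from the page's examples, and every class and function name (Opercmds, check, page_example) is hypothetical.

```python
"""Simplified model of how RACF resolves OPERCMDS profiles for IMS OM commands.

Added illustration, not RACF or IMS code.  It models only what the page's
examples depend on: generic matching in a general resource class and the
rule that a single, most specific, matching profile decides the outcome.
All class and function names are hypothetical.
"""
import re

ACCESS_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF order


def resource_name(imsplex, verb, keyword):
    """Build IMS.imsplexname.commandverb.commandkeyword, upper-cased."""
    return ".".join(["IMS", imsplex.upper(), verb.upper(), keyword.upper()])


def profile_regex(profile):
    """Translate a generic profile into a regex (simplified general-resource rules).

    %  one character within a qualifier;  ** zero or more qualifiers;
    *  at the end of the name: the rest of the name, periods included;
    *  elsewhere: zero or more characters within one qualifier.
    """
    out, i = [], 0
    while i < len(profile):
        if profile.startswith("**", i):
            out.append(".*"); i += 2
        elif profile[i] == "*":
            out.append(".*" if i == len(profile) - 1 else r"[^.]*"); i += 1
        elif profile[i] == "%":
            out.append(r"[^.]"); i += 1
        else:
            out.append(re.escape(profile[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


def specificity(profile):
    """Key for RACF's most-specific-first ordering (simplified).

    At the first position where two names differ, a literal character beats
    %, which beats *, which beats **; a longer name beats its own prefix.
    """
    ranks = {"**": 0, "*": 1, "%": 2}
    key, i = [], 0
    while i < len(profile):
        tok = "**" if profile.startswith("**", i) else profile[i]
        key.append(ranks.get(tok, 3)); i += len(tok)
    return key


class Opercmds:
    """Constructed stand-in for the OPERCMDS class: profiles, UACC, access lists."""

    def __init__(self):
        self.profiles = {}  # name -> {"uacc": level, "acl": {user_or_group: level}}
        self.groups = {}    # group -> set of connected user IDs

    def rdefine(self, name, uacc="NONE"):
        self.profiles[name] = {"uacc": uacc, "acl": {}}

    def permit(self, name, id_, access):
        self.profiles[name]["acl"][id_] = access

    def connect(self, group, users):
        self.groups.setdefault(group, set()).update(users)

    def best_profile(self, resource):
        matches = [p for p in self.profiles if profile_regex(p).match(resource)]
        return max(matches, key=specificity) if matches else None

    def access_granted(self, user, resource):
        """Return (profile used, access level) following RACF precedence:
        the user's own entry, else the highest group entry, else UACC."""
        prof = self.best_profile(resource)
        if prof is None:
            return None, "NONE"  # no profile covers the resource
        acl, uacc = self.profiles[prof]["acl"], self.profiles[prof]["uacc"]
        if user in acl:
            return prof, acl[user]
        group_levels = [acl[g] for g, m in self.groups.items() if user in m and g in acl]
        if group_levels:
            return prof, max(group_levels, key=ACCESS_LEVELS.index)
        return prof, uacc


def check(db, user, imsplex, verb, keyword):
    """Return (resource, deciding profile, granted level, allowed?).
    Required level follows the page's examples: READ for QRY, UPDATE otherwise."""
    resource = resource_name(imsplex, verb, keyword)
    required = "READ" if verb.upper() == "QRY" else "UPDATE"
    profile, granted = db.access_granted(user, resource)
    allowed = ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(required)
    return resource, profile, granted, allowed


def page_example():
    """The OPERCMDS definitions from the first two examples above, combined."""
    db = Opercmds()
    db.rdefine("IMS.*.UPD.TRAN");        db.permit("IMS.*.UPD.TRAN", "JIM", "UPDATE")
    db.rdefine("IMS.CSLPLEXA.INIT.OLC"); db.permit("IMS.CSLPLEXA.INIT.OLC", "SANDY", "UPDATE")
    db.rdefine("IMS.*.QRY.*");           db.permit("IMS.*.QRY.*", "TOM", "READ")
    db.rdefine("IMS.*");                 db.permit("IMS.*", "BETTY", "UPDATE")
    db.connect("IMSOPER", ["PEDRO", "ROSA", "PETER", "MATT"])
    db.permit("IMS.*", "IMSOPER", "UPDATE")
    return db


if __name__ == "__main__":
    db = page_example()
    for who, plex, verb, kw in [("JIM", "CSLPLEXA", "UPD", "TRAN"), ("BETTY", "CSLPLEXA", "UPD", "TRAN"),
                                ("BETTY", "CSLPLEXA", "UPD", "DB"), ("PEDRO", "CSLPLEXA", "INIT", "OLC"),
                                ("MATT", "CSLPLEXB", "INIT", "OLC"), ("TOM", "CSLPLEXB", "QRY", "DB")]:
        print(who, *check(db, who, plex, verb, kw))
```

Running the model shows the two surprises: Betty is denied UPD TRAN because IMS.*.UPD.TRAN, not IMS.*, decides that resource, and Pedro is denied INIT OLC on CSLPLEXA because the discrete profile IMS.CSLPLEXA.INIT.OLC outranks the group's IMS.* permit, while the same command on CSLPLEXB falls through to IMS.* and is allowed. When you want a broad profile to really be a catch-all, either permit the same IDs on every more specific profile as well, or review with RLIST which profile RACF actually selects for a given resource.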

Example: authorizing users who are associated with the RACF APPL class

The following example shows a RACF definition that adds a profile for authorizing users who are associated with the RACF APPL class. JOBNAME is a placeholder for the APPL profile name, and USERID OR GROUPNAME is a placeholder for the user ID or group that is permitted. The APPL class must be active (SETROPTS CLASSACT(APPL)) before RACF checks it; until then, the profile has no effect.

/*   add a profile */
     RDEFINE APPL JOBNAME UACC(NONE)
     PERMIT JOBNAME CLASS(APPL) ID(USERID OR GROUPNAME) ACCESS(UPDATE)