CSL SCI security
To access the IMSplex, clients must first register with SCI. A client can register with SCI only if the user ID of the address space in which the client is running has the authority to do so. Define the authority for a client address space in the RACF® FACILITY class profile for the IMSplex.
The profile names in the RACF FACILITY class must be in the form CSL.imsplex_name, where imsplex_name is the name of the IMSplex that is being protected. The imsplex_name is the characters CSL followed by the IMSplex name as defined on the IMSPLEX parameter in the CSLSIxxx PROCLIB member data set.
SCI checks security when a client issues a CSLSCREG request to register with SCI. In response to the CSLSCREG request, SCI issues a RACROUTE REQUEST=AUTH call to RACF to see if the client has the authority to register with SCI. RACF checks the user ID of the address space that issued the CSLSCREG request. This user ID must have at least UPDATE authority to register with SCI.
An IMSplex with a RACF FACILITY class that has no UACC(NONE) profile and no profiles matching a particular user ID is unprotected. CSLSCREG requests to register with SCI will be authorized for an unprotected IMSplex.
Example: An IMSplex, PLEX1, has the IMSplex ID of CSLPLEX1. To define a profile that allows only users IMSUSER1 and IMSUSER2 to register with SCI in PLEX1, issue the following RACF commands:
RDEFINE FACILITY CSL.CSLPLEX1 UACC(NONE)
PERMIT CSL.CSLPLEX1 CLASS(FACILITY) ID(IMSUSER1) ACCESS(UPDATE)
PERMIT CSL.CSLPLEX1 CLASS(FACILITY) ID(IMSUSER2) ACCESS(UPDATE)
SETROPTS CLASSACT(FACILITY)
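The following Python sketch is an added example, not IBM code or part of the original documentation. It models the registration decision described above so that an administrator can audit which IMSplexes are left unprotected. It assumes discrete profiles only (no generic profiles or group permits) and treats an inactive FACILITY class the same as a missing profile; the function names, the IMSUSER3 entry and the PLEX2 IMSplex are constructed for illustration.

```python
# Simplified model of the SCI registration check (added example, not IBM code).
# Assumptions: discrete profiles only (no generics, no group permits), and an
# inactive FACILITY class is treated the same as a missing profile.
from dataclasses import dataclass, field

LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass
class Profile:
    uacc: str = "NONE"
    permits: dict = field(default_factory=dict)  # user ID -> access level

def profile_name(imsplex_param: str) -> str:
    """CSL.imsplex_name, where imsplex_name is 'CSL' + the IMSPLEX parameter."""
    return "CSL.CSL" + imsplex_param.upper()

def check_registration(facility, class_active, imsplex_param, user_id):
    """Return (authorized, reason) for a CSLSCREG request from user_id."""
    name = profile_name(imsplex_param)
    prof = facility.get(name) if class_active else None
    if prof is None:
        # No profile in effect: the page states such requests are authorized.
        return True, f"{name}: unprotected, registration authorized"
    level = prof.permits.get(user_id, prof.uacc)
    ok = LEVELS[level] >= LEVELS["UPDATE"]
    return ok, f"{name}: {user_id} has {level}, UPDATE required"

def audit(facility, class_active, imsplex_params):
    """List IMSplexes that an unlisted user ID could register with."""
    findings = []
    for p in imsplex_params:
        name = profile_name(p)
        prof = facility.get(name) if class_active else None
        if prof is None:
            findings.append((name, "no profile in effect"))
        elif LEVELS[prof.uacc] >= LEVELS["UPDATE"]:
            findings.append((name, f"UACC({prof.uacc}) admits unlisted user IDs"))
    return findings

# Constructed sample: the PLEX1 definitions from the example above, plus a
# constructed READ-only user (IMSUSER3). PLEX2 has no profile defined.
FACILITY = {"CSL.CSLPLEX1": Profile("NONE", {"IMSUSER1": "UPDATE",
                                             "IMSUSER2": "UPDATE",
                                             "IMSUSER3": "READ"})}

if __name__ == "__main__":
    for user in ("IMSUSER1", "IMSUSER3", "OTHER"):
        print(check_registration(FACILITY, True, "PLEX1", user))
    print(audit(FACILITY, True, ["PLEX1", "PLEX2"]))
```

The audit flags CSL.CSLPLEX2 because no profile covers it, which is the unprotected case in which any CSLSCREG request is authorized.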