Issuing DBRC commands

You can issue batch and online (/RMxxxxxx) commands and DBRC API requests to use DBRC functions. Authorization checking is supported for DBRC commands that are submitted as batch or online commands.

The /RMxxxxxx commands perform the following DBRC functions:

Record recovery information in the RECON data set
Generate JCL for various IMS utilities and generate user-defined output
List general information in the RECON data set
Gather specific information from the RECON data set

The IMS security administrator can use a security product like RACF® (Resource Access Control Facility), a security exit routine, or both to control authorization of DBRC commands. Commands issued through the z/OS® console are always authorized.

Recommendation: Allow operators or automation programs to issue the /RMLIST command (or DSPAPI FUNC=QUERY API request) and the /RMGENJCL command (or DSPAPI FUNC=COMMAND COMMAND=GENJCL API request). Restrict the use of /RMCHANGE, /RMDELETE, and /RMNOTIFY commands (or equivalent API requests), because they update the RECON data sets.

Attention: When the /RMLIST command is issued from the OM API (such as TSO SPOC), the amount of output that is generated can be large. Because the RECON data set is reserved during command processing, if the generated output is large, do not issue the command during peak times. To prevent the command from being issued with the DBRC='RECON' option inadvertently, consider protecting the command with a security product.