Securing dependent regions using resource access security

Resource access security (RAS) prevents an application program that is running in a dependent region from using a resource (a transaction, PSB, or LTERM) unless it is authorized to do so. RAS does not restrict the scheduling of application programs in dependent regions.

The authority of an application program to access a resource that is protected by RAS is based on the user ID of the dependent region. The user ID of the dependent region must be authorized in the RACF® security class profile for the resource that the application program is attempting to use.

You can specify RAS by using the ISIS= execution parameter in the IMS, DBC, and DCC startup procedures.

Related reading:
  • For additional information about the IMS, DBC, or DCC startup procedures, see IMS Version 15.2 System Definition.

RACF resource classes for RAS security

RAS uses the RACF resource classes to define the resources it protects and the user IDs of the dependent regions that can access those resources. The RACF resource classes that RAS uses include:

  • IIMS and JIMS for PSBs and groups of PSBs
  • LIMS and MIMS for LTERMs and groups of LTERMs
  • TIMS and GIMS for transactions and groups of transactions

Some of these classes are predefined by RACF, but others are not. If you do not find the security class that you need among the classes RACF provides, you can use the RACF resource class macro ICHERCDE to create an installation-defined class descriptor table (CDT).

The RACF security classes contain the names of the resources that RAS protects and the user IDs that can use them. When an application program in a dependent region attempts to use a resource, RAS checks the class profile of the resource to see if the user ID of the dependent region is listed as authorized for that resource. If the user ID is specified, RAS grants access to the application program. If the user ID is not specified, RAS denies access.

Related reading:
  • For more information about working with RACF security, see:
  • For more information about defining new classes with the ICHERCDE macro, see z/OS Security Server RACF System Programmer's Guide.