Security for dependent region processing

Although security checking can be carried out by terminal, transaction, command, and other types of authorization, you can also implement security by limiting the resources that application programs that are scheduled in dependent regions can access using resource access security (RAS).

RAS uses RACF®, RACF security classes, and user IDs to define resources and the dependent regions that can use those resources. To implement RAS security, you must define in the RACF security classes resource profiles for the transactions, PSBs, and LTERMs that you want to protect. You must also specify in the resource profiles the user IDs of each dependent region that you want to allow to use each resource.

RACF is an external security product to IMS, accessed by IMS using the Security Access Facility (SAF). RACF is licensed with the IBM® z/OS® Security Server. Where this information directs you to use RACF, you can use a different, equivalent security product if you choose.

When an application program executing in a dependent region attempts to access a resource, RACF checks the resource's security class profile to see if the user ID of the dependent region in which the application resides is authorized for that resource. If the resource profile lists that user ID, RACF allows access; if not, RACF denies access.

You can also use exit routines, such as the Resource Access Security user exit (RASE) with RAS, which allows you to customize the security checking for dependent region processing.