Design considerations for DBCTL security

This topic explains how the various choices of IMS security can be used. When you are deciding on each part of your security design, consider the physical actions that an end user must take to obtain access to the system. You will probably use more than one type of security checking.

This topic assumes:

Using password protection with command keywords

To provide verification before a command is accepted, you can require an accompanying password. The password is entered within parentheses immediately following the command verb.

Limiting access from a dependent BMP, JBP, or CCTL region

Dependent BMP, JBP, and CCTL regions are resources you should protect. You can protect them by preventing the start of an unauthorized dependent region by start of task JCL and by preventing the use of unauthorized resources in a dependent region.

Securing DBCTL dependent regions using RAS

RAS restricts the use of resources based on the user IDs of dependent regions. RAS uses RACF for security enforcement.

RAS allows an application program to access a PSB if the user ID of the dependent region in which the application program is running is authorized for that PSB. The authority of a user ID to use a PSB is defined in either the IIMS or JIMS RACF security class. RAS does not restrict the application programs that can be scheduled in a dependent region.

The IIMS and JIMS classes are predefined by RACF; however, if they have not been included with your release of RACF, you can use the RACF ICHERCDE macro to define them as new classes.

To enable RAS, specify ISIS=R on the initialization EXEC parameter.
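The following RACF definitions are an added example, not taken from the IMS or RACF documentation, showing how PSB authority for a dependent region's user ID could be expressed in the IIMS and JIMS classes. It assumes JIMS is used as the grouping-class counterpart of IIMS. The PSB names (PSBPAY01 to PSBPAY03), the group profile name (PAYGRP), and the user ID (BMPUSR1) are hypothetical.

```clist
/* Added example: hypothetical PSB names, profile name and user ID.  */
/* Issue from a TSO session with authority to administer the classes. */

/* 1. Protect a single PSB with a discrete IIMS profile.              */
/*    UACC(NONE) means no user ID is authorized until it is permitted. */
RDEFINE IIMS PSBPAY01 UACC(NONE)

/* 2. Authorize the user ID that the dependent region runs under.     */
PERMIT PSBPAY01 CLASS(IIMS) ID(BMPUSR1) ACCESS(READ)

/* 3. Protect several PSBs with one JIMS profile (assumed here to be  */
/*    the grouping class), and authorize the same user ID to them.    */
RDEFINE JIMS PAYGRP ADDMEM(PSBPAY02 PSBPAY03) UACC(NONE)
PERMIT PAYGRP CLASS(JIMS) ID(BMPUSR1) ACCESS(READ)

/* 4. Activate both classes so that RACF checks the profiles.         */
SETROPTS CLASSACT(IIMS JIMS)

/* 5. Review the result: the access lists should name only the        */
/*    dependent-region user IDs that are meant to use each PSB.       */
RLIST IIMS PSBPAY01 AUTHUSER
RLIST JIMS PAYGRP AUTHUSER
```

Because RAS checks the dependent region's user ID rather than the application program, the review in step 5 is per region user ID: any program scheduled in a region running as BMPUSR1 can use the PSBs that BMPUSR1 is permitted to.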

Related reading:
  • For more information about the ISIS= EXEC parameter, see IMS Version 15.4 System Definition.
  • For more information about working with RACF security, see:
  • For more information about the ICHERCDE macro, see z/OS Security Server RACF Macros and Interfaces.
  • For more information about updating the RACF resource class descriptor table, see z/OS Security Server RACF System Programmer's Guide.