Implementing AO command security with RACF

RACF® implements security based on user IDs and resource profiles stored in RACF security classes. RACF allows a user access to a resource only if the user's user ID is associated with the resource in the appropriate RACF security class.

For both type-1 and type-2 AO application program security, you must coordinate the definitions of the user IDs and resources that you make in the RACF resource class with your specifications in the AOI= keyword parameter in the TRANSACT macro.

You might need to define substitute user IDs depending on the type of dependent region in which your application programs are executing and other circumstances. For a description of those circumstances, see User ID substitutions for AO application programs.

Example RACF definitions for AO application program security

When using RACF for security for both type-1 and type-2 AO application programs, you can use the following examples to help code your RACF definitions. The examples define the user IMSUSER1 and the transaction APOL13. The RACF definitions you use differ depending on the specifications that you make by using the AOI= keyword on the TRANSACT macro.

In the following example, where AOI=YES, the command /STOP is the protected resource and the user IMSUSER1 is authorized for the command. IMSUSER1 signs on to an IMS terminal and enters transaction APOL13. The transaction issues a CMD or ICMD call to issue the /STOP command (For type-2 AO security, the specification of AOI=YES is not required). 

ADDUSER IMSUSER1 PASSWORD(IUSER1PW) DFLTGRP(SYS1)
RDEFINE CIMS (STO) UACC(NONE)
PERMIT STO CLASS(CIMS) ID(IMSUSER1) ACCESS(UPDATE)

In the following example, where AOI=TRAN, the command /STOP is the protected resource and the transaction APOL13 is authorized for the command. Any user can enter transaction APOL13. The transaction issues a CMD or ICMD call to issue the /STOP command. The APOL13 transaction is authorized to issue the /STOP command. 

ADDUSER APOL13 NOPASSWORD DFLTGRP(SYS1)
RDEFINE CIMS (STO) UACC(NONE)
PERMIT STO CLASS(CIMS) ID(APOL13) ACCESS(UPDATE)

In the following example, where AOI=CMD, the transaction APOL13 is the protected resource and the user IMSUSER1 and the command /STOP are authorized for that transaction. Authorization is checked twice: when IMSUSER1 enters the transaction at the terminal and when the transaction issues a CMD or ICMD call to issue the /STOP command. 

ADDUSER IMSUSER1 PASSWORD(IUSER1PW) DFLTGRP(SYS1)
ADDUSER STO NOPASSWORD DFLTGRP(SYS1)
RDEFINE TIMS (APOL13) UACC(NONE)
PERMIT APOL13 CLASS(TIMS) ID(IMSUSER1) ACCESS(UPDATE)
PERMIT APOL13 CLASS(TIMS) ID(STO) ACCESS(UPDATE)
Related reading:
  • For more information about defining users for AO application program security purposes, see AO command security and system definition.
  • For more information about programming RACF security classes, see z/OS® Security Server RACF System Programmer's Guide.
  • For more information about RACF commands, see z/OS Security Server RACF Command Language Reference.