Preparing a RACF security plan
A security plan for RACF® includes defining which resources need to be protected, specifying security options in system definition macros, and defining the resources that you want to protect to RACF.
To prepare a security plan that uses RACF:
Procedure
- Prepare a list of all of the IMS online resources to be protected, arranging them in groups to give an overview of the total resources covered.
- Select the security facilities that protect the resource groups.
- Design screen formats to include non-display fields for passwords in transactions and commands.
- Specify your security options in the SECURITY, COMM, and IMSGEN system definition macros.
- Define the RACF resource class profiles to RACF.
- Add users, groups, and data sets to RACF.
- Define transactions and transaction groups to RACF.
- Define databases, segments, fields, and other resources and resource groups to RACF.
- Define commands and command groups to RACF.
- Define extended resource protection sources (APPL).
- Modify JCL procedures in IMS.PROCLIB.
IMS security uses a variety of RACF resource classes. These classes define individual resources or groups of resources, and they are divided into the following categories:
- APPC/IMS: The APPC resource classes used by APPC/IMS are not specific to IMS and include:
  - APPCTP: Identifies transaction profiles for LU 6.2 transactions to RACF.
  - APPCLU: Specifies the conversation security for a session.
  - APPCPORT: Controls access to the system from a given LU (APPC port of entry).

  Related reading: For additional information on APPC/IMS and the RACF resource classes used by APPC/IMS, see the APPC Transaction Security topic in IMS Version 15.5 Communications and Connections.
- Application: The application resource class, APPL, holds a profile of every subsystem that is defined to RACF. The application group resource class, AIMS, holds a profile for every APSB that is defined to RACF. The IMS system is defined in this class with the IMSID name (with the IMSCTRL macro) for system access authorization checking at signon.
- Command: The command resource class, CIMS, holds a profile for every command that is defined to RACF for command authorization checking. The command group resource class, DIMS, allows grouping of IMS commands that have a common access authority profile. Commands are defined for authorized user IDs.
- Database: The database resource class, PIMS, holds a profile for each database that is defined to RACF for authorization checking. The database group resource class, QIMS, allows grouping of database resources that have a common access authority profile.
- Field: The field resource class, FIMS, allows RACF authorization checking of fields within a database. The field resource group class, HIMS, allows grouping of common access fields for RACF authorization checking.
- LTERM: The LTERM resource class, LIMS, holds a profile for every IMS LTERM that is defined to RACF for LTERM authorization checking. The LTERM group resource class, MIMS, allows grouping of IMS LTERMs that have a common access authority profile.
- Other: This resource class, OIMS, and its group resource class, WIMS, are available for you to use for resources that do not fit into any other class. This class can be used to interface with the AUTH call.
- PSB: The PSB resource class, IIMS, holds a profile for every IMS PSB that is defined to RACF for PSB authorization checking. The PSB group resource class, JIMS, allows grouping of IMS PSBs that have a common access authority profile.
- Segment: The segment resource class, SIMS, identifies individual segments to RACF. The segment group resource class, UIMS, allows grouping of segments with a common access authority profile for RACF authorization checking.
- Transaction: The transaction resource class, TIMS, holds a profile for every IMS transaction defined to RACF for transaction authorization checking. The transaction group resource class, GIMS, allows grouping of IMS transactions that have a common access authority profile.
Use the RCLASS= initialization EXEC parameter to specify the names of the resource classes that the IMS system will use.
The following table shows resource class assignments.
Resource class type | RACF-defined resource class name | User-defined resource class name |
---|---|---|
APPC/IMS | APPCTP, APPCLU, APPCPORT, and others | These are not IMS-specific resource classes |
Application resource class | APPL | This is not an IMS-specific resource class |
Application group name resource class | AIMS | Axxxxxxx |
Command resource class | CIMS | Cxxxxxxx |
Command group resource class | DIMS | Dxxxxxxx |
Database resource class | PIMS | Pxxxxxxx |
Database group resource class | QIMS | Qxxxxxxx |
Field resource class | FIMS | Fxxxxxxx |
Field group resource class | HIMS | Hxxxxxxx |
LTERM resource class | LIMS | Lxxxxxxx |
LTERM group resource class | MIMS | Mxxxxxxx |
Other resource class | OIMS | Oxxxxxxx |
Other group resource class | WIMS | Wxxxxxxx |
PSB resource class | IIMS | Ixxxxxxx |
PSB group resource class | JIMS | Jxxxxxxx |
Resume TPIPE class | RIMS | Rxxxxxxx |
Segment resource class | SIMS | Sxxxxxxx |
Segment group resource class | UIMS | Uxxxxxxx |
Transaction resource class | TIMS | Txxxxxxx |
Transaction group resource class | GIMS | Gxxxxxxx |
- For more information about the ICHERCDE macro, see z/OS® Security Server RACF Macros and Interfaces.
- For more information about updating the RACF resource class descriptor table, see z/OS Security Server RACF System Programmer's Guide.
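The RACF definition steps of the procedure (groups, the APPL profile for the IMSID, transactions and transaction groups) can be run as a batch TSO job. The job below is an added example, not part of the original topic. It assumes the RACF-defined class names from the table (APPL, TIMS, GIMS); the job card, the IMSID `IMSA`, the group `IMSPAY`, the user ID `USER01` (assumed to exist already), and all transaction and profile names are constructed placeholders.

```jcl
//RACFPLAN JOB (ACCT),'IMS RACF PLAN',CLASS=A,MSGCLASS=X
//* Added example: define a group, protect the IMS system (APPL),
//* one transaction (TIMS) and one transaction group (GIMS).
//* Every profile is created with UACC(NONE) so that access is
//* denied unless a PERMIT grants it. All names are placeholders.
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP IMSPAY                        /* group for payroll users */
  CONNECT  USER01 GROUP(IMSPAY)          /* existing user ID        */
  RDEFINE  APPL IMSA UACC(NONE)          /* IMSID, checked at signon */
  PERMIT   IMSA CLASS(APPL) ID(IMSPAY) ACCESS(READ)
  RDEFINE  TIMS PAYINQ UACC(NONE)        /* a single transaction    */
  PERMIT   PAYINQ CLASS(TIMS) ID(IMSPAY) ACCESS(READ)
  RDEFINE  GIMS PAYUPDT ADDMEM(PAYADD PAYCHG PAYDEL) UACC(NONE)
  PERMIT   PAYUPDT CLASS(GIMS) ID(IMSPAY) ACCESS(READ)
  SETROPTS CLASSACT(TIMS)                /* APPL assumed active     */
  RLIST    TIMS PAYINQ AUTHUSER          /* review the access list  */
  RLIST    GIMS PAYUPDT AUTHUSER
/*
```

If RCLASS= specifies a user-defined value, substitute the corresponding class names from the user-defined column of the table in the RDEFINE, PERMIT, SETROPTS and RLIST commands.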