Restricting access to the RS catalog repository and IMSRSC repository

The Repository Server (RS) uses z/OS® system authorization facility (SAF) callable services to restrict access to the RS catalog repository and IMSRSC repository. You can use an SAF-enabled external security manager, such as RACF®, to administer RS security.

Resources that can be restricted from or authorized for access include:
  • A repository
  • An RS catalog repository
  • Members within a repository
  • Audit levels associated with a repository

Protect resources by defining general resource profiles with the RACF RDEFINE command.

Grant users access to the defined resource profiles with the RACF PERMIT command.

To restrict access to the RS catalog repository and user repository:

Procedure

  1. In your security database, do the following:
    1. Choose an existing resource class, such as FACILITY, or create a class for RS security checking.
    2. Define general resource profiles under this class as follows:
      • You can control access to user repositories by defining one or more resource profiles using the following form: FRPREP.repositoryname

        For example, you can define a resource profile using FRPREP.IMS_REPOS to secure a repository named IMS_REPOS, or you can define a resource profile using FRPREP.* to secure all repositories.

        In addition to a resource profile for FRPREP, you must also add a resource profile for FRPFLD with the same definitions as FRPREP to ensure that the Resource Manager (RM) address space can set the index, key, and security fields in the IMSRSC repository, as needed. For example, if you defined a resource profile in the XFACILIT class using FRPREP.IMS_REPOS to secure a repository named IMS_REPOS, you should also add FRPFLD.IMS_REPOS to allow the fields to be updated for the repository named IMS_REPOS. The product and type must also be specified as *, so the resource profile definition for the XFACILIT class would be RDEFINE XFACILIT FRPFLD.IMS_REPOS.*.*

      • To control who can modify or access the RS catalog repository as part of the FRPBATCH commands or other requests, you can define a resource profile for FRPREP.CATALOG and grant access only to authorized users.
      • You can control access to each resource or member by defining member level security. Member level security is enabled for access by non-authorized callers.

        Member level security is enabled based on the security fields defined for the user repository. You can define a resource profile for each member you want to secure using the following form: FRPMEM.repositoryname.product.type.membername

        Recommendation: For the FACILITY class, the profile name can be only 39 bytes long. If member level security is used, create a new RACF class for the RS by adding a new class to the RACF Class Descriptor Table (ICHRRCDE) and updating the RACF Router Table (ICHRFR01) with the new class.
      • To control who can modify the AUDIT levels, you can define a resource profile using the following form: FRPAUD.repositoryname.product.type.TYPE

        Considerations for specifying product and type are the same as when setting security for the repository in the CSL RM address space.

    3. Authorize the appropriate users for these profiles by setting a RACF definition profile.
      You can authorize groups of user IDs at the same time by using the RACF ADDGROUP command.
    Here are examples of the RACF commands that are used to define profiles and then grant access to appropriate users:
    Repository:
    RDEFINE XFACILIT FRPREP.REPO1 UACC(NONE)
    PERMIT FRPREP.REPO1 CLASS(XFACILIT) ID(VIEWER1) ACCESS(READ)
    PERMIT FRPREP.REPO1 CLASS(XFACILIT) ID(ADMIN1) ACCESS(ALTER)
    RS catalog repository:
    RDEFINE XFACILIT FRPREP.CATALOG UACC(NONE)
    PERMIT FRPREP.CATALOG CLASS(XFACILIT) ID(ADMIN1) ACCESS(ALTER)
    Members within a repository:
    RDEFINE XFACILIT FRPMEM.REPO1.DFS.RSC.IMSPLEX1.TRAN.PART UACC(NONE)
    PERMIT FRPMEM.REPO1.DFS.RSC.IMSPLEX1.TRAN.PART CLASS(XFACILIT) ID(USER_UTIL10) ACCESS(UPDATE)
    PERMIT FRPMEM.*.*.*.*.*.* CLASS(XFACILIT) ID(USER_UTIL20) ACCESS(READ)
    Audit levels associated with a repository:
    RDEFINE XFACILIT FRPAUD.REPO1.DFS.RSC.TYPE UACC(NONE)
    PERMIT FRPAUD.REPO1.DFS.RSC.TYPE CLASS(XFACILIT) ID(USER_ZOSMI) ACCESS(UPDATE)
  2. In the FRPCFG member of the IMS PROCLIB data set, give the SAF_CLASS parameter the same class name as the one you have defined in the RACF definition profile.
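
The profile-name forms and the FACILITY length recommendation above can be checked before any command is issued. The following is an added example, not IBM code: it builds RDEFINE and PERMIT commands for one repository, pairs FRPFLD with FRPREP, and reports profile names too long for the chosen class. The function names are hypothetical, the 246-byte XFACILIT limit is an assumption to confirm against your class descriptor table, and mirroring the FRPREP permits onto FRPFLD is one reading of "the same definitions".

```python
# Added example, not IBM code. FACILITY's 39-byte limit is from the page;
# the 246-byte XFACILIT limit is an assumption to verify in your CDT.
MAX_PROFILE_LEN = {"FACILITY": 39, "XFACILIT": 246}


def repo_profiles(repo, members=(), audit=()):
    """Profile names for one repository, in the forms the page gives.

    members: (product, type, membername) tuples -> FRPMEM profiles
    audit:   (product, type) tuples             -> FRPAUD profiles
    """
    names = [f"FRPREP.{repo}", f"FRPFLD.{repo}.*.*"]  # FRPFLD paired with FRPREP
    names += [f"FRPMEM.{repo}.{p}.{t}.{m}" for p, t, m in members]
    names += [f"FRPAUD.{repo}.{p}.{t}.TYPE" for p, t in audit]
    return names


def build_commands(saf_class, repo, grants, members=(), audit=()):
    """Return (commands, problems) for one repository.

    grants maps a profile prefix (FRPREP, FRPMEM, FRPAUD) to a list of
    (user_id, access) pairs; FRPFLD reuses the FRPREP grants (assumption).
    """
    limit = MAX_PROFILE_LEN.get(saf_class)  # None: no known limit, no check
    commands, problems = [], []
    for name in repo_profiles(repo, members, audit):
        if limit is not None and len(name) > limit:
            problems.append(f"{name}: {len(name)} bytes exceeds "
                            f"{saf_class} limit of {limit}")
            continue  # emit nothing for a profile the class cannot hold
        commands.append(f"RDEFINE {saf_class} {name} UACC(NONE)")
        prefix = name.split(".", 1)[0]
        key = "FRPREP" if prefix == "FRPFLD" else prefix
        for user, access in grants.get(key, []):
            commands.append(
                f"PERMIT {name} CLASS({saf_class}) ID({user}) ACCESS({access})")
    return commands, problems


if __name__ == "__main__":
    # Constructed sample input reusing names from the page's examples.
    grants = {"FRPREP": [("ADMIN1", "ALTER")], "FRPMEM": [("VIEWER1", "READ")]}
    members = [("DFS", "RSC", "IMSPLEX1.TRAN.PART")]
    for cls in ("FACILITY", "XFACILIT"):
        cmds, probs = build_commands(cls, "IMS_REPOS", grants, members)
        print(f"-- {cls}")
        print("\n".join(cmds + [f"TOO LONG: {p}" for p in probs]))
```

With the sample input, the member profile is 43 bytes long, so it is rejected for FACILITY and accepted for XFACILIT; the class you generate for must match the SAF_CLASS value in FRPCFG.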