Authorizing DBRC commands and API requests with RACF
You can set up DBRC command and API request authorization support with RACF® by defining resource profiles (explicit or generic) that cover all of the DBRC commands and API requests, and permitting appropriate user access to these profiles.
The resource name corresponds directly to the command and consists of a high-level qualifier (HLQ) and up to three elements of the DBRC command. The resource name model has the following format:
- High-level qualifier (for example, SAFHLQ)
- Command verb (for example, NOTIFY)
- Command modifier (for example, PRILOG or IC)
- Command qualifier (for example, dbname or OLDS)
DBRC uses a list of resource names for command authorization support. See Resource names for command authorization.
Different profiles can be used based on the set of RECON data sets being used, but only one HLQ name per RECON data set is allowed. For example, you might use an HLQ name of PRODRECN for the production RECON data sets and an HLQ name of TESTRECN for the test RECON data sets.
Other considerations for your definitions are as follows:
- Resource profiles that protect the DBRC commands must be defined in the FACILITY resource class.
- User identifiers in the ACEEUSRI field of the accessor environment element (ACEE) are used for all authorization checking, and the user must have READ access to the resource profile, at a minimum.
- DBRC command authorization is enabled or disabled by using the CHANGE.RECON and INIT.RECON commands with the CMDAUTH keyword. The HLQ name is required when enabling command authorization.
Authorizing security profiles for DBRC commands and API requests
You can define security resource profiles for your system to protect specific DBRC commands and requests, and permit appropriate user access to each command or request.
The security resource name corresponds directly to the DBRC command or request and consists of a high-level qualifier (HLQ) and up to three elements of the command or request. Assume that you are using RACF for data security and decide to use IMSA as your HLQ to identify your IMS system.
- Issue the following RACF command to allow access to all DBRC commands:
    RDEFINE FACILITY IMSA.** OWNER(...) UACC(READ)
- Issue the following two RACF commands to restrict the DELETE.SUBSYS command to the user IDs listed in the ID parameter:
    RDEFINE FACILITY IMSA.DELETE.SUBSYS.* OWNER(...) UACC(NONE)
    PERMIT IMSA.DELETE.SUBSYS.* CLASS(FACILITY) ID(...) ACC(READ)
  Command protection is now in effect.
- Issue the following command to clear the cache and cause RACF to refresh and read the new values from the database:
    SETROPTS REFRESH GENERIC(FACILITY) RACLIST(FACILITY)
- Issue the following DBRC command to specify accesses to the RECON data set. For example, to use the prefix IMSA for security checking:
    CHANGE.RECON CMDAUTH(SAF,IMSA)
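The following Python sketch is an added example, not IBM's code or RACF's actual matching algorithm. It models how the two profiles defined in the steps above decide access for a given resource name. Assumptions: only exact names and trailing .* and .** generics are handled, the covering profile with the most qualifiers wins, an uncovered resource is treated as denied, and the user IDs DBAADM1 and OPER7 and the subsystem name IMS1 are constructed.

```python
# Added illustration: simplified model, not RACF's actual matching algorithm.
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

# The two FACILITY profiles from the steps above. DBAADM1 is a constructed
# user ID standing in for the elided ID(...) value.
PROFILES = {
    "IMSA.**": {"uacc": "READ", "permits": {}},
    "IMSA.DELETE.SUBSYS.*": {"uacc": "NONE", "permits": {"DBAADM1": "READ"}},
}

def resource_name(hlq, command, qualifier=None):
    """Build HLQ.verb.modifier[.qualifier] from a DBRC command name."""
    parts = [hlq] + command.upper().split(".")
    if qualifier:
        parts.append(qualifier.upper())
    return ".".join(parts)

def covers(profile, resource):
    """True if the profile name covers the resource name (trailing generics only)."""
    p, r = profile.split("."), resource.split(".")
    if p[-1] == "**":   # zero or more trailing qualifiers
        return r[:len(p) - 1] == p[:-1]
    if p[-1] == "*":    # one or more trailing qualifiers
        return len(r) >= len(p) and r[:len(p) - 1] == p[:-1]
    return p == r       # discrete profile

def covering_profile(resource, profiles=PROFILES):
    """Pick the covering profile with the most qualifiers (most specific here)."""
    hits = [p for p in profiles if covers(p, resource)]
    return max(hits, key=lambda p: len(p.split(".")), default=None)

def authorized(user, resource, profiles=PROFILES, needed="READ"):
    """READ is the minimum access the page requires for a DBRC command."""
    name = covering_profile(resource, profiles)
    if name is None:
        return False    # assumption: an uncovered resource is treated as denied
    prof = profiles[name]
    access = prof["permits"].get(user, prof["uacc"])
    return LEVELS.index(access) >= LEVELS.index(needed)

if __name__ == "__main__":
    for user, cmd, qual in [("DBAADM1", "DELETE.SUBSYS", "IMS1"),
                            ("OPER7", "DELETE.SUBSYS", "IMS1"),
                            ("OPER7", "NOTIFY.PRILOG", "OLDS")]:
        res = resource_name("IMSA", cmd, qual)
        print(user, res, covering_profile(res), authorized(user, res))
```

In this model every user not named in the PERMIT is denied DELETE.SUBSYS, while all other commands fall through to IMSA.** and are allowed by its UACC(READ).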