Optional external security features

You can set up your user exit routine to use any of the following external security features. You can also use the control options that the security package itself supplies, such as SHIFT validation and SOURCE validation. To use them, mark the commands EXTERNAL=YES and implement the option as the security package directs.

Customization of error messages

To suit your individual requirements, you can create customized error messages for any of these conditions:

  • The authority of the user is insufficient.
  • The user enters a wrong user ID.
  • The user enters a wrong password.

The customized error messages can be up to 120 bytes long, except for INFO-line messages. INFO-line messages, for example, /PWD relogon messages, can be up to 60 bytes long.

Members KO2RACFX and KOACF2X in the &rhilev.&rte.RKD2SAM data set contain sample exit routines.

Password update

You can give users an interactive exchange with the external security package when they log on.

For example, if a user logs on by using an expired password, the security exit can prompt the user for a new password and update the security database.

Restriction: This option is not available when relogging on by using the /PWD command.

Audit suppression

You can suppress WTO or SMF auditing. To request suppression of WTO or SMF records, your exit routine sets the corresponding flag in $UCHECK at initialization or at relogon.

Audit supplement

In addition to the WTO and SMF audits that are available with the Classic User Interface, you can use the audit features of the external security package to supplement command tracking. The RACF® Report Writer and ACF2 ACFRPT utility programs are examples of this supplemental audit capability.

Locking feature

The locking feature prevents users from changing their internal security level with the /PWD command. The level of authority is set once, at logon, to one of four levels (0, 1, 2, or 3).

Restrictions:

  • Because the feature locks the internal security level of a user, it affects only those commands that are marked as EXTERNAL=NO.
  • The locking feature disables the /PWD command only for supplying internal passwords. The user can still use the /PWD command to relogon to an external user ID.
  • You must define the security level of a user in ACF2 or RACF as an INITIALn resource, where n is a number from 0 to 3.
  • You must assign corresponding values to commands in the security update program by using the LEVEL keyword of the COMMAND control statement.
  • The routine checks the INITIALn resources starting at the highest level, so the highest level a user is permitted to wins. If a user is permitted to both INITIAL2 and INITIAL3, that user is locked to level 3.
  • Users who have INITIAL authority without an attached value from 0 to 3 are allowed to change their internal security level by using the /PWD command.
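The restrictions above describe a small decision procedure: pick the highest INITIALn the user holds, fall back to an unlocked session when only INITIAL is held, refuse startup otherwise, and apply the lock only to EXTERNAL=NO commands. The following Python model is an added illustration of those rules, not code from the product or from the KO2RACFX/KOACF2X sample exits. The resource names, the "highest INITIALn wins" rule and the EXTERNAL=YES/NO distinction come from the text; the data structures, the sample user IDs, the command names and LEVEL values, the stand-in external check, and the assumption that an unlocked user starts at level 0 are constructed for the example.

```python
"""Model of the INITIAL / INITIALn locking rules (added example, not product code)."""
from dataclasses import dataclass, replace
from typing import Callable, Optional, Set

LEVELS = (0, 1, 2, 3)


@dataclass(frozen=True)
class Session:
    userid: str
    allowed: bool            # may the user start the Classic User Interface?
    level: Optional[int]     # internal security level currently in effect
    locked: bool             # True: /PWD may not change the internal level


@dataclass(frozen=True)
class Command:
    name: str
    level: int               # LEVEL= value from the COMMAND control statement
    external: bool           # EXTERNAL=YES: decided by RACF/ACF2, not by level


def resolve_logon(userid: str, permits: Set[str]) -> Session:
    """Derive the session from the INITIAL* resources the external package
    has granted (RACF PERMIT ... ACCESS(READ) or an ACF2 ALLOW rule)."""
    # Check INITIALn from the highest level down: a user permitted to both
    # INITIAL2 and INITIAL3 is locked to level 3.
    for n in reversed(LEVELS):
        if f"INITIAL{n}" in permits:
            return Session(userid, True, n, locked=True)
    # Plain INITIAL only: startup allowed, level not locked, /PWD may change it.
    # Assumption (not stated on the page): such a user starts at level 0.
    if "INITIAL" in permits:
        return Session(userid, True, 0, locked=False)
    # No INITIAL* access at all: the interface must not start for this user.
    return Session(userid, False, None, locked=False)


def pwd_set_level(session: Session, new_level: int) -> Session:
    """/PWD with an internal password: refused for locked users, so the level
    chosen at logon stays in force; unlocked users move to new_level."""
    if not session.allowed or session.locked:
        return session
    if new_level not in LEVELS:
        raise ValueError(f"level must be one of {LEVELS}")
    return replace(session, level=new_level)


def command_allowed(session: Session, cmd: Command,
                    external_check: Callable[[str, str], bool]) -> bool:
    """EXTERNAL=YES commands go to the external package and ignore the lock;
    EXTERNAL=NO commands are compared with the user's internal level."""
    if not session.allowed or session.level is None:
        return False
    if cmd.external:
        return external_check(session.userid, cmd.name)
    return session.level >= cmd.level


# Constructed sample data (hypothetical user IDs, commands and LEVEL values).
SAMPLE_PERMITS = {
    "USER01": {"INITIAL"},                 # unlocked, may raise level via /PWD
    "USER02": {"INITIAL2", "INITIAL3"},    # locked to level 3 (highest wins)
    "USER04": {"INITIAL2"},                # locked to level 2
    "USER09": set(),                       # no INITIAL*: startup refused
}
SAMPLE_COMMANDS = [
    Command("PEEK", level=1, external=False),
    Command("KILL", level=3, external=False),
    Command("ZAP", level=3, external=True),
]


def external_allows(userid: str, command: str) -> bool:
    """Stand-in for the RACF/ACF2 resource check; constructed rule for the demo."""
    return command == "ZAP" and userid == "USER01"


def demo() -> dict:
    """Every sample user logs on, tries to raise the level to 3 with /PWD,
    then attempts every sample command."""
    out = {}
    for userid, permits in SAMPLE_PERMITS.items():
        s = pwd_set_level(resolve_logon(userid, permits), 3)
        out[userid] = {c.name: command_allowed(s, c, external_allows)
                       for c in SAMPLE_COMMANDS}
        out[userid]["level"] = s.level
    return out


if __name__ == "__main__":
    for user, result in demo().items():
        print(user, result)
```

The point the demo makes: USER04 holds only INITIAL2, so the /PWD attempt to reach level 3 is ignored and KILL (LEVEL=3, EXTERNAL=NO) stays blocked, while USER01, who holds only INITIAL, can raise the level freely. Whether ZAP succeeds depends on the external package alone, exactly as the first restriction states.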

User validation through RACF

To validate a user, the user exit routine checks the RACF general resource class that you define with the ICHERCDE macro.

The resources that allow the startup of the Classic User Interface are INITIAL, INITIAL0, INITIAL1, INITIAL2, and INITIAL3.

This example defines these resources, with classnme standing for the resource class name:

       <Allows /PWD to work; UACC(READ) gives every RACF user default access>
               RDEFINE classnme INITIAL UACC(READ)

       <Defines security level 0 with no default access>
               RDEFINE classnme INITIAL0 UACC(NONE)

       <Defines security level 1 with no default access>
               RDEFINE classnme INITIAL1 UACC(NONE)

       <Defines security level 2 with no default access>
               RDEFINE classnme INITIAL2 UACC(NONE)

       <Defines security level 3 with no default access>
               RDEFINE classnme INITIAL3 UACC(NONE)

       <Locks USER02 to level 2 authority>
               PERMIT INITIAL2 CLASS(classnme) ID(USER02) ACCESS(READ)

where classnme is the resource class name that you define in the RACF class descriptor table with the ICHERCDE macro. Because INITIAL carries UACC(READ), every user known to RACF can start the interface; USER02 is nevertheless locked to level 2, because the INITIALn resources are checked before INITIAL.

User validation through ACF2

To validate a user, the user exit routine checks the ACF2 generalized resource class (the TYPE code) that you define for it.

The resources that allow the startup of the Classic User Interface are INITIAL, INITIAL0, INITIAL1, INITIAL2, and INITIAL3.

To allow users to change their authorization level with the /PWD command, use INITIAL.

This example shows sample definitions:

       <Allows /PWD to work for USER01>
                ACFNRULE KEY(INITIAL) TYPE(cls) ADD(UID(****************USER01) ALLOW)

                <Locks USER02 to security level 0 commands>
                ACFNRULE KEY(INITIAL0) TYPE(cls) ADD(UID(****************USER02) ALLOW)

                <Locks USER03 to security level 1 commands>
                ACFNRULE KEY(INITIAL1) TYPE(cls) ADD(UID(****************USER03) ALLOW)

                <Locks USER04 to security level 2 commands>
                ACFNRULE KEY(INITIAL2) TYPE(cls) ADD(UID(****************USER04) ALLOW)

                <Locks USER05 to security level 3 commands>
                ACFNRULE KEY(INITIAL3) TYPE(cls) ADD(UID(****************USER05) ALLOW)
   

where cls is the generalized resource class (TYPE code) that you define when you write the ACF2 resource rules. The asterisks in the UID masks assume a site UID string in which the logon ID begins at offset 16; adjust each mask to your own UID string layout.