Modifying RACF security rules

You must modify the RACF® security rules to interface with the Classic User Interface.

About this task

To modify RACF security rules, do the following:

Procedure

  1. Update the resource class description table to define a class name, for example, O2IBM, by using the ICHERCDE macro call.
    Note: The name must be the same name that you use when you define the resource class in the security exit routine.

    You should define the ICHERCDE macro as follows:

    ICHERCDE CLASS=classnme,
                   ID=nnn,
                   MAXLNTH=8,
                   FIRST=ALPHANUM,
                   OTHER=ANY,
                   POSIT=nnn,
                   DFTUACC=NONE

    where classnme and nnn are determined by your installation. Additional operands for this macro might also be required at your installation.

  2. Define a resource profile for logging on to the Classic User Interface by using the TSO RDEFINE command with a resource of INITIAL.

    The following example shows a definition that allows all users to sign on to the Classic User Interface and use the /PWD command for internal security. It allows access to all commands that are marked EXTERNAL=NO.

    RDEFINE classnme INITIAL UACC(READ)

    where classnme is the name that is assigned in the previous step.

    This definition is the minimum required for logon. If you want to restrict the use of the /PWD command, refer to Optional Classic User Interface external security features.

  3. Define resource profiles for the commands that you want to protect by using external security. The commands are marked EXTERNAL=YES.
    1. Use the TSO RDEFINE command to specify the Classic User Interface command as the resource.

      Ensure that you define UACC(NONE) so that only specific users can execute the command.

    2. Use the PERMIT command to define the users who can access the resource, that is, the users who can execute the command.
    3. Give the defined users READ access.

    The following example shows how to authorize a user to run the PEEK command with RACF:

    RDEFINE classnme PEEK UACC(NONE)

    PERMIT PEEK CLASS(classnme) ID(USER01) ACCESS(READ)

    Important: When you authorize commands, the Classic User Interface modifies the command name. For example, it makes the following replacements:
    • It replaces the slash of the INFO-line commands with a dollar sign. For example, /ccccc becomes $ccccc and /LOGOUT is defined to RACF as $LOGOUT in CLASS(cccccccc).
    • It replaces the period of the immediate commands with @. For example, .cccc becomes @cccc.
  4. Include the RACF macro libraries SYS1.MACLIB and SYS1.AMODGEN, and the macro library &thilev.TKANMAC in the assembly of the security exit routine.
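As an added example that is not part of this documentation, the following Python script generates the TSO command stream from steps 2 and 3 and applies the command-name substitutions from the Important note. The class name O2IBM and user USER01 come from the steps above; the immediate command .SAMP is a constructed placeholder name.

```python
# Added example (not from the IBM documentation): build the RACF command
# stream for the Classic User Interface, applying the name substitutions
# the interface makes before it calls RACF ('/' -> '$', '.' -> '@').
from typing import Iterable, List


def racf_resource_name(command: str) -> str:
    """Map a Classic User Interface command to its RACF resource name.

    INFO-line commands start with '/' and are checked as $name;
    immediate commands start with '.' and are checked as @name.
    Other names (for example PEEK) are used unchanged.
    """
    cmd = command.strip().upper()
    if not cmd:
        raise ValueError("empty command name")
    if cmd[0] == "/":
        return "$" + cmd[1:]
    if cmd[0] == ".":
        return "@" + cmd[1:]
    return cmd


def racf_commands(class_name: str, commands: Iterable[str],
                  user_ids: Iterable[str]) -> List[str]:
    """Return the INITIAL logon profile (step 2) plus one UACC(NONE)
    profile and one PERMIT per protected command and user (step 3).

    class_name must match the CLASS value in the ICHERCDE macro (step 1).
    """
    class_name = class_name.upper()
    if not 1 <= len(class_name) <= 8:
        raise ValueError("RACF class name must be 1 to 8 characters")
    users = [u.upper() for u in user_ids]
    lines = [f"RDEFINE {class_name} INITIAL UACC(READ)"]
    for command in commands:
        resource = racf_resource_name(command)
        # Default access NONE: only explicitly permitted users may run it.
        lines.append(f"RDEFINE {class_name} {resource} UACC(NONE)")
        for user in users:
            lines.append(f"PERMIT {resource} CLASS({class_name}) "
                         f"ID({user}) ACCESS(READ)")
    return lines


if __name__ == "__main__":
    # Constructed sample: class O2IBM, user USER01, one command of each kind.
    for line in racf_commands("O2IBM", ["PEEK", "/LOGOUT", ".SAMP"], ["USER01"]):
        print(line)
```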