Back-end Checking

The profiles for Back-end checking are defined in the NETCMDS class and constructed as described in Commands. If you use the Configuration Assistant and follow the IBM® recommendations, the profiles are already defined for you. The INGESAF member contains all the RACF® commands that you need to define profiles and permissions on a group (that is, role) basis.

However, unless the TSO user or the user that is associated with the Batch job is already connected to any of the groups that represent different user roles (see Roles), more definitions are required.

Batch Command Interface AOFRYCMD/EVJRYCMD with SERVER=*

  • The user must be permitted to use the command EVJRVCMD (Batch only)

    EVJRVCMD is the Batch receiver command name and INGRYRU0 is the true name of the INGREQ command, rather than just the command synonym of INGREQ.

  • The user must be permitted to use each command that the user wants to issue (TSO and Batch)

For example, to allow the RUNAUTO job that is associated with user BOB to issue the INGREQ command, the following RACF permission statements are required:

PE *.*.EVJRVCMD CLASS(NETCMDS) ID(BOB) ACC(READ)
PE *.*.INGRYRU0 CLASS(NETCMDS) ID(BOB) ACC(READ)

If BOB executes a user-written command, then the command itself and all imbedded NetView commands additionally require read access for the autotask (for example, AUTCMDnn) that is used to run the command.

TSO Function INGRCRPC

The user must be permitted to use each command that he wants to issue from TSO via function INGRCRPC.

For example, to allow TSO user BOB to execute the MYCMD command, with RACF, the following permission statements are required:

PE *.*.MYCMD CLASS(NETCMDS) ID(BOB) ACC(READ)
PE *.*.MYCMD CLASS(NETCMDS) ID(AUTCMD01) ACC(READ)

As the second statement shows, the autotask (AUTCMD01 in this example) where the command is executed also needs the permission. If the command is executed under the security context of TSO user BOB, then no autotask is involved and the second permission statement is not needed. For more details, see Security Considerations in Customizing and Programming.

Relational Data Services INGRCRDX

The user must be permitted to use the command INGRCRDS. For example:

PE *.*.INGRCRDS CLASS(NETCMDS) ID(BOB) ACC(READ)

AT Overwrite Syntax Checking for the Customization Dialog

The user must be permitted to use NetView command PIPE. For example:

PE *.*.PIPE CLASS(NETCMDS) ID(BOB) ACC(READ)

Notes:
  1. To help you find the true name for a command, search the INGESAF member for the synonym that you are looking for.
  2. Read access to such a profile ensures that the user really is authorized to issue the command even though that user might not even be known to the NetView program and the command is instead issued by an auto operator.
  3. For the security checks to prevent the unauthorized use of commands from TSO or batch, it is important that a profile exists and that the SAF product is active. If a check fails indicating that either of these conditions is not met, access is granted regardless. If this is not what you want, set the advanced automation option AOF_AAO_SEC_PPIAUTH=FAIL.
  4. Read Step 14B: Install SA Provided Authorized TSO Command INGPAUTH to install INGPAUTH as an authorized TSO command. The TSO REXX functions use INGPAUTH under the covers for RACF checking.
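The following Python sketch is an added example, not IBM code: it models the decision described in note 3 so that you can see which commands in a planned permission set would be granted without an effective check. It assumes that a profile exists exactly when one of the listed PE statements names it (no generic matching beyond the literal `*.*.` prefix) and that AOF_AAO_SEC_PPIAUTH=FAIL turns the "granted regardless" case into a denial; the function names and the user ALICE in the usage are hypothetical.

```python
import re
from enum import Enum

# Constructed sample: PERMIT statements taken from the examples on this page.
PERMITS = """\
PE *.*.EVJRVCMD CLASS(NETCMDS) ID(BOB) ACC(READ)
PE *.*.INGRYRU0 CLASS(NETCMDS) ID(BOB) ACC(READ)
PE *.*.MYCMD CLASS(NETCMDS) ID(BOB) ACC(READ)
PE *.*.MYCMD CLASS(NETCMDS) ID(AUTCMD01) ACC(READ)
"""

PE_RE = re.compile(r"^PE\s+(\S+)\s+CLASS\(NETCMDS\)\s+ID\((\w+)\)\s+ACC\((\w+)\)$")

class Result(Enum):
    ALLOWED = "allowed (READ access)"
    DENIED = "denied"
    ALLOWED_UNCHECKED = "allowed without an effective check"

def parse_permits(text):
    """Return {profile: {user IDs with READ}}; a permitted profile is assumed to exist."""
    acl = {}
    for line in text.splitlines():
        m = PE_RE.match(line.strip())
        if m and m.group(3).upper() == "READ":
            acl.setdefault(m.group(1).upper(), set()).add(m.group(2).upper())
    return acl

def check(acl, user, command, saf_active=True, ppiauth_fail=False):
    """Model of note 3: no profile or inactive SAF grants access unless FAIL is set."""
    profile = f"*.*.{command.upper()}"
    if not saf_active or profile not in acl:
        # Assumption: AOF_AAO_SEC_PPIAUTH=FAIL rejects the request in this case.
        return Result.DENIED if ppiauth_fail else Result.ALLOWED_UNCHECKED
    return Result.ALLOWED if user.upper() in acl[profile] else Result.DENIED

def audit(acl, user, commands, **opts):
    """Map each command the user is expected to issue to its modelled outcome."""
    return {cmd: check(acl, user, cmd, **opts) for cmd in commands}

if __name__ == "__main__":
    acl = parse_permits(PERMITS)
    for fail in (False, True):
        print(f"AOF_AAO_SEC_PPIAUTH=FAIL set: {fail}")
        outcome = audit(acl, "BOB", ["EVJRVCMD", "INGRYRU0", "PIPE"], ppiauth_fail=fail)
        for cmd, res in outcome.items():
            print(f"  {cmd:9} {res.value}")
```

In this sample no statement covers PIPE, so the model reports it as allowed without an effective check by default and as denied once FAIL is set.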