Before you begin: You need to know which programs you want to define to program control. If you run with enhanced program security, you might need to define some programs with the MAIN attribute via the APPLDATA operand on the PROGRAM profile.

Perform the following steps to define programs from traditional load libraries to program control.
- Activate RACF® program control (both access control to load modules and program access to data sets).
    SETROPTS WHEN(PROGRAM)
- Define one of the following profiles.
  - For a particular program, define a discrete RACF PROGRAM class profile:
      RDEFINE PROGRAM membername ADDMEM('datasetname'/volser/NOPADCHK) UACC(READ)
  - For all members in a data set:
      RDEFINE PROGRAM * ADDMEM('datasetname'/volser/NOPADCHK) UACC(READ)
- Refresh the in-storage copy of the PROGRAM profile.
    SETROPTS WHEN(PROGRAM) REFRESH
When you are done, you have defined a program from a load library
to program control.
Tips:
- PROGRAM profile * provides the same function as PROGRAM profile **. If you already have a PROGRAM profile * defined, do not create an ** profile. Instead, issue the RALTER command against PROGRAM * with the same operands shown in the RDEFINE PROGRAM example.
- If you are running in a sysplex with a shared RACF database and your system libraries are also shared, then leaving the VOLSER off will allow you to use the same RACF definitions on all systems in the sysplex.
- Any time you add, change, or delete a profile in the PROGRAM class (with RDEFINE, RALTER, PERMIT, or RDELETE), you must update the in-storage copy of the PROGRAM profile.
    SETROPTS WHEN(PROGRAM) REFRESH
- Daemons that are shipped by z/OS reside in the file system and are controlled programs, so you do not need to define them to program control. For example, suppose you have a daemon named server1. The file /bin/server1 would have the sticky bit on. Member SERVER1 would reside in SYS1.LINKLIB and be defined as a controlled program.
    RDEFINE PROGRAM SERVER1 ADDMEM('SYS1.LINKLIB'/'******'/NOPADCHK) UACC(READ)
    SETROPTS WHEN(PROGRAM) REFRESH
  Tip: You do not need to define the daemons that are shipped by z/OS if you decide to define BPX.MAINCHECK, as discussed in Using enhanced program security.
- Daemons can load locales from the file system or from MVS™ load modules. If they are loaded from MVS load libraries, then these modules must be marked program-controlled. If they are loaded from the file system, the program control extended attribute bit must be set. The locales shipped by IBM® already have this extended attribute bit set.
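
The procedure and tips above, turned into a small command generator as an added example (not IBM's code): it emits the command sequence for a list of programs, switches to RALTER for a profile that already exists, leaves the VOLSER off when none is given, and rejects names that could smuggle extra operands into a command. The function name, the naming-rule patterns and the sample data set MY.LOADLIB are assumptions made for the example.

```python
import re

# Assumed naming rules (standard MVS conventions, not stated on the page):
# member names are 1-8 characters; data set names are period-separated
# qualifiers of 1-8 characters, at most 44 characters in total.
MEMBER_RE = re.compile(r"[A-Z#@$][A-Z0-9#@$]{0,7}")
DSN_RE = re.compile(r"[A-Z#@$][A-Z0-9#@$-]{0,7}(\.[A-Z#@$][A-Z0-9#@$-]{0,7})*")
VOLSER_RE = re.compile(r"[A-Z0-9#@$-]{1,6}|'\*{6}'")  # '******' as used on the page


def program_control_commands(entries, existing_profiles=()):
    """Build RACF commands for (member, dataset, volser) entries.

    A member of '*' or '**' covers every member of the data set; a volser
    of None leaves the VOLSER off. existing_profiles names PROGRAM
    profiles that are already defined (hypothetical input to this example).
    """
    defined = {"*" if p in ("*", "**") else p.upper() for p in existing_profiles}
    cmds = ["SETROPTS WHEN(PROGRAM)"]  # activate program control
    for member, dsn, volser in entries:
        member, dsn = member.upper(), dsn.upper()
        vol = volser.upper() if volser else ""
        if member in ("*", "**"):
            member = "*"  # '*' and '**' provide the same function; keep one
        elif not MEMBER_RE.fullmatch(member):
            raise ValueError(f"bad member name: {member!r}")
        if len(dsn) > 44 or not DSN_RE.fullmatch(dsn):
            raise ValueError(f"bad data set name: {dsn!r}")
        if vol and not VOLSER_RE.fullmatch(vol):
            raise ValueError(f"bad volser: {vol!r}")
        # A profile that already exists is altered, not defined a second time.
        verb = "RALTER" if member in defined else "RDEFINE"
        defined.add(member)
        cmds.append(
            f"{verb} PROGRAM {member} ADDMEM('{dsn}'/{vol}/NOPADCHK) UACC(READ)"
        )
    cmds.append("SETROPTS WHEN(PROGRAM) REFRESH")  # one refresh after all changes
    return cmds


# Constructed sample input: the page's SERVER1 example plus a made-up library.
SAMPLE = [("server1", "SYS1.LINKLIB", "'******'"), ("**", "MY.LOADLIB", None)]

if __name__ == "__main__":
    print("\n".join(program_control_commands(SAMPLE, existing_profiles=["*"])))
```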