z/OS Security Server RACF Macros and Interfaces
Contents (exploded view)
z/OS Security Server RACF Macros and Interfaces
SA23-2288-00
Abstract for Security Server RACF Macros and Interfaces
z/OS Version 2 Release 1 summary of changes
RACF customization macros
ICHERCDE macro
ICHNCONV macro
ICHNCONV coding guideline
ICHNCONV DEFINE
ICHNCONV SELECT
ICHNCONV ACTION
ICHNCONV END
ICHNCONV FINAL
Example of a naming convention table
ICHRFRTB macro
Panel driver interface module (ICHSPF03)
Invoking the panel driver interface
Panel mapping table
The ISPLINK call
Example of a RACF panel interface coding sequence
Profile name list service routine (IRRPNL00)
Invoking the profile name list service routine
Format of returned profile name list
Return codes
Date conversion routine
Invoking the date conversion routine
Format of returned converted date
Return code
SMF records
Record type 80: RACF processing record
Format of SMF type 80 records
Table of event codes and event code qualifiers
Table of relocate section variable data
Table of extended-length relocate section variable data
Table of data type 6 command-related data
Record type 81: RACF initialization record
Record type 83: Security events
Product section
Security section
Subtype 1
Subtype 2 and above
Relocate sections
Reformatted RACF SMF records
Reformatted process records
Reformatted status records
The format of the unloaded SMF type 80 data
IRRADU00 record format
XML grammar
Steps for converting RACF field names to XML tag names
The format of the header portion of the unloaded SMF type 30 and type 80
Event codes
Record extensions
The JOBINIT record extension
The ACCESS record extension
The ADDVOL record extension
The RENAMEDS record extension
The DELRES record extension
The DELVOL record extension
The DEFINE record extension
The ADDSD record extension
The ADDGROUP record extension
The ADDUSER record extension
The ALTDSD record extension
The ALTGROUP record extension
The ALTUSER record extension
The CONNECT record extension
The DELDSD record extension
The DELGROUP record extension
The DELUSER record extension
The PASSWORD record extension
The PERMIT record extension
The RALTER record extension
The RDEFINE record extension
The RDELETE record extension
The REMOVE record extension
The SETROPTS record extension
The RVARY record extension
The APPCLU record extension
The general event record extension
The directory search record extension
The check directory access record extension
The check file access record extension
The change audit record extension
The change directory record extension
The change file mode record extension
The change file ownership record extension
The clear SETID bits record extension
The EXEC SETUID/SETGID record extension
The GETPSENT record extension
The initialize z/OS UNIX record extension
The z/OS UNIX process completion record
The KILL record extension
The LINK record extension
The MKDIR record extension
The MKNOD record extension
The mount file system record extension
The OPENFILE record extension
The PTRACE record extension
The rename file record extension
The RMDIR record extension
The SETEGID record extension
The SETEUID record extension
The SETGID record extension
The SETUID record extension
The SYMLINK record extension
The UNLINK record extension
The unmount file system record extension
The check file owner record extension
The check privilege record extension
The open slave TTY record extension
The RACLINK command record extension
The IPCCHK record extension
The IPCGET record extension
The IPCCTL record extension
The SETGROUP record extension
The CKOWN2 record extension
The access rights record extension
The RACDCERT command record extension
The InitACEE record extension
The Network Authentication Service record extension
The RPKIGENC record extension
The RPKIEXPT record extension
The Policy Director Authorization Services record extension
The RPKIREAD record extension
The RPKIUPDR record extension
The RPKIUPDC record extension
The SETFACL record extension
The DELFACL record extension
The SETFSECL record extension
The WRITEDWN record extension
The PKIDPUBR record extension
The RPKIRESP record extension
The PassTicket evaluation (PTEVAL) record extension
The PassTicket generation (PTCREATE) record extension
The RPKISCEP record extension
The RDATAUPD record extension
The PKIAURNW record extension
The PGMVERYF record extension
The RACMAP record extension
The AUTOPROF record extension
The RPKIQREC record extension
The format of the unloaded SMF type 81 data
The format of the unloaded SMF type 81 class data
The format of the unloaded SMF type 83 data
RACF database unload utility (IRRDBU00) records
IRRDBU00 record types
Format of the record type identification number
The relationships among unloaded database records
Unloaded group record types
Unloaded user record types
Unloaded data set record types
Unloaded general resource record types
Conversion rules of the database unload utility
Record formats produced by the database unload utility
Group record formats
Group basic data record (0100)
Group subgroups record (0101)
Group members record (0102)
Group installation data record (0103)
Group DFP data record (0110)
Group OMVS data record (0120)
Group OVM data record (0130)
Group TME role record (0141)
Group CSDATA custom fields record (0151)
User record formats
User basic data record (0200)
User categories record (0201)
User classes record (0202)
User group connections record (0203)
User installation data record (0204)
User connect data record (0205)
User RRSF data record (0206)
User certificate name record (0207)
User associated mappings record (0208)
User associated distributed mappings record (0209)
User DFP data record (0210)
User TSO data record (0220)
User CICS data record (0230)
User CICS operator classes record (0231)
User CICS RSL keys record (0232)
User CICS TSL keys record (0233)
User language data record (0240)
User OPERPARM data record (0250)
User OPERPARM scope (0251)
User WORKATTR data record (0260)
User OMVS data record (0270)
User NETVIEW segment record (0280)
User OPCLASS record (0281)
User DOMAINS record (0282)
User DCE data record (0290)
User OVM data record (02A0)
User LNOTES data record (02B0)
User NDS data record (02C0)
User KERB data record (02D0)
User PROXY record (02E0)
User EIM data record (02F0)
User CSDATA custom fields record (02G1)
Data set record formats
Data set basic data record (0400)
Data set categories record (0401)
Data set conditional access record (0402)
Data set volumes record (0403)
Data set access record (0404)
Data set installation data record (0405)
Data set DFP data record (0410)
Data set TME role record (0421)
General resource record formats
General resource basic data record (0500)
General resource tape volume data record (0501)
General resource categories record (0502)
General resource members record (0503)
General resource volumes record (0504)
General resource access record (0505)
General resource installation data record (0506)
General resource conditional access record (0507)
General resource filter data record (0508)
General resource distributed identity mapping data record (0509)
General resource session data record (0510)
General resource session entities record (0511)
General resource DLF data record (0520)
General resource DLF job names record (0521)
General resource started task data record (0540)
General resource SystemView data record (0550)
General resource certificate data record (0560)
General resource certificate references record (0561)
General resource key ring data record (0562)
General resource TME data record (0570)
General resource TME child record (0571)
General resource TME resource record (0572)
General resource TME group record (0573)
General resource TME role record (0574)
General resource KERB data record (0580)
General resource PROXY record (0590)
General resource EIM record (05A0)
General resource alias data record (05B0)
General resource CDTINFO data record (05C0)
General resource ICTX data record (05D0)
General Resource CFDEF Data record (05E0)
General Resource SIGVER data record (05F0)
General Resource ICSF record (05G0)
General Resource ICSF key label record (05G1)
General Resource ICSF certificate identifier record (05G2)
General resource certificate information record (1560)
The RACF secured signon PassTicket
Generating and evaluating a PassTicket
Using the service to generate a PassTicket
How the secured signon service works
Invoking the secured signon service
Incorporating the PassTicket generator algorithm into your program
Input data for the algorithm
How the generator algorithm works
How the time-coder algorithm works
The permutation tables
The translation table
The translation process
Example
Generating a secured signon session key
Using the service to generate a secured signon session key
How the secured signon session key generator service works
Invoking the secured signon session key generator service
Return codes from the secured signon session key generator service
Incorporating the secured signon session key generator algorithm into your program
Secured signon session key generation logic
CDMF key-weakening logic
The RACF environment service
Function
Requirements
RACF authorization
Register usage
Format
Parameters
Return and reason codes
Usage notes
Related services
SAF user mapping plug-in interface
Installation considerations for the SAF user mapping service
Writing an application that uses the SAF user mapping plug-in interface
Preparing to run an application with the SAF user mapping plug-in implementation
Writing your own SAF user mapping plug-in implementation
SAF user mapping plug-in initialization function – safMappingInit()
Function
Format
Requirements
RACF authorization
Usage notes
Function return values
SAF user mapping plug-in lookup function – safMappingLookup()
Function
Format
Requirements
RACF authorization
Usage notes
Function return values
SAF user mapping plug-in termination function – safMappingTerm()
Function
Format
Requirements
RACF authorization
Usage notes
Function return values
The irrspim.h header file
Generic name translate service (IRRGNT00)
Function
Environment
Restrictions
Input register information
Output register information
Parameters
Return and reason codes
IRRXUTIL: REXX interface to R_admin extract
Parameters
Examples
Return codes
REXX stem variables created by IRRXUTIL
Example
SETROPTS data
Specifying a period in the stem name
Examples
ICHEINTY, ICHETEST, and ICHEACTN macros
ICHEINTY macro
Return codes from the ICHEINTY macro
ICHETEST macro
ICHEACTN macro
Using ICHEACTN with the DATAMAP=NEW and DATAMAP=OLD operands
Using ICHEACTN to retrieve data when ICHEINTY has DATAMAP=NEW
Using ICHEACTN to alter data when the ICHEINTY has DATAMAP=NEW
Using ICHEACTN to retrieve data when the ICHEINTY has DATAMAP=OLD
Using ICHEACTN to alter data when ICHEINTY has DATAMAP=OLD
Examples of ICHEINTY, ICHETEST, and ICHEACTN macro usage
REXX RACVAR
Supplied class descriptor table entries
RACF database templates
Format of field definitions
Repeat groups on the RACF database
Field length
Data field types
Date fields
Time fields
Integer fields
Character fields
Combination fields on the RACF database
Determining space requirements for the profiles
Determining space requirements for alias index entries
Group template for the RACF database
User template for the RACF database
Connect template for the RACF database
Data set template for the RACF database
General template for the RACF database
Reserved template for the RACF database
Event code qualifier descriptions
Event codes and event code qualifiers
Event 1( 1): JOB INITIATION/TSO LOGON/TSO LOGOFF
Event 2( 2): RESOURCE ACCESS
Event 3( 3): ADDVOL/CHGVOL
Event 4( 4): RENAME RESOURCE
Event 5( 5): DELETE RESOURCE
Event 6( 6): DELETE ONE VOLUME OF A MULTIVOLUME RESOURCE
Event 7( 7): DEFINE RESOURCE
Event 8(8)–25(19): COMMANDS
Event 26(1A): APPCLU
Event 27(1B): GENERAL AUDITING
Event 28(1C)–58(3A): z/OS UNIX EVENT TYPES
Event 59(3B): RACLINK EVENT TYPES
Event 60(3C)–62(3E): z/OS UNIX XPG4 EVENT TYPES
Event 63(3F): z/OS UNIX SETGROUPS EVENT TYPE
Event 64(40): X/OPEN SINGLE UNIX SPECIFICATION EVENT TYPES
Event 65(41): z/OS UNIX PASSING OF ACCESS RIGHTS EVENT TYPES
Event 66(42)–67(43): CERTIFICATE EVENT TYPES
Event 68(44): GRANT OF INITIAL KERBEROS TICKET
Event 69(45): R_PKIServ GENCERT
Event 70(46): R_PKIServ EXPORT
Event 71(47): POLICY DIRECTOR ACCESS CONTROL DECISION
Event 72(48): R_PKIServ QUERY
Event 73(49): R_PKIServ UPDATEREQ
Event 74(4A): R_PKIServ UPDATECERT
Event 75(4B): CHANGE FILE ACL
Event 76(4C): REMOVE FILE ACL
Event 77(4D): SET FILE SECURITY LABEL
Event 78(4E): SET WRITE-DOWN PRIVILEGE
Event 79(4F): CRL PUBLICATION
Event 80(50): R_PKIServ RESPOND
Event 81(51): PassTicket Evaluation
Event 82(52): PassTicket Generation
Event 83(53): R_PKIServ SCEPREQ
Event 84(54): R_Datalib RDATAUPD
Event 85(55): PKIAURNW
Event 86(56): R_PgmSignVer
Event 87(57): RACMAP
Event 88(58): AUTOPROF
Event 89(59): RPKIQREC
Copyright IBM Corporation 1990, 2014