You may want to organize the users who need access to ICSF keys
and services into groups. To do this, obtain a list of the user IDs
of users who need to use ICSF keys and services. If batch jobs or
started tasks need to use ICSF, obtain the user IDs under which
they will run.
Group any of the user IDs together if they require
access to the same keys and services. For example, you might want
to set up groups as follows:
- Users who work with MAC-related callable services
- Users who work with PIN-related callable services
- Users who work with a particular MAC, or a particular PIN
- Users who call applications to dynamically update the CKDS
- Users who perform functions available on the User Control Functions
panel
Usually, all users of ICSF should obtain their access to keys
and services by virtue of their membership in one of these RACF groups,
rather than through permissions granted to individual user IDs. This is
because RACF maintains the access lists in in-storage profiles. When the
profiles are created or changed, the in-storage copies must be refreshed.
(Merely changing them in the RACF database is not sufficient. This is
analogous to the in-storage CKDS maintained by ICSF.) To refresh the
in-storage RACF profiles, the RACF security administrator must use the
SETROPTS command:
SETROPTS RACLIST(CSFKEYS) REFRESH
SETROPTS RACLIST(CSFSERV) REFRESH
If you place RACF
groups in the access lists of the RACF profiles, you can change
a user's access to the protected services and keys by adding or removing
the user from the groups. Ask your RACF security administrator to
create the RACF groups.
You should also ask your RACF security
administrator to connect you to these groups with CONNECT group authority.
This permits you to connect and remove users from the groups.
For example, the security administrator could issue these commands:
ADDGROUP groupid
CONNECT your-userid GROUP(groupid) AUTHORITY(CONNECT)
With CONNECT group authority, you are able to connect other users to the
groups:
CONNECT other-userid GROUP(groupid)
With CONNECT group authority, you are also able to remove users from the
groups:
REMOVE other-userid GROUP(groupid)
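The whole procedure described above, run as one batch TSO job, is shown below as an added example that is not part of the original IBM text. The job card, the group ID ICSFMAC, the user IDs ICSFADM and USER01 are constructed placeholders; the CSFSERV resource names CSFMGN and CSFMVR (MAC generate and MAC verify) are assumed here to be the profiles that protect the MAC-related callable services, and the submitting user is assumed to hold the RACF authority (for example SPECIAL) needed to run these commands.

```jcl
//RACFGRP  JOB (ACCT),'ICSF MAC GROUP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example: set up a RACF group for users of the MAC-related
//* ICSF callable services. The SYSTSIN commands, in order:
//*   1. ADDGROUP  - create the group (placeholder ID ICSFMAC)
//*   2. CONNECT   - give the ICSF administrator CONNECT authority so
//*                  that administrator can later add or remove members
//*   3. PERMIT    - put the GROUP, not individual users, on the access
//*                  lists of the CSFSERV profiles (assumed: CSFMGN, CSFMVR)
//*   4. SETROPTS  - refresh the in-storage CSFSERV profiles; without this
//*                  the PERMIT changes exist only in the RACF database
//*   5. CONNECT   - add an ordinary user (placeholder USER01); a membership
//*                  change needs no RACLIST refresh because the access
//*                  list itself did not change
//* A later REMOVE USER01 GROUP(ICSFMAC) would revoke that user's access.
//* Note: no comment lines inside SYSTSIN, because a line starting with
//* "/*" in column 1 would end the in-stream data set.
//*
//TSOBAT   EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  ADDGROUP ICSFMAC DATA('USERS OF ICSF MAC CALLABLE SERVICES')
  CONNECT ICSFADM GROUP(ICSFMAC) AUTHORITY(CONNECT)
  PERMIT CSFMGN CLASS(CSFSERV) ID(ICSFMAC) ACCESS(READ)
  PERMIT CSFMVR CLASS(CSFSERV) ID(ICSFMAC) ACCESS(READ)
  SETROPTS RACLIST(CSFSERV) REFRESH
  CONNECT USER01 GROUP(ICSFMAC)
/*
```

Check SYSTSPRT for a zero return code on each command; a PERMIT against a profile name that does not exist in CSFSERV is reported there rather than silently creating the profile.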