Protecting ICKDSF commands with RACF

You can protect certain ICKDSF commands by defining FACILITY class resource profiles and restricting access to those profiles. Table 1 shows these commands and their associated RACF class profiles. Protection of an ICKDSF command occurs when the following conditions are met:

  • RACF FACILITY class is active
  • The FACILITY class profile has been defined

When FACILITY class is active and one of the profiles shown in Table 1 is defined, you need access authority to that profile in order to use the associated command. Otherwise, any user can use that command.

Table 1. RACF facility class profile names for ICKDSF commands
ICKDSF Command FACILITY Class Profile Name
ANALYZE STGADMIN.ICK.ANALYZE
BUILDIX STGADMIN.ICK.BUILDIX
CONTROL STGADMIN.ICK.CONTROL
CPVOLUME STGADMIN.ICK.CPVOLUME
FLASHCOPY STGADMIN.ICK.FLASHCPY
INIT STGADMIN.ICK.INIT
INSPECT STGADMIN.ICK.INSPECT
INSTALL STGADMIN.ICK.INSTALL
IODELAY STGADMIN.ICK.IODELAY
PPRCOPY STGADMIN.ICK.PPRCOPY
REFORMAT STGADMIN.ICK.REFORMAT
REVAL STGADMIN.ICK.REVAL
TRKFMT STGADMIN.ICK.TRKFMT
Note: For additional information on FACILITY class profiles, refer to z/OS Security Server RACF Security Administrator's Guide.