Granting access to the MCF on the host
In your installation, you may have several users with different roles concerning the task to manage I/O configurations. These users must have different access rights to the IODFs and the MCF data sets on the host. This section offers a proposal for a security set up based on RACF or a different security product for the following user groups:
- System programmer: responsible for all of an installation's I/O configurations and must have comprehensive access rights on IODFs and MCFs.
- I/O Configuration manager (class A): responsible for physical configurations, like cabling, and the consistency of MCF-enabled configurations, but not authorized to perform logical changes like creating or configuring processors. Is authorized to enable/disable configurations for being shared and authorized to update MCFs. Also must be able to retrieve any information (physical and logical) about configurations.
- I/O Configuration manager (class B): must be able to perform physical changes on MCF-enabled configurations and therefore needs authorization to update (upload) MCFs on the host. Must be able to retrieve any information about configurations, but is not authorized to enable/disable MCFs.
- System operator: must be able to retrieve any information about configurations, but is not authorized to perform any updates.
Table 1 shows the I/O configuration tasks that users
of the described groups must perform. Table 2 shows the
proposals on how to specify the appropriate staged access rights.
| Configuration task | System programmer | I/O Configuration manager (class A) | I/O Configuration manager (class B) | System operator |
|---|---|---|---|---|
| Perform all required I/O configuration tasks: update all IODFs and MCFs | yes | no | no | no |
| Apply physical changes only (includes physical mismatch resolution): update MCFs | yes | yes | yes | no |
| Observe consistency among shared physical configurations: enable/create and disable/delete shared MCFs on the host | yes | yes | no | no |
| Viewing I/O configurations: load IODF/download MCF to PC | yes | yes | yes | yes |
| Data set specification | System programmer | I/O Configuration manager (class A) | I/O Configuration manager (class B) | System operator |
|---|---|---|---|---|
| HLQ.IODF%%.** | alter | read | read | read |
|
HLQ.IODF%%.**.MCF
HLQ.IODF%%.**.MCF.CLUSTER |
alter | alter | update | read |
Note: Applying many physical updates to a configuration may require to enlarge an MCF data set by
deleting the old and allocate a new data set on the host. To allow users to insert a great amount of
physical configuration information, you may in advance enlarge the MCF data set beyond the space
that would be allocated per default. Use the HCD profile option
MCF_EXTENSION to
specify the percentage of additional space that is to be allocated when defining an MCF data set.
For a detailed description of the MCF_EXTENSION keyword, refer to the z/OS HCD User's Guide.