RACF® Authorization

There are no authorization requirements, regardless of the caller's state, to use this service, with the following exceptions:

1. If the RunAs_userID parameter is specified, the caller must have UPDATE access to resource RunAs_userID.IRRSMO00 in the SURROGAT class. RunAs_userID is the value specified for the RunAs_userID parameter. All users who specify the RunAs_userID parameter are subject to this authorization check. If the authorization check fails, IRRSMO00 fails.
2. A non-zero ACEE parameter may only be specified by authorized callers. IRRSMO00 fails if an unauthorized caller specifies anything other than a zero value.
3. All updates performed on the security database (when the x'00000001' EXECUTE option is specified) run under the authority of the caller or the specified ACEE or RunAs_userID. This user must have authority to perform those security database updates. The required authority required varies depending on the type of updates being executed. An attempt is made to execute all of the security definitions, and each one will succeed or fail depending on the authorizations imbuing the user.
4. Unauthorized callers who specify the PRECHECK option code require READ access to resource IRR.IRRSMO00.PRECHECK in the XFACILIT class. The request will fail if the caller lacks this access.
5. To disable all users from being able to use the R_SecMgtOper service, define profile IRR.IRRSMO00.DISABLE.XML to the XFACILIT class. Presence of this profile causes R_SecMgtOper to return 8/200/20 for all callers.
   Note: This is a profile existence check, not an authorization check. A matching generic profile will not disable the service.