Controlling the Use of SFS Administrator and Operator Commands
You can activate the SFSCMD class to control who can issue SFS administrator and operator commands. Using SFSCMD profiles, users can provide protection for specific commands, and, through the use of generic profiles, for sets of commands.
The SFSCMD class is also used to restrict the use of the general user commands for RENAME DIRECTORY and RELOCATE DIRECTORY. See Restrictions for SFS Directory RENAME and RELOCATE for more information.
When RACF® is called to authorize an SFS administrator command, this replaces the SFS checking for file pool administrator authority, as specified in the DMSPARMS file or with the GRANT ADMIN command. RACF will authorize or deny use of the command by checking the command issuer's access to the SFSCMD profile protecting the command.
When RACF is protecting SFS operator commands, you must still enter the commands from the file pool server's console or from its secondary user console. Access to issue the commands can be further limited using SFSCMD profiles. RACF will authorize or deny use of the operator command by checking the command issuer's access to the SFSCMD profile protecting the command.
When SFS calls RACF to authorize an administrator or operator command and there is no profile to protect that command, RACF will fail the command.
To control which users can issue SFS administrator and operator commands, take the following steps:
- Plan your changes to the DMSESM profile.
The RACF protection of SFS administrator and SFS operator commands is dependent on ESM calls from an SFS file pool server using the RACROUTE interface. Using the DMSESM PROFILE as described in Setting Up DMSESM PROFILE for RACF SFS Protection, an installation can specify that RACF be called for all, some, or none of the SFS administrator and operator commands. The parameters of concern in the DMSESM PROFILE are the Bnnnn and Cnn parameters in Record 2.
- If you plan to use generic profiles in the SFSCMD class, activate
generic profiles:
SETROPTS GENERIC(SFSCMD)IBM® also recommends that you create atop
generic profile in the SFSCMD class to protect those SFS administrator and operator commands that are not protected by a more specific profile. To do so, enter:RDEFINE SFSCMD ** UACC(NONE) - Create appropriate profiles in the SFSCMD class:
RDEFINE SFSCMD profile-name UACC(NONE)Specifying UACC(NONE) is recommended if most users on the system will not be able to issue SFS administrator and operator commands. The resource names are determined by z/VM®, and are documented in z/VM CMS File Pool Planning, Administration, and Operation.
For example, the SFS administrator command
is translated into the resource nameQUERY FILEPOOL REPORT (CATALOG
in the SFSCMD class. This resource name could be protected by a RACF profile in the SFSCMD class namedfilepool.QUERY.FILEPOOL.CATALOG*.QUERY.FILEPOOL.CATALOGFor example, the SFS operator command
is translated into the resource nameAUDIT ON ALL
in the SFSCMD class. This resource name could be protected by a RACF profile in the SFSCMD class namedfilepool.AUDIT.ON.ALL*.AUDIT.ON.ALL - Use the PERMIT command to allow appropriate users and groups access
to the profile by giving them at least UPDATE access:
PERMIT profile-name CLASS(SFSCMD) ID(userid|group) ACCESS(UPDATE)For example:PERMIT *.AUDIT.ON.ALL CLASS(SFSCMD) ID(LAURIE) ACCESS(UPDATE) - When you are ready to use the protection defined in SFSCMD profiles,
activate the SFSCMD class:
SETROPTS CLASSACT(SFSCMD) - For performance reasons, you should consider requesting SETROPTS
RACLIST processing for the SFSCMD class:
SETROPTS RACLIST(SFSCMD) - Activate RACF as the SFS
external security manager.
If you are activating RACF protection for the first time on your file pool server, follow the instructions in Activating RACF as the SFS External Security Manager.
If you are already using RACF to protect SFS files and directories or BFS files in your file pool, you must update the DMSESM PROFILE with the changes you planned in step 1 above, and restart your file pool server.