SYSSEC Macro
Access to system resources is managed by z/VM®; however, when RACF® is installed, the z/VM system resource manager calls RACF whenever a user requests access to a protected resource. Based on information contained in its various profiles and SYSSEC options, RACF responds to the resource manager, indicating whether the requested access is authorized or not.
The SYSSEC macro, part of the RACF module HCPRWA, establishes the relationship between RACF's response to an access request and the final disposition of that request by z/VM. RACF checks whether the access request is authorized. The SYSSEC macro options are then used to determine the final disposition of the request.
SYSSEC parameter options are supported for VMMDISK, VMRDR, VMNODE, VMCMD, and VMLAN classes. There is also a default category which covers resource checks made by CP using a generalized resource checking interface defined in ACIPARMS (function code ACIRSCHK). There are no SYSSEC options supported for VMMAC, VMSEGMT, or other general resource classes not covered by the categories listed above.
| SYSSEC keyword | Applies to |
|---|---|
| DEFLTx= | Default category for CP-initiated general resource checks |
| DISKx= | RACF class=VMMDISK |
| RDRx= | RACF class=VMRDR |
| NODEx= | RACF class=VMNODE |
| CMDx= | RACF class=VMCMD (see note) |
| LANx= | RACF class=VMLAN |

| Where x = | RACF Response to z/VM | SYSSEC Keyword Values |
|---|---|---|
| P | Authorized (PERMIT) | ALLOW \| DEFER |
| F | Access Not Authorized (FAIL) | DEFER \| FAIL |
| W | Not Authorized, WARNING | DEFER \| FAIL |
| U | Resource Not Defined to RACF | ALLOW \| DEFER \| FAIL |
| M | Display RACF messages | ON \| OFF |
SYSSEC parameter options are supported for the following commands and diagnose codes protected in the VMCMD class: STORE.C, TRSOURCE, DEFINE.MDISK, DIAG088, DIAG0E4, XAUTOLOG.G, DIAG0A0.VALIDATE, DIAG0A0.QUERYSEC, and DIAG0A0.HRTSTORE.
To change the defaults, create an update file for HCPRWA and modify the DISKx, RDRx, NODEx, CMDx, or LANx parameters on the SYSSEC macro.
If you change the SYSSEC options, you must reassemble HCPRWA before generating the CP nucleus. Be sure that RACF MACLIB is included in your MACLIB concatenation when you assemble HCPRWA. For instructions on performing this local modification to HCPRWA (a CP source part), see z/VM: Service Guide.
```
[label] SYSSEC [DEFLTP=ALLOW|DEFER]        X
               [,DISKP=ALLOW|DEFER]        X
               [,RDRP=ALLOW|DEFER]         X
               [,NODEP=ALLOW|DEFER]        X
               [,CMDP=ALLOW|DEFER]         X
               [,LANP=ALLOW|DEFER]         X
               [,DEFLTF=DEFER|FAIL]        X
               [,DISKF=DEFER|FAIL]         X
               [,RDRF=DEFER|FAIL]          X
               [,NODEF=DEFER|FAIL]         X
               [,CMDF=DEFER|FAIL]          X
               [,LANF=DEFER|FAIL]          X
               [,DEFLTW=DEFER|FAIL]        X
               [,DISKW=DEFER|FAIL]         X
               [,RDRW=DEFER|FAIL]          X
               [,NODEW=DEFER|FAIL]         X
               [,CMDW=DEFER|FAIL]          X
               [,LANW=DEFER|FAIL]          X
               [,DEFLTU=ALLOW|DEFER|FAIL]  X
               [,DISKU=ALLOW|DEFER|FAIL]   X
               [,RDRU=ALLOW|DEFER|FAIL]    X
               [,NODEU=ALLOW|DEFER|FAIL]   X
               [,CMDU=ALLOW|DEFER|FAIL]    X
               [,LANU=ALLOW|DEFER|FAIL]    X
               [,DISKM=ON|OFF]             X
               [,RDRM=ON|OFF]              X
               [,NODEM=ON|OFF]             X
               [,CMDM=ON|OFF]              X
               [,LANM=ON|OFF]
```
The following parameters are supported by the SYSSEC macro.
- DEFLTP=, CMDP=, DISKP=, LANP=, RDRP=, NODEP=
  Defines the action z/VM will take when RACF has permitted access for commands that are protected within the VMCMD class, or to the profile protecting a minidisk, Guest LAN, virtual reader, RSCS node, or some other resource for which CP has requested an access check. The following parameter options are allowed.
  - ALLOW: z/VM allows the access.
  - DEFER: z/VM processes the request as if RACF were not installed. (The request has been deferred to z/VM.)
- DEFLTU=, CMDU=, DISKU=, LANU=, RDRU=, NODEU=
  Defines the action z/VM will take when a command that is protected within the VMCMD class, or a minidisk, Guest LAN, virtual reader, RSCS node, or some other resource for which CP has requested an access check, is not defined to RACF. The following parameter options are allowed.
  - ALLOW: z/VM allows the access.
  - DEFER: z/VM processes the request as if RACF were not installed. (The request has been deferred to z/VM.)
  - FAIL: z/VM fails the request.
- DEFLTF=, CMDF=, DISKF=, LANF=, RDRF=, NODEF=
  Defines the action z/VM will take when RACF has denied access for commands that are protected within the VMCMD class, or to a minidisk, Guest LAN, virtual reader, RSCS node, or some other resource for which CP has requested an access check. The following parameter options are allowed.
  - DEFER: z/VM processes the request as if RACF were not installed. (The request has been deferred to z/VM.)
  - FAIL: z/VM fails the request.
- DEFLTW=, CMDW=, DISKW=, LANW=, RDRW=, NODEW=
  Defines the action z/VM will take when RACF would have denied access for a command that is protected within the VMCMD class, or to a minidisk, Guest LAN, virtual reader, RSCS node, or some other resource for which CP has requested an access check, but the profile for the resource was in WARNING mode. The following parameter options are allowed.
  - DEFER: z/VM processes the request as if RACF were not installed. (The request has been deferred to z/VM.)
  - FAIL: z/VM fails the request.
- CMDM=, DISKM=, LANM=, RDRM=, NODEM=
  Indicates whether error messages defined by RACF will be displayed at the command issuer's console as well as the error messages issued by z/VM. If an invalid value is specified, the default is for messages to be displayed. The following parameter options are allowed.
  - ON: RACF error messages will be issued.
  - OFF: RACF error messages will be suppressed.

Note: RACF does not generate messages for the generalized resource checking interface (ACIRSCHK).
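
One way to review a SYSSEC local modification before reassembling HCPRWA is to check each coded keyword against the table of allowed values and list the settings where a non-PERMIT RACF response is not turned into a failure. The Python below is an added example, not IBM code: the function names, the `card` helper and the sample source lines are constructed for illustration, and keywords that are not coded (which take the macro defaults) are not modeled.

```python
import re

# Allowed values per response suffix, from the table on this page.
ALLOWED = {"P": {"ALLOW", "DEFER"}, "F": {"DEFER", "FAIL"},
           "W": {"DEFER", "FAIL"}, "U": {"ALLOW", "DEFER", "FAIL"},
           "M": {"ON", "OFF"}}
CATEGORIES = {"DEFLT", "DISK", "RDR", "NODE", "CMD", "LAN"}

def parse_syssec(source):
    """Join assembler continuation lines and return {keyword: value}."""
    # Column 72 is the continuation column, so keep columns 1-71 only.
    text = "".join(line[:71].strip() for line in source.splitlines())
    return dict(re.findall(r"(\w+)=(\w*)", text))

def audit(settings):
    """Return (keyword, value, finding) for each setting worth reviewing."""
    findings = []
    for key, val in settings.items():
        cat, sfx = key[:-1], key[-1]
        # The syntax on this page lists no DEFLTM keyword.
        if cat not in CATEGORIES or sfx not in ALLOWED or key == "DEFLTM":
            findings.append((key, val, "not a SYSSEC keyword"))
        elif val not in ALLOWED[sfx]:
            findings.append((key, val, "value not allowed"))
        elif sfx in "FWU" and val != "FAIL":
            findings.append((key, val, "RACF response not enforced as FAIL"))
        elif sfx == "M" and val == "OFF":
            findings.append((key, val, "RACF messages suppressed"))
    return findings

def card(text, cont=True):
    """Build one 72-column source line (constructed sample helper)."""
    return text.ljust(71) + ("X" if cont else "")

# Constructed sample, not taken from a real HCPRWA update file.
SAMPLE = "\n".join([
    card("         SYSSEC DISKF=DEFER,"),
    card("               RDRU=ALLOW,"),
    card("               CMDM=OFF,"),
    card("               LANW=MAYBE,"),
    card("               NODEF=FAIL", cont=False),
])

if __name__ == "__main__":
    for finding in audit(parse_syssec(SAMPLE)):
        print(*finding, sep="  ")
```
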