z/OS Security Server RACF System Programmer's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Adding installation-defined classes to the static class descriptor table

z/OS Security Server RACF System Programmer's Guide
SA23-2287-00

There are two ways for an installation to define resource classes:
  • Define them in the dynamic class descriptor table, using RDEFINE and RALTER commands. For information on how to do this, see z/OS Security Server RACF Security Administrator's Guide.
  • Define them in the static class descriptor table, using the ICHERCDE macro, as described in the remainder of this section.

Guideline: Define your classes in the dynamic class descriptor table, to avoid the need to re-IPL.

An installation can add, modify, or delete installation-defined entries in the static class descriptor table using the ICHERCDE macro. The ICHERCDE macro cross-checks entries in the class descriptor table for errors. Each installation-defined class entry becomes a CSECT in load module ICHRRCDE. The ICHERCDE macro produces a CSECT for each invocation.
  • If there is a CLASS operand, the CSECT name is that of the class being defined.
  • If there is no CLASS operand, the CSECT name is ICHRRCDE, indicating the end of the descriptor table.

The ICHERCDE macro generates class entries for the RACF® static class descriptor table. Each entry in the installation-defined static class descriptor table becomes a CSECT in load module ICHRRCDE. The module resides in SYS1.LINKLIB or any other APF-authorized linklist library.

To add a class entry, specify the ICHERCDE macro for each class you are adding. Follow this procedure:

  1. Produce assembler source statements to invoke ICHERCDE for each class that you are adding. For information on coding the ICHERCDE macro, see the description of the ICHERCDE macro in z/OS Security Server RACF Macros and Interfaces.
  2. Ensure that the last entry of ICHERCDE is blank. It cannot have a CLASS operand.
  3. Assemble your source.
  4. Use the link-edit utility to link-edit the resulting object module into the ICHRRCDE load module, using ORDER statements for each CSECT. ICHRRCDE must be linked with RMODE=24.

    Be sure that your linkage editor ORDER statements specify ICHRRCDE as the last CSECT. Any class that does not have an ORDER statement, or any class that appears after ICHRRCDE in the output load module, is not usable.

    If you install the class descriptor table with an SMP/E SYSMOD, consider assigning it a user-defined FMID, not the RACF FMID, to prevent SMP/E from deleting it during future RACF product installations.

  5. Re-IPL your system for the change to take effect. In a sysplex you must re-IPL each system on which you intend to use the class before you activate the class.
If you are adding new classes to a load module previously created, you do not have to reassemble your unchanged class entries. You can use the LKED INCLUDE SYSLMOD statement to copy the previous version. For example, if your ICHRRCDE load module contains four classes and you are adding a fifth, here are some sample linkage editor statements to add the fifth entry to your load module: 
//SYSLMOD   DD  DSN=SYS1.RACF.MYLOAD,DISP=OLD
//SYSOBJ    DD  DSN=SYS1.RACF.MYOBJ,DISP=OLD
//SYSIN     DD  *
      INCLUDE SYSOBJ(CLASS5)
      INCLUDE SYSLMOD(ICHRRCDE)
      ORDER CLASS1
      ORDER CLASS5
      ORDER CLASS2
      ORDER CLASS3
      ORDER CLASS4
      ORDER ICHRRCDE
      NAME  ICHRRCDE(R)

The RACTABLE member of SYS1.SAMPLIB contains a sample job.

For information on the class descriptor table and class entries used by CICS®, see CICS RACF Security Guide, available at http://publib.boulder.ibm.com/infocenter/cicsts/v3r1/index.jsp.

Parent topic: The class descriptor table (CDT)

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014