z/OS Security Server RACF System Programmer's Guide


Assigning a user ID to the RACF subsystem

SA23-2287-00

The RACF® subsystem must have a valid RACF user ID. The RACF subsystem cannot be initialized if a valid RACF user ID is not assigned to it. The PROC name for the RACF subsystem must be the same as the name used in IEFSSNxx.

Guideline: Assign a protected user ID to the RACF subsystem. A user ID becomes a protected user ID when it is assigned the NOPASSWORD, NOPHRASE, and NOOIDCARD attributes by an ADDUSER or ALTUSER command. A protected user ID cannot be revoked because of incorrect password or password phrase attempts, and it cannot be used to enter the system in ways that require a password or password phrase. For information on protected user IDs, see z/OS Security Server RACF Security Administrator's Guide.

In a remote sharing environment, the first seven characters of the user ID assigned to the RACF subsystem are displayed at the end of TSO XMIT messages after a command is successfully directed. You might want to consider this when you choose the RACF subsystem user ID.

The security administrator can assign a RACF user ID to the RACF subsystem using the STARTED class. If your installation has not activated the STARTED class, you can use the started procedures table (ICHRIN03). For more information, see Associating started procedures and jobs with user IDs.

Example: The following example shows how you could assign a RACF user ID to the RACF subsystem using ICHRIN03.

Note: This example is not representative of a real ICHRIN03 because it has only one entry.

ICHRIN03   CSECT
NUMBER     DC     X'8001'        Number of entries in started procedures table
PROC       DC     CL8'RACF    '  Name of the RACF subsystem
USERID     DC     CL8'RACFAS  '  Name of RACF-defined user ID
GROUP      DC     CL8'        '
FLAGS      DC     X'40'          Trusted
RESERVED   DC     XL7'00000000000000'
           END

Guideline: Define the RACF subsystem as privileged or trusted. You can use either the STARTED class or ICHRIN03 to do this.

Example: If your installation has activated the STARTED class, the security administrator can create a profile for the RACF subsystem in the STARTED class marked trusted, as shown in the following example, where RACF is the name of the subsystem and RACFAS is the RACF-defined user ID:

RDEFINE STARTED RACF.* STDATA( USER(RACFAS) TRUSTED(YES) )

Example: If you are using ICHRIN03 instead of the STARTED class, the following example illustrates how to assign the RACF user ID SUBSYS to the RACF subsystem and mark it trusted:

ICHRIN03   CSECT
NUMBER     DC     X'8001'        Number of entries in started procedures table
PROC       DC     CL8'RACF    '  Name of the RACF subsystem
USERID     DC     CL8'SUBSYS  '  Name of RACF-defined user ID
GROUP      DC     CL8'        '
FLAGS      DC     X'40'          Entry is trusted
RESERVED   DC     XL7'00000000000000'
           END
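
Added example (not part of the IBM guide): a Python audit helper that decodes an assembled ICHRIN03 table laid out as in the listings above and reports which entries are marked trusted or privileged. It assumes EBCDIC code page 037, that the high-order bit of the count marks the 32-byte entry format, and that X'80' is the privileged flag (both from RACF documentation, not this page); the PAYROLL entry and the function names are hypothetical.

```python
import struct

# Layout from the page's listing: PROC CL8, USERID CL8, GROUP CL8, FLAGS X, RESERVED XL7.
ENTRY = struct.Struct(">8s8s8s1s7s")          # 32 bytes per entry
TRUSTED = 0x40                                # X'40', as on the page
PRIVILEGED = 0x80                             # assumption: from RACF documentation, not this page


def _text(field: bytes) -> str:
    """Decode a blank-padded EBCDIC CL8 field."""
    return field.decode("cp037").rstrip()


def parse_ichrin03(table: bytes) -> list:
    """Return one dict per entry of an assembled ICHRIN03 table."""
    if len(table) < 2:
        raise ValueError("table too short to hold the entry count")
    (count,) = struct.unpack_from(">H", table, 0)
    if not count & 0x8000:
        raise ValueError("high-order bit of count is off: not the 32-byte entry format")
    count &= 0x7FFF
    if len(table) < 2 + count * ENTRY.size:
        raise ValueError("table is shorter than its entry count claims")
    entries = []
    for i in range(count):
        proc, user, group, flags, _ = ENTRY.unpack_from(table, 2 + i * ENTRY.size)
        entries.append({"proc": _text(proc), "userid": _text(user), "group": _text(group),
                        "trusted": bool(flags[0] & TRUSTED),
                        "privileged": bool(flags[0] & PRIVILEGED)})
    return entries


def elevated(entries: list) -> list:
    """Procedure names whose entries are marked trusted or privileged."""
    return [e["proc"] for e in entries if e["trusted"] or e["privileged"]]


def build_entry(proc: str, user: str, group: str, flags: int) -> bytes:
    """Assemble one entry the way the DC statements would (helper for the sample)."""
    return ENTRY.pack(*(s.ljust(8).encode("cp037") for s in (proc, user, group)),
                      bytes([flags]), bytes(7))


# Constructed sample: the page's RACF/SUBSYS entry plus a hypothetical untrusted one.
SAMPLE = (struct.pack(">H", 0x8002)
          + build_entry("RACF", "SUBSYS", "", TRUSTED)
          + build_entry("PAYROLL", "PAYUSR", "PAYGRP", 0x00))

if __name__ == "__main__":
    for entry in parse_ichrin03(SAMPLE):
        print(entry)
    print("review:", elevated(parse_ichrin03(SAMPLE)))
```

Every procedure name that elevated() returns should correspond to a started task the installation intends to run as trusted or privileged.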





Copyright IBM Corporation 1990, 2014